
Hi, I posted a thread in the 'false positive' forum and was told to come here. The mistaken 'false positive' thread I started, with info on the problem I am having, is linked to below:

http://forums.malwarebytes.org/index.php?showtopic=115347

I'm attaching the DDS and Attach logs to this post.

Thanks a bunch for any help,

J

PS: I did not temporarily disable any script blocker if my Anti-Virus/Anti-Malware has it, as I do not know if my AV/AM has script blocking and I don't know how to disable it if it did. If there is any problem with the DDS logs please let me know how to fix it. I can probably figure out how to disable it by googling, but I don't know if it's on to begin with. My computer is running Spybot S&D, MalwareBytes Pro and Microsoft Security Essentials. Thanks again.

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31

Run by John at 10:16:34 on 2012-09-05

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.2648 [GMT -5:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe

C:\Program Files\Broadcom\BPowMon\BPowMon.exe

C:\Windows\Explorer.EXE

C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\dell\DBRM\Reminder\DbrmTrayicon.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

C:\Windows\System32\rundll32.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mWinlogon: Userinit=userinit.exe,

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

{555d4d79-4bd2-4094-a395-cfc534424a05}

uRun: [iSUSPM] "C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe" -scheduler

uRun: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

uRun: [apcnap] rundll32.exe "C:\Users\John\AppData\Roaming\apcnap.dll",PSTSetNewData

uRun: [uetrn] "C:\Windows\System32\rundll32.exe" "C:\Users\John\AppData\Roaming\uetrn.dll",AnyFile

mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\Users\John\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{5F37D38D-EEC2-42A7-959D-A85608803995} : DhcpNameServer = 192.168.0.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} -

BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO-X64: 0x1 - No File

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll

BHO-X64: Trend Micro NSC BHO - No File

BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File

mRun-x64: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\tvgwncf2.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/cse?cx=partner-pub-3540673482024757:xbhdw8hkfz5&ie=ISO-8859-1&q=&sa=Search

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]

R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]

R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-2-11 92160]

R2 BPowMon;Broadcom Power monitoring service;C:\Program Files\Broadcom\BPowMon\BPowMon.exe [2009-8-17 117568]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-8 655944]

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-8-20 1153368]

R3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-8-4 113120]

S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]

S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]

S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2010-7-30 25072]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

.

=============== Created Last 30 ================

.

2012-09-05 10:37:06 -------- d-----r- C:\Program Files (x86)\Skype

2012-09-05 07:09:39 -------- d-----w- C:\Users\John\AppData\Local\{CDB40BDD-B875-4EEB-AA9A-071C840C836A}

2012-09-05 01:52:35 9310152 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D9797C7B-FABB-4FD3-87A4-7272971237B4}\mpengine.dll

2012-09-04 13:23:57 -------- d-----w- C:\Users\John\AppData\Local\{2336959A-14D0-41CC-9814-A8E7C841C6A5}

2012-09-03 21:57:27 9310152 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-09-03 14:37:15 -------- d-----w- C:\Users\John\AppData\Local\{B4B654BF-C18F-4CC7-970C-0988D5CF21E4}

2012-09-02 20:53:34 -------- d-----w- C:\Users\John\AppData\Local\{DEACA6D6-A44E-4D97-9056-A6573E1EF987}

2012-09-02 17:26:26 -------- d-----w- C:\Users\John\AppData\Local\{82150780-1C51-4C41-96E2-573B13D8CC70}

2012-09-02 13:59:10 -------- d-----w- C:\Users\John\AppData\Local\{18282C4A-BB43-4439-A6FE-CD1CAB81DC5C}

2012-09-01 15:56:05 -------- d-----w- C:\Users\John\AppData\Local\{0C21A3FD-6555-4F22-A8C2-4525ADE49151}

2012-09-01 01:13:53 -------- d-----w- C:\Users\John\AppData\Local\{2F5FF353-F3D2-11E1-8270-B8AC6F996F26}

2012-09-01 01:13:15 1606144 ----a-w- C:\Users\John\AppData\Roaming\uetrn.dll

2012-08-31 22:10:11 -------- d-----w- C:\Users\John\AppData\Local\{176D2F1E-8226-4605-A11C-D79306FF29E3}

2012-08-31 09:49:05 -------- d-----w- C:\Users\John\AppData\Local\{1CBCA05D-A0B0-4D2B-A26F-72E0FA1C6D51}

2012-08-30 13:14:07 -------- d-----w- C:\Users\John\AppData\Local\{4B025F52-5A2C-48DB-9019-01DC4789460E}

2012-08-29 14:52:33 -------- d-----w- C:\Users\John\AppData\Local\{CD85E3F2-4A10-491C-B508-B495360A9BBA}

2012-08-29 02:52:09 -------- d-----w- C:\Users\John\AppData\Local\{E4BA529C-A15B-4E8A-8384-4D2ACD4EF1BE}

2012-08-28 12:47:57 -------- d-----w- C:\Users\John\AppData\Local\{CB85860C-A262-4290-8E27-08DC3010A214}

2012-08-27 13:32:22 -------- d-----w- C:\Users\John\AppData\Local\{AC9AA695-E81C-49E8-ABF4-EFCC80DFC80F}

2012-08-26 18:40:44 -------- d-----w- C:\Users\John\AppData\Local\{DCFCAA79-9605-4C3B-AF53-0719829F9E86}

2012-08-25 12:50:30 -------- d-----w- C:\Users\John\AppData\Local\{0CEA634D-E501-4332-ACD9-EDB74349A8C3}

2012-08-24 12:59:49 -------- d-----w- C:\Users\John\AppData\Local\{3175CFDA-13FC-40B0-9D8B-B01D23C3D35A}

2012-08-23 22:39:30 -------- d-----w- C:\Users\John\AppData\Local\{FD8FB502-9484-499F-AF0B-A8FC689B9352}

2012-08-23 10:39:05 -------- d-----w- C:\Users\John\AppData\Local\{B1173028-C40B-408F-B6A5-D095D7FE93AD}

2012-08-22 19:17:18 -------- d-----w- C:\Users\John\AppData\Local\{DF129ACA-5509-4A8C-833C-8FC4F8CD9F28}

2012-08-22 01:50:17 -------- d-----w- C:\Users\John\AppData\Local\{2DDC4943-F121-4FE9-9950-BF6509C8C83E}

2012-08-21 13:33:23 -------- d-----w- C:\Users\John\AppData\Local\{E9AF1586-53BD-4DCA-911C-FD0A5B70E3CB}

2012-08-20 18:14:34 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy

2012-08-20 18:14:34 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy

2012-08-16 14:27:11 -------- d--h--w- C:\Users\John\AppData\Local\{332BCF5A-F283-4C22-941C-6E0C4F9AD0E8}

2012-08-16 14:26:59 -------- d--h--w- C:\Users\John\AppData\Local\{595E6E07-6A28-4E98-932F-0D66CE1F9EE1}

2012-08-15 14:33:02 -------- d--h--w- C:\Users\John\AppData\Local\{EFE44AD6-29D7-41EB-A8AF-11BDFD62AAB0}

2012-08-15 14:32:50 -------- d--h--w- C:\Users\John\AppData\Local\{2A98D746-F8C4-4B09-A9F7-5971A163B4C1}

2012-08-15 13:00:07 609792 ----a-w- C:\Windows\System32\vbscript.dll

2012-08-15 13:00:06 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-08-15 13:00:05 59392 ----a-w- C:\Windows\System32\browcli.dll

2012-08-15 13:00:05 41984 ----a-w- C:\Windows\SysWow64\browcli.dll

2012-08-15 13:00:05 136704 ----a-w- C:\Windows\System32\browser.dll

2012-08-15 12:56:06 -------- d--h--w- C:\Users\John\AppData\Local\{5F60411D-5187-4D3F-8DA1-1F0EC386FE8B}

2012-08-15 11:58:39 -------- d--h--w- C:\Users\John\AppData\Local\{A813428B-4EF5-408D-B987-D3BC0F60FC58}

2012-08-14 15:38:45 -------- d--h--w- C:\Users\John\AppData\Local\{E7FE2864-2B1C-46BC-9A6C-7B2A3BE9B201}

2012-08-14 15:38:33 -------- d--h--w- C:\Users\John\AppData\Local\{6D08883D-9F4D-491D-9054-B86D29451EA5}

2012-08-14 02:28:57 -------- d--h--w- C:\Users\John\AppData\Local\{1A5E901C-0651-4DDC-92B3-CCA16CE622C2}

2012-08-14 02:28:45 -------- d--h--w- C:\Users\John\AppData\Local\{2FEB36D7-F962-4119-BFCB-7FCBC1999595}

2012-08-13 17:28:46 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{50D75D90-49B6-4348-87E5-8487E4EACD3E}\gapaengine.dll

2012-08-13 14:02:31 -------- d--h--w- C:\Users\John\AppData\Local\{ABC00FAA-FD93-4A3E-A1E6-555A11E74D84}

2012-08-13 14:02:19 -------- d--h--w- C:\Users\John\AppData\Local\{F427A1D8-473D-4C4D-9461-6B10B1458261}

2012-08-13 13:13:46 -------- d--h--w- C:\Users\John\AppData\Local\{AD61B744-BF85-4AC9-B7CF-A1947009E97D}

2012-08-13 12:57:16 -------- d--h--w- C:\Users\John\AppData\Local\{93EE1446-C6EA-46F8-A5D1-02CDA5E7919C}

2012-08-13 12:55:23 -------- d--h--w- C:\Users\John\AppData\Local\{B96971FF-3C18-4513-BED1-05C70DA5E296}

2012-08-12 22:08:50 -------- d--h--w- C:\Users\John\AppData\Local\{A6B2F823-5A81-47BC-B33E-64579977A4F9}

2012-08-12 22:08:38 -------- d--h--w- C:\Users\John\AppData\Local\{49E6D802-5A3D-4605-87A9-4A760E49176D}

2012-08-12 07:02:14 -------- d--h--w- C:\Users\John\AppData\Local\{58718545-A520-4A31-86EF-4029F6076F22}

2012-08-12 07:02:03 -------- d--h--w- C:\Users\John\AppData\Local\{D95A82C0-3623-4382-B5E6-AECA9C892BA2}

2012-08-12 04:10:13 -------- d-----w- C:\Windows\System32\SPReview

2012-08-12 04:09:23 -------- d-----w- C:\Windows\System32\EventProviders

2012-08-11 07:07:47 328704 ----a-w- C:\Windows\System32\services.exe.8ECD608AF9133C10

2012-08-11 05:32:02 -------- d-----w- C:\Users\John\AppData\Roaming\SUPERAntiSpyware.com

2012-08-11 05:31:55 -------- d--h--w- C:\ProgramData\SUPERAntiSpyware.com

2012-08-11 05:31:55 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2012-08-11 01:50:13 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%

2012-08-11 01:49:03 -------- d--h--w- C:\Users\John\AppData\Local\{9B7E5494-E356-11E1-8270-B8AC6F996F26}

2012-08-11 01:48:32 -------- d--h--w- C:\ProgramData\0C1CFB130008C96702A766874F147CE7

2012-08-10 17:22:38 -------- d--h--w- C:\Users\John\AppData\Local\{4D0F8AED-EFB6-4CFE-9094-A9849BB880BD}

2012-08-10 17:22:27 -------- d--h--w- C:\Users\John\AppData\Local\{310D3E3D-D6F5-4A33-B6D4-CFB6125E9899}

2012-08-10 01:30:38 -------- d--h--w- C:\Users\John\AppData\Local\{BDA73459-00FF-4671-B91E-4F577F6C3A4D}

2012-08-10 01:30:26 -------- d--h--w- C:\Users\John\AppData\Local\{94C72498-BD07-4DFB-821C-A05304BB189F}

2012-08-09 13:16:20 -------- d--h--w- C:\Users\John\AppData\Local\{47C8A171-1CCE-4A64-936C-63295C5E76B2}

2012-08-09 13:16:09 -------- d--h--w- C:\Users\John\AppData\Local\{978C3A83-038F-404C-A35C-3814958B9B18}

2012-08-08 13:11:16 -------- d--h--w- C:\Users\John\AppData\Local\{3604AC68-4AC6-42D6-B3DB-647C574990CE}

2012-08-08 13:11:03 -------- d--h--w- C:\Users\John\AppData\Local\{41C32D44-7671-41CB-ADCE-1758C259B177}

2012-08-07 14:37:46 -------- d--h--w- C:\Users\John\AppData\Local\{6BDBDF2C-F6D9-4A91-B6AB-671AF7B11597}

2012-08-07 14:37:35 -------- d--h--w- C:\Users\John\AppData\Local\{F4A65B5F-E922-4359-B12D-D413406F61B4}

2012-08-07 02:16:06 -------- d--h--w- C:\Users\John\AppData\Local\{A0B0762F-69FB-4E5A-993D-BC1BFB61A602}

2012-08-07 02:15:55 -------- d--h--w- C:\Users\John\AppData\Local\{970ABA11-F71C-439E-BE8F-1E9BCB0166A4}

.

==================== Find3M ====================

.

2012-08-12 04:21:04 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll

2012-08-12 04:21:03 175616 ----a-w- C:\Windows\System32\msclmd.dll

2012-08-04 15:34:13 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-04 15:34:13 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys

2012-07-08 23:29:30 10063024 ----a-w- C:\mbam-setup.exe

2012-07-08 23:24:48 457632 ----a-w- C:\FixExec.exe

2012-07-03 18:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-06-27 07:06:53 1188864 ----a-w- C:\Windows\System32\wininet.dll

2012-06-27 05:53:07 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-06-27 04:53:10 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2012-06-27 04:10:55 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

.

============= FINISH: 10:17:00.08 ===============

DDS.txt

Attach.txt

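In the Pseudo HJT Report above, the two uRun entries that hand a DLL under C:\Users\John\AppData\Roaming to rundll32.exe (apcnap.dll and uetrn.dll) are the lines a triage analyst looks at first: a per-user autorun that loads code from a directory any unprivileged process can write to, with a file that was created only days earlier according to the "Created Last 30" section. The script below is an added example, not part of this thread and not from the DDS or ComboFix tools. It parses the uRun/mRun lines of a DDS report and, going a step beyond this post, also the "name"="command" [date size] lines under a Run key in a ComboFix "Reg Loading Points" dump, then flags entries whose rundll32-hosted DLL or whose executable sits under the user's AppData or a Temp directory. The sample lines are copied from the logs in this thread, except the final "Updater" entry, which is constructed to show the plain .exe case.

```python
"""Flag autorun entries that load code from a user-writable profile directory.

Added example, not part of this thread or of the DDS/ComboFix tools. It parses the
`uRun:`/`mRun:` lines of a DDS "Pseudo HJT Report" and the `"name"="command" [...]`
lines under a Run key in a ComboFix "Reg Loading Points" dump, then flags entries
whose rundll32-hosted DLL or whose executable sits under the user's AppData or a
Temp directory: paths any user-level process can write to, which is where the
apcnap.dll and uetrn.dll loaders in this thread live.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DDS Pseudo HJT format:   uRun: [name] command   (also mRun:, uRun-x64:, mRun-x64:)
DDS_RUN_RE = re.compile(r'^(?P<hive>[um]Run(?:-x64)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# ComboFix REGEDIT4 format: "name"="command" [date size]
CF_RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]+)"(?: \[[^\]]*\])?$')
# rundll32 <dll>,<export>, with or without quotes around either path
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,', re.IGNORECASE)
# Per-user locations that need no elevation to write to. ProgramData is left out
# because legitimate installers (FLEXnet, in this thread) also start from there.
USER_WRITABLE_RE = re.compile(
    r'\\Users\\[^\\]+\\AppData\\(?:Roaming|Local|LocalLow)\\|\\Temp\\', re.IGNORECASE)


@dataclass
class RunEntry:
    source: str      # 'dds' or 'combofix'
    name: str        # value name shown in [brackets] or "quotes"
    command: str     # the command line the autorun executes

    @property
    def rundll32_module(self) -> Optional[str]:
        """Path of the DLL handed to rundll32, or None if this is not a rundll32 host."""
        m = RUNDLL_RE.search(self.command)
        return m.group(1) if m else None

    @property
    def executable(self) -> Optional[str]:
        """Path of the program the command starts (first .exe, quoted or not)."""
        m = re.match(r'^"?([^"]+?\.exe)"?', self.command, re.IGNORECASE)
        return m.group(1) if m else None


def parse_run_entries(text: str) -> List[RunEntry]:
    """Collect Run-key entries from DDS and ComboFix output; other lines are ignored."""
    entries: List[RunEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DDS_RUN_RE.match(line)
        if m:
            entries.append(RunEntry('dds', m['name'], m['cmd']))
            continue
        m = CF_RUN_RE.match(line)
        if m:
            entries.append(RunEntry('combofix', m['name'], m['cmd']))
    return entries


def assess(entry: RunEntry) -> Optional[str]:
    """Return a one-line reason when the entry looks like profile-resident persistence."""
    dll = entry.rundll32_module
    if dll and USER_WRITABLE_RE.search(dll):
        return f'rundll32 loads {dll} from a user-writable directory'
    exe = entry.executable
    if exe and USER_WRITABLE_RE.search(exe):
        return f'autorun executable {exe} lives in a user-writable directory'
    return None


def find_suspicious(text: str) -> List[Tuple[str, str]]:
    """(value name, reason) for every flagged Run entry, in log order."""
    hits = []
    for entry in parse_run_entries(text):
        reason = assess(entry)
        if reason:
            hits.append((entry.name, reason))
    return hits


# Sample input: lines copied from the DDS and ComboFix logs in this thread, plus one
# constructed "Updater" entry (not from the thread) to show the plain-.exe case.
SAMPLE_LOG = r"""
uRun: [iSUSPM] "C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe" -scheduler
uRun: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [apcnap] rundll32.exe "C:\Users\John\AppData\Roaming\apcnap.dll",PSTSetNewData
uRun: [uetrn] "C:\Windows\System32\rundll32.exe" "C:\Users\John\AppData\Roaming\uetrn.dll",AnyFile
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"Updater"="C:\Users\John\AppData\Local\Temp\updater.exe" [2012-09-01 4096]
"""

if __name__ == '__main__':
    for name, reason in find_suspicious(SAMPLE_LOG):
        print(f'[{name}] {reason}')
```

The heuristic is deliberately narrow: it flags location, not content, so a hit means "look at this file" (hash it, check its creation date against the "Created Last 30" section, submit it for scanning as the helper asks below), not "this is malware". Legitimate per-user installers such as the FLEXnet scheduler in this log start from ProgramData, which is why that directory is excluded here.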

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

C:\Users\John\AppData\Roaming\uetrn.dll

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

Do the same for:

C:\Users\John\AppData\Roaming\apcnap.dll

If virustotal is too busy you can try these.

http://virusscan.jotti.org

http://www.kaspersky...anforvirus.html


Thanks a bunch for the help. Here's the log for C:\Users\John\AppData\Roaming\uetrn.dll. I can't find the file for C:\Users\John\AppData\Roaming\apcnap.dll; MalwareBytes says that it quarantined this file. Do I need to look somewhere else for it? Neither showed up when I searched for them in the Start menu.

Thanks again.

SHA256: 4df4e7124dada82e1360b35b779ac4be9190600285ebf5b42c693fd262a43754
SHA1: b84fd2bff483c6d50d52fb15fd9977a9c8b09092
MD5: 314dac373927cbbb27d67b75e7f94e55
File size: 1.5 MB ( 1606144 bytes )
File name: uetrn.dll
File type: Win32 DLL
Detection ratio: 5 / 42
Analysis date: 2012-09-06 01:24:27 UTC ( 0 minutes ago )

Antivirus               Result                          Update
AhnLab-V3               -                               20120905
AntiVir                 -                               20120906
Antiy-AVL               -                               20120905
Avast                   -                               20120905
AVG                     -                               20120906
BitDefender             -                               20120906
ByteHero                -                               20120831
CAT-QuickHeal           -                               20120905
ClamAV                  -                               20120906
Commtouch               -                               20120906
Comodo                  TrojWare.Win32.Agent.RXKO       20120905
DrWeb                   Trojan.Packed                   20120906
Emsisoft                -                               20120906
eSafe                   -                               20120904
ESET-NOD32              a variant of Win32/Medfos.DC    20120905
F-Prot                  -                               20120906
F-Secure                -                               20120906
Fortinet                W32/Medfos.BLA!tr               20120830
GData                   -                               20120906
Ikarus                  -                               20120906
Jiangmin                -                               20120905
K7AntiVirus             -                               20120905
Kaspersky               HEUR:Trojan.Win32.Generic       20120905
McAfee                  -                               20120906
McAfee-GW-Edition       -                               20120905
Microsoft               -                               20120906
Norman                  -                               20120905
nProtect                -                               20120905
Panda                   -                               20120905
PCTools                 -                               20120905
Rising                  -                               20120905
Sophos                  -                               20120906
SUPERAntiSpyware        -                               20120905
Symantec                -                               20120906
TheHacker               -                               20120905
TotalDefense            -                               20120905
TrendMicro              -                               20120906
TrendMicro-HouseCall    -                               20120906
VBA32                   -                               20120905
VIPRE                   -                               20120905
ViRobot                 -                               20120905
VirusBuster             -                               20120905

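When a VirusTotal summary is copied out of the browser it usually arrives as one flattened line like the one in the post above, which makes the 5 / 42 figure hard to check by eye and hides the one thing that matters for triage: whether the engines that fired agree on a family (here ESET-NOD32 and Fortinet both say Medfos). The script below is an added example, not from this thread and not from VirusTotal; it rebuilds the flattened "Antivirus Result Update" text into rows, recomputes the detection ratio, and lists the detecting engines with their labels. The summary string is copied verbatim from the post.

```python
"""Rebuild a flattened VirusTotal 'Antivirus / Result / Update' paste into rows.

Added example, not from this thread or from VirusTotal. The summary text below is
copied verbatim from the post above (42 engines, 5 detections of uetrn.dll).
Parsing rule: engine names contain no spaces and every row ends with an 8-digit
update date, so a row is <engine> <label tokens...> <YYYYMMDD>; a label of "-"
means the engine reported nothing, while a real label may itself contain spaces
("a variant of Win32/Medfos.DC").
"""
import re
from typing import List, Optional, Tuple

DATE_RE = re.compile(r'^\d{8}$')

Row = Tuple[str, Optional[str], str]   # (engine, label or None, update date)

VT_SUMMARY = (
    "Antivirus Result Update AhnLab-V3 - 20120905 AntiVir - 20120906 Antiy-AVL - 20120905 "
    "Avast - 20120905 AVG - 20120906 BitDefender - 20120906 ByteHero - 20120831 "
    "CAT-QuickHeal - 20120905 ClamAV - 20120906 Commtouch - 20120906 "
    "Comodo TrojWare.Win32.Agent.RXKO 20120905 DrWeb Trojan.Packed 20120906 "
    "Emsisoft - 20120906 eSafe - 20120904 ESET-NOD32 a variant of Win32/Medfos.DC 20120905 "
    "F-Prot - 20120906 F-Secure - 20120906 Fortinet W32/Medfos.BLA!tr 20120830 "
    "GData - 20120906 Ikarus - 20120906 Jiangmin - 20120905 K7AntiVirus - 20120905 "
    "Kaspersky HEUR:Trojan.Win32.Generic 20120905 McAfee - 20120906 "
    "McAfee-GW-Edition - 20120905 Microsoft - 20120906 Norman - 20120905 "
    "nProtect - 20120905 Panda - 20120905 PCTools - 20120905 Rising - 20120905 "
    "Sophos - 20120906 SUPERAntiSpyware - 20120905 Symantec - 20120906 "
    "TheHacker - 20120905 TotalDefense - 20120905 TrendMicro - 20120906 "
    "TrendMicro-HouseCall - 20120906 VBA32 - 20120905 VIPRE - 20120905 "
    "ViRobot - 20120905 VirusBuster - 20120905"
)


def parse_vt_table(flat: str) -> List[Row]:
    """Split the flattened paste into (engine, label, date) rows."""
    tokens = flat.split()
    if tokens[:3] == ['Antivirus', 'Result', 'Update']:   # drop the column header
        tokens = tokens[3:]
    rows: List[Row] = []
    i = 0
    while i < len(tokens):
        engine = tokens[i]
        j = i + 1
        while j < len(tokens) and not DATE_RE.match(tokens[j]):   # scan to the row's date
            j += 1
        if j >= len(tokens):
            raise ValueError(f'row for {engine!r} has no update date; paste is truncated')
        label = ' '.join(tokens[i + 1:j])
        rows.append((engine, None if label == '-' else label, tokens[j]))
        i = j + 1
    return rows


def detection_ratio(rows: List[Row]) -> Tuple[int, int]:
    """(engines that reported a label, engines that scanned), i.e. VirusTotal's N / M."""
    return sum(1 for _, label, _ in rows if label), len(rows)


def detecting_engines(rows: List[Row]) -> List[Tuple[str, str]]:
    """Only the engines that fired, with their labels, in the order they were listed."""
    return [(engine, label) for engine, label, _ in rows if label]


def engines_labelling(rows: List[Row], family: str) -> List[str]:
    """Engines whose label mentions a family name (case-insensitive substring match)."""
    return [engine for engine, label, _ in rows if label and family.lower() in label.lower()]


if __name__ == '__main__':
    rows = parse_vt_table(VT_SUMMARY)
    hits, total = detection_ratio(rows)
    print(f'detection ratio: {hits} / {total}')
    for engine, label in detecting_engines(rows):
        print(f'  {engine:<20} {label}')
    print('engines naming Medfos:', engines_labelling(rows, 'Medfos'))
```

Two of the five labels are generic (Trojan.Packed, HEUR:Trojan.Win32.Generic) and tell you only that the file is packed or heuristically suspicious; the two Medfos labels plus the file's location (a DLL in AppData\Roaming loaded by rundll32 at logon) are what justify treating it as the infection rather than a false positive. The parser raises on a truncated paste instead of silently reporting a lower ratio, since a cut-off last row is exactly what happened to the VirusBuster line in the post above.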

Let's do this.

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from this link

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


I ran ComboFix, but when my computer restarted after running ComboFix nothing will open now. No programs will open, not Internet Explorer, Notepad, Paint, etc.; they all say 'Illegal operation attempted on a registry key that has been marked for deletion'. Right now I'm using my laptop to post this. I think this is the second time that ComboFix has jacked up my computer; the first time I think I had to boot Windows 7 from the installation DVD to run System Restore because my computer kept on randomly restarting after running ComboFix.

Thanks again for the help.

--------------------------------------------------------------

ComboFix 12-09-06.02 - John 09/06/2012 17:12:56.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.2981 [GMT -5:00]

Running from: c:\users\John\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\40H77AFF9sGbSO

c:\programdata\dsgsdgdsgdsgw.pad

c:\users\John\AppData\Roaming\uetrn.dll

c:\users\John\g2mdlhlpx.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-08-06 to 2012-09-06 )))))))))))))))))))))))))))))))

.

.

2012-09-06 21:53 . 2012-08-25 02:01 883864 ----a-w- c:\program files (x86)\Mozilla Firefox\uninstall\helper.exe

2012-09-06 15:32 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1ED96D5B-B9B3-4340-A43A-4B77781B0F1B}\mpengine.dll

2012-09-05 10:39 . 2012-09-05 10:58 -------- d-----w- c:\users\John\AppData\Roaming\Skype

2012-09-05 10:37 . 2012-09-05 10:37 -------- d-----w- c:\program files (x86)\Common Files\Skype

2012-09-05 10:37 . 2012-09-05 10:37 -------- d-----r- c:\program files (x86)\Skype

2012-09-05 10:37 . 2012-09-05 10:39 -------- d-----w- c:\programdata\Skype

2012-09-05 01:52 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-09-01 01:13 . 2012-09-01 01:13 -------- d-----w- c:\users\John\AppData\Local\{2F5FF353-F3D2-11E1-8270-B8AC6F996F26}

2012-08-20 18:14 . 2012-09-06 22:04 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2012-08-20 18:14 . 2012-08-20 18:16 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy

2012-08-15 13:00 . 2012-06-16 05:15 911360 ----a-w- c:\windows\system32\jscript.dll

2012-08-15 13:00 . 2012-06-16 05:16 609792 ----a-w- c:\windows\system32\vbscript.dll

2012-08-15 13:00 . 2012-06-16 04:26 428032 ----a-w- c:\windows\SysWow64\vbscript.dll

2012-08-15 13:00 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll

2012-08-15 13:00 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll

2012-08-15 13:00 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll

2012-08-15 13:00 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll

2012-08-13 17:28 . 2012-08-13 17:28 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{50D75D90-49B6-4348-87E5-8487E4EACD3E}\gapaengine.dll

2012-08-12 04:10 . 2012-08-12 04:10 -------- d-----w- c:\windows\system32\SPReview

2012-08-12 04:09 . 2012-08-12 04:09 -------- d-----w- c:\windows\system32\EventProviders

2012-08-11 07:07 . 2012-08-11 07:07 328704 ----a-w- c:\windows\system32\services.exe.8ECD608AF9133C10

2012-08-11 05:32 . 2012-08-20 15:53 -------- d-----w- c:\users\John\AppData\Roaming\SUPERAntiSpyware.com

2012-08-11 05:31 . 2012-08-12 02:48 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-08-11 05:31 . 2012-08-11 05:31 -------- d--h--w- c:\programdata\SUPERAntiSpyware.com

2012-08-11 01:50 . 2012-08-11 01:50 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-08-11 01:49 . 2012-08-12 02:43 -------- d--h--w- c:\users\John\AppData\Local\{9B7E5494-E356-11E1-8270-B8AC6F996F26}

2012-08-11 01:48 . 2012-08-12 02:43 -------- d--h--w- c:\programdata\0C1CFB130008C96702A766874F147CE7

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-16 08:00 . 2011-02-19 21:06 62134624 ----a-w- c:\windows\system32\MRT.exe

2012-08-12 04:21 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll

2012-08-12 04:21 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll

2012-08-04 15:34 . 2012-04-19 18:30 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-08-04 15:34 . 2011-06-04 06:31 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-08 23:29 . 2012-07-08 23:29 10063024 ----a-w- C:\mbam-setup.exe

2012-07-08 23:24 . 2012-07-08 23:24 457632 ----a-w- C:\FixExec.exe

2012-07-03 18:46 . 2012-07-08 23:33 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-24 00:28 . 2012-06-24 00:28 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2012-06-09 05:43 . 2012-07-10 20:33 14172672 ----a-w- c:\windows\system32\shell32.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

.

c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]

R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2010-07-30 25072]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-19 1255736]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-03-04 55856]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]

S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]

S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [2009-08-17 117568]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-08-21 320040]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-28 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\Dell Support Center\uaclauncher.exe [2010-08-05 23:47]

.

2012-09-06 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\Dell Support Center\pcdrcui.exe [2010-08-05 23:47]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-09-12 8114720]

"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2010-05-20 206336]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\tvgwncf2.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/cse?cx=partner-pub-3540673482024757:xbhdw8hkfz5&ie=ISO-8859-1&q=&sa=Search

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKCU-Run-ISUSPM - c:\programdata\FLEXnet\Connect\11\ISUSPM.exe

Wow6432Node-HKCU-Run-apcnap - c:\users\John\AppData\Roaming\apcnap.dll

Wow6432Node-HKCU-Run-uetrn - c:\users\John\AppData\Roaming\uetrn.dll

Toolbar-Locked - (no file)

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]

"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-09-06 17:24:05 - machine was rebooted

ComboFix-quarantined-files.txt 2012-09-06 22:24

.

Pre-Run: 83,102,760,960 bytes free

Post-Run: 83,030,695,936 bytes free

.

- - End Of File - - 975972A9556686BF27A63B8FBF3CCA6E

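A small triage script for the log above, added here as an example (it is not ComboFix's output, nor a Malwarebytes or forum tool). It parses the listing, Run-value, removed-orphan and service line shapes that appear in the log and flags two things a responder checks first: startup entries that launch from user-writable locations or name a bare DLL (the HKCU Run orphans `apcnap` and `uetrn` under `AppData\Roaming` have exactly that shape), and hidden directories whose names carry no meaning (32 hex characters, a bare GUID, or a literal `%APPDATA%` under `SysWow64`). The attribute-column decoding and the `-Run-` orphan format are inferred from this log's own lines; the path lists and name patterns are the example's own heuristics, not anything the thread states, and a flag means "look at this", not "this is malware".

```python
"""Triage ComboFix-style log lines (added example, not ComboFix's or Malwarebytes' code).
Handles the listing, Run-value, removed-orphan and service line shapes that occur in
the log above; SAMPLE at the bottom holds one of each, copied from it."""
import re
from dataclasses import dataclass

LISTING = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d +"
                     r"(?:-{8}|\d+) ([-a-z]{8}) (.+)$")          # size, attrs, path
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"(?: \[[^\]]*\])?$')  # "name"="path" [date size]
ORPHAN = re.compile(r"^(\S*-Run-\S+) - (.+)$")                    # Wow6432Node-HKCU-Run-x - path
SERVICE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.+?)(?: \[[^\]]*\])?$")  # S2 name;display;path

# Directory names that say nothing about who created them (heuristic, this example's own).
NON_DESCRIPTIVE = (
    re.compile(r"^[0-9a-f]{32}$", re.I),        # 32 hex characters
    re.compile(r"^\{[0-9a-f-]{36}\}$", re.I),   # a bare {GUID}
    re.compile(r"^%[^%\\]+%$"),                 # a literal, unexpanded %VAR%
)
# Paths a standard user can write to; vendor installers do not register startup
# entries here, while droppers running as the user usually have nowhere else.
PROFILE_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                    "\\users\\public\\", "\\windows\\temp\\")

@dataclass(frozen=True)
class Finding:
    kind: str        # "autorun" or "hidden-dir"
    target: str      # path the finding is about
    reasons: tuple   # why it was flagged
    line: str        # the log line it came from

def decode_attrs(col):
    """Decode the 8-char attribute column. Positions are inferred from the log's own
    lines ('d-sh--w-', 'd--h--w-', '----a-w-'): 0=d directory, 2=s system, 3=h hidden,
    4=a archive, 6=w writable / r read-only. Other positions are not interpreted."""
    return {"directory": col[0] == "d", "system": col[2] == "s", "hidden": col[3] == "h",
            "archive": col[4] == "a", "read_only": col[6] == "r"}

def autorun_reasons(target):
    low, reasons = target.lower(), []
    if any(p in low for p in PROFILE_WRITABLE):
        reasons.append("launches from a user-writable profile or temp directory")
    elif "\\programdata\\" in low:
        reasons.append("launches from ProgramData (some updaters do; verify the signer)")
    if low.endswith(".dll"):
        reasons.append("startup entry names a DLL, which cannot run on its own")
    return reasons

def hidden_dir_reasons(attrs, path):
    base = path.rstrip("\\").rsplit("\\", 1)[-1]
    if not (attrs["directory"] and attrs["hidden"]
            and any(rx.match(base) for rx in NON_DESCRIPTIVE)):
        return []
    reasons = ["hidden directory with a non-descriptive name"]
    if attrs["system"]:
        reasons.append("system attribute set: Explorer keeps it invisible even with "
                       "'show hidden files' on, until 'hide protected OS files' is cleared")
    if base.startswith("%") and "\\windows\\" in path.lower():
        reasons.append("literal %VAR% under \\Windows: an unexpanded path, not a Windows default")
    return reasons

def triage(log_text):
    """Return a Finding for every flagged line in log_text; clean lines yield nothing."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        m = LISTING.match(line)
        if m:
            reasons = hidden_dir_reasons(decode_attrs(m.group(1)), m.group(2))
            if reasons:
                findings.append(Finding("hidden-dir", m.group(2), tuple(reasons), line))
            continue
        for rx in (RUN_VALUE, ORPHAN, SERVICE):
            m = rx.match(line)
            if m:
                reasons = autorun_reasons(m.group(2))
                if reasons:
                    findings.append(Finding("autorun", m.group(2), tuple(reasons), line))
                break
    return findings

# Constructed sample: a subset of lines copied verbatim from the log above.
SAMPLE = r"""
2012-08-11 05:31 . 2012-08-11 05:31 -------- d--h--w- c:\programdata\SUPERAntiSpyware.com
2012-08-11 01:50 . 2012-08-11 01:50 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-08-11 01:49 . 2012-08-12 02:43 -------- d--h--w- c:\users\John\AppData\Local\{9B7E5494-E356-11E1-8270-B8AC6F996F26}
2012-08-11 01:48 . 2012-08-12 02:43 -------- d--h--w- c:\programdata\0C1CFB130008C96702A766874F147CE7
2012-08-16 08:00 . 2011-02-19 21:06 62134624 ----a-w- c:\windows\system32\MRT.exe
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
Wow6432Node-HKCU-Run-ISUSPM - c:\programdata\FLEXnet\Connect\11\ISUSPM.exe
Wow6432Node-HKCU-Run-apcnap - c:\users\John\AppData\Roaming\apcnap.dll
Wow6432Node-HKCU-Run-uetrn - c:\users\John\AppData\Roaming\uetrn.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.kind}] {f.target}\n    " + "\n    ".join(f.reasons))
```

Run as a script it prints the six flagged targets from the sample with their reasons; to triage a full log, call `triage(open(path, encoding="utf-8", errors="replace").read())`. The hidden-plus-system case matters for the rest of this thread: such directories stay out of sight in Explorer until "Hide protected operating system files" is unticked, which is why a responder reads them from a log rather than relying on what the folder view shows.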

Ahh, sweet relief, thank you so much. Everything works now. It's funny, I was feeling gut-checked the whole time, thinking I was going to have to do some big to-do to get my system restored, and then I thought 'maybe just a restart will work', but I didn't want to do anything without instructions, so thanks again.

One other question, if possible: the last virus I got made all my folders translucent or whatever, and I don't know how to get them back to normal. I think I remember there being a system-wide way to do it, but does that also do folders that should or shouldn't be hidden, like system files? Which do I want: read-only or not, plus hidden or not? Sorry I didn't say anything about it earlier; from what I remembered of the last time it happened, I thought it was only the read-only part that was affected, and I didn't realize hidden was selected too. Did that possibly affect the ComboFix and DDS logs? Sorry again if I mucked things up.


One more question: is there any way I can get one-on-one support? This is my father's computer, and having to wait hours and hours between replies (which can end up being days) might not be appreciated if there's something he needs to do. Also, I don't think it's a hard drive failure, as I opened BitTorrent to keep the computer from sleeping during a Malwarebytes scan and the files are being seeded; plus the computer is a desktop and is only a year or two old, so it's not some ancient HD or one that has been dropped and/or abused like laptop HDs can be. Thanks again.


Last note: I think it might have happened after uninstalling ComboFix, because I don't remember stuff being missing after running ComboFix; I was asking about hidden files and folders right after running ComboFix. So it's possible that it only happened after uninstalling ComboFix. Thanks again.


Ok, I got some help and ran Unhide, and the problem is fixed. One last question that I would like to ask, if possible: Malwarebytes seems to take a long time to load now, like a couple of minutes or something. It loads a long time after my other programs, and I deliberately don't have a lot of stuff running on startup. Should I uninstall MB and then reinstall it? I remember back when I had McAfee it developed some sort of conflict along the way that made it really slow; has anyone reported similar issues with MB? Thanks again for all the help, I appreciate it very much. You guys are great.


Sorry, my work schedule here is M-F.

When you run Unhide, it does unhide system files/folders that need to remain hidden.

First we need to re-hide hidden/system files so they don't get deleted.

To re-hide those files:

  • Click on My Computer from your desktop, and from the menu click on Tools and then Folder Options.
    http://www.online-tech-tips.com/wp-content/uploads/2007/07/toolsfolderoptions.png
  • Click on the View tab and under the Hidden Files and Folders section, choose the radio button that says “Do not show hidden files and folders”.
    http://www.online-tech-tips.com/wp-content/uploads/2007/07/folderoptions.png
  • Click OK to save the changes.

As for the reinstall of MBAM:

Note: If using the paid Pro version, you will need to reactivate the program using the license you were sent via email, as this process will clear all Malwarebytes program files, logs, and registry settings from your computer.

If you no longer have access to your order number, you can contact Cleverbridge to obtain information about your order and registration.

Cleverbridge customer service

https://store.malwarebytes.org/342/?scope=cuseco

We are going to perform a clean install, please follow these steps:

Step 1: Run the clean up tool and allow a reboot when prompted.

xxxx link removed xxxx

Step 2: Install Malwarebytes' Anti-Malware by following the link below.

http://downloads.malwarebytes.org/file/mbam

Save the file and double-click it to begin the installation, selecting the options you want when presented.

Once opened, click on the 'Activate' button in the lower-left corner, and enter your ID and key.

Post updated [02/12/2021 - AdvancedSetup]

The following MBST tool should be used to perform a clean removal and reinstall:

https://support.malwarebytes.com/hc/en-us/articles/360039023473-Uninstall-and-reinstall-using-the-Malwarebytes-Support-Tool



Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
