Malwarebytes blocked, Chameleon doesn't seem to work

gail33 · March 27, 2013

Malware finds 1 object, and the program becomes unresponsive after scanning about 120,000 files (quick scan) / about 211,000 files (full scan). I ran Chameleon and the DOS window opened in 4 tests. Each test wanted to connect online (couldn't because I was offline), and then would show PROGRAM_ERROR_UPDATING (0,0,No address found). In task manager it showed the Chameleon program running, but even after 15/20 minutes there was no change in the PROGRAM_ERROR... message. Does Chameleon need to run longer? And while trying to shut down Malwarebytes in Task Manager, I found 2 process files running that I couldn't get information on: atiedxx.exe and csrss.exe I don't know if that's important or not. I hope someone has the time to help me. Because I have slow/limited internet access I have to go to town to the library or McDonalds for wifi and faster access. I also am not computer savvy, so if someone can help me he/she will have to explain things (such as how to post logs.) Thank you, gail

Maurice Naggar · March 29, 2013

Hello Gail and welcome to MalwareBytes forum.

We must have some logs before we get going.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Please download Rkill by Grinler and save it to your desktop.

Link 2
Link 3
Link 4
Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL

IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

When all done, rkill.txt log file will be on your desktop. Copy & Paste contents of Rkill.txt into a reply.

More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html

Download DDS and save it to your desktop from http://download.bleepingcomputer.com/sUBs/dds.com here

or http://download.bleepingcomputer.com/sUBs/dds.scr or

http://www.infospyware.net/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

On Vista/ Windows 7/ Windows 8 do a RIGHT-click on dds and select Run As Administrator :excl:

On Windows XP double click dds to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

Follow and answer the prompts as appropriate.

When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop.

Please Copy & Paste contents of the following logs in your next reply:
DDS.txt
Attach.txt

Download & SAVE to your Desktop Tigzy's RogueKiller >> from here << or
>> from here <<
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7 / 8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on Scan button at upper right of screen.
Wait until the Status box shows "Scan Finished"
Click on Report and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Do NOT press any Fix button.
Exit/Close RogueKiller

gail33 · March 30, 2013

Hi Maurice and thank you so much for responding.

Link3 on the Rkill file was unable to download, a "not found" page if I remember correctly. I ran the Rkill (1st link,

no number) and got the following report. I did not run RKill links 2 or 3. I hope I did this part correctly.

As soon as you tell me everything is okay I plan on buying Malwarebytes Pro so I never have to go through

this again! Thank you so much, gail

--------------------------

Rkill 2.4.7 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/29/2013 03:37:18 PM in x64 mode.

Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Windows\SysWOW64\ezSharedSvcHost.exe (PID: 1576) [sFI]

1 proccess terminated!

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:

C:\Users\gs\Desktop\rkill\rkill-03-29-2013-03-37-23.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 03/29/2013 03:37:42 PM

Execution time: 0 hours(s), 0 minute(s), and 24 seconds(s)

-----------------------------------------

DDS.txt log:

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16470

Run by gs at 15:45:31 on 2013-03-29

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3691.2165 [GMT -5:00]

.

AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\IDT\WDM\STacSV64.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\atieclxx.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe

C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe

C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe

C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe

C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\IDT\WDM\sttray64.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\regsvr32.exe

C:\Windows\SysWOW64\regsvr32.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe

C:\Windows\system32\svchost.exe -k HPService

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\System32\Notepad.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.1.14\coieplg.dll

BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.1.14\ips\ipsbho.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll

TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.9.1.14\coieplg.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [Diagnostics] rundll32.exe "C:\Users\gs\AppData\Local\Google\Diagnostics\vevyhjerp.dll",DllRegisterServer

uRun: [CyberLink] rundll32.exe "C:\Users\gs\AppData\Local\Temp\",CreateInstance

uRun: [{EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}] rundll32 "C:\Users\gs\AppData\Local\{E7D4159C-9B1F-4642-8FF8-65410CAFFE96}\{EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}\zswjzgft.dll",DllRegisterServerW

uRun: [sprint] regsvr32.exe C:\Users\gs\AppData\Local\Sprint\dwwvzyaj.dll

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe

mRun: [sprint SmartView] "C:\Program Files (x86)\Sprint\Sprint SmartView\SprintSV.exe" -a

mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: EnableShellExecuteHooks = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: HideFastUserSwitching = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab

TCP: NameServer = 192.168.6.1 64.134.255.2 64.134.255.10

TCP: Interfaces\{C3FCEEB3-B541-4449-815B-92E90456AAED} : DHCPNameServer = 192.168.6.1 64.134.255.2 64.134.255.10

TCP: Interfaces\{C3FCEEB3-B541-4449-815B-92E90456AAED}\075726C69636C6962627162797 : DHCPNameServer = 8.8.8.8 8.8.4.4

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe

x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

x64-DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2011-1-28 77952]

R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2011-1-28 38016]

R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NISx64\1309010.00E\symds64.sys [2013-2-5 451192]

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1309010.00E\symefa64.sys [2013-2-5 1129120]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.0.9\Definitions\BASHDefs\20130322.001\BHDrvx64.sys [2013-3-21 1387608]

R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\System32\drivers\NISx64\1309010.00E\ccsetx64.sys [2013-2-5 167072]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.0.9\Definitions\IPSDefs\20130328.001\IDSviA64.sys [2013-3-29 513184]

R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\NISx64\1309010.00E\ironx64.sys [2013-2-5 190072]

R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\NISx64\1309010.00E\symnets.sys [2013-2-5 405624]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-2-28 203776]

R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-2-28 354304]

R2 AMD Reservation Manager;AMD Reservation Manager;C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-6-17 194496]

R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-9-27 86528]

R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]

R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2012-2-15 34872]

R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-6-28 2375168]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-10-12 398184]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-10-12 682344]

R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\19.9.1.14\ccsvchst.exe [2013-2-5 138272]

R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]

R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2011-6-28 46136]

R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2010-7-28 31088]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-3-19 138912]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-5-30 24176]

R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2011-6-28 1492992]

R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2011-6-28 335464]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-28 436840]

R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2011-6-28 44672]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 ezSharedSvc;Easybits Services for Windows;C:\Windows\System32\ezSharedSvcHost.exe --> C:\Windows\System32\ezSharedSvcHost.exe [?]

S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-1 183560]

S3 CASprint;Sprint Con App Svc;C:\Program Files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe [2008-10-15 124160]

S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

S3 hpCMSrv;HP Connection Manager 4.0 Service;C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-2-15 1071160]

S3 mbamchameleon;mbamchameleon;C:\Windows\System32\drivers\mbamchameleon.sys [2013-3-26 36680]

S3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;C:\Windows\System32\PCTINDIS5X64.sys [2008-10-15 43032]

S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]

S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]

S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-8-15 1255736]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2013-03-27 03:18:52 36680 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys

2013-03-19 18:03:36 9162192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{51C2F1BC-AE4F-4219-8A2E-F733F8F1E353}\mpengine.dll

2013-03-19 17:38:59 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys

.

==================== Find3M ====================

.

2013-03-27 03:17:42 218184 ----a-w- C:\Users\gs\winlogon.exe

2013-03-27 03:17:42 218184 ----a-w- C:\Users\gs\svchost.exe

2013-03-27 03:17:41 218184 ----a-w- C:\Users\gs\rundll32.exe

2013-03-27 03:17:40 218184 ----a-w- C:\Users\gs\mbam-chameleon.scr

2013-03-27 03:17:40 218184 ----a-w- C:\Users\gs\mbam-chameleon.pif

2013-03-27 03:17:39 218184 ----a-w- C:\Users\gs\mbam-chameleon.exe

2013-03-27 03:17:39 218184 ----a-w- C:\Users\gs\mbam-chameleon.com

2013-03-27 03:17:39 218184 ----a-w- C:\Users\gs\iexplore.exe

2013-03-27 03:17:37 218184 ----a-w- C:\Users\gs\firefox.scr

2013-03-27 03:17:37 218184 ----a-w- C:\Users\gs\firefox.pif

2013-03-27 03:17:33 218184 ----a-w- C:\Users\gs\firefox.exe

2013-03-27 03:17:32 218184 ----a-w- C:\Users\gs\firefox.com

2013-03-16 00:49:40 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-03-16 00:49:40 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-02-12 05:45:24 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2013-02-12 05:45:22 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2013-02-12 05:45:22 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll

2013-02-12 05:45:22 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll

2013-02-12 04:48:31 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll

2013-02-12 04:48:26 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll

2013-02-02 06:57:02 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2013-02-02 06:47:24 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2013-02-02 06:47:19 1392128 ----a-w- C:\Windows\System32\wininet.dll

2013-02-02 06:42:18 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2013-02-02 06:41:51 599040 ----a-w- C:\Windows\System32\vbscript.dll

2013-02-02 06:38:01 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2013-02-02 03:38:35 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2013-02-02 03:30:32 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2013-02-02 03:30:21 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2013-02-02 03:26:47 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2013-02-02 03:26:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2013-02-02 03:23:28 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2013-01-17 07:28:58 273840 ------w- C:\Windows\System32\MpSigStub.exe

2013-01-15 22:56:10 477616 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll

2013-01-15 22:56:07 473520 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2013-01-05 05:53:43 5553512 ----a-w- C:\Windows\System32\ntoskrnl.exe

2013-01-05 05:00:15 3967848 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2013-01-05 05:00:11 3913064 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2013-01-04 05:46:09 215040 ----a-w- C:\Windows\System32\winsrv.dll

2013-01-04 04:51:16 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2013-01-04 04:43:21 44032 ----a-w- C:\Windows\apppatch\acwow64.dll

2013-01-04 03:26:48 3153408 ----a-w- C:\Windows\System32\win32k.sys

2013-01-04 02:47:35 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2013-01-04 02:47:34 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2013-01-04 02:47:34 2048 ----a-w- C:\Windows\SysWow64\user.exe

2013-01-04 02:47:33 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2013-01-03 06:00:54 1913192 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2013-01-03 06:00:42 288088 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS

.

============= FINISH: 15:46:18.05 ===============

DDS Attach.bt report:

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 8/13/2011 10:35:41 PM

System Uptime: 3/29/2013 3:19:36 PM (0 hours ago)

.

Motherboard: Hewlett-Packard | | 1699

Processor: AMD E-350 Processor | Socket FT1 | 1600/100mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 451 GiB total, 406.468 GiB free.

D: is FIXED (NTFS) - 15 GiB total, 1.631 GiB free.

E: is CDROM ()

G: is FIXED (FAT32) - 0 GiB total, 0.089 GiB free.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP219: 2/14/2013 3:53:11 PM - Windows Update

RP220: 2/14/2013 4:44:22 PM - Windows Update

RP221: 2/19/2013 12:12:48 AM - Windows Update

RP222: 2/22/2013 11:02:41 PM - Windows Update

RP223: 2/26/2013 11:24:33 AM - Windows Update

RP224: 3/1/2013 1:20:48 PM - Windows Update

RP225: 3/5/2013 1:08:19 PM - Windows Update

RP226: 3/12/2013 8:22:33 AM - Windows Update

RP227: 3/14/2013 8:50:31 AM - Windows Update

RP228: 3/15/2013 8:55:11 AM - Windows Update

RP229: 3/18/2013 11:56:15 AM - Windows Update

RP230: 3/20/2013 9:06:56 AM - Windows Update

.

==== Installed Programs ======================

.

Adobe Flash Player 11 ActiveX

Adobe Reader X MUI

Adobe Shockwave Player 11.5

Agatha Christie - Peril at End House

AMD Fuel

ATI Catalyst Install Manager

Bejeweled 2 Deluxe

Bing Bar

Blasterball 3

Blio

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-core-static

ccc-utility64

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

CyberLink YouCam

D3DX10

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Energy Star Digital Logo

ESU for Microsoft Windows 7

Evernote v. 4.2.2

Farm Frenzy

Hewlett-Packard ACLM.NET v1.2.1.1

HP Auto

HP Client Services

HP Connection Manager

HP Customer Experience Enhancements

HP Documentation

HP Games

HP MovieStore

HP On Screen Display

HP Power Manager

HP Quick Launch

HP Setup

HP Setup Manager

HP Software Framework

HP Support Assistant

IDT Audio

Java Auto Updater

Java 6 Update 24 (64-bit)

Java 6 Update 39

Junk Mail filter update

Malwarebytes Anti-Malware version 1.70.0.1100

Mesh Runtime

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Home and Student 2010

Microsoft Office Office 64-bit Components 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared 64-bit MUI (English) 2010

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Single Image 2010

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft WSE 3.0 Runtime

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Namco All-Stars PAC-MAN

Norton Internet Security

PlayReady PC Runtime x86

Polar Golfer

Ralink RT5390 802.11b/g/n WiFi Adapter

Realtek Ethernet Controller Driver

Realtek PCIE Card Reader

Recovery Manager

RoxioNow Player

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition

Security Update for Microsoft Filter Pack 2.0 (KB2553501) 32-Bit Edition

Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition

Security Update for Microsoft OneNote 2010 (KB2760600) 32-Bit Edition

Security Update for Microsoft Visio Viewer 2010 (KB2687505) 32-Bit Edition

Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition

Sprint SmartView

Synaptics Pointing Device Driver

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition

Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition

Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition

Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition

Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition

Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition

Update Installer for WildTangent Games App

WildTangent Games App (HP Games)

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Language Selector

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

WMV9/VC-1 Video Playback

.

==== Event Viewer Messages From Past Week ========

.

3/29/2013 3:37:19 PM, Error: Service Control Manager [7034] - The Easybits Services for Windows service terminated unexpectedly. It has done this 1 time(s).

.

==== End Of File ===========================

-----------------------------------------------

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : gs [Admin rights]

Mode : Scan -- Date : 03/29/2013 15:55:14

| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤

[DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\gs\AppData\Local\{E7D4159C-9B1F-4642-8FF8-65410CAFFE96}\{EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}\zswjzgft.dll [x] -> KILLED [TermProc]

[DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : C:\Users\gs\AppData\Local\{E7D4159C-9B1F-4642-8FF8-65410CAFFE96}\{EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}\zswjzgft.dll [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 11 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : Diagnostics (rundll32.exe "C:\Users\gs\AppData\Local\Google\Diagnostics\vevyhjerp.dll",DllRegisterServer) [x] -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : CyberLink (rundll32.exe "C:\Users\gs\AppData\Local\Temp\",CreateInstance) [x] -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : {EB9AA2ED-F5EB-4505-B1F6-56813C012FA8} (rundll32 "C:\Users\gs\AppData\Local\{E7D4159C-9B1F-4642-8FF8-65410CAFFE96}\{EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}\zswjzgft.dll",DllRegisterServerW) [-] -> FOUND

[RUN][sUSP PATH] HKCU\[...]\Run : Sprint (regsvr32.exe C:\Users\gs\AppData\Local\Sprint\dwwvzyaj.dll) [-] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-2053469509-3836685608-2809686641-1001[...]\Run : Diagnostics (rundll32.exe "C:\Users\gs\AppData\Local\Google\Diagnostics\vevyhjerp.dll",DllRegisterServer) [x] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-2053469509-3836685608-2809686641-1001[...]\Run : CyberLink (rundll32.exe "C:\Users\gs\AppData\Local\Temp\",CreateInstance) [x] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-2053469509-3836685608-2809686641-1001[...]\Run : {EB9AA2ED-F5EB-4505-B1F6-56813C012FA8} (rundll32 "C:\Users\gs\AppData\Local\{E7D4159C-9B1F-4642-8FF8-65410CAFFE96}\{EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}\zswjzgft.dll",DllRegisterServerW) [-] -> FOUND

[RUN][sUSP PATH] HKUS\S-1-5-21-2053469509-3836685608-2809686641-1001[...]\Run : Sprint (regsvr32.exe C:\Users\gs\AppData\Local\Sprint\dwwvzyaj.dll) [-] -> FOUND

[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS545050B9A300 SATA Disk Device +++++

--- User ---

[MBR] aed73740c9008d8a741b1c889874e490

[bSP] 8e3f116b7e5b59d639444c5caf80aef7 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 461578 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 945721344 | Size: 15058 Mo

3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 976560128 | Size: 103 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] bd0ed8a344127a17f82ffc2d51eb6090

[bSP] 8e3f116b7e5b59d639444c5caf80aef7 : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 77824 Mo

1 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 159793152 | Size: 4000 Mo

2 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 167985152 | Size: 2000 Mo

3 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 172081152 | Size: 20002 Mo

Finished : << RKreport[1]_S_03292013_02d1555.txt >>

RKreport[1]_S_03292013_02d1555.txt

Maurice Naggar · March 30, 2013

Hello Gail.

It's after the fact now, but RKILL was meant to be run one time; the other 3 links are "alternate ways" if the 1st was unable to run; or the 2nd...etc

We are past that now. Just so you know, only.

You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member Gail33 only. If you are a casual viewer, do NOT try this on your system!

If you are not Gail33 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Turn off your Norton Internet Security antivirus so that it does not interfere with these next tools.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Please disconnect any USB or external storage drives from the computer before you run this scan!
Right-Click RogueKiller and select Run as Administrator.
Wait until Prescan finishes.
On the RogueKiller console, click the Registry tab.
Put a check next to all of these and uncheck the rest: We only want to select these 9 lines (if found)
[RUN][sUSP PATH] HKCU\[...]\Run : Diagnostics (rundll32.exe "C:\Users\gs\AppData\Local\Google\Diagnostics\vevyhjerp.dll",DllRegisterServer) [x] -> FOUND
[RUN][sUSP PATH] HKCU\[...]\Run : CyberLink (rundll32.exe "C:\Users\gs\AppData\Local\Temp\",CreateInstance) [x] -> FOUND
[RUN][sUSP PATH] HKCU\[...]\Run : {EB9AA2ED-F5EB-4505-B1F6-56813C012FA8} (rundll32 "C:\Users\gs\AppData\Local\{E7D4159C-9B1F-4642-8FF8-65410CAFFE96}\{EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}\zswjzgft.dll",DllRegisterServerW) [-] -> FOUND
[RUN][sUSP PATH] HKCU\[...]\Run : Sprint (regsvr32.exe C:\Users\gs\AppData\Local\Sprint\dwwvzyaj.dll) [-] -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-2053469509-3836685608-2809686641-1001[...]\Run : Diagnostics (rundll32.exe "C:\Users\gs\AppData\Local\Google\Diagnostics\vevyhjerp.dll",DllRegisterServer) [x] -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-2053469509-3836685608-2809686641-1001[...]\Run : CyberLink (rundll32.exe "C:\Users\gs\AppData\Local\Temp\",CreateInstance) [x] -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-2053469509-3836685608-2809686641-1001[...]\Run : {EB9AA2ED-F5EB-4505-B1F6-56813C012FA8} (rundll32 "C:\Users\gs\AppData\Local\{E7D4159C-9B1F-4642-8FF8-65410CAFFE96}\{EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}\zswjzgft.dll",DllRegisterServerW) [-] -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-2053469509-3836685608-2809686641-1001[...]\Run : Sprint (regsvr32.exe C:\Users\gs\AppData\Local\Sprint\dwwvzyaj.dll) [-] -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
Then click on Delete on the right hand column under Options.
When done, The log will be found as RKreport
Copy & Paste the contents into a new reply.

Task 2

To show all files:

Press Windows-key +R key on your keyboard to get RUN option.
Type in
```
explorer.exe
```
and press Enter to start Windows Explorer.
From the menu options, Select Tools, then Folder Options.
Next click the View tab.
Locate and uncheck Hide file extensions for known file types.
Locate and uncheck Hide protected operating system files (Recommended).
Locate and click Show hidden files and folders and drives.
Click Apply > OK.

Task 3

We Need to Run a Batch Script

Press the Windows-key on keyboard.
In the box, type notepad and press Enter.

Highlight the contents of the following codebox, and copy and paste that text into NOTEPAD.

sc stop Diagnostics
sc stop CyberLink
sc stop {EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}
sc stop Sprint
sc delete Diagnostics
sc delete CyberLink
sc delete {EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}
sc delete Sprint
del /f /q C:\Users\gs\AppData\Local\Google\Diagnostics\vevyhjerp.dll
del /f /q C:\Users\gs\AppData\Local\{E7D4159C-9B1F-4642-8FF8-65410CAFFE96}\{EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}\zswjzgft.dll
del /f /q C:\Users\gs\AppData\Local\Sprint\dwwvzyaj.dll
rd /s /q C:\Users\gs\AppData\Local\{E7D4159C-9B1F-4642-8FF8-65410CAFFE96}
del /f /q "%~f0"

Select File -> Save AS.
Press the Desktop button on the left side of the save dialog.
In the box, type in Fix.bat.
Press .
Close Notepad.
Right click on your desktop, and choose .
Press Yes if prompted by User Account Control.

Task 4

Please follow my guidance. Ask if you have questions.

I am going to ask you to read very carefully. I am asking you to download to unique folder !!

Step 1. Close and save any open documents, and exit programs that you started.

Step 2. Download TDSSKiller.exe and SAVE it to a special folder

http://support.kaspe.../tdsskiller.exe

and be sure to SAVE it in this folder --> C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon

Step 3. Install the Chameleon driver by doing the following:

Press the Windows key + R and in the Run box, copy and paste the following command then press Enter. Copy All of the line from beginning to end {from the double-quote ...all the way to the last o ......ALL

"C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon" /o

A black DOS prompt will appear with a prompt to press any key to continue, please do.

Step 4

Please read carefully and follow these steps.

Do a RIGHT-Click TDSSKiller.exe and select Run as Administrator to start TDSSKILLER.exe. and allow to start
then click Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please Copy & Paste that log in reply.

gail33 · March 30, 2013

Hi Maurice,

I have a question, but first to report.

I did Task 1, run RogueKiller, after prescan I clicked on Registry Tab, there was nothing there.

Under Task 2, I changed folder options as instructed:

Locate and uncheck Hide file extensions for known file types.
Locate and uncheck Hide protected operating system files (Recommended).
Locate and click Show hidden files and folders and drive

Then I did Task 3. (ran a batch script)

My question is on Task 4,

"Step 1. Close and save any open documents, and exit programs that you started.

Step 2. Download TDSSKiller.exe and SAVE it to a special folder"

Should I leave the folder options as I changed them to in Task 2, or go back into Folder Options and restore them to the previous status? My concern is going online with the Folder Options left as changed in Task 2.

I have another home computer (uninfected and now protected with MawarebytesPro) I'm using to post this, so the infected computer is "stopped" at the end of Task 3.

Thank you Maurice,

Gail

Maurice Naggar · March 31, 2013

Leave the folder options as I outlined, in Task 2. Having done that, please do not worry about that. We need to see all files.

Malware in any event has no such limits.

As to RogueKiller, I wonder if you -did- wait for the Prescan to finish. ?

Try to do Roguekiller again as I outlined.

Then do Task 4.

Edited March 31, 2013 by Maurice Naggar

gail33 · April 1, 2013

Hi again Maurice,

I ran the RogueKiller again, and when the screen said: "Prescan finished Please hti scan button" , I clicked on the registry tab, nothing was listed.

I have tried 6 times to download TDSSkiller to the folder you specified. The first 5 times I hit "save" would get a screen that said I needed administrator approval. I was logged in as the administrator. I had to walk away from the computer for a while, and when I got back to it, I could no longer log on as administrator. A relative suggested I go into safe mode, and reset the password, which seemed to work. But again when trying to download into the C:\ file you specified, the popup screen again rejected because I was not logged in as administrator.

I can download the file, just not into C:\.

I'm lost.... gail

Maurice Naggar · April 1, 2013

Let's forget the last instructions.

For now, let's have you do this.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select English as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

OR If you have the Windows o.s. DVD, then To enter System Recovery Options, by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select English as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt

[*]Select Command Prompt

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select "Computer" and find your flash drive letter and close the notepad.

[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to disclaimer.

[*]Press Scan button.

[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

gail33 · April 1, 2013

Good day, Maurice,

I'm following this set of directions:

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select English as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

A problem comes up after selecting English/ US and clicking next.

A window pops up asking for the admin password, my original password seems to work.

Then a window pops up with these 2 choices:

Start up repair

HP Recovery manager

the click choices are shut down or restart

No other choices.

I did create recovery files on a USB for that computer, if that is needed. I've also downloaded personal files just in case....

gail

Maurice Naggar · April 1, 2013

Good morning.

This is a HP computer? I wonder if that is why you do not see the other options.

Let's call off that last procedure. Please restart your system fresh.

Download and SAVE & then run mbam-clean.exe from >> here <<

It will ask to restart your computer, please allow it to do so very important

After the computer restarts, temporarily disable your Anti-Virus

If you need how-to guidance, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Next Download & SAVE the latest version of Malwarebytes' Anti-Malware from >> here <<

Run the mbam-setup.

Note: You will need to reactivate the program using the license you were sent via email if using the Pro version

Launch the program and set the Protection and Registration, if you have a license. Then go to the UPDATE tab if not done during installation and check for updates.

Restart the computer again and verify that Malwarebytes Anti-Malware is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications.

You may use the guides posted in the FAQ's >> here << or ask and we'll explain how to do it.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

If you have the PRO license, then do this too: Click the Protection tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, Copy & paste the MBAM scan log into a new reply.

Tell me, How is the system ?

Re-enable your antivirus program.

gail33 · April 1, 2013

After I loaded Malwarebytes PRO, restarted the computer and started the full scan I noticed Norton anti-virus had reset to ON (ie, was on for the full scan, had been disabled when the program downloaded onto computer). I don't know if that makes a difference.

Full scan completed successfully:

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.04.01.06

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

my computer :: GS-HP [administrator]

Protection: Enabled

4/1/2013 12:10:07 PM

mbam-log-2013-04-01 (12-10-07).txt

Scan type: Full scan (C:\|D:\|G:\|)

Scan options disabled: P2P

Objects scanned: 397119

Time elapsed: 1 hour(s), 1 minute(s), 36 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\Users\gs\AppData\Local\Temp\0.9921130188528324 (Trojan.Dropper.ED) -> Quarantined and deleted successfully.

C:\Users\gs\AppData\Local\Temp\zswjzgft\zswjzgft.dll (Trojan.Tracur.DL) -> Quarantined and deleted successfully.

C:\Users\gs\AppData\Local\{E7D4159C-9B1F-4642-8FF8-65410CAFFE96}\{EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}\zswjzgft.dll (Trojan.Tracur.DL) -> Quarantined and deleted successfully.

(end)

I then restarted the computer and 3 "RunDLL" windows popped up, the info in the window matches the addresses of the 3 objects found.

At the end of the scan Norton was busy dealing with a virus, "Trogen.Gen" that was successfully removed.

Is there a way to stop the RunDLL boxes from popping up at the start?

If everything is now "clean", can I remove the programs you had me download, and do they have to be uninstalled, or just deleted?

thank you for your patience and help Maurice. I've learned a few new things about computers, but I have to admit I don't like learning at the School of Hard Knocks.

Maurice Naggar · April 1, 2013

Yippy Hoora. Mbam has run on your system now.

Do not delete the tools I had you use, just yet. I will guide you at the end when I give the all clear. {later}

I need for you to do some more tasks.

Your temp files need to be removed (that's where 2 of the "trojans" had been.

Download TFC by OldTimer and SAVE it to your desktop

Double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Task 2

You should create a "system repair disc" for your Windows 7 either to a CD, DVD, or new USB-flash-thumb drive {if your hardware can boot from USB}.

The following is a reference page at Microsoft and also has a link to a how-to-video.

Create a Windows 7 system repair disc

This "repair disc" is a very handy tool that one may use when and IF you are not able to start Windows 7 normally.

This "repair disc" or "rescue disc" is not intended as a replacement for having the Windows 7 operating system DVD.

Make a rescue disc, put a label on it, store it away for a "rainy day".

Task 3

You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member Gail33 only. If you are a casual viewer, do NOT try this on your system!

If you are not Gail33 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display it's "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix my take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)or a UPS system

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right- click on Combo-Fix.exe on your Desktop and select "Run as Administrator".

A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.

Notes:

[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer, this should resolve the problem. You may have reboot the pc a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3]When all done, IF Combofix did not do a Restart...then ... I need for you to Restart the system fresh :excl:

Reply & Copy & Paste contents of the C:\Combofix.txt log and tell me, How is the system now ?

Re-enable your antivirus program.

gail33 · April 2, 2013

a bit of frustration...

I disabled Norton anti-virus and firewall before starting ComboFix. A warning window popped up stating antispyware was still running. I went into Norton, found the antispyware and turned it off (for 5 hours). I also turned off almost everything else in Norton I found for 5 hours. While ComboFix was running a window popped up that said Norton was using the idle time to do background tasks.....

ComboFix completed the scan and as per your instructions, "When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes"

The Notepad opened, I saved a copy to the desktop, closed it, and did not find another window to "Save changes". The usual Desktop is showing.

I did move the computer after the Notepad opened, have not clicked on anything else or shut the thing off.

gail

Maurice Naggar · April 2, 2013

Sidenote: You should have turned off Norton completely, instead of putting a limit.

Now, I need for you to copy & paste the contents of Combofix.txt for my review.

It may be on your Desktop or at C:\Combofix.txt

and insure your antivirus is now back ON.

gail33 · April 2, 2013

"You should have turned off Norton completely, instead of putting a limit"

I apologize for not doing that correctly. The choices were a time limit of 15 min., 1 hr, 5 hrs, until restart or permanently. Are you saying I should have checked, "permanently"?

ComboFix 13-04-01.01 - my computer 04/01/2013 18:46:49.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3691.2373 [GMT -5:00]

Running from: c:\users\my computer\Desktop\ComboFix.exe

AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\programdata\Microsoft\Windows\DRM\BD07.tmp

c:\programdata\Microsoft\Windows\DRM\BD37.tmp

c:\users\gs\firefox.com

c:\users\gs\firefox.exe

c:\users\gs\firefox.pif

c:\users\gs\firefox.scr

c:\users\gs\iexplore.exe

c:\users\gs\mbam-chameleon.com

c:\users\gs\mbam-chameleon.exe

c:\users\gs\mbam-chameleon.pif

c:\users\gs\mbam-chameleon.scr

c:\users\gs\Microsoft_Office_Home_Student_2010_3PC_1User_Downloader.exe

c:\users\gs\rundll32.exe

c:\users\gs\svchost.exe

c:\users\gs\winlogon.exe

.

((((((((((((((((((((((((( Files Created from 2013-03-01 to 2013-04-01 )))))))))))))))))))))))))))))))

.

2013-04-01 23:59 . 2013-04-01 23:59 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-04-01 23:34 . 2013-04-01 23:34 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{248614FD-5C68-4EF0-B590-D7C1FE8AA895}\offreg.dll

2013-04-01 17:00 . 2013-04-01 17:00 -------- d-----w- c:\users\my computer\AppData\Roaming\Malwarebytes

2013-04-01 17:00 . 2013-04-01 17:00 -------- d-----w- c:\programdata\Malwarebytes

2013-04-01 17:00 . 2013-04-01 17:00 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2013-04-01 17:00 . 2012-12-14 21:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-04-01 16:36 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{248614FD-5C68-4EF0-B590-D7C1FE8AA895}\mpengine.dll

2013-04-01 16:26 . 2013-04-01 16:26 -------- d-----w- c:\users\my computer\AppData\Local\Programs

2013-03-31 18:30 . 2013-03-31 18:30 -------- d-----w- C:\New folder (2)

2013-03-31 18:28 . 2013-03-31 18:28 -------- d-----w- C:\New folder

2013-03-19 17:38 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys

2013-03-15 13:58 . 2013-03-15 13:58 -------- d-----w- c:\program files\Microsoft Silverlight

2013-03-15 13:58 . 2013-03-15 13:58 -------- d-----w- c:\program files (x86)\Microsoft Silverlight

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-03-16 00:49 . 2012-05-27 04:47 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-03-16 00:49 . 2011-09-12 12:42 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-03-15 14:04 . 2011-09-27 00:43 72013344 ----a-w- c:\windows\system32\MRT.exe

2013-02-12 05:45 . 2013-03-14 14:05 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2013-02-12 05:45 . 2013-03-14 14:05 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2013-02-12 05:45 . 2013-03-14 14:05 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll

2013-02-12 05:45 . 2013-03-14 14:05 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll

2013-02-12 04:48 . 2013-03-14 14:05 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-02-12 04:48 . 2013-03-14 14:05 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-01-17 06:28 . 2010-11-21 03:27 273840 ------w- c:\windows\system32\MpSigStub.exe

2013-01-15 22:56 . 2012-07-24 01:37 477616 ----a-w- c:\windows\SysWow64\npdeployJava1.dll

2013-01-15 22:56 . 2011-04-21 23:35 473520 ----a-w- c:\windows\SysWow64\deployJava1.dll

2013-01-05 05:53 . 2013-02-14 22:00 5553512 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-01-05 05:00 . 2013-02-14 22:00 3967848 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-01-05 05:00 . 2013-02-14 22:00 3913064 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-01-04 05:46 . 2013-02-14 22:06 215040 ----a-w- c:\windows\system32\winsrv.dll

2013-01-04 04:51 . 2013-02-14 22:06 5120 ----a-w- c:\windows\SysWow64\wow32.dll

2013-01-04 04:43 . 2013-02-14 22:06 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2013-01-04 03:26 . 2013-02-14 22:00 3153408 ----a-w- c:\windows\system32\win32k.sys

2013-01-04 02:47 . 2013-02-14 22:06 25600 ----a-w- c:\windows\SysWow64\setup16.exe

2013-01-04 02:47 . 2013-02-14 22:06 7680 ----a-w- c:\windows\SysWow64\instnm.exe

2013-01-04 02:47 . 2013-02-14 22:05 2048 ----a-w- c:\windows\SysWow64\user.exe

2013-01-04 02:47 . 2013-02-14 22:06 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

2013-01-03 06:00 . 2013-02-14 22:00 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys

2013-01-03 06:00 . 2013-02-14 22:00 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-02-28 336384]

"HPConnectionManager"="c:\program files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe" [2011-02-15 94264]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-16 35736]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-16 932288]

"Sprint SmartView"="c:\program files (x86)\Sprint\Sprint SmartView\SprintSV.exe" [2008-10-15 17664]

"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-02-15 577408]

"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"HideFastUserSwitching"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"EnableShellExecuteHooks"= 1 (0x1)

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]

R3 CASprint;Sprint Con App Svc;c:\program files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe [2008-10-15 124160]

R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-15 1255736]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]

S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [2011-01-29 77952]

S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [2011-01-29 38016]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1309010.00E\SYMDS64.SYS [2012-03-29 451192]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1309010.00E\SYMEFA64.SYS [2012-05-22 1129120]

S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.0.9\Definitions\BASHDefs\20130322.001\BHDrvx64.sys [2013-03-22 1387608]

S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1309010.00E\ccSetx64.sys [2012-06-07 167072]

S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.0.9\Definitions\IPSDefs\20130329.001\IDSvia64.sys [2012-09-06 513184]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1309010.00E\Ironx64.SYS [2012-04-18 190072]

S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1309010.00E\SYMNETS.SYS [2012-04-18 405624]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-02-28 203776]

S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-02-28 354304]

S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]

S2 ezSharedSvc;Easybits Services for Windows;c:\windows\System32\ezSharedSvcHost.exe [x]

S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2012-09-27 86528]

S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]

S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2012-02-15 34872]

S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-03-08 2375168]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]

S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe [2012-06-16 138272]

S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]

S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]

S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [2010-07-28 31088]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-01-19 138912]

S3 hpCMSrv;HP Connection Manager 4.0 Service;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-02-15 1071160]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]

S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [2011-07-19 1492992]

S3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [2008-10-15 43032]

S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-02-15 335464]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-03-05 436840]

S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2010-11-29 44672]

.

Contents of the 'Scheduled Tasks' folder

.

2013-04-01 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-27 00:49]

.

2013-03-18 c:\windows\Tasks\HPCeeScheduleForGS-HP$.job

- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]

.

2013-03-16 c:\windows\Tasks\HPCeeScheduleForgs.job

- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-02-15 1128448]

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

Wow6432Node-HKLM-Run-Easybits Recovery - c:\program files (x86)\EasyBits For Kids\ezRecover.exe

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]

"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.9.1.14\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.9.1.14\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-04-01 19:05:22

ComboFix-quarantined-files.txt 2013-04-02 00:05

.

Pre-Run: 436,828,696,576 bytes free

Post-Run: 436,206,206,976 bytes free

.

- - End Of File - - EF375A7F2B55EDE17D1DE61142111E7A

Maurice Naggar · April 2, 2013

Insure that your antivirus is now back ON.

Combofix did not find very much. Basically just 1 temp file.

Let's go back a moment & address a couple of points.

I assumed all along that you were logged in to Windows with an administrator-rights-level account.

It is important to do that most especially during malware removal.

Are you logged in with "my computer"?

Aren't you logged in with your usual user account & does not that account have administrator rights ?

Also, just so you know {and I hope you do not ever have to do a Combofix run in the future}.

Yes, we have to "permanently" turn off any Antivirus before the run. We would turn it back ON -after - the run is completed.

As you saw {and I have seen many other cases}, a timed-turn off or a incomplete turn off will cause glitches & cause undue complications.

When we say "off" we mean "all off".

Now then, do you typically do all your downloads to the folder c:\users\gs ?

Is that why chameleon was in there?

What's the difference in the accounts gs as compared to "my computer" ???

Is this computer yours ? Do you have more people using this system than just you?

gail33 · April 2, 2013

Hello Maurice,

I am posting this from a different computer than the one you are trying to clean up

Insure that your antivirus is now back ON. It is

I assumed all along that you were logged in to Windows with an administrator-rights-level account.

It is important to do that most especially during malware removal. Yes, with one exception (the very first scan from post #2) I have right clicked on programs and clicked, "run as administrator"

Are you logged in with "my computer"?

Aren't you logged in with your usual user account & does not that account have administrator rights ?What's the difference in the accounts gs as compared to "my computer" ???

Is this computer yours ? Do you have more people using this system than just you? You are seeing my computer illiteracy. Somehow after buying the computer I set up two user accounts, with "gs" being my password protected user that at the beginning of this journey had administrator privileges. I've rarely used "my computer", using "gs" as my everyday user. I had to switch from "gs" to "my computer" after the goofy computer decided I no longer had admin rights while trying to download TDSSkiller to the folder you specified. (see post #7 on 3-31) In order to get any admin rights back I had to go into safe mode and create a new password...which then worked as the "my computer" user, and will not work for "gs". Yesterday when I was able to download Malwarebytes PRO, I was using the "my computer" side. I hope that explains why the user switch. I own the computer and am the only person using it.

Now then, do you typically do all your downloads to the folder c:\users\gs ?

Is that why chameleon was in there? Again my computer ignorance. The computer (when logged into "gs") only allowed me to download into "gs downloads", even when I was signed in as administrator. I noticed when I was trying to get TDSSkiller (unsuccessfully) downloaded onto C:\ the control panel user account had me as as a "standard user" even though I was logged in as adminstrator, which I found totally confusing. I tried a number of times to change to "administrator", but it wouldn't accept the change. It was after starting up the computer after a several hours break that I couldn't even log in as administrator at all, which forced me into the safe mode change to get admin privilege.

Re: turning off (permanently) anti-virus

"Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs""

This is from the Norton instructions on the link: "select a duration of 5 hours (this assures no interference with the cleanup of your pc)"

I'm sorry for the misunderstanding.

gail

Maurice Naggar · April 2, 2013

Let me just say this about Norton or any other antivirus in general:

While cleaning malware at a malware-removal forum, follow your "guide" {in this case, me} and turn off in total.

In this situation, disregard what the a-v vendor may or may not have suggested.

When you use a "timed" turn off, it does not result in a total turn off of the antivirus services {those services would still be active processes} & causes un-needed & really un-wanted complications.

On your accounts: You will need to sort that out yourself. Figure out which one of the accounts you want to use on a regular basis.

I believe we had a good MBAM run & we had finished the Combofix task.

Older versions of Java pose a security risk. Uninstall all these Java versions: Java Auto Updater

Java 6 Update 24 (64-bit)

Java 6 Update 39

And if you do not need Java for the programs that you use, keep Java off your system .

How to disable Java in various browsers : http://blog.eset.com/2012/08/29/disabling-java-a-safer-way-to-browse

Also see No, Seriously, Just Disable Java in Your Browser Right Now

As noted by Brian Krebs,

Most consumers can get by without Java installed, or least not plugged into the browser. Because of the prevalence of threats targeting Java installations, I’d urge these users to remove Java or unplug it from the browser. If this is too much trouble, consider adopting a dual-browser approach, keeping Java unplugged from your main browser, and plugged in to a secondary browser that you only use to visit sites that require the plugin.

Now, I would like for you to do a full scan of your system with your antivirus program.

Then let me know the result.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Then tell me, How is the system now as compared to your original problem ?

gail33 · April 3, 2013

Maurice,

I uninstalled all Java programs. After you have declared the computer 'clean', I will replace IE with Firefox as the browser. I've been told IE cannot be uninstalled because it is needed to update MS programs, do you agree with that?

Norton full scan was run and found No Threats.

When I log onto the "gs" user, the 3 RunDLL popups still appear.:

C:\Users\gs\AppData\Local\Temp\0.9921130188528324

C:\Users\gs\AppData\Local\Temp\zswjzgft\zswjzgft.dll

C:\Users\gs\AppData\Local\{E7D4159C-9B1F-4642-8FF8-65410CAFFE96}\{EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}\zswjzgft.dll

I noticed in post #11 the log states, " Quarantined and deleted successfully". Should those popup windows still appear?

In the gs user, after the desktop loads it momentarily flashes, which is unusual. That does not happen with the "my computer" user. Gail

Results of screen317's Security Check version 0.99.61

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Norton Internet Security

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.70.0.1100

````````Process Check: objlist.exe by Laurent````````

Norton ccSvcHst.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````

Maurice Naggar · April 3, 2013

I will replace IE with Firefox as the browser. I've been told IE cannot be uninstalled because it is needed to update MS programs, do you agree with that?

I am glad you did ask. You can install Firefox as another browser. That is fine & ok.

You should NOT attempt to uninstall Internet Explorer. You would run the risk of breaking something else if you did.

When I log onto the "gs" user, the 3 RunDLL popups still appear.:
C:\Users\gs\AppData\Local\Temp\0.9921130188528324
C:\Users\gs\AppData\Local\Temp\zswjzgft\zswjzgft.dll
C:\Users\gs\AppData\Local\{E7D4159C-9B1F-4642-8FF8-65410CAFFE96}\{EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}\zswjzgft.dll

I will address that below.

I noticed in post #11 the log states, " Quarantined and deleted successfully". Should those popup windows still appear?

I do not think that another MBAM scan would show those anymore. At least hopefully.

Do the following next:

Logoff and restart Windows fresh.

Then login with the "gs" account.

Let Windows load as usual. Don't freak out if you see any exceptions like those above.

We Need to Run a Batch Script

Press the Windows-key on keyboard.
In the box, type notepad and press Enter.

Highlight the contents of the following codebox, and copy and paste that text into NOTEPAD.

del /f /q C:\Users\gs\AppData\Local\{E7D4159C-9B1F-4642-8FF8-65410CAFFE96}\{EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}\zswjzgft.dll
rd /s /q C:\Users\gs\AppData\Local\Temp
rd /s /q C:\Users\gs\AppData\Local\{E7D4159C-9B1F-4642-8FF8-65410CAFFE96}\{EB9AA2ED-F5EB-4505-B1F6-56813C012FA8}
del /f /q "%~f0"

Select File -> Save AS.
Press the Desktop button on the left side of the save dialog.
In the box, type in Fix.bat.
Press .
Close Notepad.
Right click on your desktop, and choose .
Press Yes if prompted by User Account Control.

gail33 · April 3, 2013

Maurice,

I'm posting this from a different computer than the one you are fixing.

I ran the "fix" as you posted, as administrator.

A black window appeared and disappeared so fast I couldn't read a thing. The desktop icon for the fix seems to have disappeared.

Now what? I won't shut the computer off until I receive further instructions.

Gail

Maurice Naggar · April 3, 2013

The task does run very quickly. It finishes and deletes itself. as instructed.

Now, do a MBAM QUICK scan. Then kindly copy> paste that log.

Then you already had the DDS tool.

Run it and then copy > paste the new DDS.txt

Tell me, If your original issue is now gone? I think we are ready to do closure steps & cleanups.

gail33 · April 3, 2013

This isn't good,

I started the MBAM Quick scan (on gs user), and it got stuck after scanning 150,900 files. Task manager shows is not responding.

(posted from a different computer)

Maurice Naggar · April 3, 2013

If it is still "stuck", restart the system.

Then, next do this,

Download mbam-check.exe from >>> here <<<and save it to your desktop
On Vista/Windows 7, Right-click on mbam-check.exe & select Run as Administrator & allow to Run.
On XP,Double-click on mbam-check.exe to run it.
It should then open a log file CheckResults.txt
Please copy and paste the entire contents of the log into your next post, or, if you prefer, you may attach the CheckResults.txt file located on your desktop instead

gail33 · April 4, 2013

I've been off-line since my last post, and I just noticed the scan finished, but it took 2 hours, 11 min. What would you like me to do next? gail

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.04.01.06

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

gs :: GS-HP [limited]

Protection: Enabled

4/3/2013 5:48:11 PM

mbam-log-2013-04-03 (17-48-11).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 162481

Time elapsed: 2 hour(s), 11 minute(s), 20 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Malwarebytes blocked, Chameleon doesn't seem to work

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information