Jump to content

Recommended Posts

One of our computers is infected with the "Antispyware Win 7" malware. It has hijacked the internet connection and seems to have disabled Microsoft Internet Security as well. If we try to use the internet fake virus and scare messages pop up and we can't get to any sites.

I read the post about if your computer is infected, but I can't download or run any programs. I downloaded malware bytes on another computer and transferred it to the infected one with a USB drive, but but when I try to run it the malware is triggered and it can't be run.

I read some of the threads with similar, but differently named problems, and hope that there is a way with the assistance here to zap the malware.

Also, I want to be sure that the USB drive is clean, will formatting it from another computer take care of that?

Thanks

Link to post
Share on other sites

Hi and :welcome:

First of all, to protect your USB drive, use Flash Disinfector.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Note: If using Firefox right-click on any download links and choose Save As

Please download OTH to your desktop

Please download OTL to your desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.

OTH_Main.gif

Then select Start OTL. OTL will now run

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    [*]Click the Internet Explorer button, post these logs in your Virus Removal topic.

Link to post
Share on other sites

Hi Elise, thanks for the response. I ran the OTL/OTH, then recalled reading about running programs as an administrator. I tried that and was able to open Internet Explorer, then download and run Malwarebytes. I deleted the .txt files and re-ran OTL, however the Extras.txt file would not generate. I tried a few times, killing some processes, etc. but couldn't get it. I do have the OTL.txt and mbam-log-2011-04-10 (21-01-43).txt files, which are below.

After that I also uninstalled Microsoft Security Essentials since it was broken and downloaded and reinstalled it. It didn't show anything when I scanned with it either.

Everything seems to be working fine now, but I don't know if everything has been rooted out. Appreciate your advice as to where to go now.

-----------------------------------

OTL logfile created on: 4/10/2011 9:04:37 PM - Run 5

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Spencer\Desktop

64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.7600.16385)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 79.00% Memory free

8.00 Gb Paging File | 7.00 Gb Available in Paging File | 88.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 218.20 Gb Total Space | 154.01 Gb Free Space | 70.58% Space Free | Partition Type: NTFS

Drive D: | 14.65 Gb Total Space | 6.73 Gb Free Space | 45.93% Space Free | Partition Type: NTFS

Computer Name: SPENCER-PC | User Name: Spencer | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/10 19:40:24 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Spencer\Desktop\OTL.scr

PRC - [2011/04/10 19:40:12 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Users\Spencer\Desktop\OTH.scr

PRC - [2009/07/13 21:14:47 | 000,254,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\wbem\WmiPrvSE.exe

========== Modules (SafeList) ==========

MOD - [2011/04/10 19:40:24 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Spencer\Desktop\OTL.scr

MOD - [2010/08/21 01:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/11/11 15:36:38 | 000,282,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)

SRV:64bit: - [2010/09/22 22:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)

SRV - [2010/03/18 17:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)

SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/10/24 22:25:38 | 000,072,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)

DRV:64bit: - [2010/09/23 04:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)

DRV:64bit: - [2010/08/25 20:36:04 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)

DRV:64bit: - [2010/07/21 20:59:28 | 000,045,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)

DRV:64bit: - [2010/07/21 20:59:28 | 000,023,952 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nuidfltr.sys -- (NuidFltr)

DRV:64bit: - [2010/07/01 21:52:18 | 000,051,600 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dc3d.sys -- (dc3d)

DRV:64bit: - [2009/07/13 21:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)

DRV:64bit: - [2009/07/13 21:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)

DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)

DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)

DRV:64bit: - [2009/07/13 21:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)

DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)

DRV:64bit: - [2009/06/10 16:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)

DRV:64bit: - [2009/06/10 16:35:33 | 000,389,120 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)

DRV:64bit: - [2009/06/10 16:34:38 | 001,311,232 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\BCMWL664.SYS -- (BCM43XX)

DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)

DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)

DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)

DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKLM\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - File not found

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/?ref=hp

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/iat/us_ca.aspx

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 41 89 8F 4B 3C 82 CB 01 [binary data]

IE - HKCU\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - File not found

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts

O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)

O2 - BHO: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - File not found

O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)

O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - File not found

O3 - HKCU\..\Toolbar\WebBrowser: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)

O3 - HKCU\..\Toolbar\WebBrowser: (uTorrentBar Toolbar) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - File not found

O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [igfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [intelliPoint] c:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)

O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1

O13 - gopher Prefix: missing

O13 - gopher Prefix: missing

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found

O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found

O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/04/30 17:01:00 | 000,000,053 | -HS- | M] () - D:\AUTORUN.INF -- [ NTFS ]

O33 - MountPoints2\E\Shell - "" = AutoRun

O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\AUTORUN.EXE

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O35 - HKCU\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/10 21:03:54 | 000,000,000 | ---D | C] -- C:\Users\Spencer\AppData\Local\{C12BBCD9-308E-4376-85D8-567C0EEF963E}

[2011/04/10 20:57:43 | 000,000,000 | ---D | C] -- C:\Users\Spencer\AppData\Roaming\Malwarebytes

[2011/04/10 20:57:17 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

[2011/04/10 20:57:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

[2011/04/10 20:57:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2011/04/10 20:57:13 | 000,024,152 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

[2011/04/10 20:57:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware

[2011/04/10 20:56:43 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Spencer\Desktop\mbam-setup-1.50.1.1100.exe

[2011/04/10 19:47:13 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Spencer\Desktop\OTL.scr

[2011/04/10 19:47:13 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Users\Spencer\Desktop\OTH.scr

[2011/04/07 01:37:31 | 000,586,752 | -HS- | C] (Microsoft Corporation) -- C:\Users\Spencer\AppData\Local\jhr.exe

[2011/04/07 01:37:31 | 000,586,752 | -HS- | C] (Microsoft Corporation) -- C:\Users\Spencer\AppData\Local\fyc.exe

[2011/04/06 22:24:24 | 000,000,000 | ---D | C] -- C:\Users\Spencer\AppData\Local\{A2FE768D-9C7A-419F-BC93-5BAA82E7BFB1}

[2011/04/06 09:20:40 | 000,000,000 | ---D | C] -- C:\Users\Spencer\AppData\Local\{5CCA5351-C7F4-4279-8021-FB85454299E7}

[2011/04/05 18:49:01 | 000,000,000 | ---D | C] -- C:\Users\Spencer\AppData\Local\{6501B6E7-0C37-4133-A5E9-D6EE8E2AEB2C}

[2011/04/04 16:23:51 | 000,000,000 | ---D | C] -- C:\Users\Spencer\AppData\Local\{563B2276-2A57-4913-9756-5C599230B05B}

[2011/04/03 18:08:04 | 000,000,000 | ---D | C] -- C:\Users\Spencer\AppData\Local\{EB92BC1F-CD70-419C-B031-CCFEEB266482}

[2011/04/02 17:13:26 | 000,000,000 | ---D | C] -- C:\Users\Spencer\AppData\Local\{6C6231B2-2288-440A-A804-933462749A8C}

[2011/04/01 16:46:46 | 000,000,000 | ---D | C] -- C:\Users\Spencer\AppData\Local\{054F3773-E07C-4B17-9987-88CE1ADC42A0}

[2011/03/31 22:25:33 | 000,000,000 | ---D | C] -- C:\Users\Spencer\AppData\Local\{E849A314-D12C-4D3A-A2BC-693527EF7228}

[2011/03/31 08:44:26 | 000,000,000 | ---D | C] -- C:\Users\Spencer\AppData\Local\{5BE4963B-C21D-4CE7-8670-DF6F45F49AA4}

[2011/03/30 13:57:02 | 000,000,000 | ---D | C] -- C:\Users\Spencer\AppData\Local\{8FD12A2A-249C-4E38-8BB9-618CD6030993}

[2011/03/25 18:15:00 | 000,000,000 | ---D | C] -- C:\Windows\Minidump

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/10 21:02:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2011/04/10 21:02:41 | 3191,623,680 | -HS- | M] () -- C:\hiberfil.sys

[2011/04/10 20:57:17 | 000,001,111 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2011/04/10 20:56:51 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Spencer\Desktop\mbam-setup-1.50.1.1100.exe

[2011/04/10 20:41:50 | 000,729,688 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2011/04/10 20:41:50 | 000,626,278 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2011/04/10 20:41:50 | 000,107,522 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2011/04/10 20:40:13 | 000,011,724 | -HS- | M] () -- C:\Users\Spencer\AppData\Local\d370ib50k8d5s35bk41t72fyy28xc84

[2011/04/10 20:40:13 | 000,011,724 | -HS- | M] () -- C:\ProgramData\d370ib50k8d5s35bk41t72fyy28xc84

[2011/04/10 20:38:55 | 000,013,440 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2011/04/10 20:38:55 | 000,013,440 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2011/04/10 19:40:24 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Spencer\Desktop\OTL.scr

[2011/04/10 19:40:12 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Users\Spencer\Desktop\OTH.scr

[2011/03/25 18:14:56 | 432,137,067 | ---- | M] () -- C:\Windows\MEMORY.DMP

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/10 20:57:17 | 000,001,111 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2011/04/07 01:37:43 | 000,011,724 | -HS- | C] () -- C:\Users\Spencer\AppData\Local\d370ib50k8d5s35bk41t72fyy28xc84

[2011/04/07 01:37:43 | 000,011,724 | -HS- | C] () -- C:\ProgramData\d370ib50k8d5s35bk41t72fyy28xc84

[2011/03/30 12:16:12 | 000,002,488 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Messenger.lnk

[2011/03/25 18:14:56 | 432,137,067 | ---- | C] () -- C:\Windows\MEMORY.DMP

[2011/02/08 22:54:44 | 000,743,534 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI

[2010/11/17 16:31:25 | 000,000,000 | ---- | C] () -- C:\Windows\PowerReg.dat

[2010/11/12 20:46:22 | 000,000,920 | ---- | C] () -- C:\Windows\eReg.dat

[2010/08/25 20:34:30 | 000,982,240 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin

[2010/08/25 20:34:30 | 000,439,308 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin

[2010/08/25 20:34:30 | 000,092,356 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin

[2010/08/25 19:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\iglhsip32.dll

[2010/08/25 19:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\iglhcp32.dll

[2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat

[2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT

[2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat

[2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll

[2009/07/13 17:59:36 | 000,139,824 | ---- | C] () -- C:\Windows\SysWow64\igfcg500.bin

[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat

========== LOP Check ==========

[2011/04/07 01:45:41 | 000,000,000 | ---D | M] -- C:\Users\Spencer\AppData\Roaming\FrostWire

[2010/11/12 22:17:58 | 000,000,000 | ---D | M] -- C:\Users\Spencer\AppData\Roaming\Gabob.NowBoarding.B1EDF665FD3C3F3F09EA618A6CFE5BBDBDB5E912.1

[2010/11/17 05:10:53 | 000,000,000 | ---D | M] -- C:\Users\Spencer\AppData\Roaming\Valusoft

[2010/12/01 19:53:48 | 000,000,000 | ---D | M] -- C:\Users\Spencer\AppData\Roaming\Windows Live Writer

[2009/07/14 01:08:49 | 000,011,420 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

< End of report >

----------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6328

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

4/10/2011 9:01:43 PM

mbam-log-2011-04-10 (21-01-43).txt

Scan type: Quick scan

Objects scanned: 162260

Time elapsed: 2 minute(s), 22 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 14

Registry Values Infected: 2

Registry Data Items Infected: 2

Folders Infected: 10

Files Infected: 16

Memory Processes Infected:

c:\Users\Spencer\AppData\Local\doe.exe (Trojan.Agent) -> 3656 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C} (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1602F07D-8BF3-4C08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69725738-CD68-4f36-8D02-8C43722EE5DA} (Adware.Hotbar) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\ClickPotatoLiteAx.Info (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\ClickPotatoLiteAx.Info.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\MenuButtonIE.ButtonIE (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\MenuButtonIE.ButtonIE.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\MenuButtonIE.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\clickpotatolitesa (Adware.ClickPotato) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Value: ClickPotatoLite@ClickPotatoLite.com -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Spencer\AppData\Local\doe.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\Spencer\AppData\Local\doe.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:

c:\programdata\2aca5cc3-0f83-453d-a079-1076fe1a8b65 (Adware.Seekmo) -> Quarantined and deleted successfully.

c:\programdata\clickpotatolitesa (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\Users\Spencer\AppData\Roaming\clickpotatolite (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\program files (x86)\clickpotatolite (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\program files (x86)\clickpotatolite\bin (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\program files (x86)\clickpotatolite\bin\10.0.621.0 (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\program files (x86)\clickpotatolite\bin\10.0.621.0\firefox (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\program files (x86)\clickpotatolite\bin\10.0.621.0\firefox\extensions (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\program files (x86)\clickpotatolite\bin\10.0.621.0\firefox\extensions\plugins (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\programdata\microsoft\Windows\start menu\Programs\clickpotato (Adware.ClickPotato) -> Quarantined and deleted successfully.

Files Infected:

c:\Users\Spencer\AppData\Local\doe.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\Spencer\AppData\Local\Temp\0.8616649363411647.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\Spencer\local settings\doe.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\Spencer\local settings\qdw.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\Spencer\local settings\application data\doe.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\Spencer\local settings\application data\qdw.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\programdata\clickpotatolitesa\clickpotatolitesa.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\programdata\clickpotatolitesa\clickpotatolitesaabout.mht (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\programdata\clickpotatolitesa\clickpotatolitesaau_update.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\programdata\clickpotatolitesa\clickpotatolitesaeula.mht (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\programdata\clickpotatolitesa\clickpotatolitesa_hpk.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\programdata\clickpotatolitesa\clickpotatolitesa_kyf_update.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\program files (x86)\clickpotatolite\bin\10.0.621.0\firefox\extensions\install.rdf (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\programdata\microsoft\Windows\start menu\Programs\clickpotato\About Us.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\programdata\microsoft\Windows\start menu\Programs\clickpotato\clickpotato customer support.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.

c:\programdata\microsoft\Windows\start menu\Programs\clickpotato\clickpotato uninstall instructions.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Hi, that looks good so far, I see no active malware, only some leftovers.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Link to post
Share on other sites

Thanks, that is encouraging. Below is the combofix log file.

Sidenote - the flash disinfetor program wouldn't run on either of our laptop computers. First though, I'll finish cleaning this one!

---------------------------------------

ComboFix 11-04-11.01 - Spencer 04/11/2011 17:17:41.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4058.2966 [GMT -4:00]

Running from: c:\users\Spencer\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Spencer\AppData\Local\fyc.exe

c:\users\Spencer\AppData\Local\jhr.exe

D:\Autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2011-03-11 to 2011-04-11 )))))))))))))))))))))))))))))))

.

.

2011-04-11 21:21 . 2011-04-11 21:21 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-04-11 20:51 . 2011-04-11 20:51 -------- d-----w- c:\users\Spencer\AppData\Local\{B03A3576-672C-49BB-8924-9AAC867E58C4}

2011-04-11 01:26 . 2011-04-11 01:25 601424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll

2011-04-11 01:26 . 2011-04-11 01:25 601424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7392398-BE21-45BB-A56F-A9DA538FB243}\gapaengine.dll

2011-04-11 01:26 . 2011-01-13 06:20 7844688 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-04-11 01:25 . 2011-03-15 02:17 8424784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{32F77FA1-D95A-4579-9AC6-04409F93C356}\mpengine.dll

2011-04-11 01:22 . 2011-04-11 01:22 -------- d-----w- c:\program files (x86)\Microsoft Security Client

2011-04-11 01:22 . 2011-04-11 01:23 -------- d-----w- c:\program files\Microsoft Security Client

2011-04-11 01:03 . 2011-04-11 01:03 -------- d-----w- c:\users\Spencer\AppData\Local\{C12BBCD9-308E-4376-85D8-567C0EEF963E}

2011-04-11 00:57 . 2011-04-11 00:57 -------- d-----w- c:\users\Spencer\AppData\Roaming\Malwarebytes

2011-04-11 00:57 . 2010-12-20 22:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys

2011-04-11 00:57 . 2011-04-11 00:57 -------- d-----w- c:\programdata\Malwarebytes

2011-04-11 00:57 . 2011-04-11 00:57 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2011-04-11 00:57 . 2010-12-20 22:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-07 02:24 . 2011-04-07 02:24 -------- d-----w- c:\users\Spencer\AppData\Local\{A2FE768D-9C7A-419F-BC93-5BAA82E7BFB1}

2011-04-06 13:20 . 2011-04-06 13:20 -------- d-----w- c:\users\Spencer\AppData\Local\{5CCA5351-C7F4-4279-8021-FB85454299E7}

2011-04-05 22:49 . 2011-04-05 22:49 -------- d-----w- c:\users\Spencer\AppData\Local\{6501B6E7-0C37-4133-A5E9-D6EE8E2AEB2C}

2011-04-04 20:23 . 2011-04-04 20:23 -------- d-----w- c:\users\Spencer\AppData\Local\{563B2276-2A57-4913-9756-5C599230B05B}

2011-04-03 22:08 . 2011-04-03 22:08 -------- d-----w- c:\users\Spencer\AppData\Local\{EB92BC1F-CD70-419C-B031-CCFEEB266482}

2011-04-02 21:13 . 2011-04-02 21:13 -------- d-----w- c:\users\Spencer\AppData\Local\{6C6231B2-2288-440A-A804-933462749A8C}

2011-04-01 20:46 . 2011-04-01 20:46 -------- d-----w- c:\users\Spencer\AppData\Local\{054F3773-E07C-4B17-9987-88CE1ADC42A0}

2011-04-01 02:25 . 2011-04-01 02:25 -------- d-----w- c:\users\Spencer\AppData\Local\{E849A314-D12C-4D3A-A2BC-693527EF7228}

2011-03-31 12:44 . 2011-03-31 12:44 -------- d-----w- c:\users\Spencer\AppData\Local\{5BE4963B-C21D-4CE7-8670-DF6F45F49AA4}

2011-03-30 17:57 . 2011-03-30 17:57 -------- d-----w- c:\users\Spencer\AppData\Local\{8FD12A2A-249C-4E38-8BB9-618CD6030993}

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-09 21:21 . 2010-06-24 19:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2011-02-19 06:37 . 2011-03-09 02:26 1135104 ----a-w- c:\windows\system32\FntCache.dll

2011-02-19 06:37 . 2011-03-09 02:26 1540608 ----a-w- c:\windows\system32\DWrite.dll

2011-02-19 06:36 . 2011-03-09 02:26 902656 ----a-w- c:\windows\system32\d2d1.dll

2011-02-19 05:32 . 2011-03-09 02:26 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll

2011-02-19 05:32 . 2011-03-09 02:26 739840 ----a-w- c:\windows\SysWow64\d2d1.dll

2011-01-26 06:53 . 2011-02-08 23:06 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2011-01-26 06:53 . 2011-02-08 23:06 265088 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2011-01-26 06:31 . 2011-02-08 23:06 144384 ----a-w- c:\windows\system32\cdd.dll

2011-01-17 01:53 . 2011-01-17 01:53 423656 ----a-w- c:\windows\SysWow64\deployJava1.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2010-12-09 17:51 3911776 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"HideSCAHealth"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]

S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPNWMON

*NewlyCreated* - NISDRV

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-22 2327952]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 1436224]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.facebook.com/?ref=hp

mLocal Page = c:\windows\SysWOW64\blank.htm

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files (x86)\uTorrentBar\tbuTor.dll

BHO-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files (x86)\uTorrentBar\tbuTor.dll

Toolbar-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files (x86)\uTorrentBar\tbuTor.dll

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)

WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2409562946-967249341-1898184411-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-2409562946-967249341-1898184411-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-04-11 17:23:40

ComboFix-quarantined-files.txt 2011-04-11 21:23

.

Pre-Run: 164,267,032,576 bytes free

Post-Run: 164,431,241,216 bytes free

.

- - End Of File - - 429A580AEBA83FB317FBF3C59BBF9041

Link to post
Share on other sites

  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.