Security Protection


OK, so I'm not even sure how or when I got infected, but two days ago I had a pop up of "Security Protection". I tried a system restore to no avail. I booted to safe mode, ran Malwarebytes and deleted like 16 files. I rebooted and I got a pop up from malwarebytes IP Blocked 208.xxx.xxx.xxx (not sure) svchost.exe and then a blue screen. I reboot, and now Security Protection is back. Back to safe mode - and Malwarebytes detects more infected files...

Logs -

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7494

Windows 6.1.7600 (Safe Mode)

Internet Explorer 8.0.7600.16385

8/17/2011 8:40:07 PM

mbam-log-2011-08-17 (20-40-07).txt

Scan type: Quick scan

Objects scanned: 164343

Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 14

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kximuneburi (Trojan.Hiloti) -> Value: Kximuneburi -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security Protection (Trojan.FakeAlert) -> Value: Security Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\System32\config\systemprofile\AppData\Local\ima027.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.038495194601316784.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.15650728480928044.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.1844032401464989.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Windows\Temp\2ED3.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Windows\Temp\4D7C.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Windows\Temp\4F20.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Windows\Temp\jar_cache7106412428970004528.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Windows\Temp\srv1A8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Windows\System32\config\systemprofile\local settings\ima027.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Windows\System32\config\systemprofile\local settings\oxx.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Windows\System32\config\systemprofile\local settings\application data\ima027.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Windows\System32\config\systemprofile\local settings\application data\oxx.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\programdata\defender.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Second Scan -

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7494

Windows 6.1.7600 (Safe Mode)

Internet Explorer 8.0.7600.16385

8/17/2011 10:18:25 PM

mbam-log-2011-08-17 (22-18-25).txt

Scan type: Full scan (C:\|)

Objects scanned: 289423

Time elapsed: 27 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gA01602KhDgC01602 (Trojan.FakeAlert) -> Value: gA01602KhDgC01602 -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security Protection (Trojan.FakeAlert) -> Value: Security Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\programdata\ga01602khdgc01602\ga01602khdgc01602.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\deployment\cache\6.0\62\45c923be-6fbbe832 (Trojan.Ransom.Gen) -> Quarantined and deleted successfully.

c:\Windows\System32\config\systemprofile\AppData\Roaming\Adobe\plugs\mmc232.exe (VirTool.Obfuscator) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.053151268680833086.exe (Trojan.Ransom.Gen) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.5753256391106913.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Windows\Temp\7898.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Windows\Temp\jar_cache8530220809430180293.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\programdata\defender.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Windows\System32\config\systemprofile\AppData\Roaming\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.

Third Scan -

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7502

Windows 6.1.7600 (Safe Mode)

Internet Explorer 8.0.7600.16385

8/18/2011 7:21:35 PM

mbam-log-2011-08-18 (19-21-35).txt

Scan type: Full scan (C:\|)

Objects scanned: 289371

Time elapsed: 28 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 0

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 11

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\Windows\System32\config\systemprofile\AppData\Local\ima027.dll (Trojan.Hiloti) -> Delete on reboot.

c:\Windows\System32\config\systemprofile\AppData\Local\ubufivuta.dll (IPH.Trojan.Hiloti.7B) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kximuneburi (Trojan.Hiloti) -> Value: Kximuneburi -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rjoxizuxa (IPH.Trojan.Hiloti.7B) -> Value: Rjoxizuxa -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security Protection (Trojan.FakeAlert) -> Value: Security Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\System32\config\systemprofile\AppData\Local\ima027.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Windows\System32\config\systemprofile\AppData\Local\ubufivuta.dll (IPH.Trojan.Hiloti.7B) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.7354424438864159.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.7785120250179365.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Windows\Temp\19C6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Windows\Temp\695C.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Windows\Temp\B7E2.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

c:\Windows\Temp\srv4DC.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Windows\Temp\srv5BC.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

c:\programdata\defender.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.62959696463532.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.

4th Scan -

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7502

Windows 6.1.7600 (Safe Mode)

Internet Explorer 8.0.7600.16385

8/18/2011 8:02:41 PM

mbam-log-2011-08-18 (20-02-41).txt

Scan type: Quick scan

Objects scanned: 167468

Time elapsed: 1 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\Windows\System32\config\systemprofile\AppData\Local\ima027.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kximuneburi (Trojan.Hiloti) -> Value: Kximuneburi -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\System32\config\systemprofile\AppData\Local\ima027.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.9916966340127285.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Windows\System32\config\systemprofile\local settings\ima027.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

c:\Windows\System32\config\systemprofile\local settings\application data\ima027.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

THEN I ran ComboFix, and it deleted two files. I rebooted and ran Malwarebytes.

LOG

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7502

Windows 6.1.7600 (Safe Mode)

Internet Explorer 8.0.7600.16385

8/18/2011 8:07:47 PM

mbam-log-2011-08-18 (20-07-47).txt

Scan type: Quick scan

Objects scanned: 165744

Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Then Combofix again -

ComboFix 11-08-18.03 - Shane 08/18/2011 20:11:42.2.2 - x86 NETWORK

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3582.2586 [GMT -4:00]

Running from: c:\users\Shane\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2011-07-19 to 2011-08-19 )))))))))))))))))))))))))))))))

.

.

2011-08-19 00:15 . 2011-08-19 00:15 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-08-18 01:26 . 2011-08-18 01:26 50176 ---ha-w- c:\windows\system32\fingdate.dll

2011-08-18 01:25 . 2011-08-18 02:18 -------- d-----w- c:\programdata\gA01602KhDgC01602

2011-08-18 00:35 . 2011-08-18 00:35 -------- d-----w- c:\users\Shane\AppData\Roaming\Malwarebytes

2011-08-18 00:35 . 2011-07-08 11:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-18 00:35 . 2011-08-18 00:35 -------- d-----w- c:\programdata\Malwarebytes

2011-08-18 00:35 . 2011-08-18 00:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-18 00:35 . 2011-07-08 11:55 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-17 01:42 . 2011-06-15 09:04 86016 ----a-w- c:\windows\system32\odbccu32.dll

2011-08-17 01:42 . 2011-06-15 09:04 81920 ----a-w- c:\windows\system32\odbccr32.dll

2011-08-17 01:42 . 2011-06-15 09:04 122880 ----a-w- c:\windows\system32\odbccp32.dll

2011-08-17 01:21 . 2011-08-17 23:54 53248 ---ha-w- c:\windows\system32\chglutil.dll

2011-08-17 01:09 . 2011-08-17 01:09 -------- d-----w- c:\windows\Sun

2011-08-09 22:40 . 2011-06-15 09:04 319488 ----a-w- c:\windows\system32\odbcjt32.dll

2011-08-09 22:40 . 2011-06-15 09:04 163840 ----a-w- c:\windows\system32\odbctrac.dll

2011-08-09 22:40 . 2011-06-15 09:04 94208 ----a-w- c:\program files\Common Files\System\Ole DB\msdaosp.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-30 01:51 . 2011-06-24 04:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-11 02:37 . 2011-07-13 01:54 2332672 ----a-w- c:\windows\system32\win32k.sys

2011-06-02 05:59 . 2011-07-13 01:54 169984 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 05:58 . 2011-07-13 01:54 290816 ----a-w- c:\windows\system32\KernelBase.dll

2011-06-02 05:55 . 2011-07-13 01:54 271872 ----a-w- c:\windows\system32\conhost.exe

2011-06-02 05:45 . 2011-07-13 01:54 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll

2011-06-02 05:45 . 2011-07-13 01:54 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll

2011-06-02 03:45 . 2011-07-13 01:54 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-06-02 03:45 . 2011-07-13 01:54 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-06-02 03:45 . 2011-07-13 01:54 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-06-02 03:45 . 2011-07-13 01:54 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-05-28 03:00 . 2011-06-16 23:33 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-05-24 10:35 . 2011-06-28 22:07 294912 ----a-w- c:\windows\system32\umpnpmgr.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-08-18_23.52.26 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-08-17 01:09 . 2011-08-19 00:03 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat

- 2011-08-17 01:09 . 2011-08-18 23:29 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat

- 2011-08-18 23:24 . 2011-08-18 23:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2011-08-19 00:03 . 2011-08-19 00:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2011-08-19 00:03 . 2011-08-19 00:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2011-08-18 23:24 . 2011-08-18 23:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2010-09-25 01:21 . 2011-08-19 00:03 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat

- 2010-09-25 01:21 . 2011-08-18 23:38 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat

+ 2010-09-25 04:18 . 2011-08-19 00:03 114688 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2010-09-25 04:18 . 2011-08-18 23:48 114688 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2009-07-14 04:41 . 2011-08-19 00:03 196608 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2009-07-14 04:41 . 2011-08-18 23:48 196608 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2010-09-25 04:18 . 2011-08-18 23:48 1703936 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2010-09-25 04:18 . 2011-08-19 00:03 1703936 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2011-03-18 12:11 2471240 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-03-18 2471240]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-03-18 2471240]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1029416]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-03-14 2071904]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 1797008]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

"V0650Mon.exe"="c:\windows\V0650Mon.exe" [2010-02-23 28672]

"Rocket Live! Central 2"="c:\program files\Rocketfish HD Webcam\Live! Central\RFLVCentral2.exe" [2010-02-24 430247]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]

"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-01-08 288872]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-08 1047656]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"GrpConv"="grpconv -o" [X]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-08 449584]

.

c:\users\Shane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-3-10 576000]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

PHOTOfunSTUDIO 5.0 HD Edition.lnk - c:\program files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe [2010-12-25 172544]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv1A8]

@="service"

.

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-09-25 216400]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-09-25 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-09-25 308136]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-08 366640]

R2 MicrosoftDynamicsNavServer;Microsoft Dynamics NAV Server;c:\program files\Microsoft Dynamics NAV\60\Service\Microsoft.Dynamics.Nav.Server.exe [2009-08-14 141184]

R2 srv1A8;srv1A8;c:\windows\system32\svchost.exe [2009-07-14 20992]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-08 378984]

R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2011-03-18 947528]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2010-03-26 144640]

R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-07-07 44432]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-08 22712]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]

R3 MicrosoftDynamicsNavWS;Microsoft Dynamics NAV Business Web Services;c:\program files\Microsoft Dynamics NAV\60\Service\Microsoft.Dynamics.Nav.Server.exe [2009-08-14 141184]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

R3 V0650Vid;Rocketfish HD Webcam Driver;c:\windows\system32\DRIVERS\V0650Vid.sys [2010-03-31 322176]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-25 1343400]

S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2011-05-06 243152]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

srv1A8

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\srv1A8]

"servicedll"="\\?\globalroot\Device\HarddiskVolume2\Windows\Temp\srv1A8.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-08-18 20:16:52

ComboFix-quarantined-files.txt 2011-08-19 00:16

ComboFix2.txt 2011-08-18 23:53

.

Pre-Run: 134,619,508,736 bytes free

Post-Run: 134,541,299,712 bytes free

.

- - End Of File - - 796AFE0614655634B5F0EE33A4ABD25B

After all of this, I boot up in normal, and bam - Malwarebytes blocks some IP (svchost.exe) and I get the blue screen.

HELP!!


Quickscan in Safe Mode just now -

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7503

Windows 6.1.7600 (Safe Mode)

Internet Explorer 8.0.7600.16385

8/18/2011 8:48:08 PM

mbam-log-2011-08-18 (20-48-08).txt

Scan type: Quick scan

Objects scanned: 167100

Time elapsed: 2 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hi, sunnyd53:

Sorry you are infected.

Unfortunately, we cannot review scan logs or work on malware detection/removal in this part of the General MBAM forum.

The following information will help you get started on the cleaning process.

If you would like expert assistance with cleaning your system, there are 3 support options from which to choose:

  • Option 1 -- Free, Expert advice in the Malware Removal Forum
  • Option 2 -- Free support for paying customers using MBAM PRO -- Contact MBAM Support via email
  • Option 3 -- Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in this General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so that a qualified helper can help you fix any malware related problems/infections you may have.

  • First, please print out, read and follow the directions here, skipping any steps you are unable to complete. It looks as if you have already done some of this, including running MBAM -- this is good. :)
  • If the infection has so crippled the computer that you cannot follow most/all of the requested steps, then please just proceed as advised below:
  • Then please post a NEW topic here.
  • When posting your new thread, please make sure that, under "options", you select Track this topic and choose Immediate Email Notification, so that you're alerted when someone has replied to your post.
  • One of the expert helpers there will give you free, one-on-one assistance when one becomes available.
  • Please refrain from making any further changes to your computer (such as installing/uninstalling programs, using special fix tools (e.g. Combofix), deleting files, editing the registry, etc.) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.

IMPORTANT NOTE: Please DO NOT post back to your topic or "bump" it within the first 48 hours.

Replying to your own posts changes the post count from zero. Helpers are looking for topics with zero replies. If you reply to your own post, helpers may think that you're already being helped and thus may overlook your post. This will only delay your obtaining assistance.

  • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
  • Or you may send a Private Message to a Moderator asking for assistance.

OPTION 2

Alternatively, as a paying customer using MBAM PRO, you can contact the help desk at support@malwarebytes.org or here.

OPTION 3

If you would like to use the Malwarebytes Premium Services (Comprehensive solutions to all your computer support needs -- from installation and set-up to troubleshooting and tune-ups), please go to the Malwarebytes Premium Services support site.

Please be patient -- someone will assist you as soon as it is possible.

Thanks very much!

daledoc1

PS: Please use the zMn2t.jpg button instead of other ones when you reply here and at the other forums, so that it will be easier to read. :)


That's OK -- it happens all the time. :)

There are many sub-forums here, and it can be a bit confusing for newcomers.

Please be patient waiting for assistance at the malware removal forum -- it is rather busy these days.

Also, please note: it is not recommended to run Combofix or other special tools without expert help.

They can really mess up your system and make it hard to clean. :(

The malware expert who assists you at the other forum will guide you through the use of the scanners, cleaners and other tools needed for your particular system and infection(s).

It's also recommended not to reply to your own topic there for at least 48 hours -- the "0" reply count helps the experts to locate those topics still needing help.

If the count is not 0, it can look as if you are already being helped, and that might cause your topic to be overlooked, delaying your assistance. :(

Thanks very much for your patience and understanding. :)

Best regards,

daledoc1


This topic is now closed to further replies.