dascoop Posted September 2, 2011

I have a svchost.exe in my /windows directory (not in system or system32) and it keeps trying to access websites that your program blocks. Your program sees it as infected and deletes it, but it comes right back instantly, so obviously something else is continuously rebuilding it. I have run several scanners; BullGuard and Microsoft don't see it, yours does. Is it really an issue, or an incompatibility? I did have an infection, and I think I cleared it. This may just be file damage from that. Take a look, tell me what you think. I am so frustrated!

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7637

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

9/2/2011 11:08:11 AM
mbam-log-2011-09-02 (11-08-11).txt

Scan type: Quick scan
Objects scanned: 1
Time elapsed: 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

-----------------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Dascoop at 10:40:54 on 2011-09-02
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2467 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch-netsvcs
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Prevx\prevx.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe-netsvcs
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1 75.75.75.75 75.75.76.76
TCP: Interfaces\{E5CCA749-5CEF-46EA-82E5-6894D25A0FAA} : DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1 75.75.75.75 75.75.76.76
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
BHO-X64: AutorunsDisabled - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 pxscan;pxscan;C:\Windows\system32\drivers\pxscan.sys --> C:\Windows\system32\drivers\pxscan.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 pxrts;pxrts;C:\Windows\system32\drivers\pxrts.sys --> C:\Windows\system32\drivers\pxrts.sys [?]
R2 CSIScanner;CSIScanner;C:\Program Files\Prevx\prevx.exe [2011-9-2 6746280]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-9-2 366640]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-7-16 2214504]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-5-20 378472]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 pxkbf;pxkbf;C:\Windows\system32\drivers\pxkbf.sys --> C:\Windows\system32\drivers\pxkbf.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2010-12-28 51727736]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-09-02 14:30:08 -------- d-----w- C:\$RECYCLE.BIN
2011-09-02 14:18:57 98816 ----a-w- C:\Windows\sed.exe
2011-09-02 14:18:57 518144 ----a-w- C:\Windows\SWREG.exe
2011-09-02 14:18:57 256000 ----a-w- C:\Windows\PEV.exe
2011-09-02 14:18:57 208896 ----a-w- C:\Windows\MBR.exe
2011-09-02 14:04:38 62976 ----a-w- C:\Windows\SysWow64\PxSecure.dll
2011-09-02 14:04:37 65736 ----a-w- C:\Windows\System32\drivers\pxrts.sys
2011-09-02 14:04:37 36384 ----a-w- C:\Windows\System32\drivers\pxscan.sys
2011-09-02 14:04:37 24024 ----a-w- C:\Windows\System32\drivers\pxkbf.sys
2011-09-02 14:04:36 -------- d-----w- C:\Program Files\Prevx
2011-09-02 14:04:21 -------- d-----w- C:\ProgramData\PrevxCSI
2011-09-02 13:41:59 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-09-02 13:41:52 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-09-02 13:38:36 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F6EEF163-4BCE-4CB9-AD13-E3368785B1AA}\mpengine.dll
2011-09-02 13:35:03 20480 ------w- C:\Windows\svchost.exe
2011-09-02 13:07:00 -------- d-----w- C:\Users\Dascoop\AppData\Roaming\Software Inspection Library
2011-09-02 12:57:27 -------- d-----w- C:\Users\Dascoop\AppData\Roaming\BullGuard
2011-09-02 12:56:37 -------- d-----w- C:\ProgramData\BullGuard
2011-09-02 12:55:45 -------- d-----w- C:\Program Files\BullGuard Ltd
2011-09-02 12:28:26 -------- d-----w- C:\Program Files (x86)\ESET
2011-09-01 23:56:10 -------- d-----w- C:\Users\Dascoop\AppData\Roaming\Malwarebytes
2011-09-01 23:56:02 -------- d-----w- C:\ProgramData\Malwarebytes
2011-09-01 23:55:58 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-08-31 11:15:22 255560 ----a-w- C:\Windows\System32\drivers\NSKernel.sys
2011-08-28 21:58:41 -------- d-----w- C:\Windows\pss
2011-08-16 00:53:40 -------- d-----w- C:\Users\Dascoop\AppData\Roaming\uqm
2011-08-16 00:53:40 -------- d-----w- C:\Program Files (x86)\The Ur-Quan Masters
2011-08-11 19:07:50 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FE7BE1E6-2A76-4D21-85B1-3BF8FE3C04FC}\gapaengine.dll
2011-08-10 10:32:04 4096 ---ha-w- C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
.
==================== Find3M ====================
.
2011-07-15 20:51:57 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-07 00:21:36 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-06-19 00:36:46 275360 ----a-w- C:\Windows\System32\DreamScene.dll
2011-06-16 14:41:30 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 10:41:22.21 ===============

Attach.zip
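The file this post keeps losing and regaining sits at C:\Windows\svchost.exe, while the image Windows actually ships lives only in System32 (and SysWOW64 for the 32-bit copy); the ComboFix log later in the thread shows the same binary running under the NT device alias c:\\.\globalroot\systemroot\svchost.exe, which is how a DDS-style path check can miss it. The block below is an added example, not code from the original post, from Malwarebytes, or from the DDS/ComboFix authors: it normalizes those path forms and flags any svchost.exe outside its shipped directories, and separately walks a DDS "Created Last 30" section for executables created directly in the Windows root. The sample lines are a constructed subset copied from the log above; the TOOL_DROPS allowlist (sed.exe, SWREG.exe, PEV.exe, MBR.exe) is an analyst assumption about ComboFix's own helper files, not something the log itself proves.

```python
"""Triage helpers for DDS / ComboFix style logs (added example, not part of the
forum post): find svchost.exe images outside the directories Windows ships it in,
and list recently created executables dropped directly into the Windows root."""
import re
from pathlib import PureWindowsPath

SYSTEM_ROOT = r"C:\Windows"
# The only directories a genuine svchost.exe image lives in on Windows 7 x64.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Analyst-maintained allowlist (an assumption, not something the log proves): these
# four names appear in the log above with timestamps matching the ComboFix run.
TOOL_DROPS = {"sed.exe", "swreg.exe", "pev.exe", "mbr.exe"}

# Constructed sample in the shape of the DDS "Running Processes" and ComboFix
# "Other Running Processes" sections above (a subset, not the full log).
SAMPLE_PROCESS_LINES = r"""
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Prevx\prevx.exe
c:\\.\globalroot\systemroot\svchost.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\\.\globalroot\systemroot\svchost.exe
C:\Windows\SysWOW64\cscript.exe
""".strip().splitlines()

# Constructed sample in the shape of the DDS "Created Last 30" section above.
SAMPLE_CREATED_LINES = r"""
2011-09-02 14:30:08 -------- d-----w- C:\$RECYCLE.BIN
2011-09-02 14:18:57 98816 ----a-w- C:\Windows\sed.exe
2011-09-02 14:18:57 518144 ----a-w- C:\Windows\SWREG.exe
2011-09-02 14:04:37 65736 ----a-w- C:\Windows\System32\drivers\pxrts.sys
2011-09-02 13:35:03 20480 ------w- C:\Windows\svchost.exe
2011-08-31 11:15:22 255560 ----a-w- C:\Windows\System32\drivers\NSKernel.sys
""".strip().splitlines()

# Image path ends at ".exe"; anything after whitespace is service-group arguments.
_IMAGE_RE = re.compile(r"^\s*(.*?\.exe)(?:\s.*)?$", re.IGNORECASE)
# ComboFix prints the NT device alias with a drive letter glued on: c:\\.\globalroot\systemroot
_GLOBALROOT_RE = re.compile(r"^(?:[a-z]:)?\\\\\.\\globalroot\\systemroot", re.IGNORECASE)
# DDS "Created Last 30" row: timestamp, size (or dashes for a directory), attribute flags, path
_CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S{8})\s+(.+)$")


def normalize_image_path(raw: str) -> str:
    """Strip service-group arguments and resolve the globalroot/systemroot alias to C:\\Windows."""
    m = _IMAGE_RE.match(raw)
    path = m.group(1) if m else raw.strip()
    path = _GLOBALROOT_RE.sub(lambda _: SYSTEM_ROOT, path)
    path = re.sub(r"^\\systemroot", lambda _: SYSTEM_ROOT, path, flags=re.IGNORECASE)
    return path


def rogue_svchost_images(lines):
    """Distinct svchost.exe image paths whose directory is not System32 or SysWOW64."""
    found = set()
    for raw in lines:
        path = normalize_image_path(raw)
        p = PureWindowsPath(path)
        if p.name.lower() == "svchost.exe" and str(p.parent).lower() not in LEGIT_SVCHOST_DIRS:
            found.add(path)
    return sorted(found)


def executables_dropped_in_windows_root(lines, allowlist=frozenset(TOOL_DROPS)):
    """(timestamp, size, path) for executable file types created directly in the
    Windows root, skipping directories and allowlisted tool names."""
    hits = []
    for raw in lines:
        m = _CREATED_RE.match(raw.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        if attrs.startswith("d"):  # directories are listed with d-----w-
            continue
        p = PureWindowsPath(path)
        if str(p.parent).lower() != SYSTEM_ROOT.lower():
            continue
        if p.suffix.lower() not in {".exe", ".dll", ".sys", ".scr", ".com"}:
            continue
        if p.name.lower() in allowlist:
            continue
        hits.append((stamp, int(size) if size.isdigit() else 0, path))
    return hits


if __name__ == "__main__":
    for path in rogue_svchost_images(SAMPLE_PROCESS_LINES):
        print("svchost.exe outside its shipped directories:", path)
    for stamp, size, path in executables_dropped_in_windows_root(SAMPLE_CREATED_LINES):
        print(f"recent executable in Windows root: {path} ({size} bytes, created {stamp})")
```

Run as a script it reports the two findings from the samples: the device-alias svchost.exe resolves to C:\Windows\svchost.exe and is flagged, and the 20480-byte file created at 13:35:03 is the only non-allowlisted executable in the Windows root. A file whose directory fails this test should be hashed and judged on its content, never trusted on its name; the same check applies to the image path of every live svchost.exe process on a machine being triaged.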
Staff screen317 Posted September 5, 2011

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you. Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.
dascoop Posted September 5, 2011

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7660

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

9/5/2011 7:38:22 PM
mbam-log-2011-09-05 (19-38-22).txt

Scan type: Quick scan
Objects scanned: 202781
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

There ya go, other logs coming.
dascoop Posted September 6, 2011

My post was too long, had to attach everything, but all 3 logs are there in the attachment. Thanks in advance.

Attach (2).zip
Staff screen317 Posted September 7, 2011

Hi,

Post the contents of these files:
C:\qoobox\ComboFix2.txt
C:\qoobox\ComboFix3.txt

Don't attach them. Split them into multiple posts if necessary.
dascoop Posted September 7, 2011

ComboFix 11-09-01.03 - Dascoop 09/02/2011 10:19:46.1.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.3060 [GMT -4:00]
Running from: c:\users\Dascoop\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_RelevantKnowledge
.
.
((((((((((((((((((((((((( Files Created from 2011-08-02 to 2011-09-02 )))))))))))))))))))))))))))))))
.
.
2011-09-02 14:04 . 2011-09-02 14:04 62976 ----a-w- c:\windows\SysWow64\PxSecure.dll
2011-09-02 14:04 . 2011-09-02 14:04 65736 ----a-w- c:\windows\system32\drivers\pxrts.sys
2011-09-02 14:04 . 2011-09-02 14:04 36384 ----a-w- c:\windows\system32\drivers\pxscan.sys
2011-09-02 14:04 . 2011-09-02 14:04 24024 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2011-09-02 14:04 . 2011-09-02 14:04 -------- d-----w- c:\program files\Prevx
2011-09-02 14:04 . 2011-09-02 14:10 -------- d-----w- c:\programdata\PrevxCSI
2011-09-02 13:41 . 2011-07-06 23:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-09-02 13:41 . 2011-07-06 23:52 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-02 13:38 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F6EEF163-4BCE-4CB9-AD13-E3368785B1AA}\mpengine.dll
2011-09-02 13:07 . 2011-09-02 13:07 -------- d-----w- c:\users\Dascoop\AppData\Roaming\Software Inspection Library
2011-09-02 12:57 . 2011-09-02 13:07 -------- d-----w- c:\users\Dascoop\AppData\Roaming\BullGuard
2011-09-02 12:56 . 2011-09-02 13:14 -------- d-----w- c:\programdata\BullGuard
2011-09-02 12:55 . 2011-09-02 12:55 -------- d-----w- c:\program files\BullGuard Ltd
2011-09-02 12:28 . 2011-09-02 12:28 -------- d-----w- c:\program files (x86)\ESET
2011-09-01 23:56 . 2011-09-01 23:56 -------- d-----w- c:\users\Dascoop\AppData\Roaming\Malwarebytes
2011-09-01 23:56 . 2011-09-01 23:56 -------- d-----w- c:\programdata\Malwarebytes
2011-09-01 23:55 . 2011-09-02 13:41 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-08-31 11:15 . 2011-08-31 11:15 255560 ----a-w- c:\windows\system32\drivers\NSKernel.sys
2011-08-16 00:53 . 2011-08-16 01:19 -------- d-----w- c:\users\Dascoop\AppData\Roaming\uqm
2011-08-16 00:53 . 2011-08-16 01:03 -------- d-----w- c:\program files (x86)\The Ur-Quan Masters
2011-08-11 19:07 . 2011-04-25 07:55 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FE7BE1E6-2A76-4D21-85B1-3BF8FE3C04FC}\gapaengine.dll
2011-08-10 10:32 . 2011-07-16 05:21 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 20:51 . 2011-06-11 21:57 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-13 04:53 . 2011-07-31 19:01 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-07-13 04:53 . 2011-04-25 10:54 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-07 00:21 . 2011-07-07 00:21 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-06-19 00:36 . 2011-06-19 00:36 275360 ----a-w- c:\windows\system32\DreamScene.dll
2011-06-16 14:41 . 2011-06-16 14:41 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
2011-06-11 03:07 . 2011-07-13 09:51 3137536 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-12-28 51727736]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [x]
S1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [x]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2011-09-02 6746280]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-25 2214504]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-05-21 378472]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2839132259-1478123975-1270290933-1000Core.job
- c:\users\Dascoop\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-17 12:09]
.
2011-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2839132259-1478123975-1270290933-1000UA.job
- c:\users\Dascoop\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-17 12:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-28 11101800]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
"combofix"="c:\combofix\CF869.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2839132259-1478123975-1270290933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2839132259-1478123975-1270290933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-2839132259-1478123975-1270290933-1000\Software\SecuROM\License information*]
"datasecu"=hex:e9,3c,49,b2,c7,23,3e,e5,bd,d5,39,36,32,d7,2d,83,5b,e5,91,f7,9b,
 39,ad,b0,22,77,7f,9c,fd,30,58,20,f0,e6,87,ab,4f,b0,73,1c,ff,d8,cb,7f,10,4a,\
"rkeysecu"=hex:67,b8,4c,66,47,0a,ba,2e,f7,1f,4f,3c,ab,aa,fa,90
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\\.\globalroot\systemroot\svchost.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\\.\globalroot\systemroot\svchost.exe
c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe
.
**************************************************************************
.
Completion time: 2011-09-02 10:37:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-02 14:36
ComboFix2.txt 2011-09-02 12:25
.
Pre-Run: 311,021,379,584 bytes free
Post-Run: 310,564,458,496 bytes free
.
- - End Of File - - D15F1D429862E5D016226E3159BD3CC1

ComboFix 11-09-01.03 - Dascoop 09/02/2011 8:07.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2744 [GMT -4:00]
Running from: c:\users\Dascoop\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_RelevantKnowledge
.
.
((((((((((((((((((((((((( Files Created from 2011-08-02 to 2011-09-02 )))))))))))))))))))))))))))))))
.
.
2011-09-02 11:49 . 2011-09-02 11:49 110896 ----a-w- c:\windows\system32\drivers\33978970.sys
2011-09-01 23:56 . 2011-09-01 23:56 -------- d-----w- c:\users\Dascoop\AppData\Roaming\Malwarebytes
2011-09-01 23:56 . 2011-07-06 23:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-09-01 23:56 . 2011-09-01 23:56 -------- d-----w- c:\programdata\Malwarebytes
2011-09-01 23:55 . 2011-09-01 23:56 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-09-01 23:55 . 2011-07-06 23:52 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-01 15:14 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1911F76A-CF5D-4445-9B76-9F3D91337C51}\mpengine.dll
2011-08-27 22:22 . 2011-08-27 22:22 -------- d-----w- c:\users\Dascoop\AppData\Roaming\PunkBuster
2011-08-24 05:16 . 2011-07-09 05:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-24 05:16 . 2011-07-09 04:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-08-16 00:53 . 2011-08-16 01:19 -------- d-----w- c:\users\Dascoop\AppData\Roaming\uqm
2011-08-16 00:53 . 2011-08-16 01:03 -------- d-----w- c:\program files (x86)\The Ur-Quan Masters
2011-08-11 19:07 . 2011-04-25 07:55 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FE7BE1E6-2A76-4D21-85B1-3BF8FE3C04FC}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-27 22:22 . 2011-04-26 13:14 189248 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-08-27 22:22 . 2011-04-26 13:14 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2011-08-12 04:10 . 2011-04-25 10:54 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-16 04:26 . 2011-08-10 10:32 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-07-15 20:51 . 2011-06-11 21:57 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-13 04:53 . 2011-07-31 19:01 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-07-07 00:21 . 2011-07-07 00:21 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-06-19 00:36 . 2011-06-19 00:36 275360 ----a-w- c:\windows\system32\DreamScene.dll
2011-06-16 14:41 . 2011-06-16 14:41 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
2011-06-11 03:07 . 2011-07-13 09:51 3137536 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-12-28 51727736]
R3
MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]R4 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-25 2214504]R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-05-21 378472]S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]..Contents of the 'Scheduled Tasks' folder.2011-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2839132259-1478123975-1270290933-1000Core.job- c:\users\Dascoop\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-17 12:09].2011-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2839132259-1478123975-1270290933-1000UA.job- c:\users\Dascoop\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-17 12:09]..--------- x86-64 
-----------..[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-28 11101800]"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]"combofix"="c:\combofix\CF7293.3XE" [2010-11-20 345088].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"LoadAppInit_DLLs"=0x0.------- Supplementary Scan -------.uLocal Page = c:\windows\system32\blank.htmuStart Page = hxxp://www.google.com/mLocal Page = c:\windows\SysWOW64\blank.htmIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1 75.75.75.75 75.75.76.76.- - - - ORPHANS REMOVED - - - -.AddRemove-{08234a0d-cf39-4dca-99f0-0c5cb496da81} - c:\program files (x86)\Bing Bar Installer\InstallManager.exe...--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_USERS\S-1-5-21-2839132259-1478123975-1270290933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]@Denied: (2) (LocalSystem)"Progid"="WindowsLiveMail.Email.1".[HKEY_USERS\S-1-5-21-2839132259-1478123975-1270290933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]@Denied: (2) (LocalSystem)"Progid"="WindowsLiveMail.VCard.1".[HKEY_USERS\S-1-5-21-2839132259-1478123975-1270290933-1000\Software\SecuROM\License information*]"datasecu"=hex:e9,3c,49,b2,c7,23,3e,e5,bd,d5,39,36,32,d7,2d,83,5b,e5,91,f7,9b, 39,ad,b0,22,77,7f,9c,fd,30,58,20,f0,e6,87,ab,4f,b0,73,1c,ff,d8,cb,7f,10,4a,\"rkeysecu"=hex:67,b8,4c,66,47,0a,ba,2e,f7,1f,4f,3c,ab,aa,fa,90.[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]@Denied: (A 2) 
(Everyone)@="FlashBroker""LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Shockwave Flash Object".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]@="0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]@="ShockwaveFlash.ShockwaveFlash.10".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="ShockwaveFlash.ShockwaveFlash".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Macromedia Flash Factory 
Object".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]@="FlashFactory.FlashFactory.1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="FlashFactory.FlashFactory".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]@Denied: (A 2) (Everyone)@="IFlashBroker4".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).------------------------ Other Running Processes ------------------------.c:\\.\globalroot\systemroot\svchost.exec:\windows\SysWOW64\PnkBstrA.exec:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exec:\\.\globalroot\systemroot\svchost.exe.**************************************************************************.Completion time: 2011-09-02 08:25:00 - machine was rebootedComboFix-quarantined-files.txt 2011-09-02 12:25.Pre-Run: 312,475,504,640 bytes freePost-Run: 312,049,696,768 bytes free.- - End Of File - - 
F57883E1CBA42240AF0259319146B932 Link to post Share on other sites More sharing options...
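Both ComboFix runs above list the live copy as c:\\.\globalroot\systemroot\svchost.exe. \SystemRoot is the NT object-manager symbolic link to the Windows directory, so that native path is C:\Windows\svchost.exe, the file MBAM keeps quarantining, and not the System32 copy that hosts Windows services. The script below is an added example for this page, not code from the thread, Malwarebytes or ComboFix. It runs the checks a responder would do on the live machine before reaching for a rootkit scanner: which svchost.exe processes are not the real one (image outside System32, no "-k" service group, parent other than services.exe, not Microsoft-signed), which user-mode autostarts reference svchost.exe, and what the rogue file in C:\Windows looks like. It assumes Windows 7 or later, PowerShell 2.0 or newer, an elevated prompt, and only stock cmdlets plus .NET; the function names are mine.

```powershell
# Added triage script for the symptom in this thread (a svchost.exe in C:\Windows
# that comes back after deletion). Example code written for this page, not code
# from the thread, Malwarebytes or ComboFix. Assumes Windows 7 or later with
# PowerShell 2.0+, run from an elevated prompt; only stock cmdlets and .NET.

$sysRoot      = $env:SystemRoot
$legitSvchost = @("$sysRoot\System32\svchost.exe", "$sysRoot\SysWOW64\svchost.exe")
$svchostRx    = '(?i)svchost\.exe'

function Test-SvchostProcess {
    # A genuine svchost.exe is launched by services.exe with "-k <group>" and runs
    # from System32 (or SysWOW64). Anything else gets a SUSPECT verdict with reasons.
    foreach ($p in Get-WmiObject Win32_Process -Filter "Name='svchost.exe'") {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        $parentName = '<gone>'                      # parent exited or its PID was reused
        if ($parent) { $parentName = $parent.Name }
        $path  = $p.ExecutablePath
        $flags = @()
        if (-not $path) { $flags += 'image path unreadable' }
        elseif ($legitSvchost -notcontains $path) { $flags += "image outside System32: $path" }
        if (-not $p.CommandLine -or $p.CommandLine -notmatch '\s-k\s') { $flags += 'no -k service group' }
        if ($parentName -ne 'services.exe') { $flags += "parent is $parentName, not services.exe" }
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
            elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { $flags += "signer $($sig.SignerCertificate.Subject)" }
        }
        New-Object PSObject -Property @{
            PID = $p.ProcessId; Path = $path
            Verdict = $(if ($flags.Count -gt 0) { 'SUSPECT' } else { 'ok' })
            Reasons = ($flags -join '; ')
        }
    }
}

function Find-SvchostPersistence {
    # User-mode autostarts that could relaunch or restore the rogue file: Run/RunOnce
    # (64- and 32-bit views), service image paths, scheduled tasks. A kernel driver
    # that rewrites the file will not show here; that is what GMER/TDSSKiller are for.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($v in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }           # provider metadata, not a value
            if ("$($v.Value)" -match $svchostRx) {
                New-Object PSObject -Property @{ Source = $key; Name = $v.Name; Command = $v.Value }
            }
        }
    }
    # A real svchost-hosted service points at System32\svchost.exe -k <group>.
    foreach ($svc in Get-WmiObject Win32_Service) {
        if ($svc.PathName -match $svchostRx -and $svc.PathName -notmatch '(?i)\\System32\\svchost\.exe') {
            New-Object PSObject -Property @{ Source = 'Service'; Name = $svc.Name; Command = $svc.PathName }
        }
    }
    # schtasks works on Windows 7, where Get-ScheduledTask does not exist.
    foreach ($t in (schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv)) {
        if ($t.'Task To Run' -match $svchostRx) {
            New-Object PSObject -Property @{ Source = 'Scheduled task'; Name = $t.TaskName; Command = $t.'Task To Run' }
        }
    }
}

function Get-RogueSvchostFile {
    # The file MBAM keeps quarantining. Record hash, size, version description and
    # signature: an identical hash on each reappearance means a stored copy is being
    # restored, a changing one means it is regenerated.
    $rogue = Join-Path $sysRoot 'svchost.exe'
    if (-not (Test-Path -LiteralPath $rogue)) { return $null }
    $item = Get-Item -LiteralPath $rogue
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash([System.IO.File]::ReadAllBytes($rogue)) | ForEach-Object { $_.ToString('x2') }) -join ''
    New-Object PSObject -Property @{
        Path = $rogue; Size = $item.Length; Created = $item.CreationTime; Modified = $item.LastWriteTime
        Description = $item.VersionInfo.FileDescription
        Signature = (Get-AuthenticodeSignature -FilePath $rogue).Status; SHA256 = $hash
    }
}

Test-SvchostProcess     | Format-Table PID, Verdict, Path, Reasons -AutoSize -Wrap
Find-SvchostPersistence | Format-Table Source, Name, Command -AutoSize -Wrap
Get-RogueSvchostFile    | Format-List
```

Run it from an elevated PowerShell window. Two caveats: the parent lookup goes through WMI, so a parent that has already exited (or whose PID has been reused) shows as something other than services.exe and deserves a second look rather than an automatic verdict; and everything here is user-mode, so "no persistence found" while the file keeps returning points at a kernel-mode component, which is why the staff replies below move on to GMER and TDSSKiller. One more thing the log itself shows: "EnableLUA"= 0 means UAC was disabled on this machine, so any program run from an administrator account already holds a full admin token and can rewrite C:\Windows without a prompt.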
dascoop (Author) Posted September 8, 2011 ID:473837
Also as a side note, and probably related, in any browser, opening a page in a new tab/window takes a really, really long time, like 10-20 seconds at times, as if it's going through a million proxies or something, just really slow, but once it loads I seem to have no issues.
HighVoltage87 Posted September 8, 2011 ID:473861
Just to add to this topic: I am facing the exact same problem. svchost.exe in \windows, description says winscrmde.
Tried deleting it with many tools (move on boot, Avenger script etc.); nothing works.
No other anti-malware/anti-virus sees it as a problem.
screen317 (Staff) Posted September 8, 2011 ID:474173
Anyone who is not dascoop, please start your own topic to receive assistance.

dascoop,

Please download GMER from one of the following locations and save it to your Desktop:
- Main Mirror: this version will download a randomly named file (Recommended)
- Zipped Mirror: this version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

- Double click GMER.exe. If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
- In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
  - Sections
  - IAT/EAT
  - Drives/Partition other than Systemdrive (typically C:\)
  - Show All (don't miss this one)
- Then click the Scan button and wait for it to finish.
- Once done, click on the [Save..] button, and in the File name area, type in "ark.txt".
- Save the log where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any <--- ROOTKIT entries.

Please copy and paste the report into your post.
dascoop (Author) Posted September 9, 2011 ID:474283
It showed absolutely blank.
dascoop (Author) Posted September 9, 2011 ID:474294
Also, most of that crap on the right was greyed out except for ADS.
screen317 (Staff) Posted September 13, 2011 ID:475489
Hi,

Try this instead:

- Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
- Execute the file TDSSKiller.exe by double-clicking on it.
- Wait for the scan and disinfection process to be over.
- When its work is over, the utility prompts for a reboot to complete the disinfection.
- By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule). The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.
screen317 (Staff) Posted October 10, 2011 ID:483902
Are you still with us? This topic will be closed in a few days if we do not hear back from you.
screen317 (Staff) Posted October 14, 2011 ID:485539
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!