Print Page - Help with Virus/Malware please!!

Title: Help with Virus/Malware please!!
Post by: a-mazing on June 28, 2011, 01:18:12 AM

My daughter's laptop has a virus/malware problem. When you turn the computer on a page opens that says "Malware Protection" It looks like a legitimate computer anti-virus program but I'm sure it's not. Any attempt you make to open a program whether it's internet or otherwise a box pops up that says "Security Warning! Malicious program has been detected. Click here to protect your computer" I was going to run a virus scan, but I can't. What do I do?? Thank you very much for your help! After I get rid of it, what anti-virus and anti-malware programs would you recommend? The operating system is Windows 7.

Title: Re: Help with Virus/Malware please!!
Post by: Corrine on June 28, 2011, 01:43:38 AM

Hi, a-mazing.

Let's take care of the rogue first and then we'll take a look at security programs for your daughter's laptop. Please follow the instructions below in the order provided. Note that it may take more than one reply to get all the requested logs to post.

1. Please restart the computer in Safe Mode with Networking. (To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. Windows will now boot into safe mode with networking and prompt you to login as a user.)

2) Please download the TDSSKiller.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) by Kaspersky... save it to your Desktop. <-Important!!!

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista - W7 users: Right-click and select "Run As Administrator".
If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
If you don't see file extensions, please see: How to change the file extension (http://www.mediacollege.com/microsoft/windows/extension-change.html).
Click the Start Scan button. Do not use the computer during the scan!
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the "Scan results - Select action for found objects[/b]" and offer 3 options.
- Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

Note: If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again.

3. Please download rkill from one of the following links and save to your Desktop:

One (http://download.bleepingcomputer.com/grinler/rkill.exe), Two (http://download.bleepingcomputer.com/grinler/rkill.com),Three (http://download.bleepingcomputer.com/grinler/rkill.scr) or Four (http://download.bleepingcomputer.com/grinler/rkill.pif)

Double-click rkill to run.
A command window will open then disappear upon completion, this is normal.
Please leave rkill on the Desktop until otherwise advised.
Do NOT restart your computer after running rkill as the malware program(s) will start again.

Note: If you you receive security warnings about rkill, please ignore and allow the download to continue.

4. Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware and
Launch Malwarebytes' Anti-Malware
Click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, be sure Quick scan is selected, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FMBAM_SR.png&hash=38adbab18bc0003ecf543fafb564e34dadece253)
Click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Please post contents of that file in your next reply.

** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

5. Download DDS.scr by sUBs from one of the following links and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)

Double-Click dds.scr and a command window will appear. This is normal
Shortly after two logs will appear, DDS.txt & Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply

6. Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Requested logs:

TDSSKiller
Malwarebytes
Both DDS.txt and Attach.txt
checkup.txt

Title: Re: Help with Virus/Malware please!!
Post by: a-mazing on June 28, 2011, 03:14:36 AM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6964

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

6/27/2011 11:03:27 PM
mbam-log-2011-06-27 (23-03-27).txt

Scan type: Quick scan
Objects scanned: 166285
Time elapsed: 3 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Malware Protection (Trojan.FakeAlert) -> Value: Malware Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\hellacious\AppData\Roaming\defender.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\hellacious\AppData\Local\Temp\37C8.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\hellacious\AppData\Local\Temp\42D0.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\hellacious\AppData\Local\Temp\Low\9b88.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\hellacious\AppData\Local\Temp\Low\oxn.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\hellacious\AppData\Local\Temp\Low\oxn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\hellacious\AppData\Local\Temp\Low\qgl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\hellacious\AppData\Local\Temp\Low\R66v.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\hellacious\AppData\Local\Temp\Low\jymagvksb\kpqpufyxsik.exe (Trojan.FakeAlertRP.Gen) -> Quarantined and deleted successfully.

this is the results of the malwarebytes scan. I'm still working

Title: Re: Help with Virus/Malware please!!
Post by: a-mazing on June 28, 2011, 03:43:47 AM

DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Hellacious at 23:37:48 on 2011-06-27
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2811.1514 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\atibtmon.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\consent.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.theinfamousmag.com/
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB: @c:\Program Files (x86)\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\Program Files (x86)\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll
uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{B46B8EEB-761B-4C75-880E-C8734A28A45A} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{B46B8EEB-761B-4C75-880E-C8734A28A45A}\24C4B4245616E6 : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{B46B8EEB-761B-4C75-880E-C8734A28A45A}\7416277237 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B46B8EEB-761B-4C75-880E-C8734A28A45A}\E4164756058656C60737 : DhcpNameServer = 10.0.1.1
TCP: Interfaces\{C05AD519-926E-46DA-A286-D6B3A0E85834} : DhcpNameServer = 40.1.1.100
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB-X64: @c:\Program Files (x86)\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\Program Files (x86)\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

and Attach:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 2/12/2011 9:17:08 AM
System Uptime: 6/27/2011 11:06:38 PM (0 hours ago)
.
Motherboard: Hewlett-Packard | | 1444
Processor: AMD Athlon(tm) II P340 Dual-Core Processor | Socket S1G4 | 792/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 280 GiB total, 233.607 GiB free.
D: is FIXED (NTFS) - 17 GiB total, 2.509 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP48: 5/29/2011 8:41:15 PM - Windows Backup
RP49: 5/31/2011 2:27:22 PM - Windows Update
RP50: 6/3/2011 6:28:57 PM - Windows Update
RP51: 6/5/2011 8:24:43 PM - Windows Backup
RP52: 6/7/2011 5:32:30 PM - Windows Update
RP53: 6/11/2011 2:53:55 PM - Windows Update
RP54: 6/12/2011 7:00:14 PM - Windows Backup
RP55: 6/15/2011 8:10:02 PM - Windows Update
RP56: 6/16/2011 1:16:19 AM - Windows Update
RP57: 6/17/2011 4:35:24 PM - Windows Update
RP58: 6/18/2011 12:21:24 PM - Windows Update
RP59: 6/18/2011 7:55:27 PM - Windows Update
RP60: 6/21/2011 12:18:14 PM - Windows Update
RP61: 6/21/2011 12:23:40 PM - Windows Backup
RP62: 6/26/2011 11:49:48 PM - Removed Norton Online Backup
RP63: 6/27/2011 9:21:54 PM - Windows Backup
RP64: 6/27/2011 11:11:55 PM - Windows Update
.
==== Installed Programs ======================
.
Acrobat.com
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3 MUI
Adobe Shockwave Player 11.5
AIM 7
AMD USB Filter Driver
Atheros Driver Installation Program
Bejeweled 2 Deluxe
Bing Bar
Bing Bar Platform
Bing Rewards Client Installer
Blackhawk Striker 2
Build-a-lot 2
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Chuzzle Deluxe
CinemaNow Media Manager
Cisco Connect
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
CyberLink DVD Suite
CyberLink MediaShow
CyberLink PowerDVD 9
CyberLink YouCam
Diner Dash 2 Restaurant Rescue
Dora's Carnival Adventure
Download Updater (AOL LLC)
Energy Star Digital Logo
Escape Rosecliff Island
ESU for Microsoft Windows 7
FATE
Final Drive Nitro
Google Earth Plug-in
Google Update Helper
Heroes of Hellas 2 - Olympia
HP Advisor
HP Customer Experience Enhancements
HP Documentation
HP Game Console
HP Games
HP MediaSmart CinemaNow 2.0
HP Photo Creations
HP Power Manager
HP Quick Launch
HP Setup
HP Software Framework
HP Support Assistant
HPAsset component for HP Active Support Library
Java Auto Updater
Java(TM) 6 Update 20
Jewel Quest 3
Jewel Quest Solitaire 2
Junk Mail filter update
LabelPrint
LightScribe System Software
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft Choice Guard
Microsoft Default Manager
Microsoft Office 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Starter 2010 - English
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft WSE 3.0 Runtime
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Internet Security
Norton Online Backup
Penguins!
PhotoNow!
Plants vs. Zombies
Poker Superstars III
Polar Bowler
Polar Golfer
Power2Go
PowerDirector
Realtek Ethernet Controller Driver For Windows 7
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Recovery Manager
Roxio CinemaNow 2.0
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Skype Toolbars
Skype™ 5.1
Virtual Families
Virtual Villagers - The Secret City
Wheel of Fortune 2
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Yahoo! BrowserPlus 2.9.8
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
.
6/27/2011 11:09:06 PM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 10.0.0.30. The computer with the IP address 10.0.0.5 did not allow the name to be claimed by this computer.
6/27/2011 11:03:30 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
6/27/2011 10:36:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
6/27/2011 10:36:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
6/27/2011 10:32:55 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
6/27/2011 10:29:51 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athihvs.dll Error Code: 21
6/27/2011 10:29:50 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
6/27/2011 10:29:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
6/27/2011 10:29:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/27/2011 10:29:43 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
6/27/2011 10:29:34 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx64 discache eeCtrl IDSVia64 spldr SRTSPX SymIRON SymNetS Wanarpv6
6/27/2011 10:29:33 PM, Error: Service Control Manager [7001] - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: The dependency service or group failed to start.
.
==== End Of File ===========================

.

Title: Re: Help with Virus/Malware please!!
Post by: a-mazing on June 28, 2011, 03:49:13 AM

Results of screen317's Security Check version 0.99.17
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 20
Out of date Java installed!
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
``````````End of Log````````````

Title: Re: Help with Virus/Malware please!!
Post by: a-mazing on June 28, 2011, 03:52:29 AM

:mitch: I've completed everything and think I have all the logs. The TDSSkiller didn't find anything so there was no log. I'm ready for the next set of instructions.
Thank you so much! You're an angel!

Title: Re: Help with Virus/Malware please!!
Post by: Corrine on June 28, 2011, 02:14:56 PM

That was fast work!

Please download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.

Double-click on JavaRa.exe to start the program. (Windows Vista users Right-click JavaRa.exe > Select Run as Administrator)
Click on Remove Older Versions to remove older versions of Java.
A logfile will pop up. Please save it to a convenient location.

Then download and install Java SE Runtime Environment 6u26 (http://java.com/en/download/manual.jsp).

Note: UNCHECK any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.

Next, since the Malware Protection rogue is particularly nasty, please do the folloiwng:

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note: If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum: How to disable your security applications (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html).

Now, please run ComboFix:

Note: If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
Double-click ComboFix.exe on your desktop and follow the prompts.
As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC1.png&hash=29e6fe1eb864e58b4b66611caa7d7b6be84a47f8)

After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC2.png&hash=e111f6aa2d657579d44cabc5fb4258fd1dce26eb)

Click "Yes" to continue scanning for malware.

When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.

Title: Re: Help with Virus/Malware please!!
Post by: a-mazing on June 29, 2011, 09:53:02 PM

ComboFix 11-06-29.06 - Hellacious 06/29/2011 17:33:03.4.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2811.1852 [GMT -4:00]
Running from: c:\users\Hellacious\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
   /wow section - STAGE 50
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The system cannot find the file LockedB.
The system cannot find the file lockedB.
'.d.a.1.a.3.f.f.' is not recognized as an internal or external command
'.0.\\.' is not recognized as an internal or external command
The system cannot find the file LockedB.
The system cannot find the file LockedB.
.
.
((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-29 )))))))))))))))))))))))))))))))
.
.
2011-06-29 21:40 . 2011-06-29 21:40   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-06-29 01:16 . 2011-06-29 01:16   --------   d-----w-   c:\program files (x86)\Common Files\Java
2011-06-29 01:15 . 2011-06-29 01:15   --------   d-----w-   c:\program files (x86)\Java
2011-06-28 02:58 . 2011-06-28 02:58   --------   d-----w-   c:\users\Hellacious\AppData\Roaming\Malwarebytes
2011-06-28 02:58 . 2011-05-29 13:11   39984   ----a-w-   c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-28 02:58 . 2011-06-28 02:58   --------   d-----w-   c:\programdata\Malwarebytes
2011-06-28 02:58 . 2011-05-29 13:11   25912   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-06-28 02:58 . 2011-06-28 02:58   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2011-06-28 02:27 . 2011-06-28 02:27   --------   d-----w-   c:\users\Hellacious\AppData\Local\ElevatedDiagnostics
2011-06-19 00:45 . 2011-06-19 00:45   --------   d-----w-   c:\programdata\Recovery
2011-06-16 00:12 . 2011-04-27 02:57   102400   ----a-w-   c:\windows\system32\drivers\dfsc.sys
2011-06-16 00:12 . 2011-04-25 05:32   1896832   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2011-06-16 00:12 . 2011-04-25 02:44   499712   ----a-w-   c:\windows\system32\drivers\afd.sys
2011-06-16 00:12 . 2011-04-29 05:47   1110528   ----a-w-   c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-16 00:12 . 2011-04-29 05:08   759296   ----a-w-   c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-16 00:10 . 2011-04-29 03:12   399872   ----a-w-   c:\windows\system32\drivers\srv2.sys
2011-06-16 00:10 . 2011-04-29 03:13   461312   ----a-w-   c:\windows\system32\drivers\srv.sys
2011-06-16 00:10 . 2011-04-29 03:12   161792   ----a-w-   c:\windows\system32\drivers\srvnet.sys
2011-06-16 00:10 . 2010-12-18 06:13   861184   ----a-w-   c:\windows\system32\oleaut32.dll
2011-06-16 00:10 . 2010-12-18 05:31   571904   ----a-w-   c:\windows\SysWow64\oleaut32.dll
2011-06-16 00:10 . 2011-05-03 05:21   976896   ----a-w-   c:\windows\system32\inetcomm.dll
2011-06-16 00:10 . 2011-05-03 04:50   740864   ----a-w-   c:\windows\SysWow64\inetcomm.dll
2011-06-13 04:50 . 2011-06-13 04:50   --------   d-----w-   c:\program files (x86)\Google
2011-06-13 04:50 . 2011-06-13 04:50   --------   d-----w-   c:\users\Hellacious\AppData\Local\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-29 01:15 . 2010-07-11 05:29   472808   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2011-05-24 23:14 . 2011-04-14 05:11   270720   ------w-   c:\windows\system32\MpSigStub.exe
2011-04-30 18:03 . 2011-04-30 18:04   2048104   ----a-w-   c:\windows\system32\RtPgEx64.dll
2011-04-30 18:03 . 2011-04-30 18:04   1146984   ----a-w-   c:\windows\system32\RTSnMg64.cpl
2011-04-30 18:03 . 2011-04-30 18:04   332392   ----a-w-   c:\windows\system32\RtlCPAPI64.dll
2011-04-30 18:03 . 2011-04-30 18:04   569960   ----a-w-   c:\windows\system32\RtkApi64.dll
2011-04-30 18:03 . 2011-04-30 18:04   2625640   ----a-w-   c:\windows\system32\RtkAPO64.dll
2011-04-30 18:03 . 2011-04-30 18:04   2494056   ----a-w-   c:\windows\system32\drivers\RTKVHD64.sys
2011-04-30 18:03 . 2011-04-30 18:04   149608   ----a-w-   c:\windows\system32\RtkCfg64.dll
2011-04-30 18:03 . 2011-04-30 18:04   1215592   ----a-w-   c:\windows\system32\RTCOM64.dll
2011-04-30 18:03 . 2011-04-30 18:04   80488   ----a-w-   c:\windows\system32\RCoInst64.dll
2011-04-30 18:02 . 2011-04-30 18:04   200800   ----a-w-   c:\windows\system32\AERTAC64.dll
2011-04-30 18:02 . 2010-11-20 08:42   1251944   ----a-w-   c:\windows\RtlExUpd.dll
2011-04-22 20:18 . 2011-05-24 21:33   27008   ----a-w-   c:\windows\system32\drivers\Diskdump.sys
2011-04-09 06:58 . 2011-05-17 12:20   142336   ----a-w-   c:\windows\system32\poqexec.exe
2011-04-09 06:45 . 2011-05-10 23:37   5509504   ----a-w-   c:\windows\system32\ntoskrnl.exe
2011-04-09 06:13 . 2011-05-10 23:37   3957632   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13 . 2011-05-10 23:37   3901824   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56 . 2011-05-17 12:20   123904   ----a-w-   c:\windows\SysWow64\poqexec.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2011-06-29_04.57.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-29 01:04 . 2011-05-04 04:52   86528 c:\windows\SysWOW64\SearchFilterHost.exe
- 2009-07-14 00:13 . 2009-07-14 01:14   86528 c:\windows\SysWOW64\SearchFilterHost.exe
- 2009-07-14 00:12 . 2009-07-14 01:15   59392 c:\windows\SysWOW64\msscntrs.dll
+ 2011-06-29 01:04 . 2011-05-04 04:52   59392 c:\windows\SysWOW64\msscntrs.dll
+ 2011-06-29 01:04 . 2011-05-24 10:34   44544 c:\windows\SysWOW64\devrtl.dll
- 2009-07-13 23:16 . 2009-07-14 01:15   44544 c:\windows\SysWOW64\devrtl.dll
- 2009-07-13 23:16 . 2009-07-14 01:15   64512 c:\windows\SysWOW64\devobj.dll
+ 2011-06-29 01:04 . 2011-05-24 10:34   64512 c:\windows\SysWOW64\devobj.dll
+ 2011-06-29 21:41 . 2011-06-29 21:41   13366 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2011-06-29 04:55 . 2011-06-29 04:55   13366 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2009-07-14 04:54 . 2011-06-29 21:41   16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-06-29 04:56   16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-06-29 04:56   32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-06-29 21:41   32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-06-29 21:41   16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-06-29 04:56   16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-07-11 03:12 . 2011-06-29 21:43   44762 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-06-29 21:43   37054 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-06-29 04:59   37054 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-12 14:18 . 2011-06-29 21:43   14724 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1227915785-3733434846-2752287559-1001_UserData.bin
+ 2011-06-29 01:04 . 2011-05-04 05:28   75264 c:\windows\system32\msscntrs.dll
- 2009-07-14 00:29 . 2009-07-14 01:41   75264 c:\windows\system32\msscntrs.dll
+ 2011-02-12 18:14 . 2011-06-29 21:29   16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-12 18:14 . 2011-06-29 01:29   16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-12 18:14 . 2011-06-29 21:29   32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-02-12 18:14 . 2011-06-29 01:29   32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-06-29 21:29   16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-06-29 01:29   16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-13 16:01 . 2011-06-29 21:43   16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-13 16:01 . 2011-06-29 04:58   16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2011-06-29 21:35   78344 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2011-02-13 16:01 . 2011-06-29 21:43   32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-02-13 16:01 . 2011-06-29 04:58   32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-02-13 16:01 . 2011-06-29 04:58   16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-13 16:01 . 2011-06-29 21:43   16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-02-12 14:18 . 2011-06-29 04:58   16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-12 14:18 . 2011-06-29 21:43   16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-12 14:18 . 2011-06-29 21:43   16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-02-12 14:18 . 2011-06-29 04:58   16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-06-29 04:56 . 2011-06-29 04:56   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-06-29 21:41 . 2011-06-29 21:41   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-06-29 04:56 . 2011-06-29 04:56   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-06-29 21:41 . 2011-06-29 21:41   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-06-29 01:04 . 2011-05-04 04:52   164352 c:\windows\SysWOW64\SearchProtocolHost.exe
- 2009-07-14 00:14 . 2009-07-14 01:14   164352 c:\windows\SysWOW64\SearchProtocolHost.exe
+ 2011-06-29 01:04 . 2011-05-04 04:52   428032 c:\windows\SysWOW64\SearchIndexer.exe
- 2009-07-14 00:14 . 2009-07-14 01:14   428032 c:\windows\SysWOW64\SearchIndexer.exe
- 2009-07-14 00:13 . 2009-07-14 01:15   666624 c:\windows\SysWOW64\mssvp.dll
+ 2011-06-29 01:04 . 2011-05-04 04:52   666624 c:\windows\SysWOW64\mssvp.dll
+ 2011-06-29 01:04 . 2011-05-04 04:52   197120 c:\windows\SysWOW64\mssphtb.dll
- 2009-07-14 00:14 . 2009-07-14 01:15   197120 c:\windows\SysWOW64\mssphtb.dll
+ 2011-06-29 01:04 . 2011-05-04 04:52   337408 c:\windows\SysWOW64\mssph.dll
- 2009-07-14 00:13 . 2009-07-14 01:15   337408 c:\windows\SysWOW64\mssph.dll
- 2009-07-13 23:16 . 2009-07-14 01:14   252928 c:\windows\SysWOW64\drvinst.exe
+ 2011-06-29 01:04 . 2011-05-24 10:32   252928 c:\windows\SysWOW64\drvinst.exe
- 2009-07-13 23:16 . 2009-07-14 01:15   145920 c:\windows\SysWOW64\cfgmgr32.dll
+ 2011-06-29 01:04 . 2011-05-24 10:34   145920 c:\windows\SysWOW64\cfgmgr32.dll
+ 2011-02-12 02:48 . 2011-06-29 21:26   258680 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2011-06-29 01:04 . 2011-05-24 11:21   404992 c:\windows\system32\umpnpmgr.dll
- 2009-07-14 00:30 . 2009-07-14 01:39   249856 c:\windows\system32\SearchProtocolHost.exe
+ 2011-06-29 01:04 . 2011-05-04 05:24   249856 c:\windows\system32\SearchProtocolHost.exe
- 2009-07-14 00:32 . 2009-07-14 01:39   593408 c:\windows\system32\SearchIndexer.exe
+ 2011-06-29 01:04 . 2011-05-04 05:24   593408 c:\windows\system32\SearchIndexer.exe
+ 2011-06-29 01:04 . 2011-05-04 05:24   113664 c:\windows\system32\SearchFilterHost.exe
- 2009-07-14 00:29 . 2009-07-14 01:39   113664 c:\windows\system32\SearchFilterHost.exe
- 2009-07-14 02:36 . 2011-06-29 03:50   624622 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-06-29 21:27   624622 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-06-29 21:27   106708 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-06-29 03:50   106708 c:\windows\system32\perfc009.dat
- 2009-07-14 00:30 . 2009-07-14 01:41   779264 c:\windows\system32\mssvp.dll
+ 2011-06-29 01:04 . 2011-05-04 05:28   779264 c:\windows\system32\mssvp.dll
- 2009-07-14 00:32 . 2009-07-14 01:41   288256 c:\windows\system32\mssphtb.dll
+ 2011-06-29 01:04 . 2011-05-04 05:28   288256 c:\windows\system32\mssphtb.dll
+ 2011-06-29 01:04 . 2011-05-04 05:28   491520 c:\windows\system32\mssph.dll
- 2009-07-14 00:30 . 2009-07-14 01:41   491520 c:\windows\system32\mssph.dll
- 2009-07-14 04:45 . 2011-06-16 19:55   285448 c:\windows\system32\FNTCACHE.DAT
+ 2009-07-14 04:45 . 2011-06-29 21:29   285448 c:\windows\system32\FNTCACHE.DAT
+ 2009-07-14 05:01 . 2011-06-29 21:41   234640 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-02-12 03:22 . 2011-06-29 21:41   679392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1227915785-3733434846-2752287559-1001-8192.dat
+ 2011-06-29 01:04 . 2011-05-04 04:53   1553920 c:\windows\SysWOW64\tquery.dll
+ 2011-06-29 01:04 . 2011-05-04 04:52   1401856 c:\windows\SysWOW64\mssrch.dll
- 2009-07-14 00:13 . 2009-07-14 01:15   1401856 c:\windows\SysWOW64\mssrch.dll
+ 2011-06-29 01:04 . 2011-05-04 05:30   2326016 c:\windows\system32\tquery.dll
+ 2009-07-14 02:34 . 2011-06-29 21:40   9961472 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:34 . 2011-06-29 03:06   9961472 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2011-06-29 01:04 . 2011-05-04 05:28   2228224 c:\windows\system32\mssrch.dll
- 2009-07-14 00:35 . 2009-07-14 01:41   2228224 c:\windows\system32\mssrch.dll
+ 2009-07-14 04:45 . 2011-06-29 21:35   3777877 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2011-06-19 00:15   3777877 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1712184]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-06-17 98304]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ     kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-13 136176]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
R2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [2010-06-24 315392]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-13 136176]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe
S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-05-21 140272]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-02-04 92216]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-05-19 18:36 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-13 04:50]
.
2011-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-13 04:50]
.
2011-06-06 c:\windows\Tasks\HPCeeScheduleForHellacious.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-04-30 6489704]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theinfamousmag.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 10.0.0.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atibtmon.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
.
**************************************************************************
.
Completion time: 2011-06-29 17:47:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-29 21:47
ComboFix2.txt 2011-06-29 05:02
.
Pre-Run: 251,100,827,648 bytes free
Post-Run: 250,670,796,800 bytes free
.
- - End Of File - - C124E90F56EE901D457D8BD4ED54322E
not sure about the javara, had trouble with it

Title: Re: Help with Virus/Malware please!!
Post by: Corrine on June 30, 2011, 12:53:04 AM

Hi, a-mazing.

Quotenot sure about the javara, had trouble with it

In that case, just go to Add/Remove programs and uninstall Java(TM) 6 Update 20. Then download and install Java SE Runtime Environment 6u26 (http://java.com/en/download/manual.jsp).

I am investigating the information about the Stage 50 message in your log and will follow up in due course.

Title: Re: Help with Virus/Malware please!!
Post by: a-mazing on June 30, 2011, 04:15:08 AM

OK. Fixed the java issue. Ready for my next assignment! :thumbsup:

Title: Re: Help with Virus/Malware please!!
Post by: Corrine on June 30, 2011, 04:38:33 PM

Hi, a-mazing.

Let's see if a new build of ComboFix solves the errors shown in the log. Please delete the ComboFix icon on your desktop and download an updated version, running it again, as instructed above (http://www.landzdown.com/index.php/topic,52712.msg144423.html#msg144423) and post the resultant log.

Title: Re: Help with Virus/Malware please!!
Post by: a-mazing on July 01, 2011, 02:58:39 AM

ComboFix 11-06-30.03 - Hellacious 06/30/2011 22:43:58.5.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2811.1632 [GMT -4:00]
Running from: c:\users\Hellacious\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\HELLAC~1\AppData\Local\Temp\E1D5.tmp
c:\users\Hellacious\AppData\Local\Temp\E1D5.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-06-01 to 2011-07-01 )))))))))))))))))))))))))))))))
.
.
2011-07-01 02:50 . 2011-07-01 02:50   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-06-30 04:11 . 2011-06-30 04:11   --------   d-----w-   c:\program files\Java
2011-06-29 04:45 . 2011-06-29 04:45   --------   d-----w-   C:\HP_TOOLS_mountHPSF
2011-06-29 01:16 . 2011-06-29 01:16   --------   d-----w-   c:\program files (x86)\Common Files\Java
2011-06-29 01:15 . 2011-06-29 01:15   --------   d-----w-   c:\program files (x86)\Java
2011-06-28 02:58 . 2011-06-28 02:58   --------   d-----w-   c:\users\Hellacious\AppData\Roaming\Malwarebytes
2011-06-28 02:58 . 2011-05-29 13:11   39984   ----a-w-   c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-28 02:58 . 2011-06-28 02:58   --------   d-----w-   c:\programdata\Malwarebytes
2011-06-28 02:58 . 2011-05-29 13:11   25912   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-06-28 02:58 . 2011-06-28 02:58   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2011-06-28 02:27 . 2011-06-28 02:27   --------   d-----w-   c:\users\Hellacious\AppData\Local\ElevatedDiagnostics
2011-06-19 00:45 . 2011-06-19 00:45   --------   d-----w-   c:\programdata\Recovery
2011-06-16 00:12 . 2011-04-27 02:57   102400   ----a-w-   c:\windows\system32\drivers\dfsc.sys
2011-06-16 00:12 . 2011-04-25 05:32   1896832   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2011-06-16 00:12 . 2011-04-25 02:44   499712   ----a-w-   c:\windows\system32\drivers\afd.sys
2011-06-16 00:12 . 2011-04-29 05:47   1110528   ----a-w-   c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-16 00:12 . 2011-04-29 05:08   759296   ----a-w-   c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-16 00:10 . 2011-04-29 03:12   399872   ----a-w-   c:\windows\system32\drivers\srv2.sys
2011-06-16 00:10 . 2011-04-29 03:13   461312   ----a-w-   c:\windows\system32\drivers\srv.sys
2011-06-16 00:10 . 2011-04-29 03:12   161792   ----a-w-   c:\windows\system32\drivers\srvnet.sys
2011-06-16 00:10 . 2010-12-18 06:13   861184   ----a-w-   c:\windows\system32\oleaut32.dll
2011-06-16 00:10 . 2010-12-18 05:31   571904   ----a-w-   c:\windows\SysWow64\oleaut32.dll
2011-06-16 00:10 . 2011-05-03 05:21   976896   ----a-w-   c:\windows\system32\inetcomm.dll
2011-06-16 00:10 . 2011-05-03 04:50   740864   ----a-w-   c:\windows\SysWow64\inetcomm.dll
2011-06-13 04:50 . 2011-06-13 04:50   --------   d-----w-   c:\program files (x86)\Google
2011-06-13 04:50 . 2011-06-13 04:50   --------   d-----w-   c:\users\Hellacious\AppData\Local\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-30 04:11 . 2010-07-11 05:29   525544   ----a-w-   c:\windows\system32\deployJava1.dll
2011-06-29 01:15 . 2010-07-11 05:29   472808   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2011-05-24 23:14 . 2011-04-14 05:11   270720   ------w-   c:\windows\system32\MpSigStub.exe
2011-04-30 18:03 . 2011-04-30 18:04   2048104   ----a-w-   c:\windows\system32\RtPgEx64.dll
2011-04-30 18:03 . 2011-04-30 18:04   1146984   ----a-w-   c:\windows\system32\RTSnMg64.cpl
2011-04-30 18:03 . 2011-04-30 18:04   332392   ----a-w-   c:\windows\system32\RtlCPAPI64.dll
2011-04-30 18:03 . 2011-04-30 18:04   569960   ----a-w-   c:\windows\system32\RtkApi64.dll
2011-04-30 18:03 . 2011-04-30 18:04   2625640   ----a-w-   c:\windows\system32\RtkAPO64.dll
2011-04-30 18:03 . 2011-04-30 18:04   2494056   ----a-w-   c:\windows\system32\drivers\RTKVHD64.sys
2011-04-30 18:03 . 2011-04-30 18:04   149608   ----a-w-   c:\windows\system32\RtkCfg64.dll
2011-04-30 18:03 . 2011-04-30 18:04   1215592   ----a-w-   c:\windows\system32\RTCOM64.dll
2011-04-30 18:03 . 2011-04-30 18:04   80488   ----a-w-   c:\windows\system32\RCoInst64.dll
2011-04-30 18:02 . 2011-04-30 18:04   200800   ----a-w-   c:\windows\system32\AERTAC64.dll
2011-04-30 18:02 . 2010-11-20 08:42   1251944   ----a-w-   c:\windows\RtlExUpd.dll
2011-04-22 20:18 . 2011-05-24 21:33   27008   ----a-w-   c:\windows\system32\drivers\Diskdump.sys
2011-04-09 06:58 . 2011-05-17 12:20   142336   ----a-w-   c:\windows\system32\poqexec.exe
2011-04-09 06:45 . 2011-05-10 23:37   5509504   ----a-w-   c:\windows\system32\ntoskrnl.exe
2011-04-09 06:13 . 2011-05-10 23:37   3957632   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13 . 2011-05-10 23:37   3901824   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56 . 2011-05-17 12:20   123904   ----a-w-   c:\windows\SysWow64\poqexec.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2011-06-29_21.42.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-01 02:50 . 2011-07-01 02:50   13366 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2011-06-29 21:41 . 2011-06-29 21:41   13366 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2009-07-14 04:54 . 2011-07-01 02:51   16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-06-29 21:41   16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-06-29 21:41   32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-07-01 02:51   32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-06-29 21:41   16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-07-01 02:51   16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-07-11 03:12 . 2011-07-01 02:52   44940 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-07-01 02:52   37054 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-06-29 21:43   37054 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-12 14:18 . 2011-07-01 02:52   14796 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1227915785-3733434846-2752287559-1001_UserData.bin
- 2011-02-12 18:14 . 2011-06-29 21:29   16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-12 18:14 . 2011-06-30 20:00   16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-12 18:14 . 2011-06-30 20:00   32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-02-12 18:14 . 2011-06-29 21:29   32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-06-30 20:00   16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-06-29 21:29   16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-13 16:01 . 2011-07-01 02:52   16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-13 16:01 . 2011-06-29 21:43   16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2011-06-29 21:51   78552 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2011-02-13 16:01 . 2011-06-29 21:43   32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-02-13 16:01 . 2011-07-01 02:52   32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-02-13 16:01 . 2011-06-29 21:43   16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-13 16:01 . 2011-07-01 02:52   16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-12 14:18 . 2011-07-01 02:52   16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-12 14:18 . 2011-06-29 21:43   16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-12 14:18 . 2011-06-29 21:43   16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-12 14:18 . 2011-07-01 02:52   16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-30 05:29 . 2011-06-30 04:16   3860 c:\windows\system32\wdi\ERCQueuedResolutions.dat
- 2011-06-29 21:41 . 2011-06-29 21:41   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-01 02:50 . 2011-07-01 02:50   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-01 02:50 . 2011-07-01 02:50   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-06-29 21:41 . 2011-06-29 21:41   2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-02-12 02:48 . 2011-07-01 00:13   258680 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2011-02-12 02:48 . 2011-06-29 21:26   258680 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2011-07-01 00:15   624622 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-06-29 21:27   624622 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-06-29 21:27   106708 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-07-01 00:15   106708 c:\windows\system32\perfc009.dat
+ 2011-06-30 04:11 . 2011-06-30 04:11   190752 c:\windows\system32\javaws.exe
+ 2011-06-30 04:11 . 2011-06-30 04:11   171808 c:\windows\system32\javaw.exe
+ 2011-06-30 04:11 . 2011-06-30 04:11   171808 c:\windows\system32\java.exe
+ 2010-11-20 09:21 . 2011-07-01 02:50   757760 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-14 05:01 . 2011-06-29 21:41   234640 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-07-01 02:50   234640 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-02-12 03:22 . 2011-07-01 02:50   679392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1227915785-3733434846-2752287559-1001-8192.dat
- 2011-02-12 03:22 . 2011-06-29 21:41   679392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1227915785-3733434846-2752287559-1001-8192.dat
+ 2011-06-30 04:10 . 2011-06-30 04:10   683520 c:\windows\Installer\161d44d.msi
- 2009-07-14 02:34 . 2011-06-29 21:40   9961472 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-06-30 19:54   9961472 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1712184]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-06-17 98304]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ     kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-13 136176]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
R2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [2010-06-24 315392]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-13 136176]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe
S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-05-21 140272]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-02-04 92216]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-05-19 18:36 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-13 04:50]
.
2011-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-13 04:50]
.
2011-06-06 c:\windows\Tasks\HPCeeScheduleForHellacious.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-04-30 6489704]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theinfamousmag.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 10.0.0.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atibtmon.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
.
**************************************************************************
.
Completion time: 2011-06-30 22:56:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-01 02:56
ComboFix2.txt 2011-06-29 21:47
ComboFix3.txt 2011-06-29 05:02
.
Pre-Run: 250,738,491,392 bytes free
Post-Run: 250,694,217,728 bytes free
.
- - End Of File - - BD8574836DBC009EECDB16DBD551F56C

Title: Re: Help with Virus/Malware please!!
Post by: Corrine on July 01, 2011, 01:54:13 PM

Thank you, a-mazing. That is much better.

How is your daughter's laptop now?

Title: Re: Help with Virus/Malware please!!
Post by: a-mazing on July 01, 2011, 08:32:55 PM

It seems to be running fine Just need to download anti-virus/malware software.
Thanks so much for your help

Title: Re: Help with Virus/Malware please!!
Post by: Corrine on July 01, 2011, 09:28:06 PM

Hi, a-mazing.

Your daughter has Norton Internet Security installed on the laptop for antivirus and firewall protection. Since that is a suite, if it is expired and being replaced, the Windows 7 Firewall needs to be turned on.

Malwarebytes Anti-Malware is an anti-malware software.

The following antivirus software programs are free for personal use, with Microsoft Security Essentials my favorite.

avast! 5 Home Edition (http://www.avast.com/eng/download-avast-home.html)
Microsoft Security Essentials (http://www.microsoft.com/security_essentials/default.aspx)

LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: a-mazing on June 28, 2011, 01:18:12 AM