Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Trojan Cockroaches [Solved]

Started by St@mpEdO , Jun 01 2012 03:48 PM

This topic is locked

#16
WhiteHat

Posted 17 June 2012 - 01:07 PM

Trusted Helper

Retired Staff
1,925 posts

Hi,

Sorry for delay,

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop * IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow to update if it asks

Posted Image

When finished, it produces a log for you.
Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

After the run you may have internet problems or access to somethng problems. Simply reboot the computer.

#17
St@mpEdO

Posted 19 June 2012 - 12:51 PM

Member

Topic Starter
Member
25 posts

I disabled Antiviruses, but they somehow restarted when ComboFix finished (while i was asleep)... Is that normal ? Or maybe computer auto restarted by himself on the end of the scan ?

Well, beside that virus 2 days ago that locked down my computer (lol) everything else seems to be okay...

Why did that happen ?

Am i using the wrong antivirus/malware ?

Which antivirus should i be using ?

I heard there is a problem when someone uses 2 malware programs and i use SUPERAntiSpyware and MalwarebytesAntiMalware with AVG free edition as the Antivirus now.

Any other tips that you can tell me out of all those logs i sent ?

Thx in forward.

Combofix Log

ComboFix 12-06-19.01 - Administrator 06/19/2012 14:42:02.1.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.3071.2161 [GMT 2:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Administrator\AppData\Local\lateral1.bmp
c:\users\Administrator\AppData\Local\lateral2.bmp
c:\users\Administrator\AppData\Local\lateral3.bmp
c:\users\Administrator\AppData\Local\toolbar3.bmp
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\9T43qNwbLs.dat
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\9T43qNwbLs.xtr
c:\windows\Install
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\drivers\etc\hosts.ics
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-19 to 2012-06-19 )))))))))))))))))))))))))))))))
.
.
2012-06-19 12:47 . 2012-06-19 12:50 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-06-19 12:47 . 2012-06-19 12:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-14 22:47 . 2012-06-14 22:47 -------- d-----w- c:\program files\Common Files\xing shared
2012-06-14 22:46 . 2012-06-14 22:46 129144 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpplugin.dll
2012-06-14 00:02 . 2012-06-14 00:02 -------- d-----w- c:\users\Administrator\AppData\Local\Macromedia
2012-06-12 12:32 . 2012-06-12 22:01 -------- d-----w- C:\Snimi
2012-06-11 00:38 . 2012-06-11 00:38 -------- d-----w- c:\users\Administrator\AppData\Roaming\AVG2012
2012-06-11 00:36 . 2012-06-19 09:16 -------- d-----w- c:\windows\system32\drivers\AVG
2012-06-11 00:36 . 2012-06-11 00:46 -------- d-----w- c:\programdata\AVG2012
2012-06-11 00:36 . 2012-06-11 00:36 -------- d-----w- C:\$AVG
2012-06-11 00:34 . 2012-06-11 00:34 -------- d-----w- c:\program files\AVG
2012-06-08 02:56 . 2012-06-16 14:49 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-06-08 02:56 . 2012-06-08 02:56 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-08 02:56 . 2012-06-08 02:56 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-06 02:09 . 2012-06-06 02:09 -------- d-----w- C:\_OTL
2012-06-01 23:54 . 2012-06-01 23:54 -------- d--h--w- c:\programdata\Common Files
2012-06-01 23:52 . 2012-06-19 09:16 -------- d-----w- c:\programdata\MFAData
2012-06-01 22:08 . 2012-06-01 22:08 -------- d-----w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2012-06-01 22:07 . 2012-06-01 22:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-01 22:07 . 2012-06-01 22:07 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-06-01 21:51 . 2012-06-01 22:06 -------- d-----w- c:\program files\SpywareBlaster
2012-06-01 21:43 . 2012-06-01 21:43 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2012-06-01 21:43 . 2012-06-01 21:43 -------- d-----w- c:\programdata\Malwarebytes
2012-06-01 21:43 . 2012-06-01 21:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-01 21:43 . 2012-04-04 13:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-01 16:22 . 2012-06-01 16:22 -------- d-----w- c:\program files\CCleaner
2012-05-30 11:59 . 2012-05-30 11:59 4966600 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-14 22:46 . 2005-07-02 12:14 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-06-14 22:46 . 2003-03-19 05:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-06-14 00:02 . 2012-04-25 19:44 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-14 00:02 . 2011-05-24 06:33 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-19 02:50 . 2012-04-19 02:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-06-16 12:34 . 2011-03-30 19:06 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-05-21 3905920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-19 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-19 92704]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-10-09 708608]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-01-23 423200]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2008-12-19 83336]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-22 6253088]
"fspuip"="c:\program files\FSP\fspuip.exe" [2008-08-28 360448]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"SmartSoft PDF Printer Agent"="c:\program files\Smart PDF Creator Pro\SmartSoft PDF Printer Agent.exe" [2011-07-19 50568]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-06-14 296056]
.
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-5-26 2528584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"Start_ShowMyMusic"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-14 257224]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-25 00:02]
.
2012-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-27 20:50]
.
2012-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-27 20:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.rs/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 195.34.133.21 212.186.211.21
TCP: Interfaces\{7B35CA7A-EA94-4ED9-808E-4688E6AFFC07}: NameServer = 195.34.133.21,212.186.211.21
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\w153cjvt.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ncr
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-klogon - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\wmplayer.exe"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\GOM.EXE"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bin\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\DTLite.exe"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DAT\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\ShowTime.exe"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\wmplayer.exe"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.IFO\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\GOM.EXE"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\DTLite.exe"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ACDSee.JPG"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M3U"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\wmplayer.exe"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\wmplayer.exe"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MP4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="VLC.mp4"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vob\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\GOM.EXE"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAV"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4076)
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\WLANExt.exe
c:\program files\AVG\AVG2012\avgwdsvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\System Control Manager\MSIService.exe
c:\program files\O2Micro Flash Memory Card Driver\o2flash.exe
c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\windows\System32\rundll32.exe
c:\windows\RtHDVCpl.exe
c:\program files\ROCCAT\Kone[+] Mouse\Kone[+]Monitor.exe
c:\program files\TeamViewer\Version6\TeamViewer_Service.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\AVG\AVG2012\avgidsagent.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
.
**************************************************************************
.
Completion time: 2012-06-19 14:54:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-19 12:54
.
Pre-Run: 41,297,682,432 bytes free
Post-Run: 40,827,432,960 bytes free
.
- - End Of File - - 260899A1FF7E95DA2CB0AF62414E9D7A

#18
WhiteHat

Posted 19 June 2012 - 07:42 PM

Trusted Helper

Retired Staff
1,925 posts

Or maybe computer auto restarted by himself on the end of the scan ?

That's right.

Am i using the wrong antivirus/malware ?

This doesn't exist.

Which antivirus should i be using ?

If you are happy with AVG, continue using him.

I heard there is a problem when someone uses 2 malware programs and i use SUPERAntiSpyware and MalwarebytesAntiMalware with AVG free edition as the Antivirus now.

You can continue using these protection softwares.

Why did that happen ?

I don't have any idea. :confused:

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Hold down the Windows key + R on your keyboard. This will display the Run dialogue box:
Write (Copy/Paste)Notepad.exe. Then click in Ok.
copy/paste the text in the quotebox below to notepad

SRPeek::
C:\Windows\system32\wscsvc.dll
C:\Program Files\Windows Defender\MpSvc.dll
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

#19
St@mpEdO

Posted 01 July 2012 - 03:07 PM

Member

Topic Starter
Member
25 posts

Sry for the delay, i was on the business trip...

Hope the kids didn do much to undo everything we did... :happy:

Anyhow,

ComboFix Log.txt

#20
WhiteHat

Posted 02 July 2012 - 01:26 PM

Trusted Helper

Retired Staff
1,925 posts

Download RogueKiller and save it on your desktop.
Quit all programs
Start RogueKiller.exe.
Wait until Prescan has finished ...
Click on Scan

Wait for the end of the scan.
The report has been created on the desktop.
Click on the Delete button.

The report has been created on the desktop.

Next click on the ShortcutsFix
The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

#21
St@mpEdO

Posted 11 July 2012 - 03:27 AM

Member

Topic Starter
Member
25 posts

Scan

RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6000 ) 32 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Scan -- Date: 07/11/2012 11:04:46

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] c2c_service.exe -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 6 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHZ2320BH G2 ATA Device +++++
--- User ---
[MBR] a3a564a569db41af11e846ae310c831a
[BSP] fc999c7624219d445dbbc57cbeaa1f3a : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 80003 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 163846935 | Size: 225239 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

Delete

RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6000 ) 32 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Remove -- Date: 07/11/2012 11:05:21

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] c2c_service.exe -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 6 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHZ2320BH G2 ATA Device +++++
--- User ---
[MBR] a3a564a569db41af11e846ae310c831a
[BSP] fc999c7624219d445dbbc57cbeaa1f3a : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 80003 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 163846935 | Size: 225239 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

ShortcutsFix

RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6000 ) 32 bits version
Started in : Normal mode
User: Administrator [Admin rights]
Mode: Shortcuts HJfix -- Date: 07/11/2012 11:08:55

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] c2c_service.exe -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -> KILLED [TermProc]

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 27 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 413 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 112 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 970 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[G:] \Device\CdRom0 -- 0x5 --> Skipped
[I:] \Device\IsoCdRom0 -- 0x5 --> Skipped

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

#22
WhiteHat

Posted 12 July 2012 - 01:29 PM

Trusted Helper

Retired Staff
1,925 posts

Hi,

How is your computer?

Please download Farbar Service Scanner and run it on the computer.
Posted Image

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

#23
St@mpEdO

Posted 16 July 2012 - 05:48 AM

Member

Topic Starter
Member
25 posts

Hello,

My computer is running fine now, i don`t seem to be having difficulties but the internet ones, but i think that is the internet provider anyway...

Farbar Service Scanner log

Farbar Service Scanner Version: 08-07-2012
Ran by Administrator (administrator) on 16-07-2012 at 13:47:38
Running from "C:\Users\Administrator\Desktop"
Microsoft® Windows Vista™ Ultimate (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll
[2006-11-02 10:56] - [2006-11-02 11:46] - 0204800 ____A (Microsoft Corporation) 17210D8064EC116A3FC6B5E45E577D43

C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2006-11-02 10:58] - [2006-11-02 10:58] - 0802816 ____A (Microsoft Corporation) D944522B048A5FEB7700B5170D3D9423

C:\Windows\system32\dnsrslvr.dll
[2006-11-02 10:46] - [2006-11-02 11:46] - 0083968 ____A (Microsoft Corporation) 7EF78529439683570884F9308A02EC11

C:\Windows\system32\mpssvc.dll
[2006-11-02 10:56] - [2006-11-02 11:46] - 0395264 ____A (Microsoft Corporation) 370248683BDF5FE36BD06C6416E6CE83

C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys
[2006-11-02 10:56] - [2006-11-02 10:56] - 0063488 ____A (Microsoft Corporation) 8D326E8B321685D4784AFA1C55169D73

C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit

ATTENTION!=====> C:\Windows\system32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll
[2008-12-31 22:01] - [2008-12-31 22:01] - 1712984 ____A (Microsoft Corporation) 3EEC20E41F5F331B94002970CEAEC92F

C:\Windows\system32\qmgr.dll
[2006-11-02 10:40] - [2006-11-02 11:46] - 0749568 ____A (Microsoft Corporation) 733FB484A06B9D6A44DD9CA1D3BE937B

C:\Windows\system32\es.dll
[2006-11-02 10:51] - [2006-11-02 11:46] - 0259584 ____A (Microsoft Corporation) DFB250BAC1A9108ABD777EA181E32015

C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll
[2006-11-02 10:50] - [2006-11-02 11:46] - 0545792 ____A (Microsoft Corporation) B46D8EA6DD30BAA49F674DACDC4C491F

**** End of log ****

#24
St@mpEdO

Posted 16 July 2012 - 07:18 AM

Member

Topic Starter
Member
25 posts

As a matter of fact, i do have a problem i forgot to mention...

I cannot enter the sleep mode, as i try to, the error 0000009f appears (blue screen).

That is happening during the time we are fixing things here...

Can we do anything about that?

#25
St@mpEdO

Posted 16 July 2012 - 06:04 PM

Member

Topic Starter
Member
25 posts

And my shockwave player seems to stop working after some time... (white squares where it should be showing content)

And it`s the last version...

Which also happened during our work ...

#26
WhiteHat

Posted 17 July 2012 - 10:14 AM

Trusted Helper

Retired Staff
1,925 posts

Hi,

Can we do anything about that?

See this page:
http://support.micro...=929762&sd=RMVP

And my shockwave player seems to stop working after some time...

Reinstall the shockwave:
http://get.adobe.com/shockwave/

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Hold down the Windows key + R on your keyboard. This will display the Run dialogue box:
Write (Copy/Paste)Notepad.exe. Then click in Ok.
copy/paste the text in the codebox below to notepad
```
SRPeek::
C:\Windows\system32\wscsvc.dll
```
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

#27
St@mpEdO

Posted 19 July 2012 - 01:05 PM

Member

Topic Starter
Member
25 posts

Hi there.

Can we do anything about that?

See this page:
http://support.micro...=929762&sd=RMVP

This doesn`t help at all ...

Can you maybe download the fix for me ? Because i cannot access the download page...

Pretty please ? :rolleyes:

And my shockwave player seems to stop working after some time...

Reinstall the shockwave:
http://get.adobe.com/shockwave/

This i did allready - didnt help.

ComboFix Log

ComboFix 12-07-19.02 - Administrator 07/19/2012 20:11:45.2.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.3071.2294 [GMT 2:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\users\Administrator\Desktop\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-06-19 to 2012-07-19 )))))))))))))))))))))))))))))))
.
.
2012-07-19 18:17 . 2012-07-19 18:17 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-07-19 18:17 . 2012-07-19 18:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-19 17:50 . 2012-07-19 17:50 -------- d-----w- c:\windows\system32\Adobe
2012-07-12 03:19 . 2012-07-12 03:19 9226440 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-07-02 18:41 . 2012-07-02 18:41 -------- d-----w- c:\programdata\McAfee
2012-07-01 20:56 . 2012-07-01 20:57 -------- d-----w- c:\program files\Recuva
2012-06-25 19:07 . 2012-06-25 19:07 -------- d-----w- C:\Graboid
2012-06-25 19:00 . 2012-06-25 19:00 -------- d-----w- c:\users\Administrator\AppData\Local\Graboid Inc
2012-06-25 19:00 . 2012-06-27 05:16 -------- d-----w- c:\users\Administrator\AppData\Local\Graboid
2012-06-25 19:00 . 2012-06-25 19:00 -------- d-----w- c:\programdata\Graboid Inc
2012-06-25 19:00 . 2012-06-25 19:00 -------- d-----w- c:\users\Administrator\AppData\Local\Geckofx
2012-06-25 18:58 . 2012-06-25 19:03 -------- d-----w- c:\program files\Graboid
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 03:19 . 2012-04-25 19:44 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-12 03:19 . 2011-05-24 06:33 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-14 22:46 . 2005-07-02 12:14 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-06-14 22:46 . 2003-03-19 05:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-07-18 13:29 . 2012-07-03 01:34 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-19_12.50.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-31 20:08 . 2012-07-19 10:37 64732 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-31 20:01 . 2012-07-19 17:59 14526 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2899288009-97569274-2756643056-500_UserData.bin
+ 2006-11-02 13:00 . 2012-07-19 17:58 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:00 . 2012-06-19 12:39 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:00 . 2012-06-19 12:39 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:00 . 2012-07-19 17:58 81920 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:00 . 2012-07-19 17:58 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:00 . 2012-06-19 12:39 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-07-19 17:50 . 2012-07-19 17:50 87944 c:\windows\System32\Adobe\Shockwave 11\uninstaller.exe
+ 2012-07-05 08:04 . 2012-07-05 08:04 86016 c:\windows\System32\Adobe\Shockwave 11\SwMenu.dll
+ 2012-07-05 07:48 . 2012-07-05 07:48 73408 c:\windows\System32\Adobe\Shockwave 11\gtapi.dll
+ 2012-07-05 07:48 . 2012-07-05 07:48 64512 c:\windows\System32\Adobe\Shockwave 11\gcapi_dll.dll
+ 2012-07-05 08:05 . 2012-07-05 08:05 12800 c:\windows\System32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2012-07-12 13:30 . 2012-07-12 13:30 22016 c:\windows\Installer\e804b.msi
+ 2012-06-27 02:06 . 2012-06-27 02:06 9560 c:\windows\System32\networklist\icons\{A31B4D3A-D78E-4229-BA02-1398434DDAE6}_48.bin
+ 2012-06-27 02:06 . 2012-06-27 02:06 4280 c:\windows\System32\networklist\icons\{A31B4D3A-D78E-4229-BA02-1398434DDAE6}_32.bin
+ 2012-06-27 02:06 . 2012-06-27 02:06 2456 c:\windows\System32\networklist\icons\{A31B4D3A-D78E-4229-BA02-1398434DDAE6}_24.bin
- 2012-06-19 12:49 . 2012-06-19 12:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-19 17:56 . 2012-07-19 17:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-19 17:56 . 2012-07-19 17:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-06-19 12:49 . 2012-06-19 12:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-01-07 11:22 . 2012-07-19 14:13 694900 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 13:03 . 2012-07-19 17:59 142846 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 10:33 . 2012-07-19 17:42 621552 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2012-06-19 11:11 621552 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2012-07-19 17:42 104868 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2012-06-19 11:11 104868 c:\windows\System32\perfc009.dat
+ 2012-07-12 02:23 . 2012-07-12 02:23 686280 c:\windows\System32\Macromed\Flash\FlashUtil32_11_3_300_265_Plugin.exe
+ 2012-07-12 03:19 . 2012-07-12 03:19 686280 c:\windows\System32\Macromed\Flash\FlashUtil32_11_3_300_265_ActiveX.exe
+ 2012-07-12 03:19 . 2012-07-12 03:19 465096 c:\windows\System32\Macromed\Flash\FlashUtil32_11_3_300_265_ActiveX.dll
+ 2012-04-25 19:44 . 2012-07-12 03:19 250056 c:\windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-07-05 07:48 . 2012-07-05 07:48 284600 c:\windows\System32\Adobe\Shockwave 11\SymCCIS.dll
+ 2012-07-05 08:04 . 2012-07-05 08:04 114176 c:\windows\System32\Adobe\Shockwave 11\SwInit.exe
+ 2012-07-05 08:05 . 2012-07-05 08:05 434176 c:\windows\System32\Adobe\Shockwave 11\Proj.dll
+ 2012-07-05 08:05 . 2012-07-05 08:05 366592 c:\windows\System32\Adobe\Shockwave 11\Plugin.dll
+ 2012-07-05 07:52 . 2012-07-05 07:52 990208 c:\windows\System32\Adobe\Shockwave 11\iml32.dll
+ 2012-07-05 08:04 . 2012-07-05 08:04 544256 c:\windows\System32\Adobe\Shockwave 11\Control.dll
+ 2012-07-05 08:11 . 2012-07-05 08:11 143840 c:\windows\System32\Adobe\Director\SWDNLD.EXE
+ 2012-07-05 08:11 . 2012-07-05 08:11 323552 c:\windows\System32\Adobe\Director\SwDir_1165635.dll
+ 2012-07-05 08:05 . 2012-07-05 08:05 195584 c:\windows\System32\Adobe\Director\np32dsw_1165635.dll
- 2012-04-16 18:26 . 2012-04-16 18:26 371272 c:\windows\Installer\{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}\SkypeIcon.exe
+ 2012-07-16 17:50 . 2012-07-16 17:50 371272 c:\windows\Installer\{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}\SkypeIcon.exe
+ 2012-07-12 02:23 . 2012-07-12 02:23 9465032 c:\windows\System32\Macromed\Flash\NPSWF32_11_3_300_265.dll
+ 2012-07-12 02:23 . 2012-07-12 02:23 1536712 c:\windows\System32\Macromed\Flash\FlashPlayerPlugin_11_3_300_265.exe
+ 2012-07-05 08:11 . 2012-07-05 08:11 1040864 c:\windows\System32\Adobe\Shockwave 11\SwHelper_1165635.exe
+ 2012-07-05 07:48 . 2012-07-05 07:48 2376368 c:\windows\System32\Adobe\Shockwave 11\gt.exe
+ 2012-07-05 07:48 . 2012-07-05 07:48 1292288 c:\windows\System32\Adobe\Shockwave 11\gi.dll
+ 2012-07-05 07:54 . 2012-07-05 07:54 1742336 c:\windows\System32\Adobe\Shockwave 11\dirapi.dll
+ 2012-07-16 17:50 . 2012-07-16 17:50 1648640 c:\windows\Installer\fed3f4.msi
+ 2012-06-27 03:07 . 2012-06-27 03:07 1259008 c:\windows\Installer\223a5.msi
+ 2012-07-17 06:11 . 2012-07-17 06:11 5164032 c:\windows\Installer\16eb345.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-21 3905408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-19 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-19 92704]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-10-09 708608]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-01-23 423200]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2008-12-19 83336]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-22 6253088]
"fspuip"="c:\program files\FSP\fspuip.exe" [2008-08-28 360448]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"SmartSoft PDF Printer Agent"="c:\program files\Smart PDF Creator Pro\SmartSoft PDF Printer Agent.exe" [2011-07-19 50568]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-06-14 296056]
.
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-5-26 2528584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"Start_ShowMyMusic"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-25 03:19]
.
2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-27 20:50]
.
2012-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-27 20:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.rs/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 195.34.133.21 212.186.211.21
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\w153cjvt.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ncr
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-19 20:17
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bin\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\DTLite.exe"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\DTLite.exe"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ACDSee.JPG"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M3U"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAV"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2899288009-97569274-2756643056-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-07-19 20:21:27
ComboFix-quarantined-files.txt 2012-07-19 18:21
ComboFix2.txt 2012-06-19 12:54
.
Pre-Run: 48,593,334,272 bytes free
Post-Run: 48,410,361,856 bytes free
.
- - End Of File - - 6CB2AB2BAA79F7D634F4F40AF1D6D3C0

#28
WhiteHat

Posted 19 July 2012 - 07:30 PM

Trusted Helper

Retired Staff
1,925 posts

Hi,

Are you using an illegal version of windows vista? I mean, you purchased a windows license?

#29
St@mpEdO

Posted 22 July 2012 - 12:58 PM

Member

Topic Starter
Member
25 posts

Hello, idk is that illegal, i`m using the lite version from Windows Vista, the friend installed it...

Anyway, in my land, the private users never buy the windows, so it isnt considered as illegal...

Anyhow, if you will be in problem downloading that for me, (i just thought of that now) than no need for that.

Sorry i brought you in such position...

#30
WhiteHat

Posted 23 July 2012 - 08:24 AM

Trusted Helper

Retired Staff
1,925 posts

Hi,

I can't download this for you.

The computer seems clean.

About the shockwave player, I searched for a solution in google but all adobe pages recommended what I've told to you before (Remove the shockwave and reinstall).

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix

Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
Follow the prompts on the screen
A message should appear confirming that ComboFix was uninstalled

Remove OTL

Run OTL and hit the Posted Image

cleanup button. It will remove all the programmes we have used plus itself.

Posted Image

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

Go to this site and click Do I have Java
It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

(If you use Windows 7/Vista)
Go to Control Panel and select System
Select System
On the left select System Protection and accept the warning if you get one
Select System Protection Tab
Select Create at the bottom
Type in a name i.e. Clean
Select Create

(If you use Windows XP)
Go to Start > All Programs > Acessories > System Tools > System Restore.
Select the option Create a restore point and click in Next.
Type in a name i.e. Clean
Select Create

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Posted Image

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit