Bad image [Solved]


  • This topic is locked

#16 ven15 (Member, Topic Starter, 22 posts)
The first one is giving me trouble. When I click on Report and see it, I block the entire report, but when I try to copy it, it's not working.

#17 ven15 (Member, Topic Starter, 22 posts)
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-11-04 16:59:08
-----------------------------
16:59:08.875 OS Version: Windows 5.1.2600 Service Pack 2
16:59:08.875 Number of processors: 1 586 0xD08
16:59:08.875 ComputerName: MJ-Q90GBADVVHK5 UserName: Michael
16:59:10.375 Initialize success
16:59:10.656 AVAST engine defs: 12110400
16:59:33.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
16:59:33.062 Disk 0 Vendor: ST9402112A 3.06 Size: 38154MB BusType: 3
16:59:33.140 Disk 0 MBR read successfully
16:59:33.140 Disk 0 MBR scan
16:59:33.140 Disk 0 Windows XP default MBR code
16:59:33.140 Disk 0 Partition 1 00 12 Compaq diag MSWIN4.1 3200 MB offset 63
16:59:33.171 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 34946 MB offset 6554520
16:59:33.203 Disk 0 scanning sectors +78124095
16:59:33.281 Disk 0 scanning C:\WINDOWS\system32\drivers
16:59:55.046 Service scanning
17:00:38.046 Modules scanning
17:00:54.031 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
17:00:59.515 Module: C:\WINDOWS\system32\ntdll.dll **SUSPICIOUS**
17:01:00.031 Disk 0 trace - called modules:
17:01:00.046 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
17:01:00.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89dbdab8]
17:01:00.062 3 CLASSPNP.SYS[ba0e905b] -> nt!IofCallDriver -> \Device\00000080[0x89d9e9e8]
17:01:00.078 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x89dd5940]
17:01:00.500 AVAST engine scan C:\WINDOWS
17:01:07.328 AVAST engine scan C:\WINDOWS\system32
17:08:25.437 AVAST engine scan C:\WINDOWS\system32\drivers
17:08:58.046 AVAST engine scan C:\Documents and Settings\Michael
17:20:04.687 AVAST engine scan C:\Documents and Settings\All Users
17:23:29.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Michael\My Documents\MBR.dat"
17:23:29.421 The log file has been saved successfully to "C:\Documents and Settings\Michael\My Documents\aswMBR.txt"

Edited by ven15, 04 November 2012 - 04:26 PM.


#18 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Greetings ven15

How are things running at this time?


:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#19 ven15 (Member, Topic Starter, 22 posts)
I'm trying to run this script, but it takes so long to do. I'll try my best to finish now. Anyway, my computer is improving, thanks to you.

#20 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
(thumbs up)

#21 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Greetings

I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or just need some more time.

Also, a reminder that it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete, and then I will ask you to remove our tools.

Gringo

#22 ven15 (Member, Topic Starter, 22 posts)
Well, every day I try to do the ComboFix thing, but it can never be completed. It always stops at stage 48, and it takes a long time to do.
But today it is my priority to finish, no matter how long it takes, but it's really slow.

#23 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Hello

OK, let's try this. I want you to run the ComboFix script in Safe Mode, but it is very important that when ComboFix reboots the computer, you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo

#24 ven15 (Member, Topic Starter, 22 posts)
How do I find Safe Mode?

#25 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.


#26 ven15 (Member, Topic Starter, 22 posts)
Finally did it. Thanks. Here it is anyway.

ComboFix 12-11-09.02 - Michael 11/10/2012 21:30:57.10.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1730 [GMT -5:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\EventSystem.log
c:\windows\system32\DEBUG.log
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\roboot.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-11 to 2012-11-11 )))))))))))))))))))))))))))))))
.
.
2012-10-31 21:54 . 2012-10-31 21:54 -------- d-----w- C:\RK_Quarantine
2012-10-30 23:26 . 2012-10-30 23:26 101 ----a-w- c:\windows\DeleteOnReboot.bat
2012-10-24 01:41 . 2012-10-24 01:41 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-23 23:11 . 2012-10-23 23:11 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\IObit
2012-10-23 21:34 . 2012-10-23 21:34 -------- d-----w- c:\documents and settings\LocalService\Application Data\IObit
2012-10-23 21:33 . 2012-10-23 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2012-10-23 21:33 . 2012-10-23 23:15 -------- d-----w- c:\documents and settings\Michael\Application Data\IObit
2012-10-23 21:33 . 2012-10-23 21:33 -------- d-----w- c:\program files\IObit
2012-10-21 13:37 . 2012-10-24 01:41 81984 ----a-w- c:\windows\system32\bdod.bin
2012-10-21 13:04 . 2012-10-21 13:04 -------- d-----w- c:\documents and settings\Guest
2012-10-21 02:09 . 2012-10-21 02:09 -------- d-----w- c:\documents and settings\Michael\Application Data\BitDefender
2012-10-21 02:07 . 2012-10-21 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2012-10-21 02:07 . 2012-10-21 02:07 -------- d-----w- c:\program files\BitDefender
2012-10-21 02:00 . 2012-10-21 02:07 -------- d-----w- c:\program files\Common Files\BitDefender
2012-10-21 00:09 . 2012-10-21 00:15 -------- d-----w- c:\documents and settings\Michael\Application Data\.purple
2012-10-21 00:08 . 2012-10-21 00:08 -------- d-----w- c:\program files\Paltalk Messenger Interop
2012-10-20 23:48 . 2012-10-21 00:06 -------- d-----w- c:\documents and settings\Michael\Application Data\Paltalk
2012-10-20 23:45 . 2012-10-20 23:49 -------- d-----w- c:\program files\Paltalk Messenger
2012-10-20 23:14 . 2012-10-22 00:00 -------- d-----w- c:\documents and settings\Michael\Application Data\Systweak
2012-10-20 22:52 . 2012-10-20 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Hotspot Shield
2012-10-20 22:51 . 2012-10-20 22:52 -------- d-----w- c:\program files\Hotspot Shield
2012-10-20 22:49 . 2012-10-20 22:49 -------- d-----w- c:\program files\Artdocks Software
2012-10-20 19:04 . 2012-10-27 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Guard.Mail.Ru
2012-10-20 18:37 . 2012-10-20 18:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\{DCD48218-E972-4d0c-9E5F-43462BC13E3B}
2012-10-20 16:03 . 2012-11-10 23:32 -------- d-----w- c:\documents and settings\Michael\Local Settings\Application Data\Mail.Ru
2012-10-20 16:03 . 2012-10-20 16:03 -------- d-----w- c:\program files\Mail.Ru
2012-10-20 15:12 . 2012-10-20 15:12 -------- d-----w- c:\documents and settings\Michael\Application Data\AVG2013
2012-10-20 00:01 . 2012-10-21 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2013
2012-10-19 23:59 . 2012-10-19 23:59 -------- d-----w- c:\program files\AVG
2012-10-19 23:55 . 2012-10-19 23:55 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-10-19 23:55 . 2012-10-19 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-10-19 23:55 . 2012-10-19 23:55 -------- d-----w- c:\documents and settings\Michael\Local Settings\Application Data\MFAData
2012-10-19 23:55 . 2012-10-19 23:55 -------- d-----w- c:\documents and settings\Michael\Local Settings\Application Data\Avg2013
2012-10-19 23:46 . 2012-10-19 23:48 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-21 13:36 . 2009-04-15 20:13 146312 ----a-w- c:\windows\system32\drivers\bdfm.sys
2012-10-09 00:04 . 2012-02-22 16:39 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 00:04 . 2012-02-22 16:39 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-27 04:41 . 2012-10-27 04:40 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-07 00:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-02-22 39408]
"SnowWallpaper"="c:\program files\Artdocks Software\Animated Snow Desktop Wallpaper\SnowWallpaper.exe" [2010-10-21 241664]
"ooVoo.exe"="c:\program files\ooVoo\oovoo.exe" [2012-09-10 27115128]
"4shared Desktop"="c:\program files\4shared Desktop\desktop.exe" [2011-03-16 4613624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-11-08 81920]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-09-28 296096]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-11-08 69632]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-08-24 94208]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-08-24 114688]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-08-24 77824]
"Guard.Mail.ru.gui"="c:\program files\Mail.Ru\Guard\GuardMailRu.exe" [2012-10-27 2241128]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-11 212992]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-07-26 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"ACU"="c:\program files\Atheros\ACU.exe" [2005-01-31 253952]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 3084288]
"4shared Update"="c:\program files\4shared Desktop\checkUpdate.exe" [2011-03-16 608760]
.
c:\documents and settings\Michael\Start Menu\Programs\Startup\
PalTalk.lnk - c:\program files\Paltalk Messenger\paltalk.exe [2012-10-1 8356008]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-9-19 581693]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Mail.Ru\\Sputnik\\SputnikHelper.exe"=
"c:\\Program Files\\Mail.Ru\\Sputnik\\SputnikFlashPlayer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
.
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/22/2012 12:30 PM 612184]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/22/2012 12:30 PM 337880]
S1 mailKmd;mailKmd; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/22/2012 12:30 PM 20696]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [3/17/2012 2:20 PM 238952]
S2 GamingWonderlandService;GamingWonderlandService;c:\progra~1\GAMING~2\bar\1.bin\gtbarsvc.exe --> c:\progra~1\GAMING~2\bar\1.bin\gtbarsvc.exe [?]
S2 Guard.Mail.ru;Guard.Mail.ru;c:\program files\Mail.Ru\Guard\GuardMailRu.exe [10/20/2012 11:03 AM 2241128]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [8/2/2012 8:12 PM 387440]
S2 ogmservice;Online Games Manager;c:\program files\Online Games Manager\ogmservice.exe [6/8/2012 2:02 AM 521344]
S3 EraserUtilDrv11220;EraserUtilDrv11220;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11220.sys [9/30/2012 10:27 PM 106656]
S3 FsUsbExDisk;FsUsbExDisk;\??\c:\windows\system32\FsUsbExDisk.SYS --> c:\windows\system32\FsUsbExDisk.SYS [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\3.0.287\McCHSvc.exe" --> c:\program files\McAfee Security Scan\3.0.287\McCHSvc.exe [?]
S3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [2/22/2012 10:55 AM 2343]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PARPORT
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-02-22 00:04]
.
2012-11-10 c:\windows\Tasks\ASC6_PerformanceMonitor.job
- c:\program files\IObit\Advanced SystemCare 6\Monitor.exe [2012-10-23 19:59]
.
2012-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-22 16:37]
.
2012-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-02-22 16:37]
.
2012-11-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1343024091-436374069-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 19:27]
.
2012-10-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1343024091-436374069-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 19:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mail.ru/cnt/7227
mStart Page = hxxp://www.yahoo.com/?fr=fp-ygamesbar&type=yahoo_oberon_ygames_ytb
uInternet Connection Wizard,ShellNext = iexplore
IE: &Download All using 4shared Desktop - c:\program files\4shared Desktop\Desktop.32/D_ALL_LINK
IE: &Download using 4shared Desktop - c:\program files\4shared Desktop\Desktop.32/D_ONE_LINK
IE: &Sample Toolband Serach - c:\windows\system32\ToolBand.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Michael\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: DhcpNameServer = 65.183.0.77 65.183.0.86
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\uys8gli1.default\
FF - prefs.js: browser.search.selectedEngine - Поиск@Mail.Ru
FF - prefs.js: keyword.URL - hxxp://go.mail.ru/search?fr=fftb&q=
FF - ExtSQL: 2012-09-27 20:10; {0153E448-190B-4987-BDE1-F256CADA672F}; c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-31849530.sys
SafeBoot-85574966.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-10 21:38
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2012-11-10 21:40:53
ComboFix-quarantined-files.txt 2012-11-11 02:40
ComboFix2.txt 2012-11-03 23:48
.
Pre-Run: 15,028,817,920 bytes free
Post-Run: 15,314,976,768 bytes free
.
- - End Of File - - 86D7C2F4D215712AF496E28BE6DAE374
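Reading a ComboFix report like the one above by hand means going through a few sections for the entries that matter first: services whose binary ComboFix could not resolve (the trailing [x] or [?] markers, as on mailKmd, GamingWonderlandService, FsUsbExDisk and McComponentHostService), firewall exceptions that open ports to everything (the GloballyOpenPorts list has ooVoo on 443/TCP and 443/UDP), and Run-key autoruns whose file is no longer on disk ([X] on the Broadcom entry). The Python triage script below is an added example, not a ComboFix component, that pulls exactly those items out of a report. Its sample input is a constructed excerpt of the report posted above, and the meanings given to the [x], [?] and [X] markers are read from the log as posted, not taken from ComboFix documentation.

```python
"""
Triage helper for ComboFix-style reports: pulls out the entries a malware helper
looks at first (services with no resolvable binary, firewall ports opened to the
world, Run-key autoruns whose file is gone).  Added example, not a ComboFix
component; the marker meanings below are read from the posted log, not from
ComboFix documentation.
"""
import re

# Service lines:   S2 name;Display Name;c:\path\file.exe [date size]   or   ...; [x]
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')
# Firewall GloballyOpenPorts entries:   "443:TCP"= 443:TCP:ooVoo TCP port 443
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$')
# Run-key autoruns:   "name"="c:\path\app.exe" [2012-02-22 39408]   or   "name"="path" [X]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')

# Constructed excerpt of the report posted above (not the full log).
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
"Guard.Mail.ru.gui"="c:\program files\Mail.Ru\Guard\GuardMailRu.exe" [2012-10-27 2241128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
.
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/22/2012 12:30 PM 612184]
S1 mailKmd;mailKmd; [x]
S2 GamingWonderlandService;GamingWonderlandService;c:\progra~1\GAMING~2\bar\1.bin\gtbarsvc.exe --> c:\progra~1\GAMING~2\bar\1.bin\gtbarsvc.exe [?]
S2 Guard.Mail.ru;Guard.Mail.ru;c:\program files\Mail.Ru\Guard\GuardMailRu.exe [10/20/2012 11:03 AM 2241128]
S3 FsUsbExDisk;FsUsbExDisk;\??\c:\windows\system32\FsUsbExDisk.SYS --> c:\windows\system32\FsUsbExDisk.SYS [?]
.
"""


def triage(log_text):
    """Return the entries worth a second look, grouped by category."""
    findings = {
        "services_unverified": [],     # service names ending in [x] / [?]: no file ComboFix could resolve
        "privileged_open_ports": [],   # (port, proto, description) for ports < 1024 open to all
        "autoruns_missing_file": [],   # Run-key names marked [X]: the referenced file is gone
        "autoruns": [],                # every (name, path) Run-key entry, for review
    }
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == ".":                # ComboFix separates sections with a lone dot
            section = None
            continue
        if line.startswith("["):       # a registry key header opens a new section
            if "GloballyOpenPorts" in line:
                section = "ports"
            elif line.lower().endswith("currentversion\\run]"):
                section = "run"
            else:
                section = None
            continue
        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest").strip()
            if rest.endswith("[x]") or rest.endswith("[?]"):
                findings["services_unverified"].append(m.group("name"))
            continue
        if section == "ports":
            m = PORT_RE.match(line)
            if m and int(m.group("port")) < 1024:
                findings["privileged_open_ports"].append(
                    (int(m.group("port")), m.group("proto"), m.group("desc").strip()))
        elif section == "run":
            m = RUN_RE.match(line)
            if m:
                findings["autoruns"].append((m.group("name"), m.group("path")))
                if m.group("info") == "X":
                    findings["autoruns_missing_file"].append(m.group("name"))
    return findings


if __name__ == "__main__":
    import sys
    # Pass a saved ComboFix.txt as the first argument, or run on the constructed sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for key, items in triage(text).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run it against a saved ComboFix.txt to get the three lists; an unverified service with an orphaned registry entry is usually leftover from an uninstalled product, but each one still needs to be accounted for before the machine is declared clean, and a globally open 443 is worth tightening to the one program that needs it.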

#27 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#28 ven15 (Member, Topic Starter, 22 posts)
You made me try the first one already and it's still not working.

#29 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
How is the computer working at this time?


gringo

#30 ven15 (Member, Topic Starter, 22 posts)
aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-11-11 15:39:05
-----------------------------
15:39:05.531 OS Version: Windows 5.1.2600 Service Pack 2
15:39:05.531 Number of processors: 1 586 0xD08
15:39:05.531 ComputerName: MJ-Q90GBADVVHK5 UserName: Michael
15:39:12.656 Initialize success
15:39:13.000 AVAST engine defs: 12111100
15:39:16.843 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
15:39:16.843 Disk 0 Vendor: ST9402112A 3.06 Size: 38154MB BusType: 3
15:39:16.906 Disk 0 MBR read successfully
15:39:16.906 Disk 0 MBR scan
15:39:16.921 Disk 0 Windows XP default MBR code
15:39:16.984 Disk 0 Partition 1 00 12 Compaq diag MSWIN4.1 3200 MB offset 63
15:39:17.015 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 34946 MB offset 6554520
15:39:17.062 Disk 0 scanning sectors +78124095
15:39:17.218 Disk 0 scanning C:\WINDOWS\system32\drivers
15:39:49.234 Service scanning
15:40:41.406 Modules scanning
15:41:02.890 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
15:41:10.718 Module: C:\WINDOWS\system32\ntdll.dll **SUSPICIOUS**
15:41:11.546 Disk 0 trace - called modules:
15:41:11.578 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:41:11.640 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89dbdab8]
15:41:11.656 3 CLASSPNP.SYS[ba0e905b] -> nt!IofCallDriver -> \Device\00000080[0x89d9e9e8]
15:41:11.671 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x89dd5940]
15:41:12.343 AVAST engine scan C:\WINDOWS
15:41:20.578 AVAST engine scan C:\WINDOWS\system32
15:47:21.359 AVAST engine scan C:\WINDOWS\system32\drivers
15:47:47.890 AVAST engine scan C:\Documents and Settings\Michael
15:50:37.187 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Michael\My Documents\MBR.dat"
15:50:37.250 The log file has been saved successfully to "C:\Documents and Settings\Michael\My Documents\amm.txt"
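Both aswMBR logs in this thread (the 4 November and 11 November runs) show the same sequence: read the MBR, compare its boot code against known Windows XP code, list the partition table (status byte, type, size, sector offset), and save the raw sector to MBR.dat. The Python below is an added example, not aswMBR code, that applies the same kind of checks to such a 512-byte dump: it verifies the 0x55AA signature, decodes the partition entries in the format aswMBR prints, flags tables with no or several bootable entries or overlapping partitions, and compares the boot-code region byte for byte between two dumps, which is how you would tell whether anything rewrote the MBR between the two runs. The sample MBR is constructed to match the partition table in the logs (type 0x12 Compaq diag at offset 63, bootable NTFS at offset 6554520); its boot code is a placeholder, not the real Windows XP MBR code, so the hash it yields is not a baseline for anything.

```python
"""
Parse and sanity-check a raw MBR dump such as the MBR.dat that aswMBR writes.
Added example, not part of aswMBR.  The sample MBR is constructed to mirror the
partition table in the posted logs; its boot code is a placeholder (the real
Windows XP boot code is not embedded here).
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440                 # bytes 0..439 boot code, 440..443 disk signature, 444..445 reserved
PART_TABLE_OFF = 446                # four 16-byte partition entries, then 0x55AA at 510
PART_ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA start, sector count
TYPE_NAMES = {0x07: "HPFS/NTFS", 0x12: "Compaq diag"}   # labels as aswMBR prints them


def parse_mbr(mbr):
    """Decode signature, disk signature, boot-code hash and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = PART_ENTRY.unpack_from(mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue                                      # empty slot
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "status": status,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "0x%02x" % ptype),
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),   # aswMBR's "MB" is MiB, rounded down
        })
    return {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def same_boot_code(mbr_a, mbr_b):
    """True if the boot-code region is byte-identical between two dumps (e.g. two aswMBR runs)."""
    return mbr_a[:BOOT_CODE_LEN] == mbr_b[:BOOT_CODE_LEN]


def check_partition_table(parts):
    """Structural checks a bootkit or a corrupted table would trip; returns a list of issue strings."""
    issues = []
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        issues.append("expected exactly one bootable partition, found %d" % len(bootable))
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            issues.append("partition %d has invalid status byte 0x%02x" % (p["index"], p["status"]))
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            issues.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return issues


def build_mbr(entries, boot_code=b""):
    """Assemble a 512-byte MBR from (status, type, lba_start, sectors) tuples; CHS fields are left zero."""
    mbr = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(entries):
        PART_ENTRY.pack_into(mbr, PART_TABLE_OFF + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def build_sample_mbr():
    """Constructed MBR matching the posted logs: 0x12 Compaq diag at LBA 63 (3200 MB), then a
    bootable NTFS partition at LBA 6554520 (34946 MB).  Placeholder boot code, NOT real XP code."""
    placeholder = b"\xfa\x33\xc0" + b"PLACEHOLDER-BOOT-CODE".ljust(BOOT_CODE_LEN - 3, b"\x90")
    return build_mbr([(0x00, 0x12, 63, 6554457), (0x80, 0x07, 6554520, 71569408)], boot_code=placeholder)


if __name__ == "__main__":
    import sys
    # Pass a saved MBR.dat as the first argument, or run on the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print("signature ok:", info["signature_ok"], " boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:   # same layout as the aswMBR "Partition" lines
        print("Partition %d %s %02x %s %d MB offset %d" % (
            p["index"], "80 (A)" if p["bootable"] else "00", p["type"], p["type_name"], p["size_mb"], p["lba_start"]))
    print("issues:", check_partition_table(info["partitions"]) or "none")
```

Keep the MBR.dat from each run; if `same_boot_code()` on two dumps returns False with no OS repair in between, something rewrote the boot sector, regardless of what any signature-based scan says.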