First, I can't access any antivirus website. Before, I didn't have an internet connection on my machine, so I never tried this earlier. But today I installed internet, and when I try to open an antivirus website, the website won't open.
Second, when I connect my machine to the internet, my CPU usage spikes to 100%. This never happened before I installed internet. I have done some research about the cause, and it may be caused by malware. I checked Resource Monitor and found the program that uses almost 97% of my resources. The program is named 7D2C.exe. After I ran ComboFix, the program changed its name to 7899.exe. I have to suspend the program to run my PC in a normal state again; if I end the process, the program runs again by itself.
I have also tried running ComboFix, and here is the log report.
Sorry if my explanation is not clear enough, as I'm not a savvy computer user and English is not my main language.
Thank you kindly for your help. Here is the log report from ComboFix:
ComboFix 13-01-06.01 - User 01/08/2013 14:26:40.2.3 - x86
Microsoft Windows 7 Professional 6.1.7600.3.1252.1.1033.18.3198.2145 [GMT 7:00]
Running from: c:\users\User\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\User\AppData\Roaming\7899.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-08 to 2013-01-08 )))))))))))))))))))))))))))))))
.
.
2013-01-08 07:29 . 2013-01-08 07:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-31 10:04 . 2012-12-31 10:04 -------- d-----w- c:\windows\Derpy and the Elusive Muffin Uninstaller
2012-12-31 10:04 . 2012-12-28 18:07 1135247 ----a-w- c:\windows\Derpy and the Elusive Muffin.scr
2012-12-30 06:48 . 2012-12-30 06:48 -------- d-----w- c:\users\User\AppData\Roaming\Lonely Troops
2012-12-17 06:36 . 2012-12-17 06:36 -------- d-----w- c:\windows\Pinkie Finished Uninstaller
2012-12-17 06:36 . 2012-12-15 22:40 1116157 ----a-w- c:\windows\Pinkie Finished.scr
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-13 04:39 . 2012-06-07 10:01 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49 22376 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-07-24 3487128]
"Steam"="c:\program files\Steam\Steam.exe" [2013-01-08 1354736]
"MSIDLL"="msivii32.dll" [2012-07-28 180224]
"RGSC"="e:\game\Rockstar Games Social Club\RGSCLauncher.exe" [2008-11-14 305064]
"PIg"="c:\users\User\AppData\Roaming\7899.exe" [BU]
"PIg"="c:\users\User\AppData\Roaming\7899.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-21 406992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"RemoteControl11"="c:\program files\CyberLink\PowerDVD11\PDVD11Serv.exe" [2011-04-20 234792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2012-06-07 198160]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"StartRun"="c:\program files\EVDO USB Modem\StartRun.exe" [2009-07-23 204800]
"PIg"="c:\users\User\AppData\Roaming\7899.exe" [BU]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2012-7-3 40136]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-18 272528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.207\McCHSvc.exe [x]
R3 qcusbser;Mobile Connector USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\cmusbser.sys [x]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S2 {329F96B6-DF1E-4328-BFDA-39EA953C1312};Power Control [2012/06/07 17:06];c:\program files\CyberLink\PowerDVD11\Common\NavFilter\000.fcl [x]
S2 CLHNServiceForPowerDVD;CLHNServiceForPowerDVD;c:\program files\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe [x]
S2 CyberLink PowerDVD 11.0 Monitor Service;CyberLink PowerDVD 11.0 Monitor Service;c:\program files\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe [x]
S2 CyberLink PowerDVD 11.0 Service;CyberLink PowerDVD 11.0 Service;c:\program files\CyberLink\PowerDVD11\Common\MediaServer\CLMSServer.exe [x]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
S2 ntk_PowerDVD;ntk_PowerDVD;c:\program files\CyberLink\PowerDVD11\Kernel\DMP\ntk_PowerDVD.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-08 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS.exe [2012-06-07 09:26]
.
2013-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-152147981-2974144520-1009932935-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-17 22:50]
.
2013-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-152147981-2974144520-1009932935-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-17 22:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.gamesgofree.com/
mStart Page = hxxp://home.gamesgofree.com/
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: Interfaces\{62AA58AF-9CF8-440B-806D-783F5561FFB1}: NameServer = 202.169.224.3,202.169.224.4
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\cnc3ym8f.default\
FF - prefs.js: Keyword.Enabled - true
FF - prefs.js: browser.startup.homepage - hxxp://home.gamesgofree.com/
FF - prefs.js: keyword.URL - hxxp://home.allgameshome.com/results.php?category=web&s=
FF - prefs.js: network.proxy.http - 202.75.102.18
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{329F96B6-DF1E-4328-BFDA-39EA953C1312}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD11\Common\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-152147981-2974144520-1009932935-1000\Software\SecuROM\License information*]
"datasecu"=hex:b5,e0,17,24,56,55,3f,ab,4a,2f,6e,58,54,28,8f,60,2f,c9,8a,07,0d,
83,bb,f9,4c,56,97,01,bc,39,70,38,c2,d8,27,fe,cc,df,30,1f,6a,ee,65,ba,72,92,\
"rkeysecu"=hex:88,3f,71,43,47,c0,f5,e4,1f,48,73,71,aa,57,75,18
.
[HKEY_USERS\S-1-5-21-152147981-2974144520-1009932935-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):78,a3,c7,f5,34,82,1c,eb,d0,e6,dc,dc,cd,69,11,65,e9,f6,ea,27,de,
e9,a5,f8,08,98,ef,f3,e5,81,b9,b7,c6,d4,3d,12,60,0a,f7,2f,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-152147981-2974144520-1009932935-1000_Classes\CLSID\{7fce31d0-91d6-4a5a-9d36-500f37f595a6}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000112
"Therad"=dword:0000000f
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-08 14:30:41
ComboFix-quarantined-files.txt 2013-01-08 07:30
ComboFix2.txt 2013-01-08 06:59
.
Pre-Run: 85,623,721,984 bytes free
Post-Run: 85,568,393,216 bytes free
.
- - End Of File - - FDA2F46637207B0F1CAC8B1B4C250A17
Edited by siweling, 08 January 2013 - 01:39 AM.
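The log above is the kind of thing a helper triages by hand: the "PIg" Run value pointing at a hex-named executable in AppData\Roaming, registered in both the user and machine hives, a Run value that is just a bare DLL name, UAC switched off, and a Firefox proxy setting that is present but not actually enabled. The script below is an added example (not part of the original post and not a ComboFix feature) that reads a ComboFix-style log and applies those checks automatically. The embedded sample is a constructed excerpt copied from the log lines above; the heuristics (short all-hex .exe names, launch paths in user-writable directories, the same Run entry in more than one hive) are assumptions that point at something worth inspecting, not a malware verdict.

```python
import re

# Constructed excerpt: the relevant lines copied from the ComboFix log in the
# post above; unrelated sections are omitted. Not a complete log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-07-24 3487128]
"Steam"="c:\program files\Steam\Steam.exe" [2013-01-08 1354736]
"MSIDLL"="msivii32.dll" [2012-07-28 180224]
"PIg"="c:\users\User\AppData\Roaming\7899.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"PIg"="c:\users\User\AppData\Roaming\7899.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
FF - prefs.js: network.proxy.http - 202.75.102.18
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")                          # [HKEY_...] block header
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[([^\]]*)\])?$')  # "name"="path" [marker]
POLICY_RE = re.compile(r'^"(\w+)"=\s*(\d+)\s+\(0x[0-9A-Fa-f]+\)$')   # "Name"= 0 (0x0)
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
# Heuristics (assumptions, not verdicts): short all-hex .exe names and launch
# paths inside user-writable directories are common for droppers but not proof.
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{4,8}\.exe$")
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local|LocalLow)\\|\\Temp\\|\\ProgramData\\", re.I)


def parse_combofix(text):
    """Return (run_entries, uac_policies, firefox_prefs) from ComboFix log text.
    run_entries is a list of (hive, value_name, path, marker) tuples."""
    run_entries, policies, ff_prefs = [], {}, {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "."):          # ComboFix separates blocks with "." lines
            current_key = None
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        pref = FF_PREF_RE.match(line)
        if pref:
            ff_prefs[pref.group(1)] = pref.group(2).strip()
            continue
        if current_key is None:
            continue
        lowered = current_key.lower()
        if lowered.endswith("\\currentversion\\run"):
            entry = ENTRY_RE.match(line)
            if entry:
                hive = current_key.split("\\", 1)[0].upper()
                run_entries.append((hive, entry.group(1), entry.group(2), entry.group(3) or ""))
        elif lowered.endswith("\\policies\\system"):
            pol = POLICY_RE.match(line)
            if pol:
                policies[pol.group(1)] = int(pol.group(2))
    return run_entries, policies, ff_prefs


def triage(run_entries, policies, ff_prefs):
    """Apply the indicator heuristics and return a list of human-readable findings."""
    findings, hives_by_entry = [], {}
    for hive, name, path, _marker in run_entries:
        filename = path.rsplit("\\", 1)[-1]
        reasons = []
        if USER_WRITABLE_RE.search(path):
            reasons.append("launches from a user-writable profile directory")
        if HEX_NAME_RE.match(filename):
            reasons.append("random-looking hex filename")
        if "\\" not in path:
            reasons.append("bare filename with no directory")
        if reasons:
            findings.append(f'{hive} Run "{name}" -> {path}: ' + "; ".join(reasons))
        hives_by_entry.setdefault((name, path.lower()), set()).add(hive)
    # The same value name and target in both HKCU and HKLM is a redundant
    # persistence pattern; legitimate installers normally pick one hive.
    for (name, path), hives in hives_by_entry.items():
        if len(hives) > 1:
            findings.append(f'Run "{name}" -> {path} is registered in {len(hives)} hives '
                            f'({", ".join(sorted(hives))}): redundant persistence')
    if policies.get("EnableLUA") == 0:
        findings.append("UAC disabled (EnableLUA=0): processes in an administrator "
                        "session run with a full admin token and no elevation prompt")
    proxy = ff_prefs.get("network.proxy.http")
    if proxy:
        # Firefox only honours network.proxy.http when network.proxy.type is 1 (manual).
        ptype = ff_prefs.get("network.proxy.type")
        state = "ACTIVE" if ptype == "1" else f"configured but inactive (network.proxy.type={ptype})"
        findings.append(f"Firefox HTTP proxy {proxy}:{ff_prefs.get('network.proxy.http_port', '?')} {state}")
    return findings


if __name__ == "__main__":
    for finding in triage(*parse_combofix(SAMPLE_LOG)):
        print(finding)
```

Run against the excerpt, the script flags the two "PIg" entries and their duplication across hives, the bare "msivii32.dll" value, and EnableLUA=0, while leaving the IDMan, Steam and Adobe entries alone; it reports the Firefox proxy as configured but inactive because network.proxy.type is 0. Since ComboFix already deleted c:\users\User\AppData\Roaming\7899.exe, the value of this kind of pass is the remaining loading points and the UAC state, which a cleanup should also put back.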