Having some issues..very confused.

johnb35

Administrator
Staff member
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
File::

C:\ProgramData\atiumdva32.exe 
C:\Users\All Users\atiumdva32.exe 
C:\Users\All Users\Application Data\atiumdva32.exe 
C:\Users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\14852C7\stormwarningss.msi 
C:\Users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\FA366A1\stormwarningss.msi 
C:\Users\Amanda\Downloads\7artChristmasLand3DInst.exe 
C:\Users\Amanda\Downloads\moviebar_us_z(2).exe 
C:\Users\Amanda\Downloads\moviebar_us_z(3).exe 
C:\Users\Amanda\Downloads\moviebar_us_z.exe 
c:\programdata\SMBHelperClass32.dll
c:\programdata\feclient32.dll
c:\programdata\CddbLangJA32.dll
c:\programdata\KBDCZ232.dll
c:\windows\SysWow64\atiumdva32.dll
c:\programdata\D3DCompiler_3432.dll
c:\programdata\TimeDateMUICallback32.dll
c:\programdata\snmpapi32.dll
c:\programdata\findnetprinters32.dll
c:\programdata\certenc32.dll
c:\programdata\KBDDIV132.dll
c:\programdata\atiumdva32.dll
c:\windows\SysWow64\MFC7132.exe



3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


[screenshot attachment: CFScript-1.gif, showing CFScript.txt being dragged onto ComboFix.exe]


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
 

M199

New Member
Here you go;

ComboFix 11-07-12.09 - Amanda 07/12/2011 20:56:50.6.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.5886.3936 [GMT -4:00]
Running from: c:\users\Amanda\Downloads\ComboFix.exe
Command switches used :: c:\users\Amanda\Desktop\CFScript.txt
AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\atiumdva32.dll"
"c:\programdata\atiumdva32.exe"
"c:\programdata\CddbLangJA32.dll"
"c:\programdata\certenc32.dll"
"c:\programdata\D3DCompiler_3432.dll"
"c:\programdata\feclient32.dll"
"c:\programdata\findnetprinters32.dll"
"c:\programdata\KBDCZ232.dll"
"c:\programdata\KBDDIV132.dll"
"c:\programdata\SMBHelperClass32.dll"
"c:\programdata\snmpapi32.dll"
"c:\programdata\TimeDateMUICallback32.dll"
"c:\users\All Users\Application Data\atiumdva32.exe"
"c:\users\All Users\atiumdva32.exe"
"c:\users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\14852C7\stormwarningss.msi"
"c:\users\Amanda\AppData\Roaming\FileSubmit\stormwarningss\install\FA366A1\stormwarningss.msi"
"c:\users\Amanda\Downloads\7artChristmasLand3DInst.exe"
"c:\users\Amanda\Downloads\moviebar_us_z(2).exe"
"c:\users\Amanda\Downloads\moviebar_us_z(3).exe"
"c:\users\Amanda\Downloads\moviebar_us_z.exe"
"c:\windows\SysWow64\atiumdva32.dll"
"c:\windows\SysWow64\MFC7132.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\atiumdva32.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-13 to 2011-07-13 )))))))))))))))))))))))))))))))
.
.
2011-07-13 01:15 . 2011-07-13 01:20 -------- d-----w- c:\users\Amanda\AppData\Local\temp
2011-07-13 01:15 . 2011-07-13 01:15 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-07-13 01:15 . 2011-07-13 01:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-13 01:15 . 2011-07-13 01:15 -------- d-----w- c:\users\Conrad\AppData\Local\temp
2011-07-11 05:34 . 2011-07-11 05:34 8896 --sha-w- c:\programdata\ole3232.dll
2011-07-11 05:02 . 2011-07-11 05:02 8896 --sha-w- c:\programdata\dnsapi32.dll
2011-07-11 04:29 . 2011-07-11 04:29 8896 --sha-w- c:\programdata\msvcp6032.dll
2011-07-11 03:56 . 2011-07-11 03:56 8896 --sha-w- c:\programdata\chsbrkr32.dll
2011-07-11 03:06 . 2011-07-11 03:06 8896 --sha-w- c:\programdata\msvbvm6032.dll
2011-07-11 02:36 . 2011-07-11 02:36 8896 --sha-w- c:\programdata\cewmdm32.dll
2011-07-11 02:04 . 2011-07-11 02:04 8896 --sha-w- c:\programdata\d3d8thk32.dll
2011-07-11 01:34 . 2011-07-11 01:34 8896 --sha-w- c:\programdata\termmgr32.dll
2011-07-10 01:58 . 2011-07-10 01:58 -------- d-----w- c:\program files\CCleaner
2011-07-08 16:11 . 2011-07-08 16:11 8896 --sha-w- c:\programdata\SMBHelperClass32.dll
2011-07-08 15:41 . 2011-07-08 15:41 8896 --sha-w- c:\programdata\feclient32.dll
2011-07-08 04:26 . 2011-07-08 04:26 8896 --sha-w- c:\programdata\CddbLangJA32.dll
2011-07-08 03:54 . 2011-07-08 03:54 8896 --sha-w- c:\programdata\KBDCZ232.dll
2011-07-08 02:57 . 2011-07-08 02:57 8896 --sha-w- c:\programdata\D3DCompiler_3432.dll
2011-07-08 02:49 . 2011-07-08 02:49 -------- d-----w- c:\users\Amanda\AppData\Roaming\SUPERAntiSpyware.com
2011-07-08 02:49 . 2011-07-08 02:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-07-08 02:49 . 2011-07-08 02:49 -------- d-----w- c:\programdata\!SASCORE
2011-07-08 02:49 . 2011-07-08 02:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-08 02:27 . 2011-07-08 02:27 8896 --sha-w- c:\programdata\TimeDateMUICallback32.dll
2011-07-08 01:56 . 2011-07-08 01:56 8896 --sha-w- c:\programdata\snmpapi32.dll
2011-07-07 17:36 . 2011-07-07 17:36 8896 --sha-w- c:\programdata\findnetprinters32.dll
2011-07-07 17:04 . 2011-07-07 17:04 8896 --sha-w- c:\programdata\certenc32.dll
2011-07-07 16:31 . 2011-07-07 16:31 8896 --sha-w- c:\programdata\KBDDIV132.dll
2011-07-07 15:58 . 2011-07-07 15:58 8896 --sha-w- c:\programdata\atiumdva32.dll
2011-07-07 15:34 . 2011-07-07 15:34 -------- d-----w- c:\program files (x86)\ESET
2011-07-07 00:39 . 2011-07-07 00:39 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-07-06 15:11 . 2011-07-06 15:11 388096 ----a-r- c:\users\Amanda\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-06 15:11 . 2011-07-06 15:11 -------- d-----w- c:\program files (x86)\Trend Micro
2011-07-06 14:56 . 2011-05-29 13:11 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 14:56 . 2011-07-06 14:56 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-07-06 00:17 . 2011-07-06 00:17 -------- d-----w- c:\users\Amanda\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-07-01 02:29 . 2011-06-24 03:18 565248 ------w- c:\windows\SysWow64\MFC7132.exe
2011-06-29 15:00 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
2011-06-29 15:00 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
2011-06-27 14:38 . 2011-06-27 14:38 2106216 ----a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-06-27 14:38 . 2011-06-27 14:38 1998168 ----a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-06-15 17:05 . 2011-07-01 03:35 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-14 00:03 . 2011-06-14 00:03 -------- d-----w- c:\program files (x86)\MAGIX
2011-06-14 00:03 . 2011-06-14 00:03 -------- d-----w- c:\program files (x86)\Common Files\MAGIX Services
2011-06-13 14:54 . 2011-06-13 14:54 -------- d-----w- c:\program files (x86)\Safari
2011-06-13 14:42 . 2011-06-13 14:42 -------- d-----w- c:\program files\iPod
2011-06-13 14:42 . 2011-06-13 14:43 -------- d-----w- c:\program files\iTunes
2011-06-13 14:42 . 2011-06-13 14:43 -------- d-----w- c:\program files (x86)\iTunes
2011-06-13 14:38 . 2011-06-13 14:38 -------- d-----w- c:\program files\Bonjour
2011-06-13 14:38 . 2011-06-13 14:38 -------- d-----w- c:\program files (x86)\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 00:38 . 2010-07-25 23:37 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-05-29 13:11 . 2011-06-13 01:09 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-10 12:06 . 2011-05-10 12:06 51712 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2011-05-10 12:06 . 2011-05-10 12:06 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-06_21.44.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 03:20 . 2011-07-06 21:11 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-11 03:56 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-11 03:56 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-06 21:11 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-06 21:11 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-11 03:56 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-07-13 01:17 . 2011-07-13 01:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-07-06 21:43 . 2011-07-06 21:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-07-06 21:43 . 2011-07-06 21:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-13 01:17 . 2011-07-13 01:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-07 00:39 . 2011-07-07 00:38 157472 c:\windows\SysWOW64\javaws.exe
+ 2011-07-07 00:39 . 2011-07-07 00:38 145184 c:\windows\SysWOW64\javaw.exe
- 2010-10-27 22:35 . 2010-09-15 08:50 145184 c:\windows\SysWOW64\javaw.exe
+ 2011-07-07 00:39 . 2011-07-07 00:38 145184 c:\windows\SysWOW64\java.exe
- 2010-10-27 22:35 . 2010-09-15 08:50 145184 c:\windows\SysWOW64\java.exe
+ 2010-11-12 04:49 . 2011-07-13 01:16 441820 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2010-11-12 04:49 . 2011-07-06 21:42 441820 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-06-13 00:39 . 2011-07-04 03:40 853060 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-12288.dat
+ 2011-06-13 00:39 . 2011-07-10 02:52 853060 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-12288.dat
+ 2011-07-07 00:39 . 2011-07-07 00:39 203776 c:\windows\Installer\9d68ec.msi
+ 2011-07-07 00:38 . 2011-07-07 00:38 675840 c:\windows\Installer\9d68de.msi
+ 2010-11-12 04:49 . 2011-07-13 01:16 4897704 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-8192.dat
- 2010-11-12 04:49 . 2011-07-06 21:42 4897704 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2819834726-533737158-1913216436-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn4\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-09 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"YSearchProtection"="c:\program files (x86)\Yahoo!\Search Protection\YspService.exe" [2010-06-14 296248]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-30 2988928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2008-12-24 103720]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60a.sys [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 135664]
R3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [x]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\DRIVERS\swnc8u80.sys [x]
R3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\DRIVERS\swumx80.sys [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 306416]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 27648]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [x]
S2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe [2008-01-21 27648]
S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [x]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
2011-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-23 17:50]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-30 7574048]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-30 1833504]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 163568]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 197152]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 74.128.17.114 74.128.19.102
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Amanda\AppData\Roaming\Mozilla\Firefox\Profiles\9oxvab5v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/\r
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -
.
SharedTaskScheduler-{705FB965-7459-4644-BF5E-12152519A1D8} - (no file)
WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{015113EC-A4E0-4FB1-9CE1-2140252DABE2}"=hex:51,66,7a,6c,4c,1d,38,12,82,10,42,
05,d2,ea,df,0a,e3,f7,62,00,20,73,ef,f6
"{014D2F73-E2A5-44F6-BD45-F0A791DE42A7}"=hex:51,66,7a,6c,4c,1d,38,12,1d,2c,5e,
05,97,ac,98,01,c2,53,b3,e7,94,80,06,b3
"{010DBB78-2FED-4AED-A7E8-DC083989F51F}"=hex:51,66,7a,6c,4c,1d,38,12,16,b8,1e,
05,df,61,83,0f,d8,fe,9f,48,3c,d7,b1,0b
"{009A6416-669F-4147-8F1B-176A85CCE46A}"=hex:51,66,7a,6c,4c,1d,38,12,78,67,89,
04,ad,28,29,04,f0,0d,54,2a,80,92,a0,7e
"{005C3BD7-7E45-425D-AE16-69460AD19D6B}"=hex:51,66,7a,6c,4c,1d,38,12,b9,38,4f,
04,77,30,33,07,d1,00,2a,06,0f,8f,d9,7f
.
[HKEY_USERS\S-1-5-21-2819834726-533737158-1913216436-1000\Software\SecuROM\License information*]
"datasecu"=hex:71,1d,81,de,fe,f4,50,82,c4,5b,8b,93,a1,93,1a,f8,e9,47,58,e8,a3,
0f,6b,38,5c,d0,bf,13,43,71,55,72,c3,27,da,64,dd,d6,91,51,db,17,59,57,a7,a1,\
"rkeysecu"=hex:6d,fd,d5,a6,54,58,d5,b1,55,2c,10,1a,0b,7c,0c,a1
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\windows\SysWOW64\mfc7132.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\programdata\atiumdva32.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\CNYHKey.exe
c:\windows\MHotkey.exe
c:\windows\ModLedKey.exe
c:\windows\ChiFuncExt.exe
.
**************************************************************************
.
Completion time: 2011-07-12 21:26:18 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-13 01:26
ComboFix2.txt 2011-07-10 03:01
ComboFix3.txt 2011-07-08 01:53
ComboFix4.txt 2011-07-07 15:32
ComboFix5.txt 2011-07-13 00:55
.
Pre-Run: 398,820,945,920 bytes free
Post-Run: 399,442,997,248 bytes free
.
- - End Of File - - B57C1C86EA4B8468684FEC2E5312886C
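The "Files Created" section of the log above is the part worth reading closely: nineteen DLLs of exactly 8896 bytes, all hidden+system (`--sha-w-`), all in c:\programdata, all named after a real Windows DLL with "32" appended, and landing roughly every half hour. Eight of them (the 2011-07-11 batch: ole3232, dnsapi32, msvcp6032, chsbrkr32, msvbvm6032, cewmdm32, d3d8thk32, termmgr32) are not in the CFScript at all, and "Other Running Processes" still lists c:\windows\SysWOW64\mfc7132.exe and c:\programdata\atiumdva32.exe. The script below is an added example, not code from this thread and not a ComboFix feature: it parses ComboFix's `created . modified size flags path` lines and groups files by folder, exact size and flag field, then reports the cadence of each group. The sample lines are excerpted from the log above; the reading of the flag field (`s` = system, `h` = hidden) is my interpretation of ComboFix's output format.

```python
"""Triage the 'Files Created' section of a ComboFix log for a still-running dropper.

Added example (not part of the thread, not a ComboFix feature). It parses
ComboFix's 'created . modified size flags path' lines and groups files by
(folder, exact size, flag field): many identical-size hidden+system files
landing in one folder at a steady cadence means the dropper is still alive.
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Sample input: lines excerpted from the ComboFix log posted above, including
# the section header and '.' separators that the parser has to skip.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-06-13 to 2011-07-13 )))))))))))))))))))))))))))))))
.
2011-07-11 05:34 . 2011-07-11 05:34 8896 --sha-w- c:\programdata\ole3232.dll
2011-07-11 05:02 . 2011-07-11 05:02 8896 --sha-w- c:\programdata\dnsapi32.dll
2011-07-11 04:29 . 2011-07-11 04:29 8896 --sha-w- c:\programdata\msvcp6032.dll
2011-07-11 03:56 . 2011-07-11 03:56 8896 --sha-w- c:\programdata\chsbrkr32.dll
2011-07-11 03:06 . 2011-07-11 03:06 8896 --sha-w- c:\programdata\msvbvm6032.dll
2011-07-11 02:36 . 2011-07-11 02:36 8896 --sha-w- c:\programdata\cewmdm32.dll
2011-07-11 02:04 . 2011-07-11 02:04 8896 --sha-w- c:\programdata\d3d8thk32.dll
2011-07-11 01:34 . 2011-07-11 01:34 8896 --sha-w- c:\programdata\termmgr32.dll
2011-07-10 01:58 . 2011-07-10 01:58 -------- d-----w- c:\program files\CCleaner
2011-07-08 16:11 . 2011-07-08 16:11 8896 --sha-w- c:\programdata\SMBHelperClass32.dll
2011-07-08 15:41 . 2011-07-08 15:41 8896 --sha-w- c:\programdata\feclient32.dll
2011-07-01 02:29 . 2011-06-24 03:18 565248 ------w- c:\windows\SysWow64\MFC7132.exe
"""

# created . modified  size-or-dashes  8-char flag field  path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                     r"(\d+|-+) (\S{8}) (.+?)\s*$")


@dataclass
class Created:
    created: datetime
    size: int      # -1 for a directory entry
    attrs: str     # ComboFix flag field, e.g. '--sha-w-' (s = system, h = hidden)
    path: str

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[1]

    @property
    def hidden_system(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs


def parse_created(text: str) -> List[Created]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # anything that does not match is a header or separator
            when, size, attrs, path = m.groups()
            entries.append(Created(datetime.strptime(when, "%Y-%m-%d %H:%M"),
                                   int(size) if size.isdigit() else -1, attrs, path))
    return entries


@dataclass
class Cluster:
    directory: str
    size: int
    attrs: str
    files: List[Created]   # sorted by creation time

    @property
    def hidden_system(self) -> bool:
        return all(f.hidden_system for f in self.files)

    @property
    def median_gap_minutes(self) -> int:
        gaps = [int((b.created - a.created).total_seconds() // 60)
                for a, b in zip(self.files, self.files[1:])]
        return int(statistics.median(gaps)) if gaps else 0


def find_drop_clusters(entries: List[Created], min_count: int = 3) -> List[Cluster]:
    """Group files by (folder, size, flags); keep groups of min_count or more."""
    groups = defaultdict(list)
    for e in entries:
        if e.size >= 0:   # directory entries carry no size and are not interesting here
            groups[(e.directory, e.size, e.attrs)].append(e)
    clusters = [Cluster(d, s, a, sorted(fs, key=lambda f: f.created))
                for (d, s, a), fs in groups.items() if len(fs) >= min_count]
    return sorted(clusters, key=lambda c: -len(c.files))


if __name__ == "__main__":
    for c in find_drop_clusters(parse_created(SAMPLE_LOG)):
        kind = "hidden+system" if c.hidden_system else "ordinary"
        print(f"{len(c.files)} x {c.size} B {kind} files in {c.directory}, "
              f"median gap {c.median_gap_minutes} min, latest {c.files[-1].name}")
```

Run against the full log it reports one cluster: ten (or, with the rest of the log, nineteen) 8896-byte hidden+system files in c:\programdata with a median gap of about half an hour. That cadence is the reason a file-list CFScript cannot finish the job: the generator writes a new one before the next log is even posted, so the running process has to go first.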
 

johnb35

Administrator
Staff member
Sorry for the late reply, went to bed early last night and had a long day at work today.


OK, something is definitely going on here that won't stop.

Please download aswMBR to your desktop.

Double click the aswMBR.exe to run it. Click the [Scan] button to start scan. On completion of the scan click [Save log], save it to your desktop and post in your next reply.
 

M199

New Member
It's fine,
and I'll get right on that.

My computer re-started itself to update last night. It asked my permission to run 'Microsoft Windows Malicious Software Removal Tool - July 2011'
Did you want to see the results of
'Malicious software was detected and removed from your computer' ?
 

johnb35

Administrator
Staff member
M199 said:
It's fine,
and I'll get right on that.

My computer re-started itself to update last night. It asked my permission to run 'Microsoft Windows Malicious Software Removal Tool - July 2011'
Did you want to see the results of
'Malicious software was detected and removed from your computer' ?

Yeah, that would be great.

M199 said:
I also got this. Yes or no?

Nope, you already have Trend Micro, so you can't install Avast as well.
 

johnb35

Administrator
Staff member
Ok, at this point in time, I recommend that you back up any data you need and then do a fresh install of Windows.
 

magna86

New Member
A malicious service that uses svchost.exe is still active in the system...
and ComboFix cannot see the rootkit in kernel mode; the GMER tools integrated into ComboFix do not detect its presence...
 

M199

New Member
Ok, thanks for your help!
For now... can I take all the virus scanners and whatnot I've downloaded off?
 

johnb35

Administrator
Staff member
magna86 said:
A malicious service that uses svchost.exe is still active in the system...
and ComboFix cannot see the rootkit in kernel mode; the GMER tools integrated into ComboFix do not detect its presence...

Ok, prove to me that the Yukon service is malicious...

M199 said:
Ok, thanks for your help!
For now... can I take all the virus scanners and whatnot I've downloaded off?

If you are going to reinstall windows then everything will be gone when you do it. You may delete them if you wish.
 

M199

New Member
Well, that's true.

My Trend Micro is saying it finds Troj_ etc. etc.
Aren't there ways to manually remove trojan viruses? (If that's what this means...)
Or is that what we've been trying to do here?
 

johnb35

Administrator
Staff member
Can you post the log that trend micro comes up with? There should be a report somewhere that you can export and post.
 

M199

New Member
Here's what I was talking about...

7/4/2011 9:36 PM,C:\Users\Amanda\AppData\Local\Temp\4F33.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 9:37 PM,C:\Users\Amanda\AppData\Local\Temp\8A9E.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 9:44 PM,C:\Users\Amanda\AppData\Local\Temp\F063.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 9:44 PM,C:\Users\Amanda\AppData\Local\Temp\29CC.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 10:05 PM,C:\Users\Amanda\AppData\Local\Temp\7888.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 10:05 PM,C:\Users\Amanda\AppData\Local\Temp\B7AB.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/6/2011 8:31 PM,C:\Qoobox\Quarantine\C\Windows\SysWOW64\atiumdva32.dll.vir,TROJ_GEN.R47C1G5,Threat,Removed
7/7/2011 9:51 PM,C:\Windows\SysWow64\atiumdva32.dll,TROJ_GEN.R47C1G5,Threat,Removed
7/10/2011 11:23 PM,C:\Windows\SysWOW64\atiumdva32.dll,TROJ_GEN.R47C1G5,Threat,Removed
7/11/2011 1:13 AM,C:\Windows\SysWOW64\MFC7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/11/2011 1:16 AM,C:\Windows\SysWOW64\MFC7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/12/2011 9:22 PM,C:\Windows\SysWow64\MFC7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:02 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:02 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:02 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:03 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:06 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
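Read as a whole rather than line by line, the Trend Micro log above says two things that an "Access Denied" on its own does not: c:\windows\SysWOW64\atiumdva32.dll was "Removed" on 7/7 and again on 7/10 (so something put it back), and MFC7132.exe returned "Access Denied" eight times across four days (so the scanner never actually touched it), while six differently named BKDR_CYCBOT.SMIB samples appeared in the user's Temp folder within half an hour on 7/4. The script below is an added example, not code from the thread and not a Trend Micro feature: it reads the five-field log lines, counts outcomes per path, and reports exactly those three patterns. The sample lines are copied from the log above; the three finding names are my own labels.

```python
"""Correlate Trend Micro detection-log lines to tell one-off cleanups from an
infection that is regenerating or defending itself.

Added example, not part of the thread and not a Trend Micro feature. Each
line is 'timestamp,path,detection,category,result'. Two results argue against
'cleaned': the same path 'Removed' more than once (something recreates it)
and 'Access Denied' (the scanner cannot touch the file, typically because it
is running or protected), which is what the log above shows for mfc7132.exe.
"""
import csv
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Sample input: the Trend Micro log lines posted above.
SAMPLE_LOG = r"""
7/4/2011 9:36 PM,C:\Users\Amanda\AppData\Local\Temp\4F33.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 9:37 PM,C:\Users\Amanda\AppData\Local\Temp\8A9E.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 9:44 PM,C:\Users\Amanda\AppData\Local\Temp\F063.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 9:44 PM,C:\Users\Amanda\AppData\Local\Temp\29CC.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 10:05 PM,C:\Users\Amanda\AppData\Local\Temp\7888.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/4/2011 10:05 PM,C:\Users\Amanda\AppData\Local\Temp\B7AB.exe,BKDR_CYCBOT.SMIB,Threat,Removed
7/6/2011 8:31 PM,C:\Qoobox\Quarantine\C\Windows\SysWOW64\atiumdva32.dll.vir,TROJ_GEN.R47C1G5,Threat,Removed
7/7/2011 9:51 PM,C:\Windows\SysWow64\atiumdva32.dll,TROJ_GEN.R47C1G5,Threat,Removed
7/10/2011 11:23 PM,C:\Windows\SysWOW64\atiumdva32.dll,TROJ_GEN.R47C1G5,Threat,Removed
7/11/2011 1:13 AM,C:\Windows\SysWOW64\MFC7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/11/2011 1:16 AM,C:\Windows\SysWOW64\MFC7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/12/2011 9:22 PM,C:\Windows\SysWow64\MFC7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:02 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:02 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:02 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:03 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
7/14/2011 3:06 AM,C:\Windows\SysWOW64\mfc7132.exe,TROJ_GEN.RC1C1G9,Threat,Access Denied
"""


def parse(text: str) -> List[dict]:
    rows = []
    for fields in csv.reader(text.strip().splitlines()):
        if len(fields) != 5:
            continue  # blank or malformed line
        when, path, detection, category, result = (f.strip() for f in fields)
        rows.append({
            "time": datetime.strptime(when, "%m/%d/%Y %I:%M %p"),
            "path": path.lower(),  # NTFS is case-insensitive: SysWow64 == SysWOW64
            "detection": detection,
            "category": category,
            "result": result,
        })
    return rows


def summarize(rows: List[dict]) -> Dict[str, dict]:
    """Per path: how many times each result occurred, and which names hit it."""
    by_path: Dict[str, dict] = {}
    for r in rows:
        s = by_path.setdefault(r["path"], {"results": defaultdict(int), "detections": set(),
                                           "first": r["time"], "last": r["time"]})
        s["results"][r["result"]] += 1
        s["detections"].add(r["detection"])
        s["first"] = min(s["first"], r["time"])
        s["last"] = max(s["last"], r["time"])
    return by_path


def findings(rows: List[dict]) -> List[Tuple[str, str]]:
    """(finding, path-or-family) pairs; an empty list is what a clean box looks like."""
    out = []
    for path, s in sorted(summarize(rows).items()):
        if s["results"].get("Removed", 0) >= 2:
            out.append(("recreated-after-removal", path))
        if s["results"].get("Access Denied", 0) >= 1:
            out.append(("removal-failed", path))
    # Several randomly named samples of one family in a Temp folder: a dropper
    # fetching payloads, not a stray download.
    temp_paths = defaultdict(set)
    for r in rows:
        if "\\temp\\" in r["path"]:
            temp_paths[r["detection"]].add(r["path"])
    for family, paths in sorted(temp_paths.items()):
        if len(paths) >= 3:
            out.append(("dropper-burst", family))
    return out


if __name__ == "__main__":
    for kind, subject in findings(parse(SAMPLE_LOG)):
        print(f"{kind}: {subject}")
```

The paths are lower-cased before counting because the log spells the same file three ways (SysWOW64, SysWow64, MFC7132/mfc7132); without that normalisation the eight "Access Denied" hits split into three paths and the reinfection of atiumdva32.dll disappears. Note also that the 7/6 hit is on a file inside C:\Qoobox\Quarantine, which is ComboFix's own quarantine folder, not a live file.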
 