Run LL?

greybelt

New Member
I did it, and I copied the log, and when I clicked on my Computer Forum icon I had no service. So now how do I get to show you the log? And please let me know if I can disable hijack, malware and combofix. And the two popups didn't occur on startup. But I still have a blue twirl alongside my cursor that pops up every 5-6 mins for 4-5 seconds.
 

johnb35

Administrator
Staff member
The ComboFix log is located at C:\combofix.txt. You should keep HijackThis and Malwarebytes; use Malwarebytes to scan your system every few days just to keep it clean. ComboFix we will get rid of when we are done.
 

greybelt

New Member
At the risk of being annoying, what do you mean by "it is located at"? I am not com. savvy; I can't believe I was able to get this far.
 

johnb35

Administrator
Staff member
That's where the log is located. Click on Computer in the Start menu, click on the C drive, and find a file called combofix.txt. Again, it's located at C:\combofix.txt.
 

greybelt

New Member
ComboFix 11-11-24.01 - Vinnievel 11/24/2011 13:40:47.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1023.257 [GMT -5:00]
Running from: c:\users\Vinnievel\Desktop\ComboFix.exe
AV: avast! Internet Security *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: avast! Internet Security *Enabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
SP: avast! Internet Security *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\users\Vinnievel\AppData\Roaming\OpenCloud Security
c:\users\Vinnievel\AppData\Roaming\OpenCloud Security\OpenCloud Security.ico
c:\users\Vinnievel\AppData\Roaming\OpenCloud Security\wmf.cfg
c:\users\Vinnievel\Documents\~WRL0001.tmp
c:\users\Vinnievel\Documents\~WRL0002.tmp
c:\users\Vinnievel\Documents\~WRL0003.tmp
c:\users\Vinnievel\Documents\~WRL0004.tmp
c:\users\Vinnievel\Documents\~WRL0005.tmp
c:\users\Vinnievel\Documents\~WRL0006.tmp
c:\users\Vinnievel\Documents\~WRL0007.tmp
c:\users\Vinnievel\Documents\~WRL0008.tmp
c:\users\Vinnievel\Documents\~WRL0009.tmp
c:\users\Vinnievel\Documents\~WRL0010.tmp
c:\users\Vinnievel\Documents\~WRL0136.tmp
c:\users\Vinnievel\Documents\~WRL0250.tmp
c:\users\Vinnievel\Documents\~WRL0861.tmp
c:\users\Vinnievel\Documents\~WRL1018.tmp
c:\users\Vinnievel\Documents\~WRL1406.tmp
c:\users\Vinnievel\Documents\~WRL1548.tmp
c:\users\Vinnievel\Documents\~WRL1697.tmp
c:\users\Vinnievel\Documents\~WRL1892.tmp
c:\users\Vinnievel\Documents\~WRL1911.tmp
c:\users\Vinnievel\Documents\~WRL1938.tmp
c:\users\Vinnievel\Documents\~WRL2000.tmp
c:\users\Vinnievel\Documents\~WRL2156.tmp
c:\users\Vinnievel\Documents\~WRL2175.tmp
c:\users\Vinnievel\Documents\~WRL2350.tmp
c:\users\Vinnievel\Documents\~WRL2464.tmp
c:\users\Vinnievel\Documents\~WRL2585.tmp
c:\users\Vinnievel\Documents\~WRL2675.tmp
c:\users\Vinnievel\Documents\~WRL2699.tmp
c:\users\Vinnievel\Documents\~WRL2908.tmp
c:\users\Vinnievel\Documents\~WRL3096.tmp
c:\users\Vinnievel\Documents\~WRL3212.tmp
c:\users\Vinnievel\Documents\~WRL3378.tmp
c:\users\Vinnievel\Documents\~WRL3516.tmp
c:\users\Vinnievel\Documents\~WRL3742.tmp
c:\users\Vinnievel\Documents\~WRL3764.tmp
c:\users\Vinnievel\Documents\~WRL4073.tmp
c:\users\Vinnievel\GoToAssistDownloadHelper.exe
c:\windows\system32\service
c:\windows\system32\service\09102009_TIS17_SfFniAU.log
c:\windows\system32\service\19102009_TIS17_SfFniAU.log
.
.
((((((((((((((((((((((((( Files Created from 2011-10-24 to 2011-11-24 )))))))))))))))))))))))))))))))
.
.
2011-11-24 18:57 . 2011-11-24 18:58 -------- d-----w- c:\users\Vinnievel\AppData\Local\temp
2011-11-24 18:57 . 2011-11-24 18:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-24 18:10 . 2011-11-24 18:10 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{748C3753-A768-4390-B06C-41E314C23BB1}\offreg.dll
2011-11-22 07:07 . 2011-10-07 03:48 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{748C3753-A768-4390-B06C-41E314C23BB1}\mpengine.dll
2011-11-21 14:18 . 2011-11-21 14:18 388096 ----a-r- c:\users\Vinnievel\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-21 14:18 . 2011-11-21 14:18 -------- d-----w- c:\program files\Trend Micro
2011-11-15 08:52 . 2011-11-15 08:52 -------- d-----w- c:\users\Vinnievel\AppData\Roaming\Malwarebytes
2011-11-15 08:51 . 2011-11-15 08:51 -------- d-----w- c:\programdata\Malwarebytes
2011-11-15 08:51 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-15 08:51 . 2011-11-15 08:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-11 02:31 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-11 02:31 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-11 02:31 . 2011-09-06 21:38 111320 ----a-w- c:\windows\system32\drivers\aswFW.sys
2011-11-11 02:29 . 2011-09-06 21:37 195416 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2011-11-11 02:29 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-11 02:29 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-11 02:29 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-11 02:29 . 2011-09-06 21:36 54616 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-11-11 02:28 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-11 02:28 . 2011-09-06 21:10 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2011-11-11 02:28 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-10 22:08 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-11-10 22:08 . 2011-09-20 21:02 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-10 22:08 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-01 16:34 . 2011-11-06 15:23 -------- d-----w- c:\programdata\ArcaBit
2011-10-25 20:19 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-30 23:06 . 2011-10-12 05:14 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02 . 2011-10-12 05:14 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01 . 2011-10-12 05:14 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01 . 2011-10-12 05:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 23:01 . 2011-10-12 05:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 22:07 . 2011-10-12 05:14 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29 . 2011-10-12 05:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28 . 2011-10-12 05:14 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-06 13:30 . 2011-10-12 05:14 2043392 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-10 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2007-12-18 90112]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-05 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 cpuz134;cpuz134;c:\users\VINNIE~1\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [x]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\aswNdis.sys [2011-09-06 12112]
S0 aswNdis2;avast! Firewall Core Firewall Service; [x]
S1 aswFW;avast! TDI Firewall driver; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-09-06 54616]
S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [2011-09-06 127192]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-24 c:\windows\Tasks\User_Feed_Synchronization-{50DE2697-B028-451F-9231-A45B7D5F8F7D}.job
- c:\windows\system32\msfeedssync.exe [2011-10-12 21:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-KeyboardVerifierVerifier - c:\programdata\KeyboardVerifierVerifier.dll
HKLM-Run-ABREGMON - c:\program files\ArcaBit\ArcaVir\ABregmon.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-24 13:57
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-767366433-610941212-150165689-1000\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:80,9a,af,d0,2a,7a,28,00
DUMPHIVE0.003 (REGF)
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-11-24 14:05:42
ComboFix-quarantined-files.txt 2011-11-24 19:05
.
Pre-Run: 232,880,283,648 bytes free
Post-Run: 233,142,558,720 bytes free
.
- - End Of File - - 4FFA216A5EF261D2A9F62BFC37C17D7B
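A triage pass over the log format above, as an added example (it is not ComboFix's code and was not posted in the thread): it parses the service table (the R*/S* lines), the Run-key autostarts, the Security Center "DisableMonitoring" values and the orphan list the way a helper reads them, and flags entries whose binary ComboFix could not find ([x]), that load from a temp directory, or that turn Security Center monitoring off. The sample lines are constructed to mirror the layout on this page; the field layout (start-type code, name;display;path, trailing [date size] or [x]) is inferred from the log, not taken from ComboFix documentation.

```python
"""Triage pass over a ComboFix-style log (added example; not ComboFix's own code).

Pulls out the parts a helper reads first: the service table (R*/S* lines),
Run-key autostarts, Security Center "DisableMonitoring" values and the
orphan list, and flags the entries that usually deserve a second look.
"""
import re
from dataclasses import dataclass

# Constructed sample lines that mirror the layout of the log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-10 39408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [x]
R3 cpuz134;cpuz134;c:\users\VINNIE~1\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-KeyboardVerifierVerifier - c:\programdata\KeyboardVerifierVerifier.dll
"""

# Field layout below is inferred from the log itself (assumption), not from ComboFix docs.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?) "
    r"\[(?P<tag>x|\d{4}-\d{2}-\d{2} \d+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?: \[[^\]]*\])?$')
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')
ORPHAN_RE = re.compile(r"^(?P<entry>HK(?:CU|LM)-Run-\S+) - (?P<path>.+)$")
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


@dataclass
class Service:
    start: str      # ComboFix start-type code, e.g. R2 or S1
    name: str
    display: str
    path: str
    present: bool   # False when the log shows [x]: image not found on disk


def _walk(text):
    """Yield (current registry key, stripped line), tracking [HKEY_...] headers."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
        yield key, line


def parse_services(text):
    out = []
    for _, line in _walk(text):
        m = SERVICE_RE.match(line)
        if m:
            out.append(Service(m["start"], m["name"], m["display"], m["path"], m["tag"] != "x"))
    return out


def parse_run_entries(text):
    """(registry key, value name, image path) for each value under a ...\\Run key."""
    out = []
    for key, line in _walk(text):
        m = RUN_RE.match(line)
        if m and key and key.lower().endswith("\\run"):
            out.append((key, m["name"], m["path"]))
    return out


def security_center_disabled(text):
    """Keys under 'security center' where DisableMonitoring is set to 1."""
    return [key for key, line in _walk(text)
            if key and "security center" in key.lower() and DISABLE_RE.match(line)]


def parse_orphans(text):
    out = []
    for _, line in _walk(text):
        m = ORPHAN_RE.match(line)
        if m:
            out.append((m["entry"], m["path"]))
    return out


def triage(text):
    """Human-readable findings, one per suspicious entry."""
    findings = []
    for s in parse_services(text):
        if not s.present:
            findings.append(f"service {s.name} ({s.start}): binary not found on disk [{s.path or 'no path recorded'}]")
        if TEMP_DIR.search(s.path):
            findings.append(f"service {s.name}: image loads from a temp directory [{s.path}]")
    for key, name, path in parse_run_entries(text):
        if TEMP_DIR.search(path) or path.lower().startswith("c:\\programdata\\"):
            findings.append(f"autostart {name} under {key}: unusual image location [{path}]")
    for key in security_center_disabled(text):
        findings.append(f"Security Center monitoring disabled under [{key}]")
    for entry, path in parse_orphans(text):
        findings.append(f"orphaned autostart {entry} still pointed at [{path}]")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a saved C:\combofix.txt by reading the file into `triage()`; the findings are pointers for a human reviewer (a missing binary is often just a leftover from an uninstalled product, as the Webroot entry here likely is), not verdicts.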
 

johnb35

Administrator
Staff member
Sorry about missing your earlier post, not sure what happened there.

We need to run one more special script for combofix.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
KIllall::

Reglock::

[HKEY_USERS\S-1-5-21-767366433-610941212-150165689-1000\¬ î**]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


[Screenshot: CFScript-1.gif]


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

How's the system running now?
 

greybelt

New Member
I blended icons, a data or log type of screen started running, sandbox popped up, I clicked run norm. The screen that was running after the blend left the screen. Disable firewall again.
 

johnb35

Administrator
Staff member
When dropping the Notepad file on top of ComboFix, it will run like normal. You should disable the sandbox again until after ComboFix runs, and also disable your antivirus again. Also, I just edited the script, so you will need to recopy the text in the code box and create a new one. There was a space where there shouldn't be.
 

greybelt

New Member
ComboFix 11-12-02.01 - Vinnievel 12/02/2011 12:31:21.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1023.267 [GMT -5:00]
Running from: c:\users\Vinnievel\Desktop\ComboFix.exe
Command switches used :: c:\users\Vinnievel\Desktop\CFScript.txt
AV: avast! Internet Security *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: avast! Internet Security *Enabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
SP: avast! Internet Security *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-02 to 2011-12-02 )))))))))))))))))))))))))))))))
.
.
2011-12-02 17:47 . 2011-12-02 17:47 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EA88867D-2766-4D9C-B8F7-0E8E636B0BB5}\offreg.dll
2011-12-02 17:42 . 2011-12-02 17:48 -------- d-----w- c:\users\Vinnievel\AppData\Local\temp
2011-12-02 17:42 . 2011-12-02 17:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-02 07:13 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EA88867D-2766-4D9C-B8F7-0E8E636B0BB5}\mpengine.dll
2011-11-21 14:18 . 2011-11-21 14:18 388096 ----a-r- c:\users\Vinnievel\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-21 14:18 . 2011-11-21 14:18 -------- d-----w- c:\program files\Trend Micro
2011-11-15 08:52 . 2011-11-15 08:52 -------- d-----w- c:\users\Vinnievel\AppData\Roaming\Malwarebytes
2011-11-15 08:51 . 2011-11-15 08:51 -------- d-----w- c:\programdata\Malwarebytes
2011-11-15 08:51 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-15 08:51 . 2011-11-15 08:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-11 02:31 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-11 02:31 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-11 02:31 . 2011-09-06 21:38 111320 ----a-w- c:\windows\system32\drivers\aswFW.sys
2011-11-11 02:29 . 2011-09-06 21:37 195416 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2011-11-11 02:29 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-11 02:29 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-11 02:29 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-11 02:29 . 2011-09-06 21:36 54616 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-11-11 02:28 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-11 02:28 . 2011-09-06 21:10 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2011-11-11 02:28 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-10 22:08 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-11-10 22:08 . 2011-09-20 21:02 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-10 22:08 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-30 23:06 . 2011-10-12 05:14 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02 . 2011-10-12 05:14 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01 . 2011-10-12 05:14 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01 . 2011-10-12 05:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 23:01 . 2011-10-12 05:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 22:07 . 2011-10-12 05:14 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29 . 2011-10-12 05:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28 . 2011-10-12 05:14 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-06 13:30 . 2011-10-12 05:14 2043392 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-10 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2007-12-18 90112]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-12-05 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 cpuz134;cpuz134;c:\users\VINNIE~1\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [x]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\aswNdis.sys [2011-09-06 12112]
S0 aswNdis2;avast! Firewall Core Firewall Service; [x]
S1 aswFW;avast! TDI Firewall driver; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-09-06 54616]
S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [2011-09-06 127192]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-02 c:\windows\Tasks\User_Feed_Synchronization-{50DE2697-B028-451F-9231-A45B7D5F8F7D}.job
- c:\windows\system32\msfeedssync.exe [2011-10-12 21:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-767366433-610941212-150165689-1000\¬ î**]
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:80,9a,af,d0,2a,7a,28,00
DUMPHIVE0.003 (REGF)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\sdclt.exe
.
**************************************************************************
.
Completion time: 2011-12-02 12:57:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-02 17:56
ComboFix2.txt 2011-11-24 19:05
.
Pre-Run: 232,264,216,576 bytes free
Post-Run: 232,144,875,520 bytes free
.
- - End Of File - - 4CF521AA822D123B2C422AFB225E7514

The system seems fine. The Run LL popups no longer appear. But I still have a blue twirl
alongside my cursor that pops up every 5 mins for 5 secs.
 
Last edited:
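The log above is read the same way each time: look through the Reg Loading Points for services and drivers whose file ComboFix could not find ([x]), for autostart binaries sitting in temporary or user-writable folders (the cpuz134 driver under AppData\Local\Temp), for Run entries that are bare filenames, and for Security Center "DisableMonitoring" keys. The following Python script is an added example, not ComboFix's or the forum's own code, that applies those checks to an excerpt of the log posted above; the rule names and the user-writable-folder heuristic are this example's own assumptions.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code).

Flags, from the 'Reg Loading Points' part of a log:
  * service/driver entries whose binary ComboFix could not find ([x]),
  * autostart binaries in user-writable or temporary folders,
  * Run entries that are bare filenames resolved via the search path,
  * Security Center 'DisableMonitoring' keys.
Rule names and the user-writable-folder heuristic are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List

# Excerpt of the log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 cpuz134;cpuz134;c:\users\VINNIE~1\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [x]
S1 aswSP;aswSP; [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
"""


@dataclass
class Finding:
    rule: str
    subject: str
    detail: str


# "R3 name;description;path [2011-02-28 183560]", or "[x]" when the file was not found
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
# "name"="path" [date size] under a ...\Run key
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]\s*$')
SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# Heuristic (this example's assumption): folders an ordinary user can write to.
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|programdata|users\\[^\\]+\\downloads)\\", re.I)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _desc, path, meta = m.groups()
            if meta.strip() == "x":
                # [x]: ComboFix found no file for this entry. Could be an uninstall
                # leftover, a malware remnant, or a self-protecting AV driver;
                # verify each before removing the key.
                findings.append(Finding("missing-binary", name,
                                        f"{start} entry, file not found: {path or '<no path>'}"))
            if path and USER_WRITABLE_RE.search(path):
                findings.append(Finding("user-writable-path", name, f"{start} loads {path}"))
            continue
        m = RUN_RE.match(line)
        if m and section.lower().endswith("\\run"):
            name, path, _meta = m.groups()
            if USER_WRITABLE_RE.search(path):
                findings.append(Finding("user-writable-path", name, f"Run key loads {path}"))
            elif "\\" not in path:
                findings.append(Finding("unqualified-path", name,
                                        f"Run key names bare file {path}; resolved via search path"))
            continue
        if line.lower() == '"disablemonitoring"=dword:00000001' and "security center" in section.lower():
            product = section.rsplit("\\", 1)[-1]
            findings.append(Finding("wsc-monitoring-disabled", product,
                                    "Security Center alerts suppressed for this product"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

Run it as a script to print the findings for the excerpt. Each finding is a lead to check against what is actually installed, not a verdict: a [x] on a known security product's driver or a hardware-utility driver left in Temp can be benign, while a missing binary for an unknown service or a Run entry in AppData is what you would chase first.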

greybelt

New Member
Ok, that got it all cleared up.

How's the system running now?

I got the mother of all viruses, Vista 2012. After having me install HijackThis and Malwarebytes, it didn't stop it; it's like they were worthless. There isn't one thing I can do. I'm at the library. If you know something that might save it, let me know before I trash it.
 

johnb35

Administrator
Staff member
So you are infected again? Vista Security requires rkill to be run first before Malwarebytes will remove the infection. Get the link for rkill in my first post.
 