
Thread: Virtumonde.DLL

  1. #1 Junior Member (Join Date: Sep 2010; Posts: 8)

    Virtumonde.DLL

    Hello Spybot Team,
    I currently have a Virtumonde.DLL that I can't seem to remove. Any assistance would be great. Thanks.

    Attached is my DDS log.

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Nessaboo at 12:47:53.58 on Sat 09/04/2010
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1362 [GMT -7:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\taskhost.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Users\Nessaboo\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Nessaboo\Downloads\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [Steam] "c:\program files\steam\steam.exe" -silent
    uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
    uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
    uRun: [Google Update] "c:\users\nessaboo\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    StartupFolder: c:\users\nessaboo\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://ebs-prd.hologic.com/OA_HTML/oaj2se.exe
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {DB28CF23-0083-40B5-BF63-69925D672385} - hxxp://www.nero.com/doc/NeroVersionChecker.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn1.hologic.com/dana-cached/sc/JuniperSetupClient.cab
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\nessaboo\appdata\roaming\mozilla\firefox\profiles\m01ih5tb.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\download manager\npfpdlm.dll
    FF - plugin: c:\users\nessaboo\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\users\nessaboo\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-29 165456]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-29 17744]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-8-29 50256]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-29 40384]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-29 40384]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-29 40384]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-17 1343400]

    =============== Created Last 30 ================

    2010-09-02 04:45:59 0 d-----w- c:\program files\Trend Micro
    2010-09-02 04:30:55 0 d-----w- c:\users\nessaboo\appdata\roaming\Malwarebytes
    2010-09-02 04:30:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-02 04:30:46 0 d-----w- c:\programdata\Malwarebytes
    2010-09-02 04:30:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-02 04:30:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-02 04:25:37 0 d-sh--w- C:\$RECYCLE.BIN
    2010-09-02 04:12:58 98816 ----a-w- c:\windows\sed.exe
    2010-09-02 04:12:58 77312 ----a-w- c:\windows\MBR.exe
    2010-09-02 04:12:58 256512 ----a-w- c:\windows\PEV.exe
    2010-09-02 04:12:58 161792 ----a-w- c:\windows\SWREG.exe
    2010-08-30 06:39:29 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-08-30 06:39:09 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-30 06:39:05 0 d-----w- c:\programdata\Alwil Software
    2010-08-30 06:23:02 196 ----a-w- c:\windows\wininit.ini
    2010-08-30 05:13:42 0 d-----w- c:\programdata\Spybot - Search & Destroy
    2010-08-30 05:13:42 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-30 03:50:46 79360 --sha-r- c:\windows\system32\msimsgn.dll
    2010-08-25 14:40:49 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2010-08-22 16:41:11 0 d-----w- c:\program files\Microsoft
    2010-08-08 03:54:28 0 d-----w- c:\users\nessaboo\appdata\roaming\Red Kawa
    2010-08-07 01:18:42 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-08-07 01:12:05 398704 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
    2010-08-07 01:12:05 345456 ----a-w- c:\windows\system32\dsNcCredProv.dll
    2010-08-07 01:11:40 0 d-----w- c:\program files\Juniper Networks
    2010-08-07 01:11:21 0 d-----w- c:\users\nessaboo\appdata\roaming\Juniper Networks

    ==================== Find3M ====================

    2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
    2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll
    2010-06-19 06:33:29 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-06-19 06:33:29 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-06-19 06:23:50 37376 ----a-w- c:\windows\system32\rtutils.dll
    2010-06-19 04:07:18 2326016 ----a-w- c:\windows\system32\win32k.sys
    2010-06-16 05:48:35 224256 ----a-w- c:\windows\system32\schannel.dll
    2010-06-08 06:02:06 1233920 ----a-w- c:\windows\system32\msxml3.dll
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 12:48:41.57 ==============

    Also attached is the zipped Attach file.

    Thanks,
    Jason

  2. #2 Blade81, Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent


    I'd like you to read this thread.

    Please go to Control Panel > Programs and Features and uninstall the programs listed above (in red).


    After that:


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3 Junior Member (Join Date: Sep 2010; Posts: 8)

    Thank you Blade,

    ComboFix 10-09-07.01 - Nessaboo 09/07/2010 20:45:48.2.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1246 [GMT -7:00]
    Running from: c:\users\Nessaboo\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
    .

    2010-09-08 03:53 . 2010-09-08 03:53 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-09-08 03:53 . 2010-09-08 03:53 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-09-04 20:07 . 2010-09-04 20:07 -------- d-----w- c:\users\Nessaboo\AppData\Local\WinZip
    2010-09-04 20:07 . 2010-09-04 20:07 -------- d-----w- c:\programdata\WinZip
    2010-09-04 19:46 . 2010-09-04 19:46 -------- d-----w- c:\program files\ERUNT
    2010-09-02 04:45 . 2010-09-02 04:45 -------- d-----w- c:\program files\Trend Micro
    2010-09-02 04:30 . 2010-09-02 04:30 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\Malwarebytes
    2010-09-02 04:30 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-02 04:30 . 2010-09-02 04:30 -------- d-----w- c:\programdata\Malwarebytes
    2010-09-02 04:30 . 2010-09-02 04:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-02 04:30 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-30 06:39 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-08-30 06:39 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-08-30 06:39 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-08-30 06:39 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-08-30 06:39 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-08-30 06:39 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-30 06:39 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-08-30 06:39 . 2010-08-30 06:39 -------- d-----w- c:\programdata\Alwil Software
    2010-08-30 06:39 . 2010-08-30 06:39 -------- d-----w- c:\program files\Alwil Software
    2010-08-30 05:13 . 2010-08-30 06:28 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-08-30 05:13 . 2010-08-30 05:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-30 03:54 . 2010-08-30 03:54 -------- d-----w- c:\windows\Sun
    2010-08-30 03:50 . 2010-08-30 03:50 79360 --sha-r- c:\windows\system32\msimsgn.dll
    2010-08-25 14:40 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2010-08-22 17:35 . 2010-08-22 17:36 -------- d-----w- c:\users\Nessaboo\AppData\Local\Google
    2010-08-22 16:41 . 2010-08-22 16:41 -------- d-----w- c:\users\Nessaboo\AppData\Local\IsolatedStorage
    2010-08-22 16:41 . 2010-08-22 16:41 -------- d-----w- c:\program files\Microsoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-07 05:18 . 2010-05-17 03:45 -------- d-----w- c:\program files\Steam
    2010-09-02 16:31 . 2010-05-17 03:45 -------- d-----w- c:\program files\Common Files\Steam
    2010-08-12 10:03 . 2010-08-05 03:14 -------- d-----w- c:\programdata\Microsoft Help
    2010-08-09 03:07 . 2010-07-26 01:16 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\ImgBurn
    2010-08-08 03:54 . 2010-08-08 03:54 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\Red Kawa
    2010-08-07 01:18 . 2010-08-07 01:18 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-08-07 01:18 . 2010-08-07 01:18 -------- d-----w- c:\program files\Java
    2010-08-07 01:13 . 2010-08-07 01:11 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\Juniper Networks
    2010-08-07 01:12 . 2010-08-07 01:11 -------- d-----w- c:\program files\Juniper Networks
    2010-08-07 01:11 . 2010-08-07 01:11 162656 ----a-w- c:\users\Nessaboo\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
    2010-08-07 01:11 . 2010-08-07 01:11 292704 ----a-w- c:\users\Nessaboo\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
    2010-08-05 03:28 . 2010-05-18 02:05 108824 ----a-w- c:\users\Nessaboo\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-08-05 03:18 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
    2010-08-05 03:18 . 2010-08-05 03:18 -------- d-----w- c:\program files\Microsoft Synchronization Services
    2010-08-05 03:17 . 2010-08-05 03:17 -------- d-----w- c:\program files\Microsoft Sync Framework
    2010-08-05 03:17 . 2010-08-05 03:17 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2010-08-05 03:17 . 2010-06-26 10:38 -------- d-----w- c:\program files\Microsoft.NET
    2010-08-05 03:16 . 2010-08-05 03:16 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-08-05 03:15 . 2010-08-05 03:15 -------- d-----w- c:\program files\Microsoft Analysis Services
    2010-07-29 06:30 . 2010-08-12 04:24 197632 ----a-w- c:\windows\system32\ir32_32.dll
    2010-07-29 06:30 . 2010-08-12 04:24 82944 ----a-w- c:\windows\system32\iccvid.dll
    2010-07-26 01:15 . 2010-07-26 01:15 -------- d-----w- c:\program files\ImgBurn
    2010-07-26 01:07 . 2010-07-26 01:07 -------- d-----w- c:\programdata\NCH Swift Sound
    2010-07-26 01:06 . 2010-07-26 01:06 -------- d-----w- c:\program files\NCH Swift Sound
    2010-07-14 10:18 . 2010-05-17 05:20 -------- d-----w- c:\programdata\NOS
    2010-07-12 05:17 . 2010-07-12 05:17 -------- d-----w- c:\programdata\McAfee
    2010-06-30 06:25 . 2010-08-12 04:24 978432 ----a-w- c:\windows\system32\wininet.dll
    2010-06-28 03:59 . 2010-06-28 03:59 50354 ----a-w- c:\users\Nessaboo\AppData\Roaming\Facebook\uninstall.exe
    2010-06-22 02:47 . 2010-08-12 04:24 310784 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-22 02:47 . 2010-08-12 04:24 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-06-22 02:47 . 2010-08-12 04:24 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-06-19 06:33 . 2010-08-12 04:24 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-06-19 06:33 . 2010-08-12 04:24 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-06-19 06:23 . 2010-08-12 04:24 37376 ----a-w- c:\windows\system32\rtutils.dll
    2010-06-19 04:07 . 2010-08-12 04:24 2326016 ----a-w- c:\windows\system32\win32k.sys
    2010-06-16 05:48 . 2010-08-12 04:24 224256 ----a-w- c:\windows\system32\schannel.dll
    2010-06-14 06:12 . 2010-08-12 04:24 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\steam\steam.exe" [2010-08-23 1242448]
    "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-12-12 2292672]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
    "Google Update"="c:\users\Nessaboo\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-22 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-08-07 149280]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]

    c:\users\Nessaboo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-18 1343400]
    S1 aswSP;aswSP; [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-32453113-1086635514-2273911061-1001Core.job
    - c:\users\Nessaboo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-22 17:35]

    2010-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-32453113-1086635514-2273911061-1001UA.job
    - c:\users\Nessaboo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-22 17:35]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://ebs-prd.hologic.com/OA_HTML/oaj2se.exe
    DPF: {DB28CF23-0083-40B5-BF63-69925D672385} - hxxp://www.nero.com/doc/NeroVersionChecker.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn1.hologic.com/dana-cached/sc/JuniperSetupClient.cab
    FF - ProfilePath - c:\users\Nessaboo\AppData\Roaming\Mozilla\Firefox\Profiles\m01ih5tb.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\progra~1\MICROS~3\Office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\MICROS~3\Office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\Download Manager\npfpdlm.dll
    FF - plugin: c:\users\Nessaboo\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\users\Nessaboo\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-32453113-1086635514-2273911061-1001\Software\SecuROM\License information*]
    "datasecu"=hex:3a,f5,44,df,3b,90,87,a4,f3,b6,65,79,06,09,b6,95,4b,c9,c9,cf,ca,
    03,86,0b,20,29,a2,b5,6e,c2,59,e1,77,2b,80,11,49,0d,3b,fb,6c,20,7f,45,02,90,\
    "rkeysecu"=hex:00,28,36,25,fe,b4,40,44,31,af,d3,3c,7a,86,7f,ec

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2010-09-07 20:56:49
    ComboFix-quarantined-files.txt 2010-09-08 03:56
    ComboFix2.txt 2010-09-02 04:27

    Pre-Run: 20,507,197,440 bytes free
    Post-Run: 20,368,621,568 bytes free

    - - End Of File - - B7F78A0ACD82C2F842EE275B68C8E37C

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    DDS.log
    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Nessaboo at 21:00:21.67 on Tue 09/07/2010
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1128 [GMT -7:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Users\Nessaboo\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICAA.EXE
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Nessaboo\Downloads\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [Steam] "c:\program files\steam\steam.exe" -silent
    uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
    uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
    uRun: [Google Update] "c:\users\nessaboo\appdata\local\google\update\GoogleUpdate.exe" /c
    mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    StartupFolder: c:\users\nessaboo\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://ebs-prd.hologic.com/OA_HTML/oaj2se.exe
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {DB28CF23-0083-40B5-BF63-69925D672385} - hxxp://www.nero.com/doc/NeroVersionChecker.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn1.hologic.com/dana-cached/sc/JuniperSetupClient.cab
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\nessaboo\appdata\roaming\mozilla\firefox\profiles\m01ih5tb.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\download manager\npfpdlm.dll
    FF - plugin: c:\users\nessaboo\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\users\nessaboo\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-29 165456]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-29 17744]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-8-29 50256]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-29 40384]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-29 40384]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-29 40384]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-17 1343400]

    =============== Created Last 30 ================

    2010-09-08 03:55:35 0 d-sh--w- C:\$RECYCLE.BIN
    2010-09-04 20:07:22 0 d-----w- c:\programdata\WinZip
    2010-09-02 04:45:59 0 d-----w- c:\program files\Trend Micro
    2010-09-02 04:30:55 0 d-----w- c:\users\nessaboo\appdata\roaming\Malwarebytes
    2010-09-02 04:30:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-02 04:30:46 0 d-----w- c:\programdata\Malwarebytes
    2010-09-02 04:30:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-02 04:30:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-02 04:12:58 98816 ----a-w- c:\windows\sed.exe
    2010-09-02 04:12:58 77312 ----a-w- c:\windows\MBR.exe
    2010-09-02 04:12:58 256512 ----a-w- c:\windows\PEV.exe
    2010-09-02 04:12:58 161792 ----a-w- c:\windows\SWREG.exe
    2010-08-30 06:39:29 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-08-30 06:39:09 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-30 06:39:05 0 d-----w- c:\programdata\Alwil Software
    2010-08-30 06:23:02 196 ----a-w- c:\windows\wininit.ini
    2010-08-30 05:13:42 0 d-----w- c:\programdata\Spybot - Search & Destroy
    2010-08-30 05:13:42 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-30 03:50:46 79360 --sha-r- c:\windows\system32\msimsgn.dll
    2010-08-25 14:40:49 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2010-08-22 16:41:11 0 d-----w- c:\program files\Microsoft

    ==================== Find3M ====================

    2010-08-07 01:18:28 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
    2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll
    2010-06-19 06:33:29 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-06-19 06:33:29 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-06-19 06:23:50 37376 ----a-w- c:\windows\system32\rtutils.dll
    2010-06-19 04:07:18 2326016 ----a-w- c:\windows\system32\win32k.sys
    2010-06-16 05:48:35 224256 ----a-w- c:\windows\system32\schannel.dll
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 21:00:50.20 ===============

    FYI: this screenshot popped up during ComboFix. Not sure what it is related to.



    Thanks again,
    Jason

  4. #4
    Blade81
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi,

    Please look for the ComboFix2.txt file (it should be in the c:\ComboFix folder) and post back its contents.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Junior Member
    Join Date: Sep 2010
    Posts: 8

    ComboFix2.txt

    ComboFix 10-09-01.02 - Nessaboo 09/01/2010 21:15:04.1.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1030 [GMT -7:00]
    Running from: c:\users\Nessaboo\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-02 to 2010-09-02 )))))))))))))))))))))))))))))))
    .

    2010-09-02 04:23 . 2010-09-02 04:23 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-08-30 06:39 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-08-30 06:39 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-08-30 06:39 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-08-30 06:39 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-08-30 06:39 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-08-30 06:39 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-30 06:39 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-08-30 06:39 . 2010-08-30 06:39 -------- d-----w- c:\programdata\Alwil Software
    2010-08-30 06:39 . 2010-08-30 06:39 -------- d-----w- c:\program files\Alwil Software
    2010-08-30 05:13 . 2010-08-30 06:28 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-08-30 05:13 . 2010-08-30 05:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-30 03:54 . 2010-08-30 03:54 -------- d-----w- c:\windows\Sun
    2010-08-30 03:50 . 2010-08-30 03:50 79360 --sha-r- c:\windows\system32\msimsgn.dll
    2010-08-25 14:40 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2010-08-22 17:35 . 2010-08-22 17:36 -------- d-----w- c:\users\Nessaboo\AppData\Local\Google
    2010-08-22 16:41 . 2010-08-22 16:41 -------- d-----w- c:\users\Nessaboo\AppData\Local\IsolatedStorage
    2010-08-22 16:41 . 2010-08-22 16:41 -------- d-----w- c:\program files\Microsoft
    2010-08-08 03:54 . 2010-08-08 03:54 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\Red Kawa
    2010-08-07 01:18 . 2010-08-07 01:18 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-08-07 01:18 . 2010-08-07 01:18 -------- d-----w- c:\program files\Java
    2010-08-07 01:12 . 2010-08-07 01:12 -------- d-----w- c:\users\Public\Juniper Networks
    2010-08-07 01:12 . 2010-02-19 00:22 398704 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
    2010-08-07 01:12 . 2010-02-19 00:22 345456 ----a-w- c:\windows\system32\dsNcCredProv.dll
    2010-08-07 01:11 . 2010-08-07 01:11 162656 ----a-w- c:\users\Nessaboo\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
    2010-08-07 01:11 . 2010-08-07 01:12 -------- d-----w- c:\program files\Juniper Networks
    2010-08-07 01:11 . 2010-08-07 01:11 292704 ----a-w- c:\users\Nessaboo\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
    2010-08-07 01:11 . 2010-08-07 01:13 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\Juniper Networks
    2010-08-05 03:18 . 2010-08-05 03:18 -------- d-----w- c:\program files\Microsoft Synchronization Services
    2010-08-05 03:17 . 2010-08-05 03:17 -------- d-----w- c:\windows\PCHEALTH
    2010-08-05 03:17 . 2010-08-05 03:17 -------- d-----w- c:\program files\Microsoft Sync Framework
    2010-08-05 03:17 . 2010-08-05 03:17 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2010-08-05 03:16 . 2010-08-05 03:16 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-08-05 03:15 . 2010-08-05 03:15 -------- d-----w- c:\program files\Microsoft Analysis Services
    2010-08-05 03:15 . 2010-08-05 03:15 -------- d-----w- c:\users\Nessaboo\AppData\Local\Microsoft Help
    2010-08-05 03:14 . 2010-08-12 10:03 -------- d-----w- c:\programdata\Microsoft Help
    2010-08-05 03:14 . 2010-08-05 03:14 -------- d-----r- C:\MSOCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-02 04:08 . 2010-05-17 03:45 -------- d-----w- c:\program files\Common Files\Steam
    2010-09-02 04:08 . 2010-07-26 01:01 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\uTorrent
    2010-09-02 04:08 . 2010-05-17 03:45 -------- d-----w- c:\program files\Steam
    2010-08-09 03:07 . 2010-07-26 01:16 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\ImgBurn
    2010-08-05 03:28 . 2010-05-18 02:05 108824 ----a-w- c:\users\Nessaboo\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-08-05 03:18 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
    2010-08-05 03:17 . 2010-06-26 10:38 -------- d-----w- c:\program files\Microsoft.NET
    2010-07-29 06:30 . 2010-08-12 04:24 197632 ----a-w- c:\windows\system32\ir32_32.dll
    2010-07-29 06:30 . 2010-08-12 04:24 82944 ----a-w- c:\windows\system32\iccvid.dll
    2010-07-26 01:15 . 2010-07-26 01:15 -------- d-----w- c:\program files\ImgBurn
    2010-07-26 01:07 . 2010-07-26 01:07 -------- d-----w- c:\programdata\NCH Swift Sound
    2010-07-26 01:06 . 2010-07-26 01:06 -------- d-----w- c:\program files\NCH Swift Sound
    2010-07-26 01:01 . 2010-07-26 01:01 -------- d-----w- c:\program files\uTorrent
    2010-07-14 10:18 . 2010-05-17 05:20 -------- d-----w- c:\programdata\NOS
    2010-07-12 05:17 . 2010-07-12 05:17 -------- d-----w- c:\programdata\McAfee
    2010-06-30 06:25 . 2010-08-12 04:24 978432 ----a-w- c:\windows\system32\wininet.dll
    2010-06-28 03:59 . 2010-06-28 03:59 50354 ----a-w- c:\users\Nessaboo\AppData\Roaming\Facebook\uninstall.exe
    2010-06-22 02:47 . 2010-08-12 04:24 310784 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-22 02:47 . 2010-08-12 04:24 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-06-22 02:47 . 2010-08-12 04:24 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-06-19 06:33 . 2010-08-12 04:24 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-06-19 06:33 . 2010-08-12 04:24 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-06-19 06:23 . 2010-08-12 04:24 37376 ----a-w- c:\windows\system32\rtutils.dll
    2010-06-19 04:07 . 2010-08-12 04:24 2326016 ----a-w- c:\windows\system32\win32k.sys
    2010-06-16 05:48 . 2010-08-12 04:24 224256 ----a-w- c:\windows\system32\schannel.dll
    2010-06-14 06:12 . 2010-08-12 04:24 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\users\Nessaboo\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
    2010-06-08 06:02 . 2010-08-12 04:24 1233920 ----a-w- c:\windows\system32\msxml3.dll
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\steam\steam.exe" [2010-08-23 1242448]
    "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-12-12 2292672]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-07-26 327984]
    "Google Update"="c:\users\Nessaboo\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-22 136176]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-08-07 149280]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-18 1343400]
    S1 aswSP;aswSP; [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-32453113-1086635514-2273911061-1001Core.job
    - c:\users\Nessaboo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-22 17:35]

    2010-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-32453113-1086635514-2273911061-1001UA.job
    - c:\users\Nessaboo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-22 17:35]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://ebs-prd.hologic.com/OA_HTML/oaj2se.exe
    DPF: {DB28CF23-0083-40B5-BF63-69925D672385} - hxxp://www.nero.com/doc/NeroVersionChecker.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn1.hologic.com/dana-cached/sc/JuniperSetupClient.cab
    FF - ProfilePath - c:\users\Nessaboo\AppData\Roaming\Mozilla\Firefox\Profiles\m01ih5tb.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\progra~1\MICROS~3\Office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\MICROS~3\Office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\Download Manager\npfpdlm.dll
    FF - plugin: c:\users\Nessaboo\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\users\Nessaboo\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-NWEReboot - (no file)


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-32453113-1086635514-2273911061-1001\Software\SecuROM\License information*]
    "datasecu"=hex:3a,f5,44,df,3b,90,87,a4,f3,b6,65,79,06,09,b6,95,4b,c9,c9,cf,ca,
    03,86,0b,20,29,a2,b5,6e,c2,59,e1,77,2b,80,11,49,0d,3b,fb,6c,20,7f,45,02,90,\
    "rkeysecu"=hex:00,28,36,25,fe,b4,40,44,31,af,d3,3c,7a,86,7f,ec

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2010-09-01 21:27:04
    ComboFix-quarantined-files.txt 2010-09-02 04:27

    Pre-Run: 20,660,363,264 bytes free
    Post-Run: 20,565,471,232 bytes free

    - - End Of File - - C04BC289B644589980630B8F3D17855C

  6. #6
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi again,


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://forums.spybot.info/showthread.php?t=59323
    Suspect::[76]
    c:\windows\system32\msimsgn.dll

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log.



    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 21.
    • Click the Download button to the right.
    • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.




    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.

  7. #7
    Junior Member
    Join Date: Sep 2010
    Posts: 8

    KAS log, DDS log, Combofix log

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Thursday, September 9, 2010
    Operating system: Microsoft Professional (build 7600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Thursday, September 09, 2010 03:32:56
    Records in database: 4207742
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Objects scanned: 123978
    Threats found: 1
    Infected objects found: 1
    Suspicious objects found: 0
    Scan duration: 08:42:32


    File name / Threat / Threats count
    F:\System Volume Information\_restore{A84870B0-E216-462B-9F2E-DC4B18030A75}\RP50\A0020935.exe Infected: Trojan-Clicker.Win32.VBiframe.zl 1

    Selected area has been scanned.



    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    DDS Log

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Nessaboo at 17:29:56.93 on Thu 09/09/2010
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1306 [GMT -7:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Users\Nessaboo\AppData\Local\Google\Update\1.2.183.29\GoogleCrashHandler.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Windows\system32\conhost.exe
    C:\Users\Nessaboo\AppData\Local\Temp\jkos-Nessaboo\binaries\ScanningProcess.exe
    C:\Users\Nessaboo\AppData\Local\Temp\jkos-Nessaboo\binaries\ScanningProcess.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Nessaboo\Downloads\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [Steam] "c:\program files\steam\steam.exe" -silent
    uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
    uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
    uRun: [Google Update] "c:\users\nessaboo\appdata\local\google\update\GoogleUpdate.exe" /c
    mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\users\nessaboo\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {DB28CF23-0083-40B5-BF63-69925D672385} - hxxp://www.nero.com/doc/NeroVersionChecker.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn1.hologic.com/dana-cached/sc/JuniperSetupClient.cab
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\nessaboo\appdata\roaming\mozilla\firefox\profiles\m01ih5tb.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\download manager\npfpdlm.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\users\nessaboo\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\users\nessaboo\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-29 165456]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-29 17744]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-8-29 50256]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-29 40384]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-29 40384]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-29 40384]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-17 1343400]

    =============== Created Last 30 ================

    2010-09-09 06:16:17 0 d-----w- c:\programdata\Sun
    2010-09-09 06:15:46 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-09 05:59:31 0 d-sh--w- C:\$RECYCLE.BIN
    2010-09-04 20:07:22 0 d-----w- c:\programdata\WinZip
    2010-09-02 04:45:59 0 d-----w- c:\program files\Trend Micro
    2010-09-02 04:30:55 0 d-----w- c:\users\nessaboo\appdata\roaming\Malwarebytes
    2010-09-02 04:30:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-02 04:30:46 0 d-----w- c:\programdata\Malwarebytes
    2010-09-02 04:30:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-02 04:30:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-02 04:12:58 98816 ----a-w- c:\windows\sed.exe
    2010-09-02 04:12:58 77312 ----a-w- c:\windows\MBR.exe
    2010-09-02 04:12:58 256512 ----a-w- c:\windows\PEV.exe
    2010-09-02 04:12:58 161792 ----a-w- c:\windows\SWREG.exe
    2010-08-30 06:39:29 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-08-30 06:39:09 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-30 06:39:05 0 d-----w- c:\programdata\Alwil Software
    2010-08-30 06:23:02 196 ----a-w- c:\windows\wininit.ini
    2010-08-30 05:13:42 0 d-----w- c:\programdata\Spybot - Search & Destroy
    2010-08-30 05:13:42 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-30 03:50:46 79360 --sha-r- c:\windows\system32\msimsgn.dll
    2010-08-25 14:40:49 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2010-08-22 16:41:11 0 d-----w- c:\program files\Microsoft

    ==================== Find3M ====================

    2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
    2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll
    2010-06-19 06:33:29 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-06-19 06:33:29 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-06-19 06:23:50 37376 ----a-w- c:\windows\system32\rtutils.dll
    2010-06-19 04:07:18 2326016 ----a-w- c:\windows\system32\win32k.sys
    2010-06-16 05:48:35 224256 ----a-w- c:\windows\system32\schannel.dll
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 17:30:49.13 ===============


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ComboFix 10-09-07.01 - Nessaboo 09/08/2010 22:50:01.3.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1234 [GMT -7:00]
    Running from: c:\users\Nessaboo\Desktop\ComboFix.exe
    Command switches used :: c:\users\Nessaboo\Desktop\CFScript.txt

    file zipped: c:\windows\System32\msimsgn.dll
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-09 to 2010-09-09 )))))))))))))))))))))))))))))))
    .

    2010-09-09 05:57 . 2010-09-09 05:57 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-09-09 05:57 . 2010-09-09 05:57 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-09-04 20:07 . 2010-09-04 20:07 -------- d-----w- c:\users\Nessaboo\AppData\Local\WinZip
    2010-09-04 20:07 . 2010-09-04 20:07 -------- d-----w- c:\programdata\WinZip
    2010-09-04 19:46 . 2010-09-04 19:46 -------- d-----w- c:\program files\ERUNT
    2010-09-02 04:45 . 2010-09-02 04:45 -------- d-----w- c:\program files\Trend Micro
    2010-09-02 04:30 . 2010-09-02 04:30 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\Malwarebytes
    2010-09-02 04:30 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-02 04:30 . 2010-09-02 04:30 -------- d-----w- c:\programdata\Malwarebytes
    2010-09-02 04:30 . 2010-09-02 04:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-02 04:30 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-30 06:39 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-08-30 06:39 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-08-30 06:39 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-08-30 06:39 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-08-30 06:39 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-08-30 06:39 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-30 06:39 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-08-30 06:39 . 2010-08-30 06:39 -------- d-----w- c:\programdata\Alwil Software
    2010-08-30 06:39 . 2010-08-30 06:39 -------- d-----w- c:\program files\Alwil Software
    2010-08-30 05:13 . 2010-08-30 06:28 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-08-30 05:13 . 2010-08-30 05:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-30 03:54 . 2010-08-30 03:54 -------- d-----w- c:\windows\Sun
    2010-08-30 03:50 . 2010-08-30 03:50 79360 --sha-r- c:\windows\system32\msimsgn.dll
    2010-08-25 14:40 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2010-08-22 17:35 . 2010-08-22 17:36 -------- d-----w- c:\users\Nessaboo\AppData\Local\Google
    2010-08-22 16:41 . 2010-08-22 16:41 -------- d-----w- c:\users\Nessaboo\AppData\Local\IsolatedStorage
    2010-08-22 16:41 . 2010-08-22 16:41 -------- d-----w- c:\program files\Microsoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-08 04:26 . 2010-05-17 03:45 -------- d-----w- c:\program files\Steam
    2010-09-02 16:31 . 2010-05-17 03:45 -------- d-----w- c:\program files\Common Files\Steam
    2010-08-12 10:03 . 2010-08-05 03:14 -------- d-----w- c:\programdata\Microsoft Help
    2010-08-09 03:07 . 2010-07-26 01:16 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\ImgBurn
    2010-08-08 03:54 . 2010-08-08 03:54 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\Red Kawa
    2010-08-07 01:18 . 2010-08-07 01:18 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-08-07 01:18 . 2010-08-07 01:18 -------- d-----w- c:\program files\Java
    2010-08-07 01:13 . 2010-08-07 01:11 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\Juniper Networks
    2010-08-07 01:12 . 2010-08-07 01:11 -------- d-----w- c:\program files\Juniper Networks
    2010-08-07 01:11 . 2010-08-07 01:11 162656 ----a-w- c:\users\Nessaboo\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
    2010-08-07 01:11 . 2010-08-07 01:11 292704 ----a-w- c:\users\Nessaboo\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
    2010-08-05 03:28 . 2010-05-18 02:05 108824 ----a-w- c:\users\Nessaboo\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-08-05 03:18 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
    2010-08-05 03:18 . 2010-08-05 03:18 -------- d-----w- c:\program files\Microsoft Synchronization Services
    2010-08-05 03:17 . 2010-08-05 03:17 -------- d-----w- c:\program files\Microsoft Sync Framework
    2010-08-05 03:17 . 2010-08-05 03:17 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2010-08-05 03:17 . 2010-06-26 10:38 -------- d-----w- c:\program files\Microsoft.NET
    2010-08-05 03:16 . 2010-08-05 03:16 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-08-05 03:15 . 2010-08-05 03:15 -------- d-----w- c:\program files\Microsoft Analysis Services
    2010-07-29 06:30 . 2010-08-12 04:24 197632 ----a-w- c:\windows\system32\ir32_32.dll
    2010-07-29 06:30 . 2010-08-12 04:24 82944 ----a-w- c:\windows\system32\iccvid.dll
    2010-07-26 01:15 . 2010-07-26 01:15 -------- d-----w- c:\program files\ImgBurn
    2010-07-26 01:07 . 2010-07-26 01:07 -------- d-----w- c:\programdata\NCH Swift Sound
    2010-07-26 01:06 . 2010-07-26 01:06 -------- d-----w- c:\program files\NCH Swift Sound
    2010-07-14 10:18 . 2010-05-17 05:20 -------- d-----w- c:\programdata\NOS
    2010-07-12 05:17 . 2010-07-12 05:17 -------- d-----w- c:\programdata\McAfee
    2010-06-30 06:25 . 2010-08-12 04:24 978432 ----a-w- c:\windows\system32\wininet.dll
    2010-06-28 03:59 . 2010-06-28 03:59 50354 ----a-w- c:\users\Nessaboo\AppData\Roaming\Facebook\uninstall.exe
    2010-06-22 02:47 . 2010-08-12 04:24 310784 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-22 02:47 . 2010-08-12 04:24 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-06-22 02:47 . 2010-08-12 04:24 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-06-19 06:33 . 2010-08-12 04:24 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-06-19 06:33 . 2010-08-12 04:24 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-06-19 06:23 . 2010-08-12 04:24 37376 ----a-w- c:\windows\system32\rtutils.dll
    2010-06-19 04:07 . 2010-08-12 04:24 2326016 ----a-w- c:\windows\system32\win32k.sys
    2010-06-16 05:48 . 2010-08-12 04:24 224256 ----a-w- c:\windows\system32\schannel.dll
    2010-06-14 06:12 . 2010-08-12 04:24 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\steam\steam.exe" [2010-08-23 1242448]
    "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-12-12 2292672]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
    "Google Update"="c:\users\Nessaboo\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-22 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-08-07 149280]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]

    c:\users\Nessaboo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-18 1343400]
    S1 aswSP;aswSP; [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-32453113-1086635514-2273911061-1001Core.job
    - c:\users\Nessaboo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-22 17:35]

    2010-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-32453113-1086635514-2273911061-1001UA.job
    - c:\users\Nessaboo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-22 17:35]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://ebs-prd.hologic.com/OA_HTML/oaj2se.exe
    DPF: {DB28CF23-0083-40B5-BF63-69925D672385} - hxxp://www.nero.com/doc/NeroVersionChecker.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn1.hologic.com/dana-cached/sc/JuniperSetupClient.cab
    FF - ProfilePath - c:\users\Nessaboo\AppData\Roaming\Mozilla\Firefox\Profiles\m01ih5tb.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\progra~1\MICROS~3\Office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\MICROS~3\Office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\Download Manager\npfpdlm.dll
    FF - plugin: c:\users\Nessaboo\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\users\Nessaboo\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-32453113-1086635514-2273911061-1001\Software\SecuROM\License information*]
    "datasecu"=hex:3a,f5,44,df,3b,90,87,a4,f3,b6,65,79,06,09,b6,95,4b,c9,c9,cf,ca,
    03,86,0b,20,29,a2,b5,6e,c2,59,e1,77,2b,80,11,49,0d,3b,fb,6c,20,7f,45,02,90,\
    "rkeysecu"=hex:00,28,36,25,fe,b4,40,44,31,af,d3,3c,7a,86,7f,ec

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2010-09-08 23:00:45
    ComboFix-quarantined-files.txt 2010-09-09 06:00
    ComboFix2.txt 2010-09-08 03:56
    ComboFix3.txt 2010-09-02 04:27

    Pre-Run: 21,294,288,896 bytes free
    Post-Run: 21,246,222,336 bytes free

    - - End Of File - - C834AE3199F78A0F6AF702E49B5E9472
    Upload was successful


    thanks,
    Jason

  8. #8
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again,

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    c:\windows\system32\msimsgn.dll

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log. Does Spybot still detect infections?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  9. #9
    Junior Member
    Join Date
    Sep 2010
    Posts
    8

    Default ComboFix Results

    Hi Blade,

    ComboFix 10-09-07.01 - Nessaboo 09/10/2010 20:29:08.4.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1392 [GMT -7:00]
    Running from: c:\users\Nessaboo\Desktop\ComboFix.exe
    Command switches used :: c:\users\Nessaboo\Desktop\CFScript.txt
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
    .

    2010-09-11 03:38 . 2010-09-11 03:38 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-09-10 21:56 . 2010-09-10 21:56 -------- d-----w- c:\users\Nessaboo\AppData\Local\Apple
    2010-09-10 21:55 . 2010-09-10 21:55 -------- d-----w- c:\users\Nessaboo\AppData\Local\Apple Computer
    2010-09-09 06:16 . 2010-09-09 06:16 -------- d-----w- c:\program files\Common Files\Java
    2010-09-09 06:15 . 2010-09-09 06:15 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-09 06:15 . 2010-09-09 06:15 -------- d-----w- c:\program files\Java
    2010-09-04 20:07 . 2010-09-04 20:07 -------- d-----w- c:\users\Nessaboo\AppData\Local\WinZip
    2010-09-04 20:07 . 2010-09-04 20:07 -------- d-----w- c:\programdata\WinZip
    2010-09-04 19:46 . 2010-09-04 19:46 -------- d-----w- c:\program files\ERUNT
    2010-09-02 04:45 . 2010-09-02 04:45 -------- d-----w- c:\program files\Trend Micro
    2010-09-02 04:30 . 2010-09-02 04:30 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\Malwarebytes
    2010-09-02 04:30 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-02 04:30 . 2010-09-02 04:30 -------- d-----w- c:\programdata\Malwarebytes
    2010-09-02 04:30 . 2010-09-02 04:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-02 04:30 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-30 06:39 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-08-30 06:39 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-08-30 06:39 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-08-30 06:39 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-08-30 06:39 . 2010-09-07 14:47 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-08-30 06:39 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-30 06:39 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-08-30 06:39 . 2010-08-30 06:39 -------- d-----w- c:\programdata\Alwil Software
    2010-08-30 06:39 . 2010-08-30 06:39 -------- d-----w- c:\program files\Alwil Software
    2010-08-30 05:13 . 2010-08-30 06:28 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-08-30 05:13 . 2010-08-30 05:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-30 03:54 . 2010-08-30 03:54 -------- d-----w- c:\windows\Sun
    2010-08-30 03:50 . 2010-08-30 03:50 79360 --sha-r- c:\windows\system32\msimsgn.dll
    2010-08-25 14:40 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2010-08-22 17:35 . 2010-08-22 17:36 -------- d-----w- c:\users\Nessaboo\AppData\Local\Google
    2010-08-22 16:41 . 2010-08-22 16:41 -------- d-----w- c:\users\Nessaboo\AppData\Local\IsolatedStorage
    2010-08-22 16:41 . 2010-08-22 16:41 -------- d-----w- c:\program files\Microsoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-11 03:18 . 2010-05-17 03:45 -------- d-----w- c:\program files\Steam
    2010-09-02 16:31 . 2010-05-17 03:45 -------- d-----w- c:\program files\Common Files\Steam
    2010-08-12 10:03 . 2010-08-05 03:14 -------- d-----w- c:\programdata\Microsoft Help
    2010-08-09 03:07 . 2010-07-26 01:16 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\ImgBurn
    2010-08-08 03:54 . 2010-08-08 03:54 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\Red Kawa
    2010-08-07 01:13 . 2010-08-07 01:11 -------- d-----w- c:\users\Nessaboo\AppData\Roaming\Juniper Networks
    2010-08-07 01:12 . 2010-08-07 01:11 -------- d-----w- c:\program files\Juniper Networks
    2010-08-07 01:11 . 2010-08-07 01:11 162656 ----a-w- c:\users\Nessaboo\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
    2010-08-07 01:11 . 2010-08-07 01:11 292704 ----a-w- c:\users\Nessaboo\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
    2010-08-05 03:28 . 2010-05-18 02:05 108824 ----a-w- c:\users\Nessaboo\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-08-05 03:18 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
    2010-08-05 03:18 . 2010-08-05 03:18 -------- d-----w- c:\program files\Microsoft Synchronization Services
    2010-08-05 03:17 . 2010-08-05 03:17 -------- d-----w- c:\program files\Microsoft Sync Framework
    2010-08-05 03:17 . 2010-08-05 03:17 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
    2010-08-05 03:17 . 2010-06-26 10:38 -------- d-----w- c:\program files\Microsoft.NET
    2010-08-05 03:16 . 2010-08-05 03:16 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-08-05 03:15 . 2010-08-05 03:15 -------- d-----w- c:\program files\Microsoft Analysis Services
    2010-07-29 06:30 . 2010-08-12 04:24 197632 ----a-w- c:\windows\system32\ir32_32.dll
    2010-07-29 06:30 . 2010-08-12 04:24 82944 ----a-w- c:\windows\system32\iccvid.dll
    2010-07-26 01:15 . 2010-07-26 01:15 -------- d-----w- c:\program files\ImgBurn
    2010-07-26 01:07 . 2010-07-26 01:07 -------- d-----w- c:\programdata\NCH Swift Sound
    2010-07-26 01:06 . 2010-07-26 01:06 -------- d-----w- c:\program files\NCH Swift Sound
    2010-07-14 10:18 . 2010-05-17 05:20 -------- d-----w- c:\programdata\NOS
    2010-06-30 06:25 . 2010-08-12 04:24 978432 ----a-w- c:\windows\system32\wininet.dll
    2010-06-28 03:59 . 2010-06-28 03:59 50354 ----a-w- c:\users\Nessaboo\AppData\Roaming\Facebook\uninstall.exe
    2010-06-22 02:47 . 2010-08-12 04:24 310784 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-22 02:47 . 2010-08-12 04:24 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-06-22 02:47 . 2010-08-12 04:24 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-06-19 06:33 . 2010-08-12 04:24 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-06-19 06:33 . 2010-08-12 04:24 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-06-19 06:23 . 2010-08-12 04:24 37376 ----a-w- c:\windows\system32\rtutils.dll
    2010-06-19 04:07 . 2010-08-12 04:24 2326016 ----a-w- c:\windows\system32\win32k.sys
    2010-06-16 05:48 . 2010-08-12 04:24 224256 ----a-w- c:\windows\system32\schannel.dll
    2010-06-14 06:12 . 2010-08-12 04:24 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\steam\steam.exe" [2010-08-23 1242448]
    "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-12-12 2292672]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
    "Google Update"="c:\users\Nessaboo\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-08-22 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    c:\users\Nessaboo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-18 1343400]
    S1 aswSP;aswSP; [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-32453113-1086635514-2273911061-1001Core.job
    - c:\users\Nessaboo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-22 17:35]

    2010-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-32453113-1086635514-2273911061-1001UA.job
    - c:\users\Nessaboo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-22 17:35]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {DB28CF23-0083-40B5-BF63-69925D672385} - hxxp://www.nero.com/doc/NeroVersionChecker.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn1.hologic.com/dana-cached/sc/JuniperSetupClient.cab
    FF - ProfilePath - c:\users\Nessaboo\AppData\Roaming\Mozilla\Firefox\Profiles\m01ih5tb.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\progra~1\MICROS~3\Office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\MICROS~3\Office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\Download Manager\npfpdlm.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\users\Nessaboo\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\users\Nessaboo\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-32453113-1086635514-2273911061-1001\Software\SecuROM\License information*]
    "datasecu"=hex:3a,f5,44,df,3b,90,87,a4,f3,b6,65,79,06,09,b6,95,4b,c9,c9,cf,ca,
    03,86,0b,20,29,a2,b5,6e,c2,59,e1,77,2b,80,11,49,0d,3b,fb,6c,20,7f,45,02,90,\
    "rkeysecu"=hex:00,28,36,25,fe,b4,40,44,31,af,d3,3c,7a,86,7f,ec

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2010-09-10 20:42:21
    ComboFix-quarantined-files.txt 2010-09-11 03:42
    ComboFix2.txt 2010-09-09 06:01
    ComboFix3.txt 2010-09-08 03:56
    ComboFix4.txt 2010-09-02 04:27

    Pre-Run: 19,684,339,712 bytes free
    Post-Run: 19,438,362,624 bytes free

    - - End Of File - - 3E2E818D5F5F358807DB9A8853532FB1

    I ran Spybot afterwards and still found the following trojan.

    --- Search result list ---
    Virtumonde.dll: [SBI $2F4068FC] Library (File, nothing done)
    C:\Windows\System32\msimsgn.dll
    Properties.size=79360
    Properties.md5=D41D8CD98F00B204E9800998ECF8427E
    Properties.filedate=1283140246
    Properties.filedatetext=2010-08-29 20:50:46

    Right Media: Tracking cookie (Internet Explorer: Nessaboo) (Cookie, nothing done)

    Thanks,
    Jason

  10. #10
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again,

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Rootkit::
    c:\windows\system32\msimsgn.dll

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log.

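Added triage example (editor's code, not from ComboFix, Spybot or either poster) for the two details in post #9 that explain why the thread moves from `File::` in post #8 to `Rootkit::` in post #10. First, msimsgn.dll sits in system32 with the `--sha-r-` attribute set (system, hidden, archive, read-only) and a creation stamp only days before the log, while the files Windows servicing dropped into the same folder carry plain `----a-w-`. Second, Spybot reports md5 D41D8CD98F00B204E9800998ECF8427E for a file it also sizes at 79360 bytes; that digest is the MD5 of zero bytes, so whatever hashed the file opened the path but read no content, which is what a locked or rootkit-shielded file looks like from user mode. The code assumes the ComboFix row layout visible above (created stamp, dot, modified stamp, size or dashes for directories, an 8-character attribute field, path) and reads attribute letters by presence rather than column; the sample rows are constructed from the posted log, the completion stamp passed in is the one on the quarantined-files line (the rows are on that clock, not the local "Completion time"), and the function names and 30-day window are my choices. The last check reads the policies\system block the log prints, where EnableLUA = 0 means UAC is off.

```python
"""Triage of the ComboFix / Spybot text posted in this thread (added example,
not code from ComboFix, Spybot or the forum). Assumed ComboFix row layout:
    <created> . <modified> <size or -------->  <8-char attrs>  <path>
Attribute letters are read by presence (d s h a r w), not by column."""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

STAMP = "%Y-%m-%d %H:%M"
EMPTY_MD5 = hashlib.md5(b"").hexdigest()   # MD5 of zero bytes: d41d8cd9...
ROW_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) (\S{8}) (.+?)\s*$"
)

# Constructed sample rows, copied in shape and values from the log above.
SAMPLE_LOG = r"""
2010-09-09 06:15 . 2010-09-09 06:15 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-30 03:50 . 2010-08-30 03:50 79360 --sha-r- c:\windows\system32\msimsgn.dll
2010-08-25 14:40 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-30 06:39 . 2010-08-30 06:39 -------- d-----w- c:\programdata\Alwil Software
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
"""

# Constructed samples of the Spybot result entry and the UAC policy block from post #9.
SAMPLE_SPYBOT = r"""
Virtumonde.dll: [SBI $2F4068FC] Library (File, nothing done)
C:\Windows\System32\msimsgn.dll
Properties.size=79360
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
"""
SAMPLE_POLICY = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""


@dataclass
class Row:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directory rows ("--------")
    attrs: str
    path: str

    def is_dir(self) -> bool:
        return "d" in self.attrs

    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse_combofix(text: str) -> List[Row]:
    """Parse 'Files Created' / 'Find3M' rows; any other line is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            rows.append(Row(datetime.strptime(created, STAMP),
                            datetime.strptime(modified, STAMP),
                            None if size.startswith("-") else int(size),
                            attrs, path))
    return rows


def recent_hidden_system32(text: str, completion_time: str, window_days: int = 30) -> List[str]:
    """Files under system32 carrying system+hidden that appeared within
    window_days of the log. Servicing writes into system32 too (oleaut32.dll
    above), but with plain ----a-w- attributes, so it is not flagged."""
    log_time = datetime.strptime(completion_time, STAMP)
    return [
        r.path for r in parse_combofix(text)
        if not r.is_dir() and r.hidden_system()
        and "\\windows\\system32\\" in r.path.lower()
        and 0 <= (log_time - r.created).days <= window_days
    ]


def parse_spybot(block: str) -> Dict[str, str]:
    """First line 'Name: ...', second line the path, then Properties.* pairs."""
    lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
    info = {"name": lines[0].split(":", 1)[0], "path": lines[1]}
    for l in lines[2:]:
        if l.startswith("Properties."):
            key, value = l[len("Properties."):].split("=", 1)
            info[key] = value
    return info


def hash_verdict(info: Dict[str, str]) -> str:
    """'unreadable' when a non-empty file hashes to the zero-byte digest: the
    scanner opened the path but got no bytes back, so a plain File:: delete is
    unlikely to reach the contents either."""
    size = int(info.get("size", "0"))
    if size > 0 and info.get("md5", "").lower() == EMPTY_MD5:
        return "unreadable"
    return "readable"


def uac_disabled(policy_block: str) -> bool:
    """EnableLUA = 0 turns UAC off; admin logons then run with a full token."""
    m = re.search(r'"EnableLUA"\s*=\s*(\d+)', policy_block)
    return m is not None and m.group(1) == "0"


if __name__ == "__main__":
    print(recent_hidden_system32(SAMPLE_LOG, "2010-09-11 03:42"))
    print(hash_verdict(parse_spybot(SAMPLE_SPYBOT)))
    print(uac_disabled(SAMPLE_POLICY))
```

Run against the constructed rows it returns only msimsgn.dll for the first check and "unreadable" for the Spybot entry; the hash check is the useful one when a scanner names a file but the size and digest disagree, because it tells you before the next run that user-mode deletion is the wrong tool.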