View Full Version : Backdoor.Agent Problem



enzo11
2011-12-23, 17:01
Hello =)

Two days ago my Firefox started to open new tabs to "mediashifting.com". After updating and scanning with Spybot, I couldn't find any malware.
I used the Malwarebytes quick scan and got this log:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Versão da Base de Dados: 911122306

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

23/12/2011 11:20:41
mbam-log-2011-12-23 (11-20-41).txt

Tipo de Verificação: Verificação Rápida
Objetos escaneados: 185020
Tempo decorrido: 2 minuto(s), 7 segundo(s)

Processos de Memória Infectados: 0
Módulos de Memória Infectados: 0
Chaves de Registro Infectadas: 0
Valores de Registro Infectados: 1
Itens de Dados no Registro Infectados: 0
Pastas Infectadas: 0
Arquivos Infectados: 2

Processos de Memória Infectados:
(Não foram detectados ítens maliciosos)

Módulos de Memória Infectados:
(Não foram detectados ítens maliciosos)

Chaves de Registro Infectadas:
(Não foram detectados ítens maliciosos)

Valores de Registro Infectados:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent) -> Value: Shell -> Delete on reboot.

Itens de Dados no Registro Infectados:
(Não foram detectados ítens maliciosos)

Pastas Infectadas:
(Não foram detectados ítens maliciosos)

Arquivos Infectados:
c:\Users\E\AppData\Roaming\java.exe.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\Users\E\0.8416047531555684.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.


After restarting, I scanned again and the "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent) -> Value: Shell -> Delete on reboot." entry was still there. I quarantined, deleted and restarted again, and the same thing happened.

Here's the DDS log:


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Run by E at 12:48:19 on 2011-12-23
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.55.1046.18.3957.2582 [GMT -2:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\SysWOW64\Rezip.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\windows\system32\Dwm.exe
C:\windows\explorer.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\DllHost.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
uWinlogon: Shell=C:\Users\E\AppData\Local\ce680107\X
BHO: Auxiliar de Conexão do Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files (x86)\Rainmeter\Rainmeter.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Enviar imagem para Dispositivo &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\D4943425F454C4544525F4E4943414 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\E4F647560205164756C6C6960214365627 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F37648D8-9DE9-4418-BD56-F15E07CCD79D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F7BABD8C-D1ED-4CB1-92B7-CD9B5C4B5BEF} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\E\AppData\Roaming\Mozilla\Firefox\Profiles\dw69y0it.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\E\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\E\AppData\Roaming\Mozilla\Firefox\Profiles\dw69y0it.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 cpuz135;cpuz135;\??\C:\windows\system32\drivers\cpuz135_x64.sys --> C:\windows\system32\drivers\cpuz135_x64.sys [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-12-20 2253120]
R2 Rezip;Rezip;C:\Windows\SysWOW64\Rezip.exe [2010-6-19 311296]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-20 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R3 btwampfl;Bluetooth AMP USB Filter;C:\windows\system32\drivers\btwampfl.sys --> C:\windows\system32\drivers\btwampfl.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
S3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-12-23 13:07:18 -------- d-----w- C:\Users\E\AppData\Roaming\Malwarebytes
2011-12-23 13:07:13 -------- d-----w- C:\ProgramData\Malwarebytes
2011-12-23 13:07:10 25416 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-12-23 13:07:10 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-23 12:41:23 -------- d-----w- C:\Program Files\CCleaner
2011-12-20 16:25:34 837952 ----a-w- C:\windows\System32\easyupdatusapiu64.dll
2011-12-20 16:25:34 5067584 ----a-w- C:\windows\System32\nvsvc64.dll
2011-12-20 16:25:34 3074368 ----a-w- C:\windows\System32\nvsvcr.dll
2011-12-20 16:25:34 222528 ----a-w- C:\windows\System32\nvmctray.dll
2011-12-20 16:25:34 1640768 ----a-w- C:\windows\System32\nvvsvc.exe
2011-12-20 16:25:34 137536 ----a-w- C:\windows\System32\nvshext.dll
2011-12-20 16:25:34 10406208 ----a-w- C:\windows\System32\nvcpl.dll
2011-12-20 16:25:28 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2011-12-20 14:33:09 -------- d-----w- C:\windows\SysWow64\xlive
2011-12-20 14:33:09 -------- d-----w- C:\Program Files (x86)\Microsoft Games for Windows - LIVE
2011-12-19 21:30:32 -------- d-----w- C:\Users\E\AppData\Local\{F4C015FD-78A4-42DB-86B3-7732219E245E}
2011-12-19 21:30:16 -------- d-----w- C:\Users\E\AppData\Local\{B6296749-CFFA-4B2C-91C4-AE132B049E2A}
2011-12-18 16:58:33 -------- d-----w- C:\Users\E\AppData\Local\{9CCB8F46-460A-41BC-97C7-5D2B0DB8DBF7}
2011-12-18 16:58:17 -------- d-----w- C:\Users\E\AppData\Local\{C147D067-4273-485F-A55E-8302FFCFBD2E}
2011-12-17 17:44:03 -------- d-----w- C:\Users\E\AppData\Local\{904EFC0F-ECD2-4630-9701-9432DB3A2623}
2011-12-17 17:43:51 -------- d-----w- C:\Users\E\AppData\Local\{29D9269D-9B92-4A7A-91FA-EEC68833EA62}
2011-12-17 01:55:11 -------- d-sh--w- C:\Users\E\AppData\Local\ce680107
2011-12-15 23:02:22 -------- d-----w- C:\Users\E\AppData\Local\{B8F56DFF-31C3-4FEB-96B0-B30D735E0D4D}
2011-12-15 23:02:10 -------- d-----w- C:\Users\E\AppData\Local\{98394B84-B4A4-4237-BD78-44DD61C381B9}
2011-12-11 21:26:40 -------- d-----w- C:\Users\E\AppData\Local\{566F2CEC-DF02-469E-A739-0DF091C705E1}
2011-12-11 21:26:28 -------- d-----w- C:\Users\E\AppData\Local\{FFC2298B-7E4C-40A4-999A-D2383A11C736}
2011-12-10 15:54:46 -------- d-----w- C:\Users\E\AppData\Local\{29E4E099-0D35-47AF-BF7C-149E3FA08DCB}
2011-12-10 15:54:33 -------- d-----w- C:\Users\E\AppData\Local\{3A12E647-46B0-415A-B011-DB4D9944BFDD}
2011-12-09 16:53:28 -------- d-----w- C:\Users\E\AppData\Local\{82758853-90D7-486A-9E8A-742D31BA3B8A}
2011-12-09 16:53:16 -------- d-----w- C:\Users\E\AppData\Local\{47FC946E-6D68-490C-A256-827B7A971263}
2011-12-08 21:42:33 -------- d-----w- C:\Users\E\AppData\Local\{9B6E2117-0EF6-476B-B6D4-376BC8137935}
2011-12-08 21:42:20 -------- d-----w- C:\Users\E\AppData\Local\{2E43068C-D7D4-438B-8936-458DB6E99C78}
2011-12-07 23:37:38 -------- d-----w- C:\Users\E\AppData\Local\{AA937318-9A6D-4DDE-B7F3-AF5B3B4205CA}
2011-12-07 23:37:27 -------- d-----w- C:\Users\E\AppData\Local\{9E9917EA-65F1-4298-9A7D-43FA5687180F}
2011-12-04 13:38:08 -------- d-----w- C:\Users\E\AppData\Local\{C2D99A13-EB89-4D0D-96ED-2F012A360C17}
2011-12-04 13:37:41 -------- d-----w- C:\Users\E\AppData\Local\{C02C163F-A7A7-4105-B61D-F0D8FA3DC29F}
2011-11-30 21:28:09 -------- d-----w- C:\Users\E\AppData\Local\{F4771FB4-6EEE-4FA8-86FC-9DEB1B71E672}
2011-11-30 21:27:47 -------- d-----w- C:\Users\E\AppData\Local\{51537D06-52E1-42E8-81E8-2C3126B48ECF}
2011-11-30 00:34:10 -------- d-----w- C:\Users\E\AppData\Local\{12B35E7B-F0B9-4556-8561-A166BBFC3AC5}
2011-11-30 00:33:46 -------- d-----w- C:\Users\E\AppData\Local\{045B7D23-FD34-4CCD-993F-EBEC89A8CDC2}
2011-11-29 20:34:26 -------- d-----w- C:\Program Files (x86)\Alcohol Soft
2011-11-29 20:28:23 503352 ----a-w- C:\windows\System32\drivers\sptd.sys
2011-11-29 20:19:43 -------- d-----w- C:\windows\SysWow64\WinDir
2011-11-29 20:19:41 31117824 ----a-w- C:\Users\E\AppData\Roaming\Alcohol 120 7.0 Setup.exe
2011-11-24 18:06:33 -------- d-----w- C:\Users\E\AppData\Local\{60DF692C-5BD1-463E-8D71-099DDC09067C}
2011-11-24 18:06:10 -------- d-----w- C:\Users\E\AppData\Local\{75728587-96F2-4136-91F4-75B8F373CC16}
2011-11-23 20:00:50 -------- d-----w- C:\Users\E\AppData\Local\{997745F0-EAF7-4922-9248-50D519161FE2}
2011-11-23 20:00:25 -------- d-----w- C:\Users\E\AppData\Local\{345712DB-94E0-4B50-AA3C-62A0DD189C85}
.
==================== Find3M ====================
.
2011-12-19 15:44:04 332288 ----a-w- C:\windows\System32\uxtheme.dll
2011-12-19 15:44:03 2851328 ----a-w- C:\windows\System32\themeui.dll
2011-12-19 15:44:01 44544 ----a-w- C:\windows\System32\themeservice.dll
2011-12-04 13:24:23 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
============= FINISH: 12:49:13,75 ===============
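One defender-side check the two logs above suggest, as an added example that is not code from the thread or from DDS: parse DDS-style lines, flag any Winlogon Shell or Userinit value that lives under HKCU or that is not the Windows default, and tie it back to a hidden directory listed in the "Created Last 30" section. The line formats, the attribute letters and the sample lines are assumptions constructed from the entries quoted in the post.

```python
"""Flag Winlogon Shell/Userinit hijacks in DDS-style log lines.

Added example (not code from the thread or from DDS).  The sample lines are
constructed from the entries quoted in the post above; the line formats are
assumptions about DDS output, not a DDS specification.
"""
import ntpath
import re
from typing import Dict, List

# Expected Winlogon values on Windows 7.  DDS prefixes the key with "m"
# (machine, HKLM) or "u" (user, HKCU).  A clean system defines Shell and
# Userinit only under HKLM, so any HKCU entry is a finding on its own.
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}

WINLOGON_RE = re.compile(r"^([mu])Winlogon:\s*(Shell|Userinit)=(.*)$")
# "Created Last 30" lines: "<date> <time> <size or dashes> <attrs> <path>".
# Assumed attribute layout: 'd' = directory, 's' = system, 'h' = hidden.
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+(\S+)\s+(.+)$"
)

# Constructed sample, taken from the entries shown in the DDS log above.
SAMPLE_LOG = r"""
mWinlogon: Userinit=userinit.exe,
uWinlogon: Shell=C:\Users\E\AppData\Local\ce680107\X
2011-12-23 13:07:10 25416 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-12-17 01:55:11 -------- d-sh--w- C:\Users\E\AppData\Local\ce680107
""".strip().splitlines()


def split_values(raw: str) -> List[str]:
    """Split a comma-separated Winlogon value into its non-empty entries."""
    return [v.strip().strip('"') for v in raw.split(",") if v.strip()]


def hidden_dirs(lines: List[str]) -> List[str]:
    """Return paths of directories DDS lists with the hidden attribute set."""
    found = []
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if m and m.group(1).startswith("d") and "h" in m.group(1):
            found.append(m.group(2).strip())
    return found


def scan_winlogon(lines: List[str]) -> List[Dict[str, str]]:
    """Flag HKCU Winlogon entries and non-default Shell/Userinit values.

    Each finding records the hive, value name, offending entry, a reason and,
    if the entry sits inside a hidden directory from the same log, that path.
    """
    hidden = [h.lower().rstrip("\\") for h in hidden_dirs(lines)]
    findings = []
    for line in lines:
        m = WINLOGON_RE.match(line.strip())
        if not m:
            continue
        hive, name, raw = m.group(1), m.group(2).lower(), m.group(3)
        for entry in split_values(raw):
            base = ntpath.basename(entry).lower()
            if hive == "u":
                reason = "per-user Winlogon override (HKCU)"
            elif base != EXPECTED[name]:
                reason = "unexpected " + name + " value"
            else:
                continue  # HKLM entry with the default executable
            container = next(
                (h for h in hidden if entry.lower().startswith(h + "\\")), ""
            )
            findings.append({
                "hive": "HKCU" if hive == "u" else "HKLM",
                "value": name,
                "entry": entry,
                "reason": reason,
                "hidden_dir": container,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_winlogon(SAMPLE_LOG):
        print(finding)
```

On the sample above this reports the HKCU Shell entry and links it to the hidden ce680107 directory, which is why deleting only the registry value did not survive a reboot in the post.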

jeffce
2011-12-27, 00:28
Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic button to the right of your topic title and then choosing the notification method (Recommended: Immediate Notification).
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.

Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.
----------

Please download DeFogger (http://www.jpshortstuff.247fixes.com/Defogger.exe) to your desktop.
Right-click DeFogger and choose Run as Administrator to run the tool.

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
If it needs to, DeFogger may ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.
----------


Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe ) to your desktop.

Right-click the aswMBR icon and choose Run as Administrator to run it.
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png )
----------

In your next reply please post the log created by aswMBR.exe. :)

enzo11
2011-12-28, 21:22
Thanks for your time Jeff =)

Here's the log (I downloaded the definitions before scanning):

aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-28 16:48:03
-----------------------------
16:48:03.770 OS Version: Windows x64 6.1.7600
16:48:03.770 Number of processors: 4 586 0x2505
16:48:03.770 ComputerName: PC UserName: E
16:48:06.859 Initialize success
16:53:13.102 AVAST engine defs: 11122801
16:53:58.501 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:53:58.505 Disk 0 Vendor: SAMSUNG_ 2AC1 Size: 476940MB BusType: 3
16:53:58.528 Disk 0 MBR read successfully
16:53:58.533 Disk 0 MBR scan
16:53:58.540 Disk 0 unknown MBR code
16:53:58.560 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 20480 MB offset 2048
16:53:58.597 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 41945088
16:53:58.633 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 355957 MB offset 42149888
16:53:58.680 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 100401 MB offset 771149824
16:53:58.690 Service scanning
16:54:01.421 Modules scanning
16:54:01.430 Disk 0 trace - called modules:
16:54:01.460 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
16:54:01.472 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800454e060]
16:54:01.482 3 CLASSPNP.SYS[fffff8800187543f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004472050]
16:54:02.733 AVAST engine scan C:\windows
16:54:06.065 AVAST engine scan C:\windows\system32
16:55:32.639 AVAST engine scan C:\windows\system32\drivers
16:55:43.648 AVAST engine scan C:\Users\E
16:55:44.618 File: C:\Users\E\AppData\Local\ce680107\U\800000cb.@ **INFECTED** Win32:Malware-gen
16:55:44.652 File: C:\Users\E\AppData\Local\ce680107\U\800000cf.@ **INFECTED** Win32:Malware-gen
16:55:44.681 File: C:\Users\E\AppData\Local\ce680107\X **INFECTED** Win32:Trojan-gen
17:14:49.714 AVAST engine scan C:\ProgramData
17:15:53.195 Scan finished successfully
17:20:44.055 Disk 0 MBR has been saved successfully to "C:\Users\E\Desktop\MBR.dat"
17:20:44.066 The log file has been saved successfully to "C:\Users\E\Desktop\aswMBR.txt"

jeffce
2011-12-28, 21:27
Hi enzo11,

Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.

Be sure to disable your security programs
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
A window will open on your desktop
If an unknown bootcode is found, you will have further options available to you; at this time press N, then press Enter twice.
If nothing unusual is found, just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

enzo11
2011-12-29, 02:48
Here it is:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
BIOS Manufacturer: Phoenix Technologies Ltd.
System Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
System Product Name: R480/R431/R481
Logical Drives Mask: 0x0001003c

Kernel Drivers (total 198):

Processes (total 65):
0 System Idle Process
4 System
308 C:\Windows\System32\smss.exe
456 csrss.exe
524 C:\Windows\System32\wininit.exe
548 csrss.exe
580 C:\Windows\System32\services.exe
604 C:\Windows\System32\lsass.exe
612 C:\Windows\System32\lsm.exe
716 C:\Windows\System32\svchost.exe
780 C:\Windows\System32\nvvsvc.exe
820 C:\Windows\System32\svchost.exe
880 C:\Windows\System32\svchost.exe
920 C:\Windows\System32\winlogon.exe
972 C:\Windows\System32\svchost.exe
1004 C:\Windows\System32\svchost.exe
552 C:\Windows\System32\svchost.exe
1084 C:\Windows\System32\svchost.exe
1176 C:\Windows\System32\wlanext.exe
1184 C:\Windows\System32\conhost.exe
1276 C:\Windows\System32\spoolsv.exe
1316 C:\Windows\System32\svchost.exe
1568 C:\Windows\System32\svchost.exe
1600 C:\Windows\System32\svchost.exe
1636 C:\Windows\SysWOW64\Rezip.exe
1980 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
1048 C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
1052 C:\Windows\System32\nvvsvc.exe
1388 C:\Windows\System32\svchost.exe
2112 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2248 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
2340 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2500 C:\Windows\System32\dwm.exe
2540 C:\Windows\explorer.exe
2648 C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
2696 C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
3000 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
3012 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1488 C:\Program Files (x86)\Rainmeter\Rainmeter.exe
2880 C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
3112 C:\Windows\System32\SearchIndexer.exe
3124 C:\Windows\System32\taskhost.exe
3244 C:\Windows\System32\taskeng.exe
3404 C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
3412 C:\Windows\System32\svchost.exe
3580 C:\Program Files (x86)\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe
3588 C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
3604 C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
3748 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
2432 C:\Windows\System32\svchost.exe
356 C:\Windows\System32\svchost.exe
2496 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
3088 dllhost.exe
4656 C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
4956 C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
4484 C:\Windows\System32\wuauclt.exe
3212 C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
3892 C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
4312 C:\Windows\System32\audiodg.exe
3784 C:\Program Files (x86)\Java\jre6\bin\javaw.exe
128 C:\Windows\System32\svchost.exe
3876 dllhost.exe
4876 dllhost.exe
4688 C:\Users\E\Downloads\MBRCheck.exe
3428 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000005`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000005b`eda00000 (NTFS)
\\.\Q: --> error 5

PhysicalDrive0 Model Number: SAMSUNGHM500JI, Rev: 2AC101C4

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F5C09ACABD4A5370BDD907E8EDFE0C1DA0F9D3F5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

jeffce
2011-12-29, 07:32
Hi enzo11,

Download Combofix from either of the links below, and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.

enzo11
2011-12-30, 18:44
I'm keeping TeaTimer shut off since the MalwareBytes scan =)

ComboFix 11-12-29.05 - E 30/12/2011 14:28:06.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.55.1046.18.3957.2401 [GMT -2:00]
Executando de: c:\users\E\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Criado um novo ponto de restauração
.
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\users\E\AppData\Local\ce680107\U
c:\users\E\AppData\Local\ce680107\U\80000000.@
c:\users\E\AppData\Local\ce680107\U\800000cb.@
c:\users\E\AppData\Local\ce680107\U\800000cf.@
c:\users\E\AppData\Local\ce680107\X
c:\users\E\Documents\tu.jpg
c:\windows\SysWow64\windir
c:\windows\SysWow64\WinDir\java.exe
.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2011-11-28 to 2011-12-30 ))))))))))))))))))))))))))))
.
.
2011-12-30 16:33 . 2011-12-30 16:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-23 13:07 . 2011-12-23 13:07 -------- d-----w- c:\users\E\AppData\Roaming\Malwarebytes
2011-12-23 13:07 . 2011-12-23 13:07 -------- d-----w- c:\programdata\Malwarebytes
2011-12-23 13:07 . 2011-12-23 13:20 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-23 13:07 . 2011-08-31 19:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-20 16:25 . 2011-12-20 16:25 -------- d-----w- c:\users\UpdatusUser
2011-12-20 16:25 . 2011-12-20 16:25 -------- d-----w- c:\programdata\NVIDIA
2011-12-20 16:25 . 2011-10-15 08:53 837952 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2011-12-20 16:25 . 2011-10-15 08:53 5067584 ----a-w- c:\windows\system32\nvsvc64.dll
2011-12-20 16:25 . 2011-10-15 08:53 3074368 ----a-w- c:\windows\system32\nvsvcr.dll
2011-12-20 16:25 . 2011-10-15 08:53 222528 ----a-w- c:\windows\system32\nvmctray.dll
2011-12-20 16:25 . 2011-10-15 08:53 1640768 ----a-w- c:\windows\system32\nvvsvc.exe
2011-12-20 16:25 . 2011-10-15 08:53 137536 ----a-w- c:\windows\system32\nvshext.dll
2011-12-20 16:25 . 2011-10-15 08:53 10406208 ----a-w- c:\windows\system32\nvcpl.dll
2011-12-20 16:25 . 2011-12-20 16:25 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-12-20 14:33 . 2011-12-20 14:33 -------- d-----w- c:\windows\SysWow64\xlive
2011-12-20 14:33 . 2011-12-20 14:33 -------- d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE
2011-12-17 01:55 . 2011-12-30 16:33 -------- d-sh--w- c:\users\E\AppData\Local\ce680107
.
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-19 15:44 . 2009-07-13 23:55 332288 ----a-w- c:\windows\system32\uxtheme.dll
2011-12-19 15:44 . 2009-07-13 23:54 2851328 ----a-w- c:\windows\system32\themeui.dll
2011-12-19 15:44 . 2009-07-13 23:54 44544 ----a-w- c:\windows\system32\themeservice.dll
2011-12-04 13:24 . 2011-06-18 01:26 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-29 20:28 . 2011-11-29 20:28 503352 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-10-10 19:49 . 2011-10-10 19:49 188128 ----a-w- c:\programdata\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
2011-10-10 19:33 . 2011-08-19 15:22 1367232 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-11-10 . 2BB457EDBA37215C7EBC0057674A5E48 . 3206144 . . [6.1.7600.16385] .. c:\windows\explorer.exe
[7] 2009-10-31 . B8EC4BD49CE8F6FC457721BFC210B67F . 2870272 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe
[7] 2009-10-31 . 9AAAEC8DAC27AA17B053E6352AD233AE . 2870272 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe
[7] 2009-08-03 . 700073016DAC1C3D2E7E2CE4223334B6 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe
[7] 2009-08-03 . F170B4A061C9E026437B193B4D571799 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe
[7] 2009-07-14 . C235A51CB740E45FFA0EBFB9BAFCDA64 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files (x86)\Rainmeter\Rainmeter.exe [2011-2-6 99840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="c:\users\E\AppData\Local\ce680107\X"
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 Rezip;Rezip;c:\windows\SysWOW64\Rezip.exe [2009-03-05 311296]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-15 9644576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Scan Suplementar -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Enviar imagem para Dispositivo &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\E\AppData\Roaming\Mozilla\Firefox\Profiles\dw69y0it.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
.
- - - - ORFÃOS REMOVIDOS - - - -
.
Toolbar-Locked - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Tempo para conclusão: 2011-12-30 14:36:27
ComboFix-quarantined-files.txt 2011-12-30 16:36
.
Pré-execução: 84.058.525.696 bytes disponíveis
Pós execução: 83.523.174.400 bytes disponíveis
.
- - End Of File - - 0DA9584B14AB6D22C1B781184358EE25

jeffce
2011-12-30, 21:08
Hi enzo11,

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

DDS::
uWinlogon: Shell=C:\Users\E\AppData\Local\ce680107\X
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File

Folder::
c:\users\E\AppData\Local\ce680107
C:\Users\E\AppData\Local\{F4C015FD-78A4-42DB-86B3-7732219E245E}
C:\Users\E\AppData\Local\{B6296749-CFFA-4B2C-91C4-AE132B049E2A}
C:\Users\E\AppData\Local\{9CCB8F46-460A-41BC-97C7-5D2B0DB8DBF7}
C:\Users\E\AppData\Local\{C147D067-4273-485F-A55E-8302FFCFBD2E}
C:\Users\E\AppData\Local\{904EFC0F-ECD2-4630-9701-9432DB3A2623}
C:\Users\E\AppData\Local\{29D9269D-9B92-4A7A-91FA-EEC68833EA62}
C:\Users\E\AppData\Local\{B8F56DFF-31C3-4FEB-96B0-B30D735E0D4D}
C:\Users\E\AppData\Local\{98394B84-B4A4-4237-BD78-44DD61C381B9}
C:\Users\E\AppData\Local\{566F2CEC-DF02-469E-A739-0DF091C705E1}
C:\Users\E\AppData\Local\{FFC2298B-7E4C-40A4-999A-D2383A11C736}
C:\Users\E\AppData\Local\{29E4E099-0D35-47AF-BF7C-149E3FA08DCB}
C:\Users\E\AppData\Local\{3A12E647-46B0-415A-B011-DB4D9944BFDD}
C:\Users\E\AppData\Local\{82758853-90D7-486A-9E8A-742D31BA3B8A}
C:\Users\E\AppData\Local\{47FC946E-6D68-490C-A256-827B7A971263}
C:\Users\E\AppData\Local\{9B6E2117-0EF6-476B-B6D4-376BC8137935}
C:\Users\E\AppData\Local\{2E43068C-D7D4-438B-8936-458DB6E99C78}
C:\Users\E\AppData\Local\{AA937318-9A6D-4DDE-B7F3-AF5B3B4205CA}
C:\Users\E\AppData\Local\{9E9917EA-65F1-4298-9A7D-43FA5687180F}
C:\Users\E\AppData\Local\{C2D99A13-EB89-4D0D-96ED-2F012A360C17}
C:\Users\E\AppData\Local\{C02C163F-A7A7-4105-B61D-F0D8FA3DC29F}
C:\Users\E\AppData\Local\{F4771FB4-6EEE-4FA8-86FC-9DEB1B71E672}
C:\Users\E\AppData\Local\{51537D06-52E1-42E8-81E8-2C3126B48ECF}
C:\Users\E\AppData\Local\{12B35E7B-F0B9-4556-8561-A166BBFC3AC5}
C:\Users\E\AppData\Local\{045B7D23-FD34-4CCD-993F-EBEC89A8CDC2}
C:\Users\E\AppData\Local\{60DF692C-5BD1-463E-8D71-099DDC09067C}
C:\Users\E\AppData\Local\{75728587-96F2-4136-91F4-75B8F373CC16}
C:\Users\E\AppData\Local\{997745F0-EAF7-4922-9248-50D519161FE2}
C:\Users\E\AppData\Local\{345712DB-94E0-4B50-AA3C-62A0DD189C85}

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
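
Once the CFScript above has been run and the machine has rebooted, the useful confirmation is to read the same locations back and see that nothing non-default is left. The PowerShell below is an added example written for this thread; it is not part of ComboFix, DDS or the CFScript, and is not code from either participant. The "expected" defaults for Shell and Userinit are my assumption for a stock Windows 7 install, and the ce680107 folder name is taken from the ComboFix log posted earlier. Run it from an elevated PowerShell prompt:

```powershell
# Added example (not from the thread or from ComboFix): read back the settings the CFScript
# resets and report anything non-default, so the cleanup can be verified after the reboot.
# Assumption (mine): on a stock Windows 7 install HKLM Winlogon Shell is "explorer.exe",
# Userinit is "<SystemRoot>\system32\userinit.exe," and HKCU carries no Shell/Userinit at all.

$findings = @()

# 1. Winlogon Shell and Userinit. Any Shell/Userinit value under HKCU is a per-user override
#    (the ComboFix log showed Shell pointing into AppData\Local\ce680107), so flag it
#    unconditionally; under HKLM flag only a value that differs from the default.
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
}
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$($hive):\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $expected.Keys) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop) { continue }
        if ($hive -eq 'HKCU' -or $prop.Value -ne $expected[$name]) {
            $findings += New-Object PSObject -Property @{
                Check = "Winlogon $name"; Location = $key; Value = $prop.Value
            }
        }
    }
}

# 2. Internet Explorer Trusted Sites: a domain is trusted when its key under ZoneMap\Domains
#    (or a host-name subkey below it) holds a scheme value of 2 (zone 2 = Trusted sites).
$domainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
if (Test-Path $domainsKey) {
    foreach ($sub in Get-ChildItem -Path $domainsKey -Recurse -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $sub.PSPath
        foreach ($scheme in '*', 'http', 'https', 'file') {
            $prop = $props.PSObject.Properties[$scheme]
            if ($prop -and $prop.Value -eq 2) {
                $domain = $sub.PSPath -replace '.*\\Domains\\', ''
                $findings += New-Object PSObject -Property @{
                    Check = 'Trusted Zone'; Location = $domain; Value = $scheme
                }
            }
        }
    }
}

# 3. Folders the CFScript deletes: the hidden ce680107 directory (name taken from the log)
#    and GUID-named directories directly under %LOCALAPPDATA%. Some installers create such
#    folders legitimately, so this lists them for review rather than deleting anything.
foreach ($dir in Get-ChildItem -Path $env:LOCALAPPDATA -Force -ErrorAction SilentlyContinue) {
    if (-not $dir.PSIsContainer) { continue }
    if ($dir.Name -eq 'ce680107' -or
        $dir.Name -match '^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$') {
        $findings += New-Object PSObject -Property @{
            Check = 'Folder'; Location = $dir.FullName; Value = $dir.Attributes.ToString()
        }
    }
}

if ($findings.Count -eq 0) {
    'No non-default Winlogon, Trusted Sites or leftover-folder entries found.'
} else {
    $findings | Select-Object Check, Location, Value | Format-Table -AutoSize -Wrap
}
```

The HKCU Shell value is normally absent altogether, and in this thread the MBAM log showed it coming back after "Delete on reboot", so it is the one line of this output that matters most: if it is printed again after ComboFix's reboot, the cleanup is not finished. The Trusted Sites listing should come back empty unless the user added a site deliberately; the four domains in the CFScript were not.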

enzo11
2011-12-31, 22:25
Combofix updated before running the script:

ComboFix 11-12-31.03 - E 31/12/2011 18:13:03.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.55.1046.18.3957.2627 [GMT -2:00]
Executando de: c:\users\E\Desktop\ComboFix.exe
Comandos utilizados :: c:\users\E\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\E\AppData\Local\{045B7D23-FD34-4CCD-993F-EBEC89A8CDC2}
c:\users\E\AppData\Local\{12B35E7B-F0B9-4556-8561-A166BBFC3AC5}
c:\users\E\AppData\Local\{29D9269D-9B92-4A7A-91FA-EEC68833EA62}
c:\users\E\AppData\Local\{29E4E099-0D35-47AF-BF7C-149E3FA08DCB}
c:\users\E\AppData\Local\{2E43068C-D7D4-438B-8936-458DB6E99C78}
c:\users\E\AppData\Local\{345712DB-94E0-4B50-AA3C-62A0DD189C85}
c:\users\E\AppData\Local\{3A12E647-46B0-415A-B011-DB4D9944BFDD}
c:\users\E\AppData\Local\{47FC946E-6D68-490C-A256-827B7A971263}
c:\users\E\AppData\Local\{51537D06-52E1-42E8-81E8-2C3126B48ECF}
c:\users\E\AppData\Local\{566F2CEC-DF02-469E-A739-0DF091C705E1}
c:\users\E\AppData\Local\{60DF692C-5BD1-463E-8D71-099DDC09067C}
c:\users\E\AppData\Local\{75728587-96F2-4136-91F4-75B8F373CC16}
c:\users\E\AppData\Local\{82758853-90D7-486A-9E8A-742D31BA3B8A}
c:\users\E\AppData\Local\{904EFC0F-ECD2-4630-9701-9432DB3A2623}
c:\users\E\AppData\Local\{98394B84-B4A4-4237-BD78-44DD61C381B9}
c:\users\E\AppData\Local\{997745F0-EAF7-4922-9248-50D519161FE2}
c:\users\E\AppData\Local\{9B6E2117-0EF6-476B-B6D4-376BC8137935}
c:\users\E\AppData\Local\{9CCB8F46-460A-41BC-97C7-5D2B0DB8DBF7}
c:\users\E\AppData\Local\{9E9917EA-65F1-4298-9A7D-43FA5687180F}
c:\users\E\AppData\Local\{AA937318-9A6D-4DDE-B7F3-AF5B3B4205CA}
c:\users\E\AppData\Local\{B6296749-CFFA-4B2C-91C4-AE132B049E2A}
c:\users\E\AppData\Local\{B8F56DFF-31C3-4FEB-96B0-B30D735E0D4D}
c:\users\E\AppData\Local\{C02C163F-A7A7-4105-B61D-F0D8FA3DC29F}
c:\users\E\AppData\Local\{C147D067-4273-485F-A55E-8302FFCFBD2E}
c:\users\E\AppData\Local\{C2D99A13-EB89-4D0D-96ED-2F012A360C17}
c:\users\E\AppData\Local\{F4771FB4-6EEE-4FA8-86FC-9DEB1B71E672}
c:\users\E\AppData\Local\{F4C015FD-78A4-42DB-86B3-7732219E245E}
c:\users\E\AppData\Local\{FFC2298B-7E4C-40A4-999A-D2383A11C736}
c:\users\E\AppData\Local\ce680107
c:\users\E\AppData\Local\ce680107\@
c:\users\E\AppData\Local\ce680107\loader.tlb
.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2011-11-28 to 2011-12-31 ))))))))))))))))))))))))))))
.
.
2011-12-31 20:19 . 2011-12-31 20:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-23 13:07 . 2011-12-23 13:07 -------- d-----w- c:\users\E\AppData\Roaming\Malwarebytes
2011-12-23 13:07 . 2011-12-23 13:07 -------- d-----w- c:\programdata\Malwarebytes
2011-12-23 13:07 . 2011-12-23 13:20 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-23 13:07 . 2011-08-31 19:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-20 16:25 . 2011-12-20 16:25 -------- d-----w- c:\users\UpdatusUser
2011-12-20 16:25 . 2011-12-20 16:25 -------- d-----w- c:\programdata\NVIDIA
2011-12-20 16:25 . 2011-10-15 08:53 837952 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2011-12-20 16:25 . 2011-10-15 08:53 5067584 ----a-w- c:\windows\system32\nvsvc64.dll
2011-12-20 16:25 . 2011-10-15 08:53 3074368 ----a-w- c:\windows\system32\nvsvcr.dll
2011-12-20 16:25 . 2011-10-15 08:53 222528 ----a-w- c:\windows\system32\nvmctray.dll
2011-12-20 16:25 . 2011-10-15 08:53 1640768 ----a-w- c:\windows\system32\nvvsvc.exe
2011-12-20 16:25 . 2011-10-15 08:53 137536 ----a-w- c:\windows\system32\nvshext.dll
2011-12-20 16:25 . 2011-10-15 08:53 10406208 ----a-w- c:\windows\system32\nvcpl.dll
2011-12-20 16:25 . 2011-12-20 16:25 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-12-20 14:33 . 2011-12-20 14:33 -------- d-----w- c:\windows\SysWow64\xlive
2011-12-20 14:33 . 2011-12-20 14:33 -------- d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE
.
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-19 15:44 . 2009-07-13 23:55 332288 ----a-w- c:\windows\system32\uxtheme.dll
2011-12-19 15:44 . 2009-07-13 23:54 2851328 ----a-w- c:\windows\system32\themeui.dll
2011-12-19 15:44 . 2009-07-13 23:54 44544 ----a-w- c:\windows\system32\themeservice.dll
2011-12-04 13:24 . 2011-06-18 01:26 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-29 20:28 . 2011-11-29 20:28 503352 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-10-10 19:49 . 2011-10-10 19:49 188128 ----a-w- c:\programdata\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
2011-10-10 19:33 . 2011-08-19 15:22 1367232 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-11-10 . 2BB457EDBA37215C7EBC0057674A5E48 . 3206144 . . [6.1.7600.16385] .. c:\windows\explorer.exe
[7] 2009-10-31 . B8EC4BD49CE8F6FC457721BFC210B67F . 2870272 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe
[7] 2009-10-31 . 9AAAEC8DAC27AA17B053E6352AD233AE . 2870272 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe
[7] 2009-08-03 . 700073016DAC1C3D2E7E2CE4223334B6 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe
[7] 2009-08-03 . F170B4A061C9E026437B193B4D571799 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe
[7] 2009-07-14 . C235A51CB740E45FFA0EBFB9BAFCDA64 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-12-30_16.34.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2011-12-29 03:26 . 2011-12-29 03:26 13270 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2011-12-31 02:09 . 2011-12-31 02:09 13270 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2009-07-14 04:54 . 2011-12-30 16:15 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-12-31 20:06 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-12-31 20:06 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-30 16:15 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-12-31 20:06 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-30 16:15 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-06-19 07:16 . 2011-12-30 16:17 47642 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2010-06-19 07:16 . 2011-12-31 20:08 47642 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-12-30 16:17 41168 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-12-31 20:08 41168 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-20 18:05 . 2011-12-31 20:08 14260 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2566226363-914769290-2283136121-1000_UserData.bin
- 2011-02-20 19:00 . 2011-12-30 16:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-20 19:00 . 2011-12-31 20:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-20 19:00 . 2011-12-30 16:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-20 19:00 . 2011-12-31 20:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-12-30 16:15 . 2011-12-30 16:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-31 20:05 . 2011-12-31 20:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-30 16:15 . 2011-12-30 16:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-12-31 20:05 . 2011-12-31 20:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 05:01 . 2011-12-31 02:09 243036 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2011-12-29 03:26 243036 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-05-18 19:40 . 2011-12-31 02:09 22235784 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2566226363-914769290-2283136121-1000-8192.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files (x86)\Rainmeter\Rainmeter.exe [2011-2-6 99840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 Rezip;Rezip;c:\windows\SysWOW64\Rezip.exe [2009-03-05 311296]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-15 9644576]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Enviar imagem para Dispositivo &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\E\AppData\Roaming\Mozilla\Firefox\Profiles\dw69y0it.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-12-31 18:22:02
ComboFix-quarantined-files.txt 2011-12-31 20:22
ComboFix2.txt 2011-12-30 16:36
.
Pre-Run: 78,758,797,312 bytes free
Post-Run: 78,724,280,320 bytes free
.
- - End Of File - - 6BB55B06056405708393EF8DAD9556D6

jeffce
2012-01-01, 02:10
Hi enzo11,


I see that you have Malwarebytes on your system. Please open Malwarebytes, update it and then run a Quick Scan. Please save the log that is created for your next reply.
----------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable your on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.


As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.

Do not use this instance of your browser for anything besides doing this scan
When the scan is complete and the results saved, close that instance of your browser
Open a new one the usual way and post the results in this topic.



Right-click and Run as Administrator on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the Start button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the Back button.
Push Finish

http://www.eset.com/onlinescan/
----------

In your next reply please post the logs created by Malwarebytes and ESET online scanner. :)

enzo11
2012-01-02, 00:32
ESET:

C:\Qoobox\Quarantine\C\Users\E\AppData\Local\ce680107\X.vir Win64/Sirefef.K trojan
C:\Qoobox\Quarantine\C\Users\E\AppData\Local\ce680107\U\80000000.@.vir Win64/Sirefef.P trojan
C:\Qoobox\Quarantine\C\Users\E\AppData\Local\ce680107\U\800000cb.@.vir Win64/Sirefef.M trojan
C:\Qoobox\Quarantine\C\Users\E\AppData\Local\ce680107\U\800000cf.@.vir Win64/Sirefef.O trojan
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-135cc6f8 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-18302781 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-32c71f64 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-5f8ba836 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-60601aa7 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-67040525 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\30a46148-7b4572c3 Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\79efab09-406fd805 probably a variant of Java/TrojanDownloader.OpenStream.NCC trojan


Malware:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.01.03

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
E :: PC [administrator]

01/01/2012 20:28:08
mbam-log-2012-01-01 (20-28-08).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 190278
Time elapsed: 1 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

jeffce
2012-01-02, 04:04
Hi,



Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-135cc6f8
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-18302781
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-32c71f64
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-5f8ba836
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-60601aa7
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-67040525
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\30a46148-7b4572c3
C:\Users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\79efab09-406fd805


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

When you originally ran DDS there was a log created named Attach.txt. If you still have that, please post that log as well as the new ComboFix log in your next reply. Also, let me know how your system is running now. :)

enzo11
2012-01-03, 04:02
Combofix gave me a warning about the script already being used in another process, then updated and did a scan, resulting in this log:

ComboFix 12-01-02.02 - E 02/01/2012 23:40:08.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.55.1046.18.3957.2770 [GMT -2:00]
Running from: c:\users\E\Desktop\ComboFix.exe
Command switches used :: c:\users\E\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-135cc6f8"
"c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-18302781"
"c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-32c71f64"
"c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-5f8ba836"
"c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-60601aa7"
"c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-67040525"
"c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\30a46148-7b4572c3"
"c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\79efab09-406fd805"
.
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-135cc6f8
c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-18302781
c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-32c71f64
c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-5f8ba836
c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-60601aa7
c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\14bbfdec-67040525
c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\30a46148-7b4572c3
c:\users\E\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\79efab09-406fd805
.
.
(((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 ))))))))))))))))))))))))))))
.
.
2012-01-03 01:45 . 2012-01-03 01:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-23 13:07 . 2011-12-23 13:07 -------- d-----w- c:\users\E\AppData\Roaming\Malwarebytes
2011-12-23 13:07 . 2011-12-23 13:07 -------- d-----w- c:\programdata\Malwarebytes
2011-12-23 13:07 . 2012-01-01 22:23 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-23 13:07 . 2011-12-10 17:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-20 16:25 . 2011-12-20 16:25 -------- d-----w- c:\users\UpdatusUser
2011-12-20 16:25 . 2011-12-20 16:25 -------- d-----w- c:\programdata\NVIDIA
2011-12-20 16:25 . 2011-10-15 08:53 837952 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2011-12-20 16:25 . 2011-10-15 08:53 5067584 ----a-w- c:\windows\system32\nvsvc64.dll
2011-12-20 16:25 . 2011-10-15 08:53 3074368 ----a-w- c:\windows\system32\nvsvcr.dll
2011-12-20 16:25 . 2011-10-15 08:53 222528 ----a-w- c:\windows\system32\nvmctray.dll
2011-12-20 16:25 . 2011-10-15 08:53 1640768 ----a-w- c:\windows\system32\nvvsvc.exe
2011-12-20 16:25 . 2011-10-15 08:53 137536 ----a-w- c:\windows\system32\nvshext.dll
2011-12-20 16:25 . 2011-10-15 08:53 10406208 ----a-w- c:\windows\system32\nvcpl.dll
2011-12-20 16:25 . 2011-12-20 16:25 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-12-20 14:33 . 2011-12-20 14:33 -------- d-----w- c:\windows\SysWow64\xlive
2011-12-20 14:33 . 2011-12-20 14:33 -------- d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE
.
.
.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-19 15:44 . 2009-07-13 23:55 332288 ----a-w- c:\windows\system32\uxtheme.dll
2011-12-19 15:44 . 2009-07-13 23:54 2851328 ----a-w- c:\windows\system32\themeui.dll
2011-12-19 15:44 . 2009-07-13 23:54 44544 ----a-w- c:\windows\system32\themeservice.dll
2011-12-04 13:24 . 2011-06-18 01:26 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-29 20:28 . 2011-11-29 20:28 503352 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-10-10 19:49 . 2011-10-10 19:49 188128 ----a-w- c:\programdata\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
2011-10-10 19:33 . 2011-08-19 15:22 1367232 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-11-10 . 2BB457EDBA37215C7EBC0057674A5E48 . 3206144 . . [6.1.7600.16385] .. c:\windows\explorer.exe
[7] 2009-10-31 . B8EC4BD49CE8F6FC457721BFC210B67F . 2870272 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe
[7] 2009-10-31 . 9AAAEC8DAC27AA17B053E6352AD233AE . 2870272 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe
[7] 2009-08-03 . 700073016DAC1C3D2E7E2CE4223334B6 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe
[7] 2009-08-03 . F170B4A061C9E026437B193B4D571799 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe
[7] 2009-07-14 . C235A51CB740E45FFA0EBFB9BAFCDA64 . 2868224 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-12-30_16.34.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-02 17:02 . 2012-01-02 17:02 13270 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2011-12-29 03:26 . 2011-12-29 03:26 13270 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2009-07-14 04:54 . 2011-12-30 16:15 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-03 00:35 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-03 00:35 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-30 16:15 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-30 16:15 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-03 00:35 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-06-19 07:16 . 2011-12-30 16:17 47642 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2010-06-19 07:16 . 2012-01-03 00:37 47642 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-12-30 16:17 41168 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-03 00:37 41168 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-20 18:05 . 2012-01-03 00:37 14292 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2566226363-914769290-2283136121-1000_UserData.bin
- 2011-02-20 19:00 . 2011-12-30 16:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-20 19:00 . 2012-01-03 01:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-20 19:00 . 2011-12-30 16:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-20 19:00 . 2012-01-03 01:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-01-03 00:35 . 2012-01-03 00:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-30 16:15 . 2011-12-30 16:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-30 16:15 . 2011-12-30 16:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-03 00:35 . 2012-01-03 00:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-11-10 11:35 . 2012-01-01 21:52 293298 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 05:01 . 2011-12-29 03:26 243036 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-01-02 17:02 243036 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 02:34 . 2011-12-30 16:30 9961472 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2012-01-03 00:45 9961472 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2011-05-18 19:40 . 2012-01-02 17:02 22235784 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2566226363-914769290-2283136121-1000-8192.dat
.
(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files (x86)\Rainmeter\Rainmeter.exe [2011-2-6 99840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 Rezip;Rezip;c:\windows\SysWOW64\Rezip.exe [2009-03-05 311296]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-15 9644576]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Enviar imagem para Dispositivo &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\E\AppData\Roaming\Mozilla\Firefox\Profiles\dw69y0it.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-02 23:47:28
ComboFix-quarantined-files.txt 2012-01-03 01:47
ComboFix2.txt 2011-12-31 20:22
ComboFix3.txt 2011-12-30 16:36
.
Pre-run: 78.345.531.392 bytes free
Post-run: 78.205.067.264 bytes free
.
- - End Of File - - 62E230C91C7012C6163F570A5329F948


Sorry, I accidentally deleted the Attach.txt while reorganizing my desktop this morning (bunch of .exes and logs there now) =/

Today I had no mediashift redirects (yesterday I did, though), and Windows is taking 3-5 extra seconds to boot (which I think I can fix with a defragmentation).

Thanks for all your time doing this during New Year, jeff =)

jeffce
2012-01-03, 04:15
Hi,

I am glad to hear things are running better. :)

Please run a new scan with DDS and then post both of the logs that are created into your next reply.

Stick with me, we are almost done. :bigthumb:

enzo11
2012-01-03, 17:57
Ok, here it is:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Run by E at 13:51:25 on 2012-01-03
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.55.1046.18.3957.2788 [GMT -2:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\SysWOW64\Rezip.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\taskeng.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Rainmeter\Rainmeter.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\DllHost.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyOverride = *.local
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files (x86)\Rainmeter\Rainmeter.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Send Image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send Page to &Bluetooth Device ... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\D4943425F454C4544525F4E4943414 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\E4F647560205164756C6C6960214365627 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F37648D8-9DE9-4418-BD56-F15E07CCD79D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F7BABD8C-D1ED-4CB1-92B7-CD9B5C4B5BEF} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\E\AppData\Roaming\Mozilla\Firefox\Profiles\dw69y0it.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\E\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\E\AppData\Roaming\Mozilla\Firefox\Profiles\dw69y0it.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 cpuz135;cpuz135;\??\C:\windows\system32\drivers\cpuz135_x64.sys --> C:\windows\system32\drivers\cpuz135_x64.sys [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-12-20 2253120]
R2 Rezip;Rezip;C:\Windows\SysWOW64\Rezip.exe [2010-6-19 311296]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-20 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R3 btwampfl;Bluetooth AMP USB Filter;C:\windows\system32\drivers\btwampfl.sys --> C:\windows\system32\drivers\btwampfl.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
S3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-01-03 14:56:53 -------- d-sh--w- C:\$RECYCLE.BIN
2011-12-30 16:25:56 98816 ----a-w- C:\windows\sed.exe
2011-12-30 16:25:56 518144 ----a-w- C:\windows\SWREG.exe
2011-12-30 16:25:56 256000 ----a-w- C:\windows\PEV.exe
2011-12-30 16:25:56 208896 ----a-w- C:\windows\MBR.exe
2011-12-28 23:15:40 -------- d-----w- C:\Users\E\AppData\Local\{365BF5C9-BDB1-47C4-9496-E2CD86B09724}
2011-12-28 23:15:28 -------- d-----w- C:\Users\E\AppData\Local\{526CF1AE-03D0-4F3D-93CE-5AD0829E209E}
2011-12-24 15:46:06 -------- d-----w- C:\Users\E\AppData\Local\{81538477-4E11-463B-8289-16C410DF29D4}
2011-12-24 15:45:54 -------- d-----w- C:\Users\E\AppData\Local\{553E1D99-0358-4099-A1B3-705D570DF8C9}
2011-12-23 13:07:18 -------- d-----w- C:\Users\E\AppData\Roaming\Malwarebytes
2011-12-23 13:07:13 -------- d-----w- C:\ProgramData\Malwarebytes
2011-12-23 13:07:10 23152 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-12-23 13:07:10 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-20 16:25:34 837952 ----a-w- C:\windows\System32\easyupdatusapiu64.dll
2011-12-20 16:25:34 5067584 ----a-w- C:\windows\System32\nvsvc64.dll
2011-12-20 16:25:34 3074368 ----a-w- C:\windows\System32\nvsvcr.dll
2011-12-20 16:25:34 222528 ----a-w- C:\windows\System32\nvmctray.dll
2011-12-20 16:25:34 1640768 ----a-w- C:\windows\System32\nvvsvc.exe
2011-12-20 16:25:34 137536 ----a-w- C:\windows\System32\nvshext.dll
2011-12-20 16:25:34 10406208 ----a-w- C:\windows\System32\nvcpl.dll
2011-12-20 16:25:28 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2011-12-20 14:33:09 -------- d-----w- C:\windows\SysWow64\xlive
2011-12-20 14:33:09 -------- d-----w- C:\Program Files (x86)\Microsoft Games for Windows - LIVE
.
==================== Find3M ====================
.
2011-12-19 15:44:04 332288 ----a-w- C:\windows\System32\uxtheme.dll
2011-12-19 15:44:03 2851328 ----a-w- C:\windows\System32\themeui.dll
2011-12-19 15:44:01 44544 ----a-w- C:\windows\System32\themeservice.dll
2011-12-04 13:24:23 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-29 20:28:23 503352 ----a-w- C:\windows\System32\drivers\sptd.sys
.
============= FINISH: 13:52:09,83 ===============

jeffce
2012-01-03, 20:05
Hi enzo11,

P2P - I see you have P2P software µTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation. This page (http://malwareremoval.com/p2pindex.php) will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Programs and Features.
----------

Please download JavaRa (http://raproducts.org/click/click.php?id=1) to your desktop and unzip it to its own folder.
Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
Select Update Using Sun Java's Website, then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
----------

Let me know when you have this completed and if you had any problems with the instructions. :)

enzo11
2012-01-03, 20:39
JavaRa produced an empty log and I updated JRE (jre-7u2 from Sun's site).

jeffce
2012-01-03, 20:43
Sounds good. Providing there are no more problems I think we can clean up. :)
-------

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
----------

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box as shown and click OK.
Combofix /Uninstall
(Note: There is a space between the ..X and the /U that needs to be there.)

http://i1224.photobucket.com/albums/ee380/jeffce74/CF.jpg
----------

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
Open Internet Explorer
Click on Tools > Internet Options
Press Security tab
Select Internet zone then place check next to Enable Protected Mode if not already done
Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here (http://www.bleepingcomputer.com/forums/tutorial60.html). **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free (http://download.cnet.com/Online-Armor-Free/3000-10435_4-10426782.html)
Agnitum Outpost Firewall Free (http://download.cnet.com/Agnitum-Outpost-Firewall-Free/3000-10435_4-10913746.html)

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp) regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. Consider a custom hosts file such as MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.htm). This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002 (http://www.mvps.org/winhelp2002/hosts.htm)
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

7. WOT (http://www.mywot.com/) (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

8. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
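Steps 1 and 2 above are a sequence of clicks in the Internet Options dialog. Every one of those settings is a DWORD under the current user's Internet Explorer zone keys, so the same hardening can be audited (and re-applied if a later infection undoes it) from a script. The following is an added example, not code from jeffce, from this thread's tools, or from any of the linked pages. It assumes Windows 7 with Windows PowerShell 2.0 or later and IE8, and uses the documented IE "URL action" value names for the Internet zone (1001, 1004, 1201, 1800, 1804, 1607) and for Protected Mode (2500, where 0 means on and 3 means off). Because the DDS log earlier in this thread reports PromptOnSecureDesktop = 0 under mPolicies-system, it also reads the UAC policy values and compares them with the Windows 7 defaults (PromptOnSecureDesktop = 1, EnableLUA = 1, ConsentPromptBehaviorAdmin = 5); changing those requires an elevated prompt, so the script only reports them. The function names, the -Fix switch and the finding messages are choices made for this example.

```powershell
# Added example: audit (and optionally re-apply) the Internet Explorer zone
# settings from steps 1-2 above, and report UAC policy values that differ from
# the Windows 7 defaults. Run as the affected user. Not from the original post.

# IE stores per-zone settings as DWORDs named after IE's URL-action IDs.
# Data values: 0 = Enable, 1 = Prompt, 3 = Disable. Zone 3 is the Internet zone.
$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Step 1: Internet-zone settings and the recommended data for each.
$InternetZoneWanted = @{
    '1001' = 1   # Download signed ActiveX controls                      -> Prompt
    '1004' = 3   # Download unsigned ActiveX controls                    -> Disable
    '1201' = 3   # Initialize and script ActiveX controls not marked safe -> Disable
    '1800' = 1   # Installation of desktop items                         -> Prompt
    '1804' = 1   # Launching programs and files in an IFRAME             -> Prompt
    '1607' = 1   # Navigate sub-frames across different domains          -> Prompt
}

# Step 2: value 2500 is Protected Mode (0 = on, 3 = off) for zones
# 1 (Local intranet), 2 (Trusted sites), 3 (Internet), 4 (Restricted sites).
$ProtectedModeZones = 1..4

function Get-ZoneValue {
    param([int]$Zone, [string]$Name)
    # Returns $null when the value is not present in HKCU for that zone.
    $item = Get-ItemProperty -Path "$ZonesKey\$Zone" -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-IEZoneSettings {
    # Returns one message per setting that differs from the recommendation.
    # With -Fix, writes the recommended value for each mismatch as it is found.
    param([switch]$Fix)
    $findings = @()
    foreach ($name in $InternetZoneWanted.Keys) {
        $wanted = $InternetZoneWanted[$name]
        $actual = Get-ZoneValue -Zone 3 -Name $name
        if ($actual -ne $wanted) {
            $findings += "Internet zone value $name is '$actual' (empty = not set in HKCU), want $wanted"
            if ($Fix) { Set-ItemProperty -Path "$ZonesKey\3" -Name $name -Value $wanted -Type DWord }
        }
    }
    foreach ($zone in $ProtectedModeZones) {
        $actual = Get-ZoneValue -Zone $zone -Name '2500'
        if ($actual -ne 0) {
            $findings += "Protected Mode is off in zone $zone (2500 = '$actual')"
            if ($Fix) { Set-ItemProperty -Path "$ZonesKey\$zone" -Name '2500' -Value 0 -Type DWord }
        }
    }
    return $findings
}

# UAC policy values, the same key DDS reports as "mPolicies-system".
# Windows 7 defaults: EnableLUA 1, PromptOnSecureDesktop 1, ConsentPromptBehaviorAdmin 5.
# PromptOnSecureDesktop = 0 (as in the log above) puts the elevation prompt on the
# normal interactive desktop, where other user-mode processes can draw over or imitate it.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-UacPolicy {
    # Read-only: changing these values needs an elevated PowerShell.
    $p = Get-ItemProperty -Path $UacKey
    $findings = @()
    if ($p.EnableLUA -ne 1) { $findings += "EnableLUA = $($p.EnableLUA) (UAC is disabled)" }
    if ($p.PromptOnSecureDesktop -ne 1) { $findings += "PromptOnSecureDesktop = $($p.PromptOnSecureDesktop) (prompt not on the secure desktop)" }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) { $findings += "ConsentPromptBehaviorAdmin = 0 (administrators elevate silently)" }
    return $findings
}

# Report only; re-run "Test-IEZoneSettings -Fix" to apply the IE changes, then restart IE.
$all = @(Test-IEZoneSettings) + @(Test-UacPolicy)
if ($all.Count -eq 0) { 'All checked settings match the recommended values.' } else { $all }
```

Run it once before and once after working through the dialog to confirm the clicks landed in the right zone; an empty finding list means the Internet zone matches step 1, Protected Mode is on in all four zones, and UAC is at its defaults. The -Fix switch touches only HKCU, so it needs no elevation, but IE must be restarted before the Protected Mode change shows in its status bar.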

enzo11
2012-01-03, 22:58
Ok, thank you a lot jeff.

I'm looking into MVPS Hosts right now. And I think I don't need to worry about ActiveX since Firefox doesn't support it, right?

Thanks for all your time again =)

jeffce
2012-01-03, 23:09
"I don't need to worry about ActiveX since Firefox doesn't support it, right?"
Correct.
----------

You are more than welcome. :)

jeffce
2012-01-05, 02:52
Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you are the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.