View Full Version : rootkit.0access.h
Hello, I'm here for help again, unfortunately.
I ran Malware Bytes recently and got three infections; after the quarantine -> delete -> reboot process, one infection, Rootkit.0Access.H was still there.
I'm not noticing any problems or irregular behavior on my computer at all.
I also turned off TeaTimer and ran TDSSKiller (verifying digital signatures and TDLFS) to get extra information on this, here's the log (skipped all of the infections by default).Log on next post because of the text limit.
Hm, looks like the TDSS log is too big to be posted here, so I will just post the other ones, sorry: (Edit: No need to post TDSS unless requested.) ;-)
The DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_22
Run by E at 10:34:15 on 2012-08-12
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.55.1046.18.3957.2507 [GMT -3:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\SysWOW64\Rezip.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\Explorer.EXE
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Rainmeter\Rainmeter.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Waterfox\waterfox.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyOverride = *.local
BHO: Auxiliar de Conexão do Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: C:\Users\E\bkhu79m9pe.exe
mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
StartupFolder: C:\Users\E\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files (x86)\Rainmeter\Rainmeter.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Enviar imagem para Dispositivo &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\D4943425F454C4544525F4E4943414 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\E4F647560205164756C6C6960214365627 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F37648D8-9DE9-4418-BD56-F15E07CCD79D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F7BABD8C-D1ED-4CB1-92B7-CD9B5C4B5BEF} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 cpuz135;cpuz135;\??\C:\windows\system32\drivers\cpuz135_x64.sys --> C:\windows\system32\drivers\cpuz135_x64.sys [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-6-3 1262400]
R2 Rezip;Rezip;C:\Windows\SysWOW64\Rezip.exe [2010-6-19 311296]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R3 btwampfl;Bluetooth AMP USB Filter;C:\windows\system32\drivers\btwampfl.sys --> C:\windows\system32\drivers\btwampfl.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-20 1153368]
S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
S3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;C:\windows\system32\DRIVERS\libusb0.sys --> C:\windows\system32\DRIVERS\libusb0.sys [?]
S3 npggsvc;nProtect GameGuard Service;C:\windows\system32\GameMon.des -service --> C:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-12 12:50:43 -------- d-----w- C:\Users\E\AppData\Roaming\Waterfox Limited
2012-08-08 17:42:23 -------- d-----w- C:\Users\E\AppData\Local\{8BEA5AA3-3DEA-403B-8960-353571224847}
2012-08-08 17:42:12 -------- d-----w- C:\Users\E\AppData\Local\{69526FCE-8F3A-460D-9B7B-9062298D13DB}
2012-08-05 22:32:42 -------- d-----w- C:\Users\E\AppData\Local\{157D3345-0458-4A15-81E2-1FAD9047A4EC}
2012-08-05 22:32:16 -------- d-----w- C:\Users\E\AppData\Local\{2E5BEA6B-109E-4D78-A7C3-7A71FCAAD18E}
2012-07-31 17:03:06 -------- d-----w- C:\Users\E\AppData\Local\{FF6BFAE8-71B3-476A-8BB2-AD911829F449}
2012-07-31 17:02:55 -------- d-----w- C:\Users\E\AppData\Local\{C2E1472C-5186-49B3-8148-0450017E29F5}
2012-07-30 19:41:58 -------- d-----w- C:\Users\E\AppData\Local\{68A24E7A-F970-490F-BE22-1E948B7FE347}
2012-07-30 19:40:32 -------- d-----w- C:\Users\E\AppData\Local\{47429B24-DB6A-4D89-B444-E12957F722B5}
2012-07-27 18:49:28 -------- d-----w- C:\Users\E\AppData\Local\{8DD53C5C-B796-4A22-A5A5-19FC8A03F0E3}
2012-07-27 18:49:16 -------- d-----w- C:\Users\E\AppData\Local\{83F30B5C-71B4-4A46-B6B1-DB0ED8CAF706}
2012-07-26 14:51:44 -------- d-----w- C:\Users\E\AppData\Local\{E7D09EFA-1347-4B16-9C5C-FEF1C4EA655B}
2012-07-26 14:50:43 -------- d-----w- C:\Users\E\AppData\Local\{2271A012-447E-4D82-A789-9D71F39337BF}
2012-07-22 15:52:19 -------- d-----w- C:\Users\E\AppData\Local\{936A3A53-42BB-44BD-89A4-F89AE5E12A0A}
2012-07-22 15:52:07 -------- d-----w- C:\Users\E\AppData\Local\{84FFD483-962F-45E0-8BB7-835A1BE31776}
2012-07-21 15:53:31 -------- d-----w- C:\Users\E\AppData\Local\{4BD8EEB4-88CD-4186-8AC5-26B023258133}
2012-07-21 15:53:19 -------- d-----w- C:\Users\E\AppData\Local\{E58EB009-B144-4173-AFC7-F567B47331D6}
2012-07-17 18:05:16 -------- d-----w- C:\Users\E\AppData\Local\{F202B415-A55F-454D-95E1-326DF7AD1B54}
2012-07-17 18:05:01 -------- d-----w- C:\Users\E\AppData\Local\{C79E91D5-75F8-4BA4-9716-312212E2A4F7}
2012-07-16 18:04:46 -------- d-----w- C:\Users\E\AppData\Local\{9D45AFEE-B8ED-416D-AD59-9CCBCF000AF9}
2012-07-16 18:04:34 -------- d-----w- C:\Users\E\AppData\Local\{746F6216-440D-4F8E-AD9F-F1AF1A58286B}
2012-07-15 01:44:06 -------- d-----w- C:\Users\E\AppData\Local\{961E5217-325B-494C-A789-CAC43F927905}
2012-07-14 19:17:54 -------- d-----w- C:\Users\E\AppData\Roaming\com.doubleperfect.ggpo
2012-07-14 13:43:30 -------- d-----w- C:\Users\E\AppData\Local\{48B5B238-4EA8-44E9-A5BA-8E7DE4D79C53}
2012-07-14 13:43:16 -------- d-----w- C:\Users\E\AppData\Local\{FB6E49EE-7065-4639-B1B2-C41E8103819D}
2012-07-13 16:32:29 -------- d-----w- C:\Users\E\AppData\Local\{61542E56-B79B-46F5-8FDB-81585845DC09}
2012-07-13 16:32:18 -------- d-----w- C:\Users\E\AppData\Local\{319F67B1-76EB-4077-BA0D-BCED0686A5E7}
.
==================== Find3M ====================
.
2012-07-12 14:27:03 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 14:27:03 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-07-03 16:46:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-06-20 15:28:03 4145600 ----a-w- C:\windows\SysWow64\GameMon.des
2012-06-03 17:43:43 8769696 ----a-w- C:\windows\SysWow64\FlashPlayerInstaller.exe
2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll
2012-06-02 18:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll
2012-06-02 18:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe
2012-05-15 09:29:47 889664 ----a-w- C:\windows\System32\nvvsvc.exe
2012-05-15 09:29:46 63296 ----a-w- C:\windows\System32\nvshext.dll
2012-05-15 09:29:46 2561856 ----a-w- C:\windows\System32\nvsvcr.dll
2012-05-15 09:29:46 118080 ----a-w- C:\windows\System32\nvmctray.dll
2012-05-15 09:29:25 3149632 ----a-w- C:\windows\System32\nvsvc64.dll
2012-05-15 09:28:42 6151488 ----a-w- C:\windows\System32\nvcpl.dll
.
============= FINISH: 10:35:07,04 ===============
[B]aswMBR log:
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-12 10:42:53
-----------------------------
10:42:53.453 OS Version: Windows x64 6.1.7601 Service Pack 1
10:42:53.453 Number of processors: 4 586 0x2505
10:42:53.453 ComputerName: PC UserName: E
10:42:54.655 Initialze error C000010E - driver not loaded
10:47:55.817 AVAST engine defs: 12081200
10:51:25.667 Service scanning
10:51:51.750 Modules scanning
10:51:51.750 Disk 0 trace - called modules:
10:51:51.750
10:51:52.998 AVAST engine scan C:\windows
10:51:56.617 AVAST engine scan C:\windows\system32
10:55:32.521 AVAST engine scan C:\windows\system32\drivers
10:55:49.931 AVAST engine scan C:\Users\E
10:58:48.567 File: C:\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\n **INFECTED** Win64:Sirefef-F [Rtk]
10:58:48.614 File: C:\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\00000001.@ **INFECTED** Win32:Malware-gen
10:58:48.676 File: C:\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\80000000.@ **INFECTED** Win32:Malware-gen
10:58:48.739 File: C:\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\800000cb.@ **INFECTED** Win32:Trojan-gen
11:11:21.160 AVAST engine scan C:\ProgramData
11:12:41.235 Scan finished successfully
11:14:27.643 The log file has been saved successfully to "C:\Users\E\Desktop\aswMBR.txt"
Here's the log:
Malwarebytes Anti-Malware 1.62.0.1300
Versão da Base de Dados: v2012.08.12.03
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
E :: PC [administrador]
12/08/2012 09:53:25
mbam-log-2012-08-12 (09-53-25).txt
Tipo de Verificação: Verificação Rápida
Opções de verificações ativadas: Memória | Inicialização | Registro | Sistema de arquivos | Heurística/Extra | Heurística/Shuriken | PUP | PUM
Opções de verificação desativadas: P2P
Objetos escaneados: 213302
Tempo decorrido: 4 minuto(s), 48 segundo(s)
Processos de Memória Detectados: 0
(Não foram detectados ítens maliciosos)
Módulos de Memória Detectados: 0
(Não foram detectados ítens maliciosos)
Chaves de Registro Detectadas: 0
(Não foram detectados ítens maliciosos)
Valores de Registro Detectadas: 0
(Não foram detectados ítens maliciosos)
Itens de Dados no Registro Detectadas: 0
(Não foram detectados ítens maliciosos)
Pastas Detectadas: 0
(Não foram detectados ítens maliciosos)
Arquivos Detectados: 3
C:\Users\E\AppData\Local\Temp\EA86.tmp (Trojan.Agent.H) -> Enviado para a Quarentena e deletado com sucesso.
C:\Windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\n (Trojan.Sirefef) -> Enviado para a Quarentena e deletado com sucesso.
C:\Windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\00000001.@ (RootKit.0Access.H) -> Enviado para a Quarentena e deletado com sucesso.
(fim)
Hi,
Please post the TDSSKiller log you had there.
I'm attaching since it's too big to post.
Hi
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
A "system32/icacls.exe" file kept trying to run in the first moments Combfix was running/generating the log:
ComboFix 12-08-18.03 - E 19/08/2012 12:36:14.4.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.55.1046.18.3957.2829 [GMT -3:00]
Executando de: c:\users\E\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}
c:\users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\@
c:\users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\n
c:\users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\00000001.@
c:\users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\80000000.@
c:\users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\800000cb.@
c:\users\E\bkhu79m9pe.exe
c:\windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}
c:\windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\@
c:\windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\00000001.@
c:\windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\80000000.@
c:\windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\800000cb.@
.
A cópia de c:\windows\system32\services.exe foi encontrada e desinfectada
Cópia restaurada de - c:\windows\ERDNT\cache64\services.exe
.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2012-07-19 to 2012-08-19 ))))))))))))))))))))))))))))
.
.
2012-08-19 15:44 . 2012-08-19 15:44 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CE0AF42B-5A32-4222-94DF-3FF0E63A5C94}\offreg.dll
2012-08-19 15:43 . 2012-08-19 15:43 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-08-19 15:43 . 2012-08-19 15:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-19 15:43 . 2012-08-19 15:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-12 12:50 . 2012-08-12 12:50 -------- d-----w- c:\users\E\AppData\Roaming\Waterfox Limited
2012-08-01 17:09 . 2012-08-01 17:16 -------- d-----w- c:\users\E\AppData\Roaming\ImgBurn
2012-08-01 16:54 . 2012-08-01 16:56 -------- d-----w- c:\program files (x86)\ImgBurn
.
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 14:27 . 2012-06-27 01:20 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-12 14:27 . 2012-06-27 01:16 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-03 16:46 . 2011-12-23 13:07 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-20 15:28 . 2012-06-24 18:13 4145600 ----a-w- c:\windows\SysWow64\GameMon.des
2012-06-03 17:43 . 2012-06-03 17:43 8769696 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-06-02 22:19 . 2012-06-23 18:51 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 18:51 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-23 18:51 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 18:51 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 18:51 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-23 18:51 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-23 18:51 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 18:19 . 2012-06-23 18:51 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 18:15 . 2012-06-23 18:51 36864 ----a-w- c:\windows\system32\wuapp.exe
.
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files (x86)\Rainmeter\Rainmeter.exe [2011-2-6 99840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
R3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;c:\windows\system32\DRIVERS\libusb0.sys [2012-02-19 32768]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 40464]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-12-14 51712]
R3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-02 1255736]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-11-29 503352]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-02-22 254528]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 13824]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2011-01-19 21992]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
S2 Rezip;Rezip;c:\windows\SysWOW64\Rezip.exe [2009-03-05 311296]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-04-30 340520]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-04-30 39464]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2009-12-03 721768]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2009-12-03 269672]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-12-03 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2009-12-03 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 395264]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-15 9644576]
.
------- Scan Suplementar -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Enviar imagem para Dispositivo &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORFÃOS REMOVIDOS - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-bkhu79m9pe - c:\users\E\bkhu79m9pe.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Outros Processos em Execução ------------------------
.
c:\program files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
c:\program files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
.
**************************************************************************
.
Tempo para conclusão: 2012-08-19 12:53:06 - Máquina reiniciou
ComboFix-quarantined-files.txt 2012-08-19 15:53
.
Pré-execução: 45.001.482.240 bytes disponíveis
Pós execução: 44.954.902.528 bytes disponíveis
.
- - End Of File - - 5B3950D2F9F6A75A2053834AB50CB944
DDS:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_22
Run by E at 12:59:25 on 2012-08-19
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.55.1046.18.3957.2477 [GMT -3:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\taskeng.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\SysWOW64\Rezip.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\windows\servicing\TrustedInstaller.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Rainmeter\Rainmeter.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\DllHost.exe
C:\Program Files\Waterfox\waterfox.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\windows\system32\sppsvc.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyOverride = *.local
BHO: Auxiliar de Conexão do Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files (x86)\Rainmeter\Rainmeter.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Enviar imagem para Dispositivo &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\D4943425F454C4544525F4E4943414 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\E4F647560205164756C6C6960214365627 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F37648D8-9DE9-4418-BD56-F15E07CCD79D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F7BABD8C-D1ED-4CB1-92B7-CD9B5C4B5BEF} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 cpuz135;cpuz135;\??\C:\windows\system32\drivers\cpuz135_x64.sys --> C:\windows\system32\drivers\cpuz135_x64.sys [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-6-3 1262400]
R2 Rezip;Rezip;C:\Windows\SysWOW64\Rezip.exe [2010-6-19 311296]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-20 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R3 btwampfl;Bluetooth AMP USB Filter;C:\windows\system32\drivers\btwampfl.sys --> C:\windows\system32\drivers\btwampfl.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
S3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;C:\windows\system32\DRIVERS\libusb0.sys --> C:\windows\system32\DRIVERS\libusb0.sys [?]
S3 npggsvc;nProtect GameGuard Service;C:\windows\system32\GameMon.des -service --> C:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-19 15:55:22 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-19 15:55:02 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CE0AF42B-5A32-4222-94DF-3FF0E63A5C94}\offreg.dll
2012-08-19 15:32:20 98816 ----a-w- C:\windows\sed.exe
2012-08-19 15:32:20 518144 ----a-w- C:\windows\SWREG.exe
2012-08-19 15:32:20 256000 ----a-w- C:\windows\PEV.exe
2012-08-19 15:32:20 208896 ----a-w- C:\windows\MBR.exe
2012-08-15 21:56:03 -------- d-----w- C:\Users\E\AppData\Local\{C238BA74-A336-484E-8546-2A0AFE84AD7D}
2012-08-15 21:55:52 -------- d-----w- C:\Users\E\AppData\Local\{DB37199D-B3F0-40F8-B1BC-CCFC3A2F5E15}
2012-08-12 12:50:43 -------- d-----w- C:\Users\E\AppData\Roaming\Waterfox Limited
2012-08-08 17:42:23 -------- d-----w- C:\Users\E\AppData\Local\{8BEA5AA3-3DEA-403B-8960-353571224847}
2012-08-08 17:42:12 -------- d-----w- C:\Users\E\AppData\Local\{69526FCE-8F3A-460D-9B7B-9062298D13DB}
2012-08-05 22:32:42 -------- d-----w- C:\Users\E\AppData\Local\{157D3345-0458-4A15-81E2-1FAD9047A4EC}
2012-08-05 22:32:16 -------- d-----w- C:\Users\E\AppData\Local\{2E5BEA6B-109E-4D78-A7C3-7A71FCAAD18E}
2012-07-31 17:03:06 -------- d-----w- C:\Users\E\AppData\Local\{FF6BFAE8-71B3-476A-8BB2-AD911829F449}
2012-07-31 17:02:55 -------- d-----w- C:\Users\E\AppData\Local\{C2E1472C-5186-49B3-8148-0450017E29F5}
2012-07-30 19:41:58 -------- d-----w- C:\Users\E\AppData\Local\{68A24E7A-F970-490F-BE22-1E948B7FE347}
2012-07-30 19:40:32 -------- d-----w- C:\Users\E\AppData\Local\{47429B24-DB6A-4D89-B444-E12957F722B5}
2012-07-27 18:49:28 -------- d-----w- C:\Users\E\AppData\Local\{8DD53C5C-B796-4A22-A5A5-19FC8A03F0E3}
2012-07-27 18:49:16 -------- d-----w- C:\Users\E\AppData\Local\{83F30B5C-71B4-4A46-B6B1-DB0ED8CAF706}
2012-07-26 14:51:44 -------- d-----w- C:\Users\E\AppData\Local\{E7D09EFA-1347-4B16-9C5C-FEF1C4EA655B}
2012-07-26 14:50:43 -------- d-----w- C:\Users\E\AppData\Local\{2271A012-447E-4D82-A789-9D71F39337BF}
2012-07-22 15:52:19 -------- d-----w- C:\Users\E\AppData\Local\{936A3A53-42BB-44BD-89A4-F89AE5E12A0A}
2012-07-22 15:52:07 -------- d-----w- C:\Users\E\AppData\Local\{84FFD483-962F-45E0-8BB7-835A1BE31776}
2012-07-21 15:53:31 -------- d-----w- C:\Users\E\AppData\Local\{4BD8EEB4-88CD-4186-8AC5-26B023258133}
2012-07-21 15:53:19 -------- d-----w- C:\Users\E\AppData\Local\{E58EB009-B144-4173-AFC7-F567B47331D6}
.
==================== Find3M ====================
.
2012-07-12 14:27:03 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 14:27:03 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-07-03 16:46:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-06-20 15:28:03 4145600 ----a-w- C:\windows\SysWow64\GameMon.des
2012-06-03 17:43:43 8769696 ----a-w- C:\windows\SysWow64\FlashPlayerInstaller.exe
2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll
2012-06-02 18:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll
2012-06-02 18:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe
.
============= FINISH: 13:02:00,39 ===============
Hi again,
Open notepad and copy/paste the text in the quotebox below into it:
DDS::
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let the tool to update itself if prompted).
Then post the resultant log.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 7 Update 6 (http://www.oracle.com/technetwork/java/javase/downloads/index.html).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-7u6-windows-i586.exe to install the newest version.
* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish.
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
Question: since I use both a 64bit OS and browser, shouldn't I use "jre-7u6-windows-x64.exe" instead of "jre-7u6-windows-i586.exe"?
Hi,
It depends what browser you're using. Firefox and 32-bit version of Internet Explorer need 32-bit Java.
ESET:
C:\Qoobox\Quarantine\C\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\n.vir Win64/Sirefef.W trojan
C:\Qoobox\Quarantine\C\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\00000001.@.vir Win64/Sirefef.AI trojan
C:\Qoobox\Quarantine\C\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\80000000.@.vir Win64/Sirefef.AE trojan
C:\Qoobox\Quarantine\C\Users\E\AppData\Local\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\800000cb.@.vir Win64/Sirefef.AH trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\80000000.@.vir Win64/Sirefef.AL trojan
C:\Qoobox\Quarantine\C\Windows\Installer\{96ea3c96-34fa-21f9-8df8-0122e6f17a5b}\U\800000cb.@.vir Win64/Sirefef.AH trojan
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir Win64/Patched.B.Gen trojan
Combofix:
ComboFix 12-08-18.03 - E 19/08/2012 18:58:45.5.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.55.1046.18.3957.2187 [GMT -3:00]
Executando de: c:\users\E\Downloads\ComboFix.exe
Comandos utilizados :: c:\users\E\Downloads\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2012-07-19 to 2012-08-19 ))))))))))))))))))))))))))))
.
.
2012-08-19 22:04 . 2012-08-19 22:04 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-08-19 22:04 . 2012-08-19 22:04 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-19 22:04 . 2012-08-19 22:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-19 15:55 . 2012-08-19 15:55 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CE0AF42B-5A32-4222-94DF-3FF0E63A5C94}\offreg.dll
2012-08-12 12:50 . 2012-08-12 12:50 -------- d-----w- c:\users\E\AppData\Roaming\Waterfox Limited
2012-08-01 17:09 . 2012-08-01 17:16 -------- d-----w- c:\users\E\AppData\Roaming\ImgBurn
2012-08-01 16:54 . 2012-08-01 16:56 -------- d-----w- c:\program files (x86)\ImgBurn
.
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-19 21:46 . 2012-06-27 01:20 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-19 21:46 . 2012-06-27 01:16 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-03 16:46 . 2011-12-23 13:07 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-20 15:28 . 2012-06-24 18:13 4145600 ----a-w- c:\windows\SysWow64\GameMon.des
2012-06-03 17:43 . 2012-06-03 17:43 8769696 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-06-02 22:19 . 2012-06-23 18:51 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 18:51 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-23 18:51 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 18:51 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 18:51 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-23 18:51 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-23 18:51 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 18:19 . 2012-06-23 18:51 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 18:15 . 2012-06-23 18:51 36864 ----a-w- c:\windows\system32\wuapp.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-19_15.44.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-08-19 15:43 . 2012-08-19 15:43 13270 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2012-08-19 15:54 . 2012-08-19 15:54 13270 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2009-07-14 04:54 . 2012-08-19 15:44 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-08-19 15:54 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-08-19 15:44 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-19 15:54 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-19 15:54 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-19 15:44 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-19 07:16 . 2012-08-19 15:56 51334 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2010-06-19 07:16 . 2012-08-19 15:46 51334 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-19 15:56 41876 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-20 18:05 . 2012-08-19 15:56 17778 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2566226363-914769290-2283136121-1000_UserData.bin
- 2011-02-20 19:00 . 2012-08-19 15:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-20 19:00 . 2012-08-19 21:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-20 19:00 . 2012-08-19 21:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-02-20 19:00 . 2012-08-19 15:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-08-19 15:43 . 2012-08-19 15:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-19 15:54 . 2012-08-19 15:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-19 15:54 . 2012-08-19 15:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-19 15:43 . 2012-08-19 15:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-19 21:46 . 2012-08-19 21:46 686792 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_271_Plugin.exe
- 2012-06-27 01:20 . 2012-07-12 14:27 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-06-27 01:20 . 2012-08-19 21:46 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-08-19 21:46 . 2012-08-19 21:46 417992 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_271_Plugin.exe
+ 2009-07-14 05:01 . 2012-08-19 15:54 234216 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-08-19 15:43 234216 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-08-19 21:46 . 2012-08-19 21:46 9465032 c:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll
+ 2012-08-19 21:46 . 2012-08-19 21:46 1536712 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
+ 2012-08-19 21:46 . 2012-08-19 21:46 12315336 c:\windows\system32\Macromed\Flash\NPSWF64_11_3_300_271.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UCam_Menu"="c:\program files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files (x86)\Rainmeter\Rainmeter.exe [2011-2-6 99840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
R3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;c:\windows\system32\DRIVERS\libusb0.sys [2012-02-19 32768]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 40464]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-12-14 51712]
R3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;c:\windows\system32\Wat\WatAdminSvc.exe [2011-09-02 1255736]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-11-29 503352]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-02-22 254528]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 13824]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2011-01-19 21992]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
S2 Rezip;Rezip;c:\windows\SysWOW64\Rezip.exe [2009-03-05 311296]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-04-30 340520]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-04-30 39464]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2009-12-03 721768]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2009-12-03 269672]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-12-03 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2009-12-03 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 395264]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-15 9644576]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
.
------- Scan Suplementar -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Enviar imagem para Dispositivo &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORFÃOS REMOVIDOS - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2566226363-914769290-2283136121-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Tempo para conclusão: 2012-08-19 19:09:09
ComboFix-quarantined-files.txt 2012-08-19 22:09
ComboFix2.txt 2012-08-19 15:53
.
Pré-execução: 45.580.820.480 bytes disponíveis
Pós execução: 45.495.615.488 bytes disponíveis
.
- - End Of File - - E9C5C2B493A8342A80BFC2CC85EEBD02
DDS:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_22
Run by E at 12:59:25 on 2012-08-19
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.55.1046.18.3957.2477 [GMT -3:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\taskeng.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\SysWOW64\Rezip.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\windows\servicing\TrustedInstaller.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Rainmeter\Rainmeter.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\DllHost.exe
C:\Program Files\Waterfox\waterfox.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\windows\system32\sppsvc.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyOverride = *.local
BHO: Auxiliar de Conexão do Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files (x86)\Rainmeter\Rainmeter.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Enviar imagem para Dispositivo &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\D4943425F454C4544525F4E4943414 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\E4F647560205164756C6C6960214365627 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F37648D8-9DE9-4418-BD56-F15E07CCD79D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F7BABD8C-D1ED-4CB1-92B7-CD9B5C4B5BEF} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 cpuz135;cpuz135;\??\C:\windows\system32\drivers\cpuz135_x64.sys --> C:\windows\system32\drivers\cpuz135_x64.sys [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-6-3 1262400]
R2 Rezip;Rezip;C:\Windows\SysWOW64\Rezip.exe [2010-6-19 311296]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-20 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R3 btwampfl;Bluetooth AMP USB Filter;C:\windows\system32\drivers\btwampfl.sys --> C:\windows\system32\drivers\btwampfl.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
S3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;C:\windows\system32\DRIVERS\libusb0.sys --> C:\windows\system32\DRIVERS\libusb0.sys [?]
S3 npggsvc;nProtect GameGuard Service;C:\windows\system32\GameMon.des -service --> C:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-19 15:55:22 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-19 15:55:02 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CE0AF42B-5A32-4222-94DF-3FF0E63A5C94}\offreg.dll
2012-08-19 15:32:20 98816 ----a-w- C:\windows\sed.exe
2012-08-19 15:32:20 518144 ----a-w- C:\windows\SWREG.exe
2012-08-19 15:32:20 256000 ----a-w- C:\windows\PEV.exe
2012-08-19 15:32:20 208896 ----a-w- C:\windows\MBR.exe
2012-08-15 21:56:03 -------- d-----w- C:\Users\E\AppData\Local\{C238BA74-A336-484E-8546-2A0AFE84AD7D}
2012-08-15 21:55:52 -------- d-----w- C:\Users\E\AppData\Local\{DB37199D-B3F0-40F8-B1BC-CCFC3A2F5E15}
2012-08-12 12:50:43 -------- d-----w- C:\Users\E\AppData\Roaming\Waterfox Limited
2012-08-08 17:42:23 -------- d-----w- C:\Users\E\AppData\Local\{8BEA5AA3-3DEA-403B-8960-353571224847}
2012-08-08 17:42:12 -------- d-----w- C:\Users\E\AppData\Local\{69526FCE-8F3A-460D-9B7B-9062298D13DB}
2012-08-05 22:32:42 -------- d-----w- C:\Users\E\AppData\Local\{157D3345-0458-4A15-81E2-1FAD9047A4EC}
2012-08-05 22:32:16 -------- d-----w- C:\Users\E\AppData\Local\{2E5BEA6B-109E-4D78-A7C3-7A71FCAAD18E}
2012-07-31 17:03:06 -------- d-----w- C:\Users\E\AppData\Local\{FF6BFAE8-71B3-476A-8BB2-AD911829F449}
2012-07-31 17:02:55 -------- d-----w- C:\Users\E\AppData\Local\{C2E1472C-5186-49B3-8148-0450017E29F5}
2012-07-30 19:41:58 -------- d-----w- C:\Users\E\AppData\Local\{68A24E7A-F970-490F-BE22-1E948B7FE347}
2012-07-30 19:40:32 -------- d-----w- C:\Users\E\AppData\Local\{47429B24-DB6A-4D89-B444-E12957F722B5}
2012-07-27 18:49:28 -------- d-----w- C:\Users\E\AppData\Local\{8DD53C5C-B796-4A22-A5A5-19FC8A03F0E3}
2012-07-27 18:49:16 -------- d-----w- C:\Users\E\AppData\Local\{83F30B5C-71B4-4A46-B6B1-DB0ED8CAF706}
2012-07-26 14:51:44 -------- d-----w- C:\Users\E\AppData\Local\{E7D09EFA-1347-4B16-9C5C-FEF1C4EA655B}
2012-07-26 14:50:43 -------- d-----w- C:\Users\E\AppData\Local\{2271A012-447E-4D82-A789-9D71F39337BF}
2012-07-22 15:52:19 -------- d-----w- C:\Users\E\AppData\Local\{936A3A53-42BB-44BD-89A4-F89AE5E12A0A}
2012-07-22 15:52:07 -------- d-----w- C:\Users\E\AppData\Local\{84FFD483-962F-45E0-8BB7-835A1BE31776}
2012-07-21 15:53:31 -------- d-----w- C:\Users\E\AppData\Local\{4BD8EEB4-88CD-4186-8AC5-26B023258133}
2012-07-21 15:53:19 -------- d-----w- C:\Users\E\AppData\Local\{E58EB009-B144-4173-AFC7-F567B47331D6}
.
==================== Find3M ====================
.
2012-07-12 14:27:03 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 14:27:03 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-07-03 16:46:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-06-20 15:28:03 4145600 ----a-w- C:\windows\SysWow64\GameMon.des
2012-06-03 17:43:43 8769696 ----a-w- C:\windows\SysWow64\FlashPlayerInstaller.exe
2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll
2012-06-02 18:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll
2012-06-02 18:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe
.
============= FINISH: 13:02:00,39 ===============
Hi,
Your logs show old Java still. Did you update it yet?
Ok then it must have been installed after the posted DDS log. Please post fresh DDS logs + a description of remaining issues (if any).
Just ran it:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by E at 17:55:30 on 2012-08-27
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.55.1046.18.3957.2247 [GMT -3:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\SysWOW64\Rezip.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\taskeng.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Rainmeter\Rainmeter.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\DllHost.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Waterfox\waterfox.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyOverride = *.local
BHO: Auxiliar de Conexão do Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files (x86)\Rainmeter\Rainmeter.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Enviar imagem para Dispositivo &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\D4943425F454C4544525F4E4943414 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DACE21EB-C065-4551-A94F-E84A92815EA3}\E4F647560205164756C6C6960214365627 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F37648D8-9DE9-4418-BD56-F15E07CCD79D} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F7BABD8C-D1ED-4CB1-92B7-CD9B5C4B5BEF} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\windows\system32\DRIVERS\dtsoftbus01.sys --> C:\windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 cpuz135;cpuz135;\??\C:\windows\system32\drivers\cpuz135_x64.sys --> C:\windows\system32\drivers\cpuz135_x64.sys [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-6-3 1262400]
R2 Rezip;Rezip;C:\Windows\SysWOW64\Rezip.exe [2010-6-19 311296]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-20 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-2 483688]
R3 btwampfl;Bluetooth AMP USB Filter;C:\windows\system32\drivers\btwampfl.sys --> C:\windows\system32\drivers\btwampfl.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 Sftfs;Sftfs;C:\windows\system32\DRIVERS\Sftfslh.sys --> C:\windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\windows\system32\DRIVERS\Sftplaylh.sys --> C:\windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\windows\system32\DRIVERS\Sftredirlh.sys --> C:\windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\windows\system32\DRIVERS\Sftvollh.sys --> C:\windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-2 209768]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]
S3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 08/27/2006, 0.1.12.0;C:\windows\system32\DRIVERS\libusb0.sys --> C:\windows\system32\DRIVERS\libusb0.sys [?]
S3 npggsvc;nProtect GameGuard Service;C:\windows\system32\GameMon.des -service --> C:\windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-27 20:49:19 -------- d-----w- C:\Users\E\AppData\Local\{812390CF-02A1-4DD7-9971-1CEA14086E9F}
2012-08-27 16:26:02 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CE0AF42B-5A32-4222-94DF-3FF0E63A5C94}\offreg.dll
2012-08-26 14:47:29 -------- d-----w- C:\Users\E\AppData\Local\{5E856F48-547C-4659-B7DF-1C3E5C5CA13A}
2012-08-21 21:05:39 -------- d-----w- C:\Program Files (x86)\ESET
2012-08-21 21:00:17 108008 ----a-w- C:\windows\System32\WindowsAccessBridge-64.dll
2012-08-20 19:32:22 -------- d-----w- C:\Users\E\AppData\Local\{D12E89D4-2675-4656-9804-5D7B631B0900}
2012-08-19 22:31:22 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-19 16:30:59 -------- d-----w- C:\Users\E\AppData\Local\{3B66DABE-DF26-47DD-8344-172A9DC87F6A}
2012-08-19 15:32:20 98816 ----a-w- C:\windows\sed.exe
2012-08-19 15:32:20 518144 ----a-w- C:\windows\SWREG.exe
2012-08-19 15:32:20 256000 ----a-w- C:\windows\PEV.exe
2012-08-19 15:32:20 208896 ----a-w- C:\windows\MBR.exe
2012-08-15 21:56:03 -------- d-----w- C:\Users\E\AppData\Local\{C238BA74-A336-484E-8546-2A0AFE84AD7D}
2012-08-15 21:55:52 -------- d-----w- C:\Users\E\AppData\Local\{DB37199D-B3F0-40F8-B1BC-CCFC3A2F5E15}
2012-08-12 12:50:43 -------- d-----w- C:\Users\E\AppData\Roaming\Waterfox Limited
2012-08-08 17:42:23 -------- d-----w- C:\Users\E\AppData\Local\{8BEA5AA3-3DEA-403B-8960-353571224847}
2012-08-08 17:42:12 -------- d-----w- C:\Users\E\AppData\Local\{69526FCE-8F3A-460D-9B7B-9062298D13DB}
2012-08-05 22:32:42 -------- d-----w- C:\Users\E\AppData\Local\{157D3345-0458-4A15-81E2-1FAD9047A4EC}
2012-08-05 22:32:16 -------- d-----w- C:\Users\E\AppData\Local\{2E5BEA6B-109E-4D78-A7C3-7A71FCAAD18E}
2012-07-31 17:03:06 -------- d-----w- C:\Users\E\AppData\Local\{FF6BFAE8-71B3-476A-8BB2-AD911829F449}
2012-07-31 17:02:55 -------- d-----w- C:\Users\E\AppData\Local\{C2E1472C-5186-49B3-8148-0450017E29F5}
2012-07-30 19:41:58 -------- d-----w- C:\Users\E\AppData\Local\{68A24E7A-F970-490F-BE22-1E948B7FE347}
2012-07-30 19:40:32 -------- d-----w- C:\Users\E\AppData\Local\{47429B24-DB6A-4D89-B444-E12957F722B5}
.
==================== Find3M ====================
.
2012-08-21 21:00:03 916456 ----a-w- C:\windows\System32\deployJava1.dll
2012-08-21 21:00:03 1034216 ----a-w- C:\windows\System32\npdeployJava1.dll
2012-08-19 21:46:06 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-19 21:46:06 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-07-03 16:46:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-06-20 15:28:03 4145600 ----a-w- C:\windows\SysWow64\GameMon.des
2012-06-03 17:43:43 8769696 ----a-w- C:\windows\SysWow64\FlashPlayerInstaller.exe
2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll
2012-06-02 18:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll
2012-06-02 18:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe
.
============= FINISH: 17:57:02,90 ===============
Hi,
attach.txt log contents is missing.
That looks ok :) Any symptoms left?
Malware Bytes is not detecting anything else and I'm not noticing anything abnormal too.
Thanks for your time Blade! =)
Wait, suddenly ""c:\windows\SysWOW64\cmd.exe" /c (something on AppData)" is trying to run by itself.
Not sure if it's related with the rootkit.
suddenly ""c:\windows\SysWOW64\cmd.exe" /c (something on AppData)" is trying to run by itself.Do you have exact path what is trying to run from AppData? Were you doing something when that notification popped up?
I couldn't make the Windows notification window show the entire path, unfortunately.It was a folder with random numbers at the start.
I was just browsing a couple of message boards at the time.
Hi,
I was just browsing a couple of message boards at the time.
Sounds like a possible infection attempt that Windows UAC warned about early enough.
If there're no symptoms left let's have a look at the final steps. At this point it's extremely important to get the system up-to-date. I'll give instructions for that further below in the message.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.
A To disable the System Restore feature:
1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Select c: drive and click Configure...
7. Select Turn off protection
8. Press OK.
Repeat steps 6-8 for each hard drive.
B. Reboot.
C Turn ON System Restore.
Follow the steps like you did when disabling system restore but on step 7. select Restore system settings and previous versions of files -option.
Now lets uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
Trying to update Windows, I'm getting the error 80246008.I try to activate the Windows BITS, but it isn't in the Services List.
Hi,
Please download Farbar Service Scanner (http://download.bleepingcomputer.com/farbar/FSS.exe) and run it on the computer with the issue.
Check these boxes:
-Internet Services
-Windows Firewall
-System Restore
-Security Center
-Windows Update
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
Here it is:
Farbar Service Scanner Version: 06-08-2012
Ran by E (administrator) on 02-09-2012 at 18:06:22
Running from "C:\Users\E\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Windows Autoupdate Disabled Policy:
============================
Other Services:
==============
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
Hi,
Download this (http://download.bleepingcomputer.com/win-services/7/BITS.reg) file to your desktop. Then run it and allow merging. Reboot and run the service scanner again. Post back the log.
Note: the file is meant to be used in this specific topic case only. Using it elsewhere may render system unbootable.
The log:
Farbar Service Scanner Version: 06-08-2012
Ran by E (administrator) on 03-09-2012 at 14:15:22
Running from "C:\Users\E\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Windows Autoupdate Disabled Policy:
============================
Other Services:
==============
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
Hi,
Reboot if you haven't done so yet and then see if Windows Update works.
Ant, it worked! =)
Everything updated now.
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.