
Thread: Smitfraud-C.generic--Help w/ removal!

  1. #11
    Blade81 (Security Expert: Emeritus; Finland; joined Oct 2006; 25,288 posts)

    Hi,

    Let's give ComboFix another go

    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  2. #12
    Junior Member (joined Jun 2012; 13 posts)

    It worked!!

    ComboFix 12-06-21.02 - Shelby 06/21/2012 16:24:47.5.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4056.2973 [GMT -4:00]
    Running from: c:\users\Shelby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DWR4Z2OK\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\svchost.exe
    .
    ---- Previous Run -------
    .
    c:\windows\svchost.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-21 to 2012-06-21 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-21 20:34 . 2012-06-21 20:34 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-06-21 19:44 . 2012-06-21 19:44 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-06-21 15:16 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-21 15:16 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-21 15:16 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-21 15:16 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 15:15 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-21 15:15 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-19 22:18 . 2012-05-02 05:32 208896 ----a-w- c:\windows\system32\profsvc.dll
    2012-06-19 22:18 . 2012-04-26 05:34 76288 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-06-19 22:18 . 2012-04-26 05:34 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-06-19 22:18 . 2012-04-26 05:28 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-06-19 22:18 . 2012-05-15 01:32 3144192 ----a-w- c:\windows\system32\win32k.sys
    2012-06-19 22:16 . 2012-04-28 03:50 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-19 22:16 . 2012-04-07 12:18 3213824 ----a-w- c:\windows\system32\msi.dll
    2012-06-19 22:16 . 2012-04-07 11:34 2342400 ----a-w- c:\windows\SysWow64\msi.dll
    2012-06-19 22:14 . 2012-04-24 05:59 1460224 ----a-w- c:\windows\system32\crypt32.dll
    2012-06-19 22:14 . 2012-04-24 04:47 1156608 ----a-w- c:\windows\SysWow64\crypt32.dll
    2012-06-19 22:14 . 2012-04-24 05:59 182272 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-19 22:14 . 2012-04-24 05:59 140288 ----a-w- c:\windows\system32\cryptnet.dll
    2012-06-19 22:14 . 2012-04-24 04:47 139264 ----a-w- c:\windows\SysWow64\cryptsvc.dll
    2012-06-19 22:14 . 2012-04-24 04:47 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
    2012-06-13 21:09 . 2012-06-21 18:22 -------- d-----w- c:\program files (x86)\Common Files\Adobe
    2012-06-11 19:29 . 2011-03-25 03:22 52224 ----a-w- c:\windows\system32\drivers\usbehci.sys
    2012-06-11 19:29 . 2011-03-25 03:23 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
    2012-06-11 19:29 . 2011-03-25 03:23 98816 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2012-06-11 19:29 . 2011-03-25 03:23 324608 ----a-w- c:\windows\system32\drivers\usbport.sys
    2012-06-11 19:29 . 2011-03-25 03:22 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys
    2012-06-11 19:29 . 2011-03-25 03:22 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys
    2012-06-11 19:29 . 2011-03-25 03:22 7936 ----a-w- c:\windows\system32\drivers\usbd.sys
    2012-06-11 19:25 . 2011-03-11 06:23 1657216 ----a-w- c:\windows\system32\drivers\ntfs.sys
    2012-06-11 19:25 . 2011-03-11 06:23 166272 ----a-w- c:\windows\system32\drivers\nvstor.sys
    2012-06-11 19:25 . 2011-03-11 06:23 148352 ----a-w- c:\windows\system32\drivers\nvraid.sys
    2012-06-11 19:25 . 2011-03-11 06:22 107904 ----a-w- c:\windows\system32\drivers\amdsata.sys
    2012-06-11 19:25 . 2011-03-11 06:18 2566144 ----a-w- c:\windows\system32\esent.dll
    2012-06-11 19:25 . 2011-03-11 06:23 187264 ----a-w- c:\windows\system32\drivers\storport.sys
    2012-06-11 19:25 . 2011-03-11 06:22 27008 ----a-w- c:\windows\system32\drivers\amdxata.sys
    2012-06-11 19:25 . 2011-03-11 05:39 1686016 ----a-w- c:\windows\SysWow64\esent.dll
    2012-06-11 19:25 . 2011-03-11 06:23 410496 ----a-w- c:\windows\system32\drivers\iaStorV.sys
    2012-06-11 19:25 . 2011-03-11 06:15 96768 ----a-w- c:\windows\system32\fsutil.exe
    2012-06-11 19:25 . 2011-03-11 05:37 74240 ----a-w- c:\windows\SysWow64\fsutil.exe
    2012-06-11 18:55 . 2012-06-11 18:55 -------- d-----w- c:\windows\SysWow64\Wat
    2012-06-11 18:55 . 2012-06-11 18:55 -------- d-----w- c:\windows\system32\Wat
    2012-06-10 20:36 . 2010-09-14 06:45 367104 ----a-w- c:\windows\system32\wcncsvc.dll
    2012-06-10 20:36 . 2010-09-14 06:07 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
    2012-06-10 20:12 . 2009-09-10 06:28 311808 ----a-w- c:\windows\system32\msv1_0.dll
    2012-06-10 20:12 . 2009-09-10 05:52 257024 ----a-w- c:\windows\SysWow64\msv1_0.dll
    2012-06-10 19:52 . 2009-11-25 16:47 99176 ----a-w- c:\windows\SysWow64\PresentationHostProxy.dll
    2012-06-10 19:52 . 2009-11-25 16:47 49472 ----a-w- c:\windows\SysWow64\netfxperf.dll
    2012-06-10 19:52 . 2009-11-25 16:47 48960 ----a-w- c:\windows\system32\netfxperf.dll
    2012-06-10 19:52 . 2009-11-25 16:47 297808 ----a-w- c:\windows\SysWow64\mscoree.dll
    2012-06-10 19:52 . 2009-11-25 16:47 295264 ----a-w- c:\windows\SysWow64\PresentationHost.exe
    2012-06-10 19:52 . 2009-11-25 16:47 1130824 ----a-w- c:\windows\SysWow64\dfshim.dll
    2012-06-10 19:52 . 2009-11-25 16:47 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2012-06-10 19:52 . 2009-11-25 16:47 444752 ----a-w- c:\windows\system32\mscoree.dll
    2012-06-10 19:52 . 2009-11-25 16:47 320352 ----a-w- c:\windows\system32\PresentationHost.exe
    2012-06-10 19:52 . 2009-11-25 16:47 1942856 ----a-w- c:\windows\system32\dfshim.dll
    2012-06-10 19:36 . 2012-06-10 19:36 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
    2012-06-10 19:27 . 2012-03-01 06:54 22896 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-06-10 19:27 . 2012-03-01 06:45 220672 ----a-w- c:\windows\system32\wintrust.dll
    2012-06-10 19:27 . 2012-03-01 06:40 80896 ----a-w- c:\windows\system32\imagehlp.dll
    2012-06-10 19:27 . 2012-03-01 06:35 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-06-10 19:27 . 2012-03-01 05:49 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
    2012-06-10 19:27 . 2012-03-01 05:45 158720 ----a-w- c:\windows\SysWow64\imagehlp.dll
    2012-06-10 19:27 . 2012-03-01 05:40 5120 ----a-w- c:\windows\SysWow64\wmi.dll
    2012-06-10 18:55 . 2012-06-19 21:47 -------- d-----w- c:\program files (x86)\Microsoft Works
    2012-06-10 18:55 . 2012-06-11 19:12 -------- d-----w- c:\program files (x86)\Microsoft.NET
    2012-06-10 18:55 . 2012-06-10 18:55 -------- d-----w- c:\windows\PCHEALTH
    2012-06-10 18:51 . 2012-06-20 00:07 -------- d-----w- c:\programdata\Microsoft Help
    2012-06-10 17:48 . 2011-10-01 05:28 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
    2012-06-10 17:46 . 2011-10-26 05:22 1572864 ----a-w- c:\windows\system32\quartz.dll
    2012-06-10 17:46 . 2011-10-26 04:28 1328640 ----a-w- c:\windows\SysWow64\quartz.dll
    2012-06-10 17:46 . 2011-10-26 05:22 366592 ----a-w- c:\windows\system32\qdvd.dll
    2012-06-10 17:46 . 2011-10-26 04:28 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
    2012-06-10 17:46 . 2012-01-04 09:58 509952 ----a-w- c:\windows\system32\ntshrui.dll
    2012-06-10 17:46 . 2012-01-04 09:03 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
    2012-06-10 17:46 . 2010-06-29 05:35 4582912 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
    2012-06-10 17:46 . 2010-06-29 05:39 2085376 ----a-w- c:\windows\system32\ole32.dll
    2012-06-10 17:46 . 2010-06-29 04:57 4247040 ----a-w- c:\program files (x86)\Windows NT\Accessories\wordpad.exe
    2012-06-10 17:46 . 2010-06-29 05:02 1413632 ----a-w- c:\windows\SysWow64\ole32.dll
    2012-06-10 17:46 . 2011-05-04 05:28 2228224 ----a-w- c:\windows\system32\mssrch.dll
    2012-06-10 17:44 . 2010-01-19 09:05 422912 ----a-w- c:\windows\system32\secproc_isv.dll
    2012-06-10 17:43 . 2012-01-03 06:24 515584 ----a-w- c:\windows\system32\timedate.cpl
    2012-06-10 17:42 . 2010-06-19 06:53 52224 ----a-w- c:\windows\system32\rtutils.dll
    2012-06-10 17:41 . 2011-04-22 20:18 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
    2012-06-10 17:40 . 2011-12-28 03:59 499200 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-06-10 17:40 . 2012-03-17 07:55 75632 ----a-w- c:\windows\system32\drivers\partmgr.sys
    2012-06-10 17:40 . 2010-08-27 06:14 236032 ----a-w- c:\windows\system32\srvsvc.dll
    2012-06-10 17:40 . 2010-08-27 05:46 9728 ----a-w- c:\windows\SysWow64\sscore.dll
    2012-06-10 17:40 . 2010-10-12 05:05 35328 ----a-w- c:\program files\Windows Mail\wabfind.dll
    2012-06-10 17:40 . 2010-10-12 05:00 516096 ----a-w- c:\program files\Windows Mail\wab.exe
    2012-06-10 17:40 . 2010-10-12 04:25 516096 ----a-w- c:\program files (x86)\Windows Mail\wab.exe
    2012-06-10 17:40 . 2011-08-17 05:32 613888 ----a-w- c:\windows\system32\psisdecd.dll
    2012-06-10 17:40 . 2011-08-17 05:27 288256 ----a-w- c:\windows\system32\MSNP.ax
    2012-06-10 17:40 . 2011-08-17 05:27 108032 ----a-w- c:\windows\system32\psisrndr.ax
    2012-06-10 17:40 . 2011-08-17 04:22 75776 ----a-w- c:\windows\SysWow64\psisrndr.ax
    2012-06-10 17:38 . 2011-07-16 05:04 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
    2012-06-10 17:37 . 2011-05-24 11:21 404992 ----a-w- c:\windows\system32\umpnpmgr.dll
    2012-06-10 17:37 . 2011-05-24 10:34 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
    2012-06-10 17:37 . 2011-05-24 10:32 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
    2012-06-10 17:37 . 2011-05-24 10:34 64512 ----a-w- c:\windows\SysWow64\devobj.dll
    2012-06-10 17:37 . 2011-05-24 10:34 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
    2012-06-10 17:37 . 2011-02-12 06:14 267776 ----a-w- c:\windows\system32\FXSCOVER.exe
    2012-06-10 17:25 . 2011-05-03 05:21 976896 ----a-w- c:\windows\system32\inetcomm.dll
    2012-06-10 17:25 . 2011-05-03 04:50 740864 ----a-w- c:\windows\SysWow64\inetcomm.dll
    2012-06-10 17:25 . 2011-12-16 08:42 634368 ----a-w- c:\windows\system32\msvcrt.dll
    2012-06-10 17:25 . 2011-12-16 07:59 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
    2012-06-10 17:25 . 2010-10-16 05:23 112000 ----a-w- c:\windows\system32\consent.exe
    2012-06-10 17:25 . 2011-02-23 05:15 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
    2012-06-10 17:25 . 2011-08-27 05:40 861184 ----a-w- c:\windows\system32\oleaut32.dll
    2012-06-10 17:25 . 2011-08-27 05:40 331776 ----a-w- c:\windows\system32\oleacc.dll
    2012-06-10 17:25 . 2011-08-27 04:43 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
    2012-06-10 17:25 . 2011-08-27 04:43 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
    2012-06-10 17:25 . 2011-10-15 06:25 723456 ----a-w- c:\windows\system32\EncDec.dll
    2012-06-10 17:25 . 2011-10-15 05:48 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2012-06-10 17:24 . 2011-11-05 05:17 2048 ----a-w- c:\windows\system32\tzres.dll
    2012-06-10 17:24 . 2011-11-05 04:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2012-06-10 17:24 . 2012-03-30 11:09 1895280 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-06-10 17:24 . 2012-04-02 05:26 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
    2012-06-10 17:24 . 2012-04-02 05:24 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
    2012-06-10 17:24 . 2012-04-02 05:24 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
    2012-06-10 17:24 . 2012-04-02 04:40 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
    2012-06-10 17:24 . 2012-04-02 05:24 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
    2012-06-10 17:23 . 2010-10-16 05:17 720896 ----a-w- c:\windows\system32\odbc32.dll
    2012-06-10 17:23 . 2010-10-16 05:16 1425408 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1675160]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    .
    c:\users\Shelby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 257224]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-03-20 210584]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-21 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 02:33]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}"=hex:51,66,7a,6c,4c,1d,38,12,26,bd,a8,
    0a,e6,f4,22,0e,f1,4c,12,2a,bb,94,a4,70
    "{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
    57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
    "{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"=hex:51,66,7a,6c,4c,1d,38,12,ce,d6,a1,
    79,73,3c,17,0b,c9,9b,20,49,f5,42,16,25
    "{B164E929-A1B6-4A06-B104-2CD0E90A88FF}"=hex:51,66,7a,6c,4c,1d,38,12,47,ea,77,
    b5,84,ef,68,0f,ce,12,6f,90,ec,54,cc,eb
    "{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
    fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
    "{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
    b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:35,db,6f,37,cf,4f,cd,01
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SysWOW64\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2012-06-21 16:51:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-06-21 20:51
    .
    Pre-Run: 148,951,822,336 bytes free
    Post-Run: 148,862,464,000 bytes free
    .
    - - End Of File - - DD79FE68C47986692CC47B118DE6AB75
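The one entry ComboFix removed above, c:\windows\svchost.exe, is the kind of finding worth recognising on sight: the genuine Service Host binary lives in c:\windows\system32 (and c:\windows\SysWOW64 on x64), so a file of that name directly under c:\windows is a masquerade. The script below is an added example, not ComboFix's code or anything posted in this thread; it parses the "Other Deletions" section of a ComboFix-style log and flags known system binary names found outside their expected directories. The expected-location table and the sample log are constructed for illustration (the second path in the sample is made up).

```python
"""Check whether well-known Windows system binaries listed in a ComboFix-style
'Other Deletions' section sit outside their expected directories.

Added example for this thread, not ComboFix's own code. The expected-location
table and the sample log are constructed for illustration."""
import ntpath
from collections import OrderedDict

# Assumed: where these binaries legitimately live on 64-bit Windows 7.
# A defender would maintain and extend this table; it is not from the log.
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}


def normalize(path):
    """Lower-case and use backslashes so comparisons ignore case and separators."""
    return path.strip().lower().replace("/", "\\")


def classify_path(path):
    """'masquerade' = known system binary name in the wrong directory,
    'expected'   = in a known location (or the WinSxS component store),
    'unknown'    = file name not in the table."""
    directory, name = ntpath.split(normalize(path))
    if name not in EXPECTED_DIRS:
        return "unknown"
    if directory in EXPECTED_DIRS[name] or "\\winsxs\\" in directory + "\\":
        return "expected"
    return "masquerade"


def parse_deletions(log_text):
    """Collect file paths from the 'Other Deletions' section of a ComboFix log,
    stopping at the next '((((' section header; '.' filler lines and the
    '---- Previous Run ----' subheading are skipped."""
    paths, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("((((") and "Other Deletions" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break
        if in_section and line and line != "." and not line.startswith("----"):
            paths.append(line)
    return paths


def triage(log_text):
    """Map each distinct deleted path to its classification, in log order."""
    findings = OrderedDict()
    for p in parse_deletions(log_text):
        findings.setdefault(normalize(p), classify_path(p))
    return findings


# Constructed sample modelled on the log format in this thread; the second path is made up.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\svchost.exe
c:\users\example\appdata\local\temp\constructed-sample.tmp
.
---- Previous Run -------
.
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-21 to 2012-06-21 )))))))))))))))))))))))))))))))
.
"""

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_LOG).items():
        print(f"{verdict:<11} {path}")
```

The same name-versus-directory check applies to the "Other Running Processes" list further down a ComboFix log; a process image path is matched the same way, and a miss is a prompt to look at the file's signature and creation time rather than a verdict on its own.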

  3. #13
    Blade81 (Security Expert: Emeritus; Finland; joined Oct 2006; 25,288 posts)

    Hi,

    Please place the ComboFix.exe file to your desktop.

    * Go here to run an online scanner from ESET.
      • Note: You will need to use Internet Explorer for this scan
      • Tick the box next to YES, I accept the Terms of Use.
      • Click Start
      • When asked, allow the ActiveX control to install
      • Click Start
      • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
      • Click Scan
      • Wait for the scan to finish.

    Post back its report & a fresh dds.txt log. Any issues present?

  4. #14
    Junior Member (joined Jun 2012; 13 posts)

    Need a bit more time...

    Sorry for the delay. This scan has literally been running for the past 2 days and it just finished. Unfortunately, when I clicked finish, the details disappeared, and the screen jumped to an ad for the company. Needless to say I am going to have to run the scan again, which will most likely take an additional 2 days. So far, I haven't seen any problems, they seem to have gone away. However, this scan did come up with 63 issues, and I want to see this through. Thank you for your patience, and I will get back to you as soon as the scan is finished.

  5. #15
    Blade81 (Security Expert: Emeritus; Finland; joined Oct 2006; 25,288 posts)

    Hi,

    Make sure your McAfee antivirus protection is disabled when running ESET scanner. That may speed up the scanning process.

  6. #16
    Junior Member (joined Jun 2012; 13 posts)

    ESET but no dds

    Hi,

    So here is the ESET but now I am having troubles with the dds links. I turned off McAfee but the link would just act like it's loading but never appear. I will try again in the morning. So far, no issues though. Thanks again for all of your help so far; you're amazing!

  7. #17
    Junior Member (joined Jun 2012; 13 posts)

    Whoops!

    Here is the report haha.

    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric8.zip Win32/Bagle.gen.zip worm
    C:\TDSSKiller_Quarantine\21.06.2012_15.44.02\mbr0000\tdlfs0000\tsk0000.dta Win64/Olmarik.AK trojan
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric8.zip Win32/Bagle.gen.zip worm
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm HTML/Iframe.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Application Data\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Application Data\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm HTML/Iframe.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Application Data\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm HTML/Iframe.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm HTML/Iframe.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\ec625cb-7627966d multiple threats
    C:\Windows.old\Documents and Settings\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\57a3fb8e-3775af0e a variant of Win32/Kryptik.AFDK trojan
    C:\Windows.old\Documents and Settings\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b0b81d-22fff9be multiple threats
    C:\Windows.old\Documents and Settings\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\53784821-4355561b a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Windows.old\Documents and Settings\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\e5a51ab-236f96ea a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Windows.old\Documents and Settings\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\3eb5fd45-6b8d64b6 a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Windows.old\Documents and Settings\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a5ca89-58885d98 a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Windows.old\Documents and Settings\Shelby\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm HTML/Iframe.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\Local Settings\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\Local Settings\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm HTML/Iframe.B.Gen virus
    C:\Windows.old\Documents and Settings\Shelby\Local Settings\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Users\Shelby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Users\Shelby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm HTML/Iframe.B.Gen virus
    C:\Windows.old\Users\Shelby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Users\Shelby\AppData\Local\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Users\Shelby\AppData\Local\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm HTML/Iframe.B.Gen virus
    C:\Windows.old\Users\Shelby\AppData\Local\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Users\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\ec625cb-7627966d multiple threats
    C:\Windows.old\Users\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\57a3fb8e-3775af0e a variant of Win32/Kryptik.AFDK trojan
    C:\Windows.old\Users\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b0b81d-22fff9be multiple threats
    C:\Windows.old\Users\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\53784821-4355561b a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Windows.old\Users\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\e5a51ab-236f96ea a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Windows.old\Users\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\3eb5fd45-6b8d64b6 a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Windows.old\Users\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a5ca89-58885d98 a variant of Java/TrojanDownloader.Agent.NDJ trojan
    C:\Windows.old\Users\Shelby\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Users\Shelby\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm HTML/Iframe.B.Gen virus
    C:\Windows.old\Users\Shelby\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Users\Shelby\Local Settings\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus
    C:\Windows.old\Users\Shelby\Local Settings\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm HTML/Iframe.B.Gen virus
    C:\Windows.old\Users\Shelby\Local Settings\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm HTML/ScrInject.B.Gen virus

  8. #18
    Blade81 (Security Expert: Emeritus, Finland; member since Oct 2006; 25,288 posts)

    Hi,

    So here is the ESET but now I am having trouble with the DDS links. I turned off McAfee but the link would just act like it's loading but never appear. I will try again in the morning.
    Both DDS links listed here work. I'll get back to dealing with those ESET findings after seeing the DDS report first.

  9. #19
    Junior Member (joined Jun 2012; 13 posts)

    DDS log

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421
    Run by Shelby at 8:38:06 on 2012-06-26
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4056.2998 [GMT -4:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\mfevtps.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\StikyNot.exe
    C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\Microsoft Games\minesweeper\minesweeper.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120611170811.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
    uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
    mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    StartupFolder: C:\Users\Shelby\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{23ABA2C2-32B0-4CD4-A2A1-593D5A68FE43} : DhcpNameServer = 192.168.1.1
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\MSC\McSnIePl.dll
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120611170811.dll
    BHO-X64: scriptproxy - No File
    BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
    TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
    mRun-x64: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
    R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
    R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-6-9 249936]
    R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-6-9 249936]
    R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-6-9 249936]
    R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-6-9 249936]
    R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2012-6-9 199272]
    R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2012-6-9 210584]
    R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]
    R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-6-9 1153368]
    R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
    R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
    R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-6-9 257224]
    S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-06-22 19:29:41 -------- d-----w- C:\Program Files (x86)\ESET
    2012-06-22 13:42:50 -------- d-sh--w- C:\$RECYCLE.BIN
    2012-06-21 19:44:57 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-06-21 15:16:42 2622464 ----a-w- C:\Windows\System32\wucltux.dll
    2012-06-21 15:16:11 99840 ----a-w- C:\Windows\System32\wudriver.dll
    2012-06-21 15:15:42 36864 ----a-w- C:\Windows\System32\wuapp.exe
    2012-06-21 15:15:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
    2012-06-20 18:41:28 98816 ----a-w- C:\Windows\sed.exe
    2012-06-20 18:41:28 518144 ----a-w- C:\Windows\SWREG.exe
    2012-06-20 18:41:28 256000 ----a-w- C:\Windows\PEV.exe
    2012-06-20 18:41:28 208896 ----a-w- C:\Windows\MBR.exe
    2012-06-19 22:18:57 208896 ----a-w- C:\Windows\System32\profsvc.dll
    2012-06-19 22:18:53 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
    2012-06-19 22:18:53 76288 ----a-w- C:\Windows\System32\rdpwsx.dll
    2012-06-19 22:18:53 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
    2012-06-19 22:18:33 3144192 ----a-w- C:\Windows\System32\win32k.sys
    2012-06-19 22:16:16 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
    2012-06-19 22:16:10 3213824 ----a-w- C:\Windows\System32\msi.dll
    2012-06-19 22:16:09 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
    2012-06-19 22:14:48 1460224 ----a-w- C:\Windows\System32\crypt32.dll
    2012-06-19 22:14:48 1156608 ----a-w- C:\Windows\SysWow64\crypt32.dll
    2012-06-19 22:14:47 182272 ----a-w- C:\Windows\System32\cryptsvc.dll
    2012-06-19 22:14:47 140288 ----a-w- C:\Windows\System32\cryptnet.dll
    2012-06-19 22:14:46 139264 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
    2012-06-19 22:14:46 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
    2012-06-13 21:14:55 -------- d-----w- C:\Users\Shelby\AppData\Local\Adobe
    2012-06-13 19:30:01 5505392 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2012-06-13 19:29:58 3958128 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-06-13 19:29:58 3902320 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2012-06-11 19:29:29 52224 ----a-w- C:\Windows\System32\drivers\usbehci.sys
    2012-06-11 19:29:28 98816 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
    2012-06-11 19:29:28 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
    2012-06-11 19:29:28 324608 ----a-w- C:\Windows\System32\drivers\usbport.sys
    2012-06-11 19:29:27 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys
    2012-06-11 19:29:27 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
    2012-06-11 19:29:27 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
    2012-06-11 19:25:26 1657216 ----a-w- C:\Windows\System32\drivers\ntfs.sys
    2012-06-11 19:25:25 2566144 ----a-w- C:\Windows\System32\esent.dll
    2012-06-11 19:25:25 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys
    2012-06-11 19:25:25 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys
    2012-06-11 19:25:25 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys
    2012-06-11 19:25:24 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys
    2012-06-11 19:25:24 187264 ----a-w- C:\Windows\System32\drivers\storport.sys
    2012-06-11 19:25:24 1686016 ----a-w- C:\Windows\SysWow64\esent.dll
    2012-06-11 19:25:23 96768 ----a-w- C:\Windows\System32\fsutil.exe
    2012-06-11 19:25:23 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys
    2012-06-11 19:25:22 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe
    2012-06-11 18:55:04 -------- d-----w- C:\Windows\SysWow64\Wat
    2012-06-11 18:55:04 -------- d-----w- C:\Windows\System32\Wat
    2012-06-10 20:36:57 367104 ----a-w- C:\Windows\System32\wcncsvc.dll
    2012-06-10 20:36:57 276992 ----a-w- C:\Windows\SysWow64\wcncsvc.dll
    2012-06-10 20:12:12 311808 ----a-w- C:\Windows\System32\msv1_0.dll
    2012-06-10 20:12:12 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
    2012-06-10 19:52:54 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
    2012-06-10 19:52:54 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
    2012-06-10 19:52:54 48960 ----a-w- C:\Windows\System32\netfxperf.dll
    2012-06-10 19:52:54 444752 ----a-w- C:\Windows\System32\mscoree.dll
    2012-06-10 19:52:54 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
    2012-06-10 19:52:54 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
    2012-06-10 19:52:54 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
    2012-06-10 19:52:54 1942856 ----a-w- C:\Windows\System32\dfshim.dll
    2012-06-10 19:52:54 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
    2012-06-10 19:52:54 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
    2012-06-10 19:27:45 80896 ----a-w- C:\Windows\System32\imagehlp.dll
    2012-06-10 19:27:45 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
    2012-06-10 19:27:45 5120 ----a-w- C:\Windows\System32\wmi.dll
    2012-06-10 19:27:45 22896 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
    2012-06-10 19:27:45 220672 ----a-w- C:\Windows\System32\wintrust.dll
    2012-06-10 19:27:45 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
    2012-06-10 19:27:45 158720 ----a-w- C:\Windows\SysWow64\imagehlp.dll
    2012-06-10 18:55:20 -------- d-----w- C:\Windows\PCHEALTH
    2012-06-10 18:52:02 -------- d-----w- C:\Users\Shelby\AppData\Local\Microsoft Help
    2012-06-10 17:48:56 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
    2012-06-10 17:46:44 1572864 ----a-w- C:\Windows\System32\quartz.dll
    2012-06-10 17:46:44 1328640 ----a-w- C:\Windows\SysWow64\quartz.dll
    2012-06-10 17:46:43 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
    2012-06-10 17:46:43 366592 ----a-w- C:\Windows\System32\qdvd.dll
    2012-06-10 17:46:31 509952 ----a-w- C:\Windows\System32\ntshrui.dll
    2012-06-10 17:46:31 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
    2012-06-10 17:46:26 4582912 ----a-w- C:\Program Files\Windows NT\Accessories\wordpad.exe
    2012-06-10 17:46:25 4247040 ----a-w- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    2012-06-10 17:46:25 2085376 ----a-w- C:\Windows\System32\ole32.dll
    2012-06-10 17:46:24 1413632 ----a-w- C:\Windows\SysWow64\ole32.dll
    2012-06-10 17:46:00 2228224 ----a-w- C:\Windows\System32\mssrch.dll
    2012-06-10 17:44:39 422912 ----a-w- C:\Windows\System32\secproc_isv.dll
    2012-06-10 17:43:54 515584 ----a-w- C:\Windows\System32\timedate.cpl
    2012-06-10 17:42:57 52224 ----a-w- C:\Windows\System32\rtutils.dll
    2012-06-10 17:41:44 27008 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
    2012-06-10 17:40:14 499200 ----a-w- C:\Windows\System32\drivers\afd.sys
    2012-06-10 17:40:11 75632 ----a-w- C:\Windows\System32\drivers\partmgr.sys
    2012-06-10 17:40:09 236032 ----a-w- C:\Windows\System32\srvsvc.dll
    2012-06-10 17:40:08 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
    2012-06-10 17:40:06 516096 ----a-w- C:\Program Files\Windows Mail\wab.exe
    2012-06-10 17:40:06 516096 ----a-w- C:\Program Files (x86)\Windows Mail\wab.exe
    2012-06-10 17:40:06 35328 ----a-w- C:\Program Files\Windows Mail\wabfind.dll
    2012-06-10 17:40:01 613888 ----a-w- C:\Windows\System32\psisdecd.dll
    2012-06-10 17:40:01 288256 ----a-w- C:\Windows\System32\MSNP.ax
    2012-06-10 17:40:00 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
    2012-06-10 17:40:00 108032 ----a-w- C:\Windows\System32\psisrndr.ax
    2012-06-10 17:38:59 4608 ---ha-w- C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
    2012-06-10 17:37:55 404992 ----a-w- C:\Windows\System32\umpnpmgr.dll
    2012-06-10 17:37:54 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
    2012-06-10 17:37:54 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
    2012-06-10 17:37:53 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
    2012-06-10 17:37:53 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
    2012-06-10 17:37:44 267776 ----a-w- C:\Windows\System32\FXSCOVER.exe
    2012-06-10 17:25:41 976896 ----a-w- C:\Windows\System32\inetcomm.dll
    2012-06-10 17:25:40 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
    2012-06-10 17:25:37 634368 ----a-w- C:\Windows\System32\msvcrt.dll
    2012-06-10 17:25:36 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
    2012-06-10 17:25:33 112000 ----a-w- C:\Windows\System32\consent.exe
    2012-06-10 17:25:30 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
    2012-06-10 17:25:24 861184 ----a-w- C:\Windows\System32\oleaut32.dll
    2012-06-10 17:25:24 331776 ----a-w- C:\Windows\System32\oleacc.dll
    2012-06-10 17:25:23 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
    2012-06-10 17:25:23 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
    2012-06-10 17:25:16 723456 ----a-w- C:\Windows\System32\EncDec.dll
    2012-06-10 17:25:15 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
    2012-06-10 17:24:55 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2012-06-10 17:24:55 2048 ----a-w- C:\Windows\System32\tzres.dll
    2012-06-10 17:24:13 1895280 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2012-06-10 17:24:05 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
    2012-06-10 17:24:05 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
    2012-06-10 17:24:04 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
    2012-06-10 17:24:04 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
    2012-06-10 17:24:03 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
    2012-06-10 17:23:57 720896 ----a-w- C:\Windows\System32\odbc32.dll
    2012-06-10 17:23:56 573440 ----a-w- C:\Windows\SysWow64\odbc32.dll
    2012-06-10 17:23:56 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
    2012-06-10 17:23:55 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
    2012-06-10 17:23:55 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
    2012-06-10 17:23:55 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
    2012-06-10 17:23:54 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
    2012-06-10 17:23:53 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll
    2012-06-10 17:23:53 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
    2012-06-10 17:23:53 208896 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll
    2012-06-10 17:23:34 1739160 ----a-w- C:\Windows\System32\ntdll.dll
    2012-06-10 17:23:33 1292592 ----a-w- C:\Windows\SysWow64\ntdll.dll
    2012-06-10 17:19:56 77312 ----a-w- C:\Windows\System32\packager.dll
    2012-06-10 17:19:55 67072 ----a-w- C:\Windows\SysWow64\packager.dll
    2012-06-10 13:05:44 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
    2012-06-10 13:05:44 184832 ----a-w- C:\Windows\System32\drivers\usbvideo.sys
    2012-06-10 07:15:54 -------- d-----w- C:\Windows\Panther
    2012-06-10 07:15:25 -------- d-----w- C:\Windows\System32\oem
    2012-06-10 06:49:54 -------- d-----w- C:\Windows.old
    2012-06-10 03:12:00 -------- d-----w- C:\Users\Shelby\AppData\Local\Microsoft Games
    2012-06-10 02:33:09 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-06-10 02:33:09 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-06-10 01:29:43 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
    2012-06-10 01:29:43 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
    2012-06-10 01:17:50 -------- d-----w- C:\Program Files (x86)\McAfee.com
    2012-06-10 01:17:38 10248 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys
    2012-06-10 01:17:38 -------- d-----w- C:\Program Files (x86)\Common Files\McAfee
    2012-06-10 01:16:44 75936 ----a-w- C:\Windows\System32\drivers\mfenlfk.sys
    2012-06-10 01:16:44 65264 ----a-w- C:\Windows\System32\drivers\cfwids.sys
    2012-06-10 01:16:44 487296 ----a-w- C:\Windows\System32\drivers\mfefirek.sys
    2012-06-10 01:16:44 289664 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys
    2012-06-10 01:16:44 229528 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys
    2012-06-10 01:16:44 100912 ----a-w- C:\Windows\System32\drivers\mferkdet.sys
    2012-06-10 01:16:32 -------- d-----w- C:\Program Files\McAfee.com
    2012-06-10 01:16:32 -------- d-----w- C:\Program Files\McAfee
    2012-06-10 01:16:32 -------- d-----w- C:\Program Files\Common Files\McAfee
    2012-06-10 01:16:29 -------- d-----w- C:\Program Files (x86)\McAfee
    2012-06-10 01:07:34 162192 ----a-w- C:\Windows\System32\mfevtps.exe
    2012-06-10 00:35:54 -------- d-----w- C:\Users\Shelby\AppData\Local\Diagnostics
    2012-06-10 00:27:50 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7250C547-3BEC-4613-AECF-28596846A027}\mpengine.dll
    2012-06-10 00:27:49 279656 ------w- C:\Windows\System32\MpSigStub.exe
    2012-06-10 00:04:13 45056 ----a-r- C:\Users\Shelby\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
    2012-06-10 00:04:12 -------- d-----w- C:\Windows\SysWow64\vmm32
    2012-06-10 00:04:12 -------- d-----w- C:\Program Files (x86)\Dell
    2012-06-10 00:03:44 -------- d-sh--w- C:\Windows\Installer
    2012-06-09 23:58:08 89088 ----a-w- C:\Windows\SysWow64\atl71.dll
    2012-06-09 23:58:08 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
    2012-06-09 23:58:08 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
    2012-06-09 23:58:08 1060864 ----a-w- C:\Windows\SysWow64\MFC71.dll
    2012-06-09 23:58:08 1047552 ----a-w- C:\Windows\SysWow64\MFC71u.dll
    2012-06-09 23:56:07 139264 ----a-w- C:\Windows\System32\cabview.dll
    2012-06-09 23:56:07 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
    2012-06-09 23:56:05 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll
    2012-06-09 23:56:05 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
    2012-06-09 23:56:05 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
    2012-06-09 23:52:56 -------- d-----w- C:\Recovery
    .
    ==================== Find3M ====================
    .
    2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll
    2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    .
    ============= FINISH: 8:40:20.13 ===============

  10. #20
    Blade81 (Security Expert: Emeritus, Finland; member since Oct 2006; 25,288 posts)

    Hi again,

    Open Notepad and copy/paste the text in the quotebox below into it:

    Code:
    Folder::
    C:\TDSSKiller_Quarantine
    File::
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric8.zip
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric8.zip
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Application Data\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Application Data\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Application Data\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Application Data\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm
    C:\Windows.old\Documents and Settings\Shelby\AppData\Local\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm
    C:\Windows.old\Documents and Settings\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\ec625cb-7627966d
    C:\Windows.old\Documents and Settings\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\57a3fb8e-3775af0e
    C:\Windows.old\Documents and Settings\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b0b81d-22fff9be
    C:\Windows.old\Documents and Settings\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\53784821-4355561b
    C:\Windows.old\Documents and Settings\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\e5a51ab-236f96ea
    C:\Windows.old\Documents and Settings\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\3eb5fd45-6b8d64b6
    C:\Windows.old\Documents and Settings\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a5ca89-58885d98
    C:\Windows.old\Documents and Settings\Shelby\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm
    C:\Windows.old\Documents and Settings\Shelby\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm
    C:\Windows.old\Documents and Settings\Shelby\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm
    C:\Windows.old\Documents and Settings\Shelby\Local Settings\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm
    C:\Windows.old\Documents and Settings\Shelby\Local Settings\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm
    C:\Windows.old\Documents and Settings\Shelby\Local Settings\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm
    C:\Windows.old\Users\Shelby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm
    C:\Windows.old\Users\Shelby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm
    C:\Windows.old\Users\Shelby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm
    C:\Windows.old\Users\Shelby\AppData\Local\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm
    C:\Windows.old\Users\Shelby\AppData\Local\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm
    C:\Windows.old\Users\Shelby\AppData\Local\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm
    C:\Windows.old\Users\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\ec625cb-7627966d
    C:\Windows.old\Users\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\57a3fb8e-3775af0e
    C:\Windows.old\Users\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\1b0b81d-22fff9be
    C:\Windows.old\Users\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\53784821-4355561b
    C:\Windows.old\Users\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\e5a51ab-236f96ea
    C:\Windows.old\Users\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\3eb5fd45-6b8d64b6
    C:\Windows.old\Users\Shelby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\64a5ca89-58885d98
    C:\Windows.old\Users\Shelby\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm
    C:\Windows.old\Users\Shelby\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm
    C:\Windows.old\Users\Shelby\Local Settings\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm
    C:\Windows.old\Users\Shelby\Local Settings\Temporary Internet Files\Content.IE5\13NEMFE3\daclips-300x250-default[1].htm
    C:\Windows.old\Users\Shelby\Local Settings\Temporary Internet Files\Content.IE5\1P238XEW\xitnf0qeioodcbb478d6[1].htm
    C:\Windows.old\Users\Shelby\Local Settings\Temporary Internet Files\Low\Content.IE5\JQABFQSB\daclips-300x250-default[1].htm

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
    Then post the resultant log.
