[A] AVG detects a Trojan in system file "smb.sys", causing Windows Update to fail

Discussion in 'Virus and Malware Removal' started by Romeo J. Chacon, Oct 21, 2012.

  1. Broni (Malware Annihilator)

    You have to read my instructions more carefully:
    Yes.
  2. Romeo J. Chacon (TechSpot Member)

    Thanks for your patience, I'll post the new log after it's completed.
  3. Romeo J. Chacon (TechSpot Member)

    I tried uninstalling AVG using both the AppRemover and the basic "remove programs";
    now I'm getting an error when trying to uninstall it. Here is one of several logs:

    === Verbose logging started: 10/21/2012 21:21:05 Build type: SHIP UNICODE 4.05.6002.00 Calling process: C:\Users\ROMEOJ~1\AppData\Local\Temp\7zS52D0.tmp\avgmfapx.exe ===
    MSI (c) (38:48) [21:21:05:816]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'C:\ProgramData\MFAData\pack\AVGx86.msi' against software restriction policy
    MSI (c) (38:48) [21:21:05:816]: SOFTWARE RESTRICTION POLICY: C:\ProgramData\MFAData\pack\AVGx86.msi has a digital signature
    MSI (c) (38:48) [21:21:06:003]: SOFTWARE RESTRICTION POLICY: C:\ProgramData\MFAData\pack\AVGx86.msi is permitted to run at the 'unrestricted' authorization level.
    MSI (c) (38:48) [21:21:06:003]: Failed to connect to server. Error: 0x800401F0

    MSI (c) (38:48) [21:21:06:019]: End dialog not enabled
    MSI (c) (38:48) [21:21:06:019]: Original package ==> C:\ProgramData\MFAData\pack\AVGx86.msi
    MSI (c) (38:48) [21:21:06:019]: Package we're running from ==> C:\ProgramData\MFAData\pack\AVGx86.msi
    MSI (c) (38:48) [21:21:06:019]: APPCOMPAT: looking for appcompat database entry with ProductCode '{013C4AC1-64FB-46EA-9320-D34CEB65BDBC}'.
    MSI (c) (38:48) [21:21:06:019]: APPCOMPAT: no matching ProductCode found in database.
    MSI (c) (38:48) [21:21:06:034]: MSCOREE not loaded loading copy from system32
    MSI (c) (38:48) [21:21:06:034]: Machine policy value 'DisablePatch' is 0
    MSI (c) (38:48) [21:21:06:034]: Machine policy value 'AllowLockdownPatch' is 0
    MSI (c) (38:48) [21:21:06:034]: Machine policy value 'DisableLUAPatching' is 0
    MSI (c) (38:48) [21:21:06:034]: Machine policy value 'DisableFlyWeightPatching' is 0
    MSI (c) (38:48) [21:21:06:034]: APPCOMPAT: looking for appcompat database entry with ProductCode '{013C4AC1-64FB-46EA-9320-D34CEB65BDBC}'.
    MSI (c) (38:48) [21:21:06:034]: APPCOMPAT: no matching ProductCode found in database.
    MSI (c) (38:48) [21:21:06:034]: Transforms are not secure.
    MSI (c) (38:48) [21:21:06:034]: PROPERTY CHANGE: Adding MsiLogFileLocation property. Its value is 'C:\Users\Romeo Jr Chacon\AppData\Local\MFAData\logs\msi-20121022-042057.log'.
    MSI (c) (38:48) [21:21:06:034]: No Command Line.
    MSI (c) (38:48) [21:21:06:034]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{038CDECC-53CA-49AA-B8EF-DF555DDF9B72}'.
    MSI (c) (38:48) [21:21:06:034]: Product Code passed to Engine.Initialize: '(none)'
    MSI (c) (38:48) [21:21:06:034]: Product Code from property table before transforms: '{013C4AC1-64FB-46EA-9320-D34CEB65BDBC}'
    MSI (c) (38:48) [21:21:06:034]: Product Code from property table after transforms: '{013C4AC1-64FB-46EA-9320-D34CEB65BDBC}'
    MSI (c) (38:48) [21:21:06:034]: Product registered: entering maintenance mode
    MSI (c) (38:48) [21:21:06:034]: PROPERTY CHANGE: Adding ProductState property. Its value is '5'.
    MSI (c) (38:48) [21:21:06:034]: PROPERTY CHANGE: Adding ProductToBeRegistered property. Its value is '1'.
    MSI (c) (38:48) [21:21:06:034]: Entering CMsiConfigurationManager::SetLastUsedSource.
    MSI (c) (38:48) [21:21:06:034]: Specifed source is not already in a list.
    MSI (c) (38:48) [21:21:06:034]: User policy value 'SearchOrder' is 'nmu'
    MSI (c) (38:48) [21:21:06:034]: Machine policy value 'DisableBrowse' is 0
    MSI (c) (38:48) [21:21:06:034]: Machine policy value 'AllowLockdownBrowse' is 0
    MSI (c) (38:48) [21:21:06:034]: Adding new sources is allowed.
    MSI (c) (38:48) [21:21:06:034]: Package name retrieved from configuration data: 'Avgx86.msi'
    MSI (c) (38:48) [21:21:06:034]: Determined that existing product (either this product or the product being upgraded with a patch) is installed per-machine.
    MSI (c) (38:48) [21:21:06:034]: Note: 1: 2262 2: AdminProperties 3: -2147287038
    MSI (c) (38:48) [21:21:06:034]: Machine policy value 'DisableMsi' is 0
    MSI (c) (38:48) [21:21:06:034]: Machine policy value 'AlwaysInstallElevated' is 0
    MSI (c) (38:48) [21:21:06:034]: User policy value 'AlwaysInstallElevated' is 0
    MSI (c) (38:48) [21:21:06:034]: Product {013C4AC1-64FB-46EA-9320-D34CEB65BDBC} is admin assigned: LocalSystem owns the publish key.
    MSI (c) (38:48) [21:21:06:034]: Product {013C4AC1-64FB-46EA-9320-D34CEB65BDBC} is managed.
    MSI (c) (38:48) [21:21:06:034]: Running product '{013C4AC1-64FB-46EA-9320-D34CEB65BDBC}' with elevated privileges: Product is assigned.
    MSI (c) (38:48) [21:21:06:034]: TRANSFORMS property is now:
    MSI (c) (38:48) [21:21:06:034]: PROPERTY CHANGE: Adding PRODUCTLANGUAGE property. Its value is '1033'.
    MSI (c) (38:48) [21:21:06:034]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '300'.
    MSI (c) (38:48) [21:21:06:034]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\AppData\Roaming
    MSI (c) (38:48) [21:21:06:034]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\Favorites
    MSI (c) (38:48) [21:21:06:034]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\AppData\Roaming\Microsoft\Windows\Network Shortcuts
    MSI (c) (38:48) [21:21:06:034]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\Documents
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\AppData\Roaming\Microsoft\Windows\Recent
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\AppData\Roaming\Microsoft\Windows\SendTo
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\AppData\Roaming\Microsoft\Windows\Templates
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\ProgramData
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\AppData\Local
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\Pictures
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Start Menu
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\Users\Public\Desktop
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\AppData\Roaming\Microsoft\Windows\Start Menu
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\Users\Romeo Jr Chacon\Desktop
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\ProgramData\Microsoft\Windows\Templates
    MSI (c) (38:48) [21:21:06:050]: SHELL32::SHGetFolderPath returned: C:\Windows\Fonts
    MSI (c) (38:48) [21:21:06:050]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
    MSI (c) (38:48) [21:21:06:050]: MSI_LUA: Setting AdminUser property to 1 because this is the client or the user has already permitted elevation
    MSI (c) (38:48) [21:21:06:050]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
    MSI (c) (38:48) [21:21:06:050]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
    MSI (c) (38:48) [21:21:06:050]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
    MSI (c) (38:48) [21:21:06:050]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
    MSI (c) (38:48) [21:21:06:050]: PROPERTY CHANGE: Adding USERNAME property. Its value is 'Romeo Jr Chacon'.
    MSI (c) (38:48) [21:21:06:050]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
    MSI (c) (38:48) [21:21:06:050]: PROPERTY CHANGE: Adding Installed property. Its value is '00:00:00'.
    MSI (c) (38:48) [21:21:06:050]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'C:\ProgramData\MFAData\pack\AVGx86.msi'.
    MSI (c) (38:48) [21:21:06:050]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'C:\ProgramData\MFAData\pack\AVGx86.msi'.
    MSI (c) (38:48) [21:21:06:050]: Machine policy value 'MsiDisableEmbeddedUI' is 0
    MSI (c) (38:48) [21:21:06:050]: EEUI - Disabling MsiEmbeddedUI due to existing external or embedded UI
    MSI (c) (38:48) [21:21:06:050]: EEUI - Disabling MsiEmbeddedUI in quiet mode
    === Logging started: 10/21/2012 21:21:06 ===
    MSI (c) (38:48) [21:21:06:065]: Note: 1: 2205 2: 3: PatchPackage
    MSI (c) (38:48) [21:21:06:065]: Machine policy value 'DisableRollback' is 0
    MSI (c) (38:48) [21:21:06:065]: User policy value 'DisableRollback' is 0
    MSI (c) (38:48) [21:21:06:065]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
    MSI (c) (38:48) [21:21:06:065]: MsiOpenPackageEx is returning 0
    MSI (c) (38:48) [21:21:06:065]: MsiOpenPackage is returning 0
    MSI (c) (38:48) [21:21:06:065]: PROPERTY CHANGE: Modifying UIBYMFA property. Its current value is '0'. Its new value: '1'.
    MSI (c) (38:48) [21:21:06:065]: PROPERTY CHANGE: Modifying PRODTYPE property. Its current value is 'AVG'. Its new value: 'IS'.
    MSI (c) (38:48) [21:21:06:065]: Doing action: FatalError
    Action 21:21:06: FatalError.
    Action start 21:21:06: FatalError.
    Action ended 21:21:06: FatalError. Return value 0.
    MSI (c) (38:48) [21:21:06:065]: Doing action: UserExit
    Action 21:21:06: UserExit.
    Action start 21:21:06: UserExit.
    Action ended 21:21:06: UserExit. Return value 0.
    MSI (c) (38:48) [21:21:06:065]: Doing action: ExitDialog
    Action 21:21:06: ExitDialog.
    Action start 21:21:06: ExitDialog.
    Action ended 21:21:06: ExitDialog. Return value 0.
    MSI (c) (38:48) [21:21:06:081]: Doing action: CA_PublishMsiPhase1
    Action 21:21:06: CA_PublishMsiPhase1.
    Action start 21:21:06: CA_PublishMsiPhase1.
    MSI (c) (38:88) [21:21:06:143]: Invoking remote custom action. DLL: C:\Users\ROMEOJ~1\AppData\Local\Temp\MSI7A5D.tmp, Entrypoint: CA_PublishMsiPhase1
    MSI (c) (38:84) [21:21:06:159]: Failed to connect to server. Error: 0x80070424

    Action ended 21:21:06: CA_PublishMsiPhase1. Return value 1.
    MSI (c) (38:48) [21:21:06:159]: Doing action: LaunchConditions
    Action 21:21:06: LaunchConditions. Evaluating launch conditions
    Action start 21:21:06: LaunchConditions.
    MSI (c) (38:48) [21:21:06:159]: Note: 1: 2205 2: 3: LaunchCondition
    MSI (c) (38:48) [21:21:06:159]: Note: 1: 2228 2: 3: LaunchCondition 4: SELECT `Condition`, `Description` FROM `LaunchCondition`
    Action ended 21:21:06: LaunchConditions. Return value 0.
    MSI (c) (38:48) [21:21:06:159]: Doing action: PrepareDlg
    Action 21:21:06: PrepareDlg.
    Action start 21:21:06: PrepareDlg.
    Action ended 21:21:06: PrepareDlg. Return value 0.
    MSI (c) (38:48) [21:21:06:159]: Doing action: SetReinstallMode_Inst
    Action 21:21:06: SetReinstallMode_Inst.
    Action start 21:21:06: SetReinstallMode_Inst.
    MSI (c) (38:48) [21:21:06:159]: PROPERTY CHANGE: Adding REINSTALLMODE property. Its value is 'ocmus'.
    Action ended 21:21:06: SetReinstallMode_Inst. Return value 1.
    MSI (c) (38:48) [21:21:06:159]: Doing action: FindRelatedProducts
    Action 21:21:06: FindRelatedProducts. Searching for related applications
    Action start 21:21:06: FindRelatedProducts.
    MSI (c) (38:48) [21:21:06:175]: Skipping FindRelatedProducts action: not run in maintenance mode
    Action ended 21:21:06: FindRelatedProducts. Return value 0.
    MSI (c) (38:48) [21:21:06:175]: Doing action: CA_InitInstallation
    Action 21:21:06: CA_InitInstallation.
    Action start 21:21:06: CA_InitInstallation.
    MSI (c) (38:A4) [21:21:06:237]: Invoking remote custom action. DLL: C:\Users\ROMEOJ~1\AppData\Local\Temp\MSI7ABB.tmp, Entrypoint: CA_InitInstallation
    MSI (c) (38:84) [21:21:06:237]: Failed to connect to server. Error: 0x80070424

    MSI (c) (38:48) [21:21:06:237]: Note: 1: 1719
    Error 1719. SA_Error1719: StandardAction(0xC00706B7): The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
    MSI (c) (38:48) [21:21:06:237]: SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2013 -- Error 1719. SA_Error1719: StandardAction(0xC00706B7): The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
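The two "Failed to connect to server" HRESULTs in the log above point at different faults, and decoding them is quicker than guessing. The script below is an added example (mine, not part of the thread and not an AVG or Microsoft tool): it splits an HRESULT into severity, facility and code, names the two values that occur in this log, and correlates them with the MSI error numbers carried in the SA_Error lines. The sample lines are copied from the log; the verdict strings are my interpretation of those codes.

```python
import re

# HRESULT layout: bit 31 = severity (1 = failure), bits 16-26 = facility,
# bits 0-15 = code. Facility 7 (WIN32) wraps an ordinary Win32 error
# number; facility 4 (ITF) codes are interface-defined, here COM's own.
FACILITY = {4: "FACILITY_ITF", 7: "FACILITY_WIN32"}

# Names for the two values that appear in the log above (documented
# Win32/COM constants); anything else is reported as unknown.
KNOWN = {
    0x800401F0: "CO_E_NOTINITIALIZED",
    0x80070424: "ERROR_SERVICE_DOES_NOT_EXIST (Win32 error 1060)",
}


def decode_hresult(value):
    """Split an HRESULT into its fields and name it if it is a known value."""
    facility = (value >> 16) & 0x7FF
    return {
        "hresult": f"0x{value:08X}",
        "failure": bool((value >> 31) & 1),
        "facility": FACILITY.get(facility, f"facility {facility}"),
        "code": value & 0xFFFF,
        "name": KNOWN.get(value, "unknown"),
    }


CONNECT_RE = re.compile(r"Failed to connect to server\. Error: (0x[0-9A-Fa-f]{8})")
ACTION_RE = re.compile(r"StandardAction\((0x[0-9A-Fa-f]{8})\)")


def triage_msi_log(text):
    """Collect connect failures plus the MSI error numbers behind SA_Error lines."""
    connect = [decode_hresult(int(m.group(1), 16)) for m in CONNECT_RE.finditer(text)]
    # In this log the bracketed StandardAction value carries the MSI error
    # number in its low 16 bits: 0xC00706B7 -> 1719, 0xC00706AD -> 1709.
    msi_errors = sorted({int(m.group(1), 16) & 0xFFFF for m in ACTION_RE.finditer(text)})
    return {"connect_failures": connect, "msi_errors": msi_errors}


def verdict(result):
    """Correlate the failures. Error 1719 together with ERROR_SERVICE_DOES_NOT_EXIST
    means the client could not even open the msiserver service: it is not
    registered with the Service Control Manager, not merely stopped."""
    svc_missing = any(r["facility"] == "FACILITY_WIN32" and r["code"] == 1060
                      for r in result["connect_failures"])
    if 1719 in result["msi_errors"] and svc_missing:
        return "msiserver not registered with the Service Control Manager"
    if 1719 in result["msi_errors"]:
        return "Windows Installer service unreachable (check that it is running)"
    return "no installer-service failure found"


# Constructed excerpt: these three lines are copied from the log above.
SAMPLE = """\
MSI (c) (38:48) [21:21:06:003]: Failed to connect to server. Error: 0x800401F0
MSI (c) (38:84) [21:21:06:159]: Failed to connect to server. Error: 0x80070424
MSI (c) (38:48) [21:21:06:237]: SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2013 -- Error 1719. SA_Error1719: StandardAction(0xC00706B7): The Windows Installer Service could not be accessed.
"""

if __name__ == "__main__":
    result = triage_msi_log(SAMPLE)
    for r in result["connect_failures"]:
        print(r["hresult"], r["facility"], r["code"], r["name"])
    print("MSI errors:", result["msi_errors"])
    print("Verdict:", verdict(result))
```

The first failure (0x800401F0, COM not initialised on the calling thread) comes from the installer's own client-side bootstrap; the second (0x80070424) is the one that matters, because it is what produces Error 1719.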
  4. Romeo J. Chacon (TechSpot Member)

    Never mind, I got it to work by removing AVG using the AVGRemover from their site.
    Okay, I got the right log now. Here is the log:

    ComboFix 12-10-21.02 - Romeo Jr Chacon 10/21/2012 21:38:11.2.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1919.1150 [GMT -7:00]
    Running from: c:\users\Romeo Jr Chacon\Desktop\ComboFix.exe
    AV: AVG Internet Security 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
    FW: AVG Internet Security 2013 *Disabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
    SP: AVG Internet Security 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\logboot_22.10.2012.tureg.log
    .
    ---- Previous Run -------
    .
    C:\data
    c:\data\Lp_setup.exe
    c:\users\Romeo Jr Chacon\AppData\Roaming\Microsoft\~DFK37c542.tmp
    c:\users\Romeo Jr Chacon\AppData\Roaming\Microsoft\1eaadjc.dll
    c:\users\Romeo Jr Chacon\AppData\Roaming\Microsoft\bass.dll
    c:\users\Romeo Jr Chacon\AppData\Roaming\Microsoft\engine_vx.dll
    c:\users\Romeo Jr Chacon\AppData\Roaming\Microsoft\kfgresk.dll
    c:\users\Romeo Jr Chacon\AppData\Roaming\Microsoft\mjcriu.dll
    c:\users\Romeo Jr Chacon\AppData\Roaming\Microsoft\peaadje.dll
    c:\users\Romeo Jr Chacon\AppData\Roaming\Microsoft\qwadjb.dll
    c:\users\Romeo Jr Chacon\AppData\Roaming\Microsoft\rsaadjd.dll
    c:\windows\$NtUninstallKB20050$
    c:\windows\$NtUninstallKB20050$\1830475237
    c:\windows\$NtUninstallKB20050$\853113995\Desktop.ini
    c:\windows\system32\tmpDFD0.tmp
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_nvsvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-22 to 2012-10-22 )))))))))))))))))))))))))))))))
    .
    .
    2012-10-22 04:47 . 2012-10-22 04:47  --------  d-----w-  c:\users\Default\AppData\Local\temp
    2012-10-21 07:20 . 2012-08-23 18:31  32120  ----a-w-  c:\windows\system32\TURegOpt.exe
    2012-10-21 07:20 . 2012-08-23 18:31  21880  ----a-w-  c:\windows\system32\authuitu.dll
    2012-10-16 19:46 . 2012-10-22 00:43  --------  d-----w-  c:\windows\system32\catroot2
    2012-10-13 15:55 . 2012-10-13 15:55  --------  d-----w-  c:\users\Default\AppData\Roaming\TuneUp Software
    2012-10-12 04:13 . 2012-10-12 06:33  73656  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-10-12 04:13 . 2012-10-12 06:33  696760  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
    2012-10-12 03:27 . 2012-10-12 03:27  --------  d-----w-  c:\programdata\Norton
    2012-10-11 03:36 . 2012-10-02 19:29  2557288  ----a-w-  c:\windows\system32\nvsvcr.dll
    2012-10-11 03:32 . 2012-10-02 22:20  6127464  ----a-w-  c:\windows\system32\nvopencl.dll
    2012-10-11 03:32 . 2012-10-02 22:20  2574696  ----a-w-  c:\windows\system32\nvcuvid.dll
    2012-10-11 03:32 . 2012-10-02 22:20  19906920  ----a-w-  c:\windows\system32\nvoglv32.dll
    2012-10-11 03:32 . 2012-10-02 22:20  10837352  ----a-w-  c:\windows\system32\drivers\nvlddmkm.sys
    2012-10-11 03:32 . 2012-10-02 22:20  1867112  ----a-w-  c:\windows\system32\nvcuvenc.dll
    2012-10-11 03:32 . 2012-10-02 22:20  7697768  ----a-w-  c:\windows\system32\nvcuda.dll
    2012-10-11 03:32 . 2012-10-02 22:20  17559912  ----a-w-  c:\windows\system32\nvcompiler.dll
    2012-10-10 17:48 . 2012-09-13 13:28  2048  ----a-w-  c:\windows\system32\tzres.dll
    2012-10-10 17:48 . 2012-06-02 00:02  985088  ----a-w-  c:\windows\system32\crypt32.dll
    2012-10-10 17:48 . 2012-06-02 00:02  98304  ----a-w-  c:\windows\system32\cryptnet.dll
    2012-10-10 17:48 . 2012-06-02 00:02  133120  ----a-w-  c:\windows\system32\cryptsvc.dll
    2012-10-10 17:48 . 2012-08-24 15:53  172544  ----a-w-  c:\windows\system32\wintrust.dll
    2012-10-10 17:48 . 2012-08-29 11:27  3602816  ----a-w-  c:\windows\system32\ntkrnlpa.exe
    2012-10-10 17:48 . 2012-08-29 11:27  3550080  ----a-w-  c:\windows\system32\ntoskrnl.exe
    2012-10-09 19:49 . 2012-10-09 19:49  --------  d-----w-  c:\programdata\stw-audio
    2012-10-07 23:56 . 2012-10-07 23:56  --------  d-----w-  c:\programdata\Leawo
    2012-10-07 23:56 . 2011-03-02 10:43  175616  ----a-w-  c:\windows\system32\unrar.dll
    2012-10-05 03:07 . 2012-10-05 03:07  --------  d-----w-  c:\program files\Novation
    2012-10-03 22:21 . 2012-10-05 02:58  --------  d-----w-  c:\program files\Rob Papen
    2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin.dll
    2012-10-01 22:28 . 2012-10-01 22:28  --------  d-----w-  c:\program files\QuickTime
    2012-10-01 22:26 . 2012-10-01 22:26  --------  d-----w-  c:\program files\NewBlue
    2012-10-01 22:12 . 2011-02-26 23:17  506824  ----a-w-  c:\windows\system32\prodad-codec.dll
    2012-10-01 22:11 . 2012-10-01 22:16  --------  d-----w-  c:\programdata\proDAD
    2012-10-01 22:11 . 2012-10-01 22:12  --------  d-----w-  c:\program files\proDAD
    2012-10-01 22:11 . 2003-07-09 16:43  45056  ----a-w-  c:\windows\system32\BFXSrcFilter.ax
    2012-10-01 22:11 . 2003-07-01 22:49  69632  ----a-w-  c:\windows\system32\MtxPreview.dll
    2012-10-01 22:11 . 2003-07-01 22:49  49152  ----a-w-  c:\windows\system32\MtxParhBFXPreview.dll
    2012-10-01 22:11 . 2003-06-26 16:04  237568  ----a-r-  c:\windows\system32\qtmlClient.dll
    2012-10-01 22:11 . 2003-01-20 15:08  49152  ----a-w-  c:\windows\system32\CvoAPI.dll
    2012-10-01 22:11 . 2012-10-01 22:11  --------  d-----w-  c:\program files\Boris FX, Inc
    2012-10-01 22:06 . 2012-10-01 22:29  --------  d-----w-  c:\programdata\eSellerate
    2012-10-01 22:05 . 2012-10-01 22:06  --------  d-----w-  c:\program files\SmartSound Software
    2012-10-01 22:05 . 2012-10-01 22:06  --------  d-----w-  c:\programdata\SmartSound Software Inc
    2012-10-01 22:04 . 2012-10-01 22:04  --------  d-----w-  c:\programdata\InterVideo
    2012-10-01 22:01 . 2012-10-01 22:01  --------  d-----w-  c:\program files\Windows Media Components
    2012-10-01 02:43 . 2012-10-01 02:45  --------  d-----w-  c:\program files\CCleaner
    2012-09-30 04:47 . 2012-09-30 04:47  --------  d-----w-  c:\program files\Common Files\Wondershare
    2012-09-30 04:46 . 2011-11-17 23:08  16640  ----a-w-  c:\windows\system32\drivers\WsAudioDevice_383.sys
    2012-09-30 04:46 . 2012-09-30 04:46  --------  d-----w-  c:\program files\Wondershare
    2012-09-30 03:52 . 2012-09-30 03:52  --------  d-----w-  c:\program files\Common Files\xing shared
    2012-09-30 03:52 . 2012-09-30 03:52  --------  d-----w-  c:\program files\Real
    2012-09-28 22:07 . 2005-05-26 22:34  2297552  ----a-w-  c:\windows\system32\d3dx9_26.dll
    2012-09-28 22:04 . 2012-10-12 18:40  --------  d--h--w-  c:\windows\msdownld.tmp
    2012-09-28 22:04 . 2012-10-14 02:48  --------  d-----w-  C:\Games
    2012-09-28 21:38 . 2012-09-28 21:38  --------  d-----w-  c:\program files\LUXONIX
    2012-09-28 21:38 . 2005-03-24 15:26  491520  ----a-w-  c:\windows\system32\msvcr80.dll
    2012-09-28 21:37 . 2012-09-28 21:37  2249  ----a-w-  C:\FLVDirect.exe
    2012-09-28 20:55 . 2012-09-28 20:55  --------  d-----w-  c:\program files\IK Multimedia
    2012-09-28 17:38 . 2012-09-28 17:40  --------  d-----w-  c:\programdata\Protexis
    2012-09-28 17:36 . 2012-10-01 22:03  --------  d-----w-  c:\programdata\Corel
    2012-09-28 17:36 . 2012-09-28 17:36  --------  d-----w-  c:\program files\Common Files\Protexis
    2012-09-28 17:35 . 2012-10-01 22:01  --------  d-----w-  c:\program files\Corel
    2012-09-28 16:42 . 2012-09-28 16:44  --------  d-----w-  c:\programdata\regid.1986-12.com.adobe
    2012-09-28 16:37 . 2012-09-28 16:37  --------  d-----w-  c:\program files\Common Files\Adobe AIR
    2012-09-28 14:48 . 2012-09-28 14:48  --------  d-----w-  c:\program files\Edirol
    2012-09-28 14:11 . 2012-09-28 14:11  --------  d-----w-  c:\programdata\4Front
    2012-09-28 14:10 . 2012-09-28 14:11  --------  d-----w-  c:\program files\TruePianos
    2012-09-28 02:42 . 2012-09-28 02:42  1060864  ----a-w-  c:\windows\system32\mfc71.dll
    2012-09-28 02:42 . 2003-06-20 19:28  1777664  ----a-w-  c:\windows\system32\gdiplus.dll
    2012-09-27 18:12 . 2012-09-30 03:52  499712  ----a-w-  c:\windows\system32\msvcp71.dll
    2012-09-27 18:12 . 2012-09-30 03:52  348160  ----a-w-  c:\windows\system32\msvcr71.dll
    2012-09-27 17:38 . 2011-05-23 09:52  153088  ----a-w-  c:\windows\system32\xvid.ax
    2012-09-27 17:38 . 2011-05-23 07:46  645632  ----a-w-  c:\windows\system32\xvidcore.dll
    2012-09-27 17:38 . 2011-05-30 13:42  240640  ----a-w-  c:\windows\system32\xvidvfw.dll
    2012-09-27 17:38 . 2012-09-27 17:38  --------  d-----w-  c:\program files\Xvid
    2012-09-27 17:31 . 2012-09-27 17:31  --------  dc----w-  c:\windows\system32\DRVSTORE
    2012-09-27 17:31 . 2012-08-21 20:01  26840  ----a-w-  c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-09-27 17:31 . 2012-09-27 17:31  --------  d-----w-  c:\program files\iPod
    2012-09-27 17:31 . 2012-09-27 17:31  --------  d-----w-  c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
    2012-09-27 17:31 . 2012-09-27 17:31  --------  d-----w-  c:\programdata\Apple Computer
    2012-09-27 17:31 . 2012-09-27 17:31  --------  d-----w-  c:\program files\iTunes
    2012-09-27 17:22 . 2012-09-27 17:22  --------  d-----w-  c:\program files\Apple Software Update
    2012-09-27 17:20 . 2012-09-27 17:20  --------  d-----w-  c:\program files\Bonjour
    2012-09-27 17:20 . 2012-09-27 21:57  --------  d-----w-  c:\program files\Common Files\Apple
    2012-09-27 17:20 . 2012-09-27 17:22  --------  d-----w-  c:\programdata\Apple
    2012-09-27 13:21 . 2012-09-27 13:21  --------  d-----w-  c:\program files\PlatinumHideIP
    2012-09-27 12:57 . 2012-09-27 12:57  --------  d-----w-  c:\programdata\PlatinumHideIP
    2012-09-27 12:06 . 2012-09-27 12:06  --------  d-----w-  c:\program files\PowerISO
    2012-09-27 03:59 . 2012-09-27 03:59  --------  dc-h--w-  c:\programdata\{E26B3878-7CEC-469C-B449-5CAA336DF8CD}
    2012-09-27 03:59 . 2012-09-27 03:59  --------  d-----w-  c:\program files\Common Files\Native Instruments
    2012-09-27 03:59 . 2012-09-27 03:59  --------  dc-h--w-  c:\programdata\{C78336EC-F2EB-4640-99A4-DFE96581B90B}
    2012-09-27 03:59 . 2012-09-29 15:44  --------  d-----w-  c:\program files\Native Instruments
    2012-09-27 03:59 . 2012-09-27 03:59  --------  d-----w-  c:\programdata\Native Instruments
    2012-09-26 20:00 . 2012-09-26 20:00  413696  ----a-w-  c:\windows\system32\wrap_oal.dll
    2012-09-26 20:00 . 2012-09-26 20:00  110592  ----a-w-  c:\windows\system32\OpenAL32.dll
    2012-09-26 11:26 . 2012-10-01 22:04  --------  d-----w-  c:\program files\Common Files\InstallShield
    2012-09-26 11:15 . 2012-09-26 11:15  --------  d-----w-  c:\program files\ASIO4ALL v2
    2012-09-26 11:15 . 2012-10-09 19:52  --------  d-----w-  c:\program files\VstPlugins
    2012-09-26 11:15 . 2011-10-11 14:45  1431552  ----a-w-  c:\windows\system32\rewire.dll
    2012-09-26 11:15 . 2009-09-15 09:14  1554944  ----a-w-  c:\windows\system32\vorbis.acm
    2012-09-26 11:14 . 2012-09-26 11:14  --------  d-----w-  c:\program files\Outsim
    2012-09-26 11:11 . 2012-09-26 11:15  --------  d-----w-  c:\program files\Image-Line
    2012-09-26 02:01 . 2012-09-26 02:01  679936  ----a-w-  c:\windows\system32\Fliqlo.scr
    2012-09-26 02:01 . 2012-09-26 02:01  --------  d-----w-  c:\programdata\Screentime
    2012-09-26 01:59 . 2012-09-26 01:59  --------  d-----w-  c:\windows\system32\Macromed
    2012-09-25 22:53 . 2012-09-25 22:54  --------  d-----w-  c:\programdata\WinZip
    2012-09-25 22:41 . 2012-09-25 22:43  --------  d-----w-  c:\programdata\AVG
    2012-09-25 22:41 . 2012-09-25 22:41  --------  d-sh--w-  c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
    2012-09-25 22:31 . 2012-09-25 22:31  --------  d-----w-  C:\$AVG
    2012-09-25 22:29 . 2012-10-22 04:34  --------  d-----w-  c:\program files\AVG
    2012-09-25 22:27 . 2012-09-25 22:27  --------  d--h--w-  c:\programdata\Common Files
    2012-09-25 22:21 . 2012-09-25 22:21  --------  d-----w-  c:\program files\FrostWire 5
    2012-09-25 22:10 . 2012-09-25 22:10  --------  d-----w-  c:\program files\RocketDock
    2012-09-25 22:08 . 2012-10-22 04:34  --------  d-----w-  c:\users\UpdatusUser
    2012-09-25 22:07 . 2012-10-02 19:29  645992  ----a-w-  c:\windows\system32\nvvsvc.exe
    2012-09-25 22:07 . 2012-10-02 19:29  62312  ----a-w-  c:\windows\system32\nvshext.dll
    2012-09-25 22:07 . 2012-10-02 19:29  108392  ----a-w-  c:\windows\system32\nvmctray.dll
    2012-09-25 22:07 . 2012-10-02 19:29  2853224  ----a-w-  c:\windows\system32\nvsvc.dll
    2012-09-25 22:07 . 2012-10-02 19:28  3965288  ----a-w-  c:\windows\system32\nvcpl.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-02 22:20 . 2012-02-10 05:43  1009512  ----a-w-  c:\windows\system32\nvdispco32.dll
    2012-10-02 22:20 . 2008-01-21 02:32  15309160  ----a-w-  c:\windows\system32\nvd3dum.dll
    2012-09-25 21:21 . 2012-09-25 21:21  4096  ----a-w-  c:\windows\system32\drivers\en-US\dxgkrnl.sys.mui
    2012-08-24 07:57 . 2012-08-24 07:57  113104  ----a-w-  c:\windows\system32\drivers\scdemu.sys
    2012-08-21 20:01 . 2012-08-21 20:01  106928  ----a-w-  c:\windows\system32\GEARAspi.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "P17RunE"="P17RunE.dll" [2008-03-28 14848]
    "VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2007-03-01 180224]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
    "Wondershare Helper Compact.exe"="c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2012-02-28 1679360]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-09-30 296096]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Wireless Connection Manager.lnk - c:\program files\D-Link\DWA-552 revA\wirelesscm.exe [2012-9-25 517440]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\users\Romeo Jr Chacon\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    "WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "UpdReg"=c:\windows\UpdReg.EXE
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" -osboot
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork  REG_MULTI_SZ  PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation  REG_MULTI_SZ  FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-22 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-12 06:33]
    .
    2012-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2321283058-4084574830-2792957718-1000Core.job
    - c:\users\Romeo Jr Chacon\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-25 21:54]
    .
    2012-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2321283058-4084574830-2792957718-1000UA.job
    - c:\users\Romeo Jr Chacon\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-25 21:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = http=;ftp=;https=;
    TCP: DhcpNameServer = 10.0.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-10-21 21:48
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Creative\Shared Files\CTAudSvc.exe
    c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe
    c:\program files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe
    c:\windows\System32\rundll32.exe
    c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2012-10-21 21:53:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-10-22 04:53
    .
    Pre-Run: 583,820,800,000 bytes free
    Post-Run: 583,651,385,344 bytes free
    .
    - - End Of File - - 832070482FBF08F1264B34EADB21DD13
  5. Broni Malware Annihilator Posts: 39,285   +175

    Open Windows Explorer. Go to Tools > Folder Options > View tab, put a checkmark next to Show hidden files and folders, and un-check Hide protected operating system files.
    NOTE. Make sure to reverse the above changes when done with this step.
    Upload the following file to http://www.virustotal.com/ for a security check:
    - C:\Windows\system32\drivers\smb.sys
    IMPORTANT! If the file is listed as already analyzed, click on the Reanalyse file now button.
    Post the scan results.

    ==================================

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      smb.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  6. Romeo J. Chacon TechSpot Member Posts: 27

    Antivirus | Result | Update
    Agnitum | - | 20121021
    AntiVir | - | 20121022
    Antiy-AVL | - | 20121022
    Avast | Win32:Sirefef-AMS [Rtk] | 20121022
    AVG | ZeroAccess.IH | 20121022
    BitDefender | Gen:Variant.Symmi.2296 | 20121022
    ByteHero | - | 20121019
    CAT-QuickHeal | - | 20121022
    ClamAV | - | 20121022
    Commtouch | - | 20121022
    Comodo | - | 20121022
    DrWeb | BackDoor.Maxplus | 20121022
    Emsisoft | Gen:Variant.Symmi.2296 (B) | 20121022
    eSafe | - | 20121017
    ESET-NOD32 | Win32/Sirefef.DA | 20121022
    F-Prot | - | 20121022
    F-Secure | Gen:Variant.Symmi.2296 | 20121022
    Fortinet | W32/Sirefef.DA!tr | 20121022
    GData | Gen:Variant.Symmi.2296 | 20121022
    Ikarus | Trojan.ZeroAccess | 20121022
    Jiangmin | Trojan/Genome.czgd | 20121022
    K7AntiVirus | - | 20121022
    Kaspersky | HEUR:Backdoor.Win32.Generic | 20121022
    Kingsoft | - | 20121008
    McAfee | - | 20121022
    McAfee-GW-Edition | Heuristic.BehavesLike.Win32.Suspicious-BAY.K | 20121022
    Microsoft | - | 20121022
    MicroWorld-eScan | Gen:Variant.Symmi.2296 | 20121022
    Norman | - | 20121022
    nProtect | - | 20121022
    Panda | - | 20121022
    PCTools | Trojan.Zeroaccess | 20121022
    Rising | Malware.XPACK!4904 | 20121022
    Sophos | - | 20121022
    SUPERAntiSpyware | - | 20121022
    Symantec | Trojan.Zeroaccess!i11 | 20121022
    TheHacker | - | 20121021
    TotalDefense | - | 20121022
    TrendMicro | - | 20121022
    TrendMicro-HouseCall | - | 20121022
    VBA32 | - | 20121022
    VIPRE | Lookslike.Win32.Sirefef.t (v) | 20121022
    ViRobot | - | 20121022
     
  7. Romeo J. Chacon TechSpot Member Posts: 27

    Continued...

    ssdeep

    1536:g0TjNxUGKinE0KWfYmsBlgAolx6FuNMvLbYAg:g0TjN6MCIT7NibYB
    TrID

    Win32 Executable Generic (68.0%)
    Generic Win/DOS Executable (15.9%)
    DOS Executable Generic (15.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    ExifTool

    MIMEType.................: application/octet-stream
    Subsystem................: Native
    MachineType..............: Intel 386 or later, and compatibles
    TimeStamp................: 2012:10:09 21:34:55+01:00
    FileType.................: Win32 DLL
    PEType...................: PE32
    CodeSize.................: 39424
    LinkerVersion............: 6.238
    EntryPoint...............: 0x6077
    InitializedDataSize......: 14848
    SubsystemVersion.........: 5.1
    ImageVersion.............: 0.0
    OSVersion................: 5.1
    UninitializedDataSize....: 0

    Portable Executable structural information

    Compilation timedatestamp.....: 2012-10-09 20:34:55
    Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
    Entry point address...........: 0x00006077

    PE Sections...................:

    Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5
    .code | 4096 | 40 | 512 | 0.17 | 2edcb377efa91cd4d13a9e03c2a19235
    .icode | 8192 | 40 | 512 | 0.76 | 303844500971a9544e816b6a8ab3a461
    .text | 12288 | 23080 | 23552 | 7.18 | 4967b97470e20c579600e6b0a33cead6
    .ghfhj | 36864 | 15445 | 15872 | 7.13 | 4bd6360b70af9faeac00d98153378349
    .data | 53248 | 1510 | 1536 | 5.83 | e6848d5290c317b444960216541f1337
    .jihfd | 57344 | 872 | 1024 | 7.09 | 7025ce1a6319857b2b553c87a3a421b2
    .oiyuh | 61440 | 1760 | 2048 | 7.30 | 1e433ddb5e1078302bcb011bdd56d001
    .vcxv | 65536 | 1320 | 1536 | 7.26 | 99174bb39d99939a9569a3ae0fa89dce
    .oiuhgf | 69632 | 1320 | 1536 | 7.28 | 1c9088b7d3a5ea3193d498e50aca5543
    .ryfg | 73728 | 1760 | 2048 | 7.30 | 4a274483ac8276ad13694e5837414a6e
    .fdsgf | 77824 | 1760 | 2048 | 7.29 | 002837f372a5e7dbef4f0ebe68dbfdb9
    .rsrc | 81920 | 20709 | 1024 | 4.85 | 89b802f65ad45d5db8ccbd2b4d3ec4a5
    .reloc | 106496 | 792 | 1024 | 5.37 | fff7a42855ede4d409d1f026443b3d43

    PE Imports....................:

    [[ntoskrnl.exe]]
    ZwReadFile, KeInitializeMutex, HalExamineMBR, KeDetachProcess, KeUnstackDetachProcess, RtlUpcaseUnicodeChar, PsGetProcessId, MmFlushImageSection, wcslen, IoGetCurrentProcess, RtlVolumeDeviceToDosName, CcSetReadAheadGranularity, RtlTimeToSecondsSince1980, ExUuidCreate, IoAllocateWorkItem, MmAddVerifierThunks, KeSetTimer, FsRtlLookupLastLargeMcbEntry, IoReadPartitionTable, IoCreateSymbolicLink, FsRtlNotifyUninitializeSync, RtlCompareMemoryUlong, wcsspn, RtlSecondsSince1980ToTime, CcInitializeCacheMap

    PE Resources..................:

    Resource type | Number of resources
    RT_MESSAGETABLE | 1

    Resource language | Number of resources
    ENGLISH US | 1

    First seen by VirusTotal

    2012-10-22 20:13:24 UTC ( 2 minutes ago )
    Last seen by VirusTotal

    2012-10-22 20:13:24 UTC ( 2 minutes ago )
    File names (max. 25)

    1. smb.sys
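    The section table above is the giveaway: a real Microsoft SMB driver does not carry sections named .ghfhj, .jihfd or .oiyuh, and nine of the thirteen sections sit at 7.1 to 7.3 bits per byte, which is the entropy of compressed or encrypted data rather than x86 code. Combined with Subsystem Native and an import table that pulls only from ntoskrnl.exe, that is the profile of a packed kernel-mode payload. The following is an added example, not code from this thread or from any of the tools used in it: a dependency-free Python walker over a PE's section table that computes per-section Shannon entropy and flags sections that look packed. It runs against a minimal PE32 assembled in memory by build_pe (a helper written for this example, not the real smb.sys); the 7.0 threshold and the list of "standard" section names are assumptions chosen for the demonstration.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names a stock MSVC-linked driver or DLL normally carries (assumption).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", "INIT", "PAGE", "PAGEDATA"}
SUBSYSTEM_NATIVE = 1       # IMAGE_SUBSYSTEM_NATIVE, what kernel drivers declare
PACKED_THRESHOLD = 7.0     # bits/byte; plain x86 code usually lands around 6 (assumption)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes):
    """DOS header -> PE signature -> COFF header -> optional header -> section table.
    Offsets follow the PE/COFF spec; Subsystem is at +68 in both PE32 and PE32+."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    subsystem = struct.unpack_from("<H", image, opt + 68)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i                      # 40-byte section headers
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return subsystem, sections


def triage(image: bytes) -> dict:
    """Flag sections whose raw bytes look packed, and note whether this is a kernel image."""
    subsystem, sections = parse_pe(image)
    findings = []
    for name, data in sections:
        ent = round(shannon_entropy(data), 2)
        if ent < PACKED_THRESHOLD:
            continue
        reason = ("non-standard section name with packed entropy" if name not in STANDARD_SECTIONS
                  else "packed entropy in a standard section")
        findings.append({"section": name, "entropy": ent, "reason": reason})
    return {"native_driver": subsystem == SUBSYSTEM_NATIVE, "findings": findings}


# --- constructed sample input so the example runs offline (not a real driver) ---
def pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_pe(section_specs, subsystem=SUBSYSTEM_NATIVE) -> bytes:
    """Assemble DOS stub + PE32 headers + section table + raw data from [(name, payload)].
    Well-formed enough for parse_pe(); not loadable."""
    file_align, opt_size, e_lfanew = 0x200, 0xE0, 0x40
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(section_specs)
    hdr_len = -(-hdr_len // file_align) * file_align   # round up to FileAlignment
    dos = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 36, file_align)    # FileAlignment
    struct.pack_into("<H", opt, 68, subsystem)     # Subsystem
    table, body, raw_ptr = bytearray(), bytearray(), hdr_len
    for name, payload in section_specs:
        raw_size = -(-len(payload) // file_align) * file_align
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIII", len(payload), 0, raw_size, raw_ptr) + b"\0" * 16
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)).ljust(hdr_len, b"\0")
    return headers + bytes(body)


SAMPLE_DRIVER = build_pe([
    (".text", pseudo_random_bytes(1024, b"text")),     # standard name, packed contents
    (".ghfhj", pseudo_random_bytes(1024, b"ghfhj")),   # junk name, packed contents
    (".rsrc", b"\0" * 512),                            # low entropy, not flagged
])

if __name__ == "__main__":
    print(triage(SAMPLE_DRIVER))
```

    Run the same triage() over the real file by reading it with open(path, "rb"); it tells you nothing about what the packed code does, but a native-subsystem image with junk-named, near-8-bit sections is enough to stop trusting the file name and move to hash and signature checks.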
  8. Romeo J. Chacon TechSpot Member Posts: 27

    SystemLook 30.07.11 by jpshortstuff
    Log created at 13:19 on 22/10/2012 by Romeo Jr Chacon
    Administrator - Elevation successful
    ========== filefind ==========
    Searching for "smb.sys"
    C:\Windows\System32\drivers\smb.sys --a---- 66560 bytes [20:29 25/09/2012] [04:45 11/04/2009] F31D7577BE73DF2B6B512C44E241B284
    C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys --a---- 66560 bytes [02:34 21/01/2008] [02:34 21/01/2008] 031E6BCD53C9B2B9ACE111EAFEC347B6
    -= EOF =-
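    The SystemLook result is the decisive artefact: the copy under System32\drivers has exactly the same size as the component-store copy under winsxs but a different MD5 and a modified time of 25/09/2012, while the winsxs copy still carries its January 2008 build timestamp. A same-size, different-hash live copy next to an untouched WinSxS reference is the pattern of a driver overwritten in place, and it is what justifies restoring the WinSxS copy over it. As an added example (not part of the original post and not SystemLook's own code), here is a Python parser for SystemLook filefind lines that groups hits by file name and flags any copy whose hash differs from the WinSxS reference. The regex tolerates the collapsed spacing that pasted logs often have. The sample log is the thread's own SystemLook output, embedded so the script runs offline; the regex is an assumption about SystemLook's line format.

```python
import ntpath
import re
from collections import defaultdict

# One filefind hit: <path><attrs> <size> bytes[<mtime>][<ctime>] <MD5>
# Whitespace between fields is optional because pasted logs often lose it.
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s*(?P<attrs>-[-a-z]{6})\s+(?P<size>\d+) bytes\s*"
    r"\[(?P<mtime>[^\]]+)\]\s*\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# The SystemLook log posted in this thread, used as the sample input.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 13:19 on 22/10/2012 by Romeo Jr Chacon
Administrator - Elevation successful
========== filefind ==========
Searching for "smb.sys"
C:\Windows\System32\drivers\smb.sys--a---- 66560 bytes[20:29 25/09/2012][04:45 11/04/2009] F31D7577BE73DF2B6B512C44E241B284
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys--a---- 66560 bytes[02:34 21/01/2008][02:34 21/01/2008] 031E6BCD53C9B2B9ACE111EAFEC347B6
-= EOF =-
"""


def parse_filefind(log: str) -> list:
    """Return one dict per filefind hit; banner and EOF lines are skipped."""
    hits = []
    for line in log.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["path"] = hit["path"].strip()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hits.append(hit)
    return hits


def winsxs_mismatches(hits: list) -> list:
    """For each file name, treat copies under the winsxs component store as the reference
    and flag every other copy whose MD5 is not among the reference hashes."""
    by_name = defaultdict(list)
    for h in hits:
        by_name[ntpath.basename(h["path"]).lower()].append(h)
    flagged = []
    for name, copies in by_name.items():
        refs = [c for c in copies if "\\winsxs\\" in c["path"].lower()]
        if not refs:
            continue                      # nothing trustworthy to compare against
        ref_md5 = {c["md5"] for c in refs}
        ref_sizes = {c["size"] for c in refs}
        for c in copies:
            if c in refs or c["md5"] in ref_md5:
                continue
            flagged.append({
                "name": name, "path": c["path"], "md5": c["md5"], "mtime": c["mtime"],
                "reference_md5": sorted(ref_md5),
                "size_matches_reference": c["size"] in ref_sizes,
            })
    return flagged


if __name__ == "__main__":
    for f in winsxs_mismatches(parse_filefind(SAMPLE_LOG)):
        print(f"{f['path']}: {f['md5']} differs from WinSxS {f['reference_md5']} "
              f"(modified {f['mtime']}, same size: {f['size_matches_reference']})")
```

    The WinSxS copy is a reference, not proof: a rootkit with file-system hooks can serve altered bytes to any reader, which is why the thread's helper also runs catchme and aswMBR rather than trusting hashes alone.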
  9. Broni Malware Annihilator Posts: 39,285   +175

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys | C:\Windows\System32\drivers\smb.sys
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  10. Romeo J. Chacon TechSpot Member Posts: 27

    ComboFix 12-10-22.02 - Romeo Jr Chacon 10/22/2012 14:08:06.3.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1919.1143 [GMT -7:00]
    Running from: c:\users\Romeo Jr Chacon\Desktop\ComboFix.exe
    Command switches used :: c:\users\Romeo Jr Chacon\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys --> c:\windows\System32\drivers\smb.sys
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-22 to 2012-10-22 )))))))))))))))))))))))))))))))
    .
    .
    2012-10-22 21:15 . 2012-10-22 21:15  --------  d-----w-  c:\users\Default\AppData\Local\temp
    2012-10-21 07:20 . 2012-08-23 18:31  32120  ----a-w-  c:\windows\system32\TURegOpt.exe
    2012-10-21 07:20 . 2012-08-23 18:31  21880  ----a-w-  c:\windows\system32\authuitu.dll
    2012-10-16 19:46 . 2012-10-22 00:43  --------  d-----w-  c:\windows\system32\catroot2
    2012-10-13 15:55 . 2012-10-13 15:55  --------  d-----w-  c:\users\Default\AppData\Roaming\TuneUp Software
    2012-10-12 04:13 . 2012-10-12 06:33  73656  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-10-12 04:13 . 2012-10-12 06:33  696760  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
    2012-10-12 03:27 . 2012-10-12 03:27  --------  d-----w-  c:\programdata\Norton
    2012-10-11 03:36 . 2012-10-02 19:29  2557288  ----a-w-  c:\windows\system32\nvsvcr.dll
    2012-10-11 03:32 . 2012-10-02 22:20  6127464  ----a-w-  c:\windows\system32\nvopencl.dll
    2012-10-11 03:32 . 2012-10-02 22:20  2574696  ----a-w-  c:\windows\system32\nvcuvid.dll
    2012-10-11 03:32 . 2012-10-02 22:20  19906920  ----a-w-  c:\windows\system32\nvoglv32.dll
    2012-10-11 03:32 . 2012-10-02 22:20  10837352  ----a-w-  c:\windows\system32\drivers\nvlddmkm.sys
    2012-10-11 03:32 . 2012-10-02 22:20  1867112  ----a-w-  c:\windows\system32\nvcuvenc.dll
    2012-10-11 03:32 . 2012-10-02 22:20  7697768  ----a-w-  c:\windows\system32\nvcuda.dll
    2012-10-11 03:32 . 2012-10-02 22:20  17559912  ----a-w-  c:\windows\system32\nvcompiler.dll
    2012-10-10 17:48 . 2012-09-13 13:28  2048  ----a-w-  c:\windows\system32\tzres.dll
    2012-10-10 17:48 . 2012-06-02 00:02  985088  ----a-w-  c:\windows\system32\crypt32.dll
    2012-10-10 17:48 . 2012-06-02 00:02  98304  ----a-w-  c:\windows\system32\cryptnet.dll
    2012-10-10 17:48 . 2012-06-02 00:02  133120  ----a-w-  c:\windows\system32\cryptsvc.dll
    2012-10-10 17:48 . 2012-08-24 15:53  172544  ----a-w-  c:\windows\system32\wintrust.dll
    2012-10-10 17:48 . 2012-08-29 11:27  3602816  ----a-w-  c:\windows\system32\ntkrnlpa.exe
    2012-10-10 17:48 . 2012-08-29 11:27  3550080  ----a-w-  c:\windows\system32\ntoskrnl.exe
    2012-10-09 19:49 . 2012-10-09 19:49  --------  d-----w-  c:\programdata\stw-audio
    2012-10-07 23:56 . 2012-10-07 23:56  --------  d-----w-  c:\programdata\Leawo
    2012-10-07 23:56 . 2011-03-02 10:43  175616  ----a-w-  c:\windows\system32\unrar.dll
    2012-10-05 03:07 . 2012-10-05 03:07  --------  d-----w-  c:\program files\Novation
    2012-10-03 22:21 . 2012-10-05 02:58  --------  d-----w-  c:\program files\Rob Papen
    2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin.dll
    2012-10-01 22:28 . 2012-10-01 22:28  --------  d-----w-  c:\program files\QuickTime
    2012-10-01 22:26 . 2012-10-01 22:26  --------  d-----w-  c:\program files\NewBlue
    2012-10-01 22:12 . 2011-02-26 23:17  506824  ----a-w-  c:\windows\system32\prodad-codec.dll
    2012-10-01 22:11 . 2012-10-01 22:16  --------  d-----w-  c:\programdata\proDAD
    2012-10-01 22:11 . 2012-10-01 22:12  --------  d-----w-  c:\program files\proDAD
    2012-10-01 22:11 . 2003-07-09 16:43  45056  ----a-w-  c:\windows\system32\BFXSrcFilter.ax
    2012-10-01 22:11 . 2003-07-01 22:49  69632  ----a-w-  c:\windows\system32\MtxPreview.dll
    2012-10-01 22:11 . 2003-07-01 22:49  49152  ----a-w-  c:\windows\system32\MtxParhBFXPreview.dll
    2012-10-01 22:11 . 2003-06-26 16:04  237568  ----a-r-  c:\windows\system32\qtmlClient.dll
    2012-10-01 22:11 . 2003-01-20 15:08  49152  ----a-w-  c:\windows\system32\CvoAPI.dll
    2012-10-01 22:11 . 2012-10-01 22:11  --------  d-----w-  c:\program files\Boris FX, Inc
    2012-10-01 22:06 . 2012-10-01 22:29  --------  d-----w-  c:\programdata\eSellerate
    2012-10-01 22:05 . 2012-10-01 22:06  --------  d-----w-  c:\program files\SmartSound Software
    2012-10-01 22:05 . 2012-10-01 22:06  --------  d-----w-  c:\programdata\SmartSound Software Inc
    2012-10-01 22:04 . 2012-10-01 22:04  --------  d-----w-  c:\programdata\InterVideo
    2012-10-01 22:01 . 2012-10-01 22:01  --------  d-----w-  c:\program files\Windows Media Components
    2012-10-01 02:43 . 2012-10-01 02:45  --------  d-----w-  c:\program files\CCleaner
    2012-09-30 04:47 . 2012-09-30 04:47  --------  d-----w-  c:\program files\Common Files\Wondershare
    2012-09-30 04:46 . 2011-11-17 23:08  16640  ----a-w-  c:\windows\system32\drivers\WsAudioDevice_383.sys
    2012-09-30 04:46 . 2012-09-30 04:46  --------  d-----w-  c:\program files\Wondershare
    2012-09-30 03:52 . 2012-09-30 03:52  --------  d-----w-  c:\program files\Common Files\xing shared
    2012-09-30 03:52 . 2012-09-30 03:52  --------  d-----w-  c:\program files\Real
    2012-09-28 22:07 . 2005-05-26 22:34  2297552  ----a-w-  c:\windows\system32\d3dx9_26.dll
    2012-09-28 22:04 . 2012-10-12 18:40  --------  d--h--w-  c:\windows\msdownld.tmp
    2012-09-28 22:04 . 2012-10-14 02:48  --------  d-----w-  C:\Games
    2012-09-28 21:38 . 2012-09-28 21:38  --------  d-----w-  c:\program files\LUXONIX
    2012-09-28 21:38 . 2005-03-24 15:26  491520  ----a-w-  c:\windows\system32\msvcr80.dll
    2012-09-28 21:37 . 2012-09-28 21:37  2249  ----a-w-  C:\FLVDirect.exe
    2012-09-28 20:55 . 2012-09-28 20:55  --------  d-----w-  c:\program files\IK Multimedia
    2012-09-28 17:38 . 2012-09-28 17:40  --------  d-----w-  c:\programdata\Protexis
    2012-09-28 17:36 . 2012-10-01 22:03  --------  d-----w-  c:\programdata\Corel
    2012-09-28 17:36 . 2012-09-28 17:36  --------  d-----w-  c:\program files\Common Files\Protexis
    2012-09-28 17:35 . 2012-10-01 22:01  --------  d-----w-  c:\program files\Corel
    2012-09-28 16:42 . 2012-09-28 16:44  --------  d-----w-  c:\programdata\regid.1986-12.com.adobe
    2012-09-28 16:37 . 2012-09-28 16:37  --------  d-----w-  c:\program files\Common Files\Adobe AIR
    2012-09-28 14:48 . 2012-09-28 14:48  --------  d-----w-  c:\program files\Edirol
    2012-09-28 14:11 . 2012-09-28 14:11  --------  d-----w-  c:\programdata\4Front
    2012-09-28 14:10 . 2012-09-28 14:11  --------  d-----w-  c:\program files\TruePianos
    2012-09-28 02:42 . 2012-09-28 02:42  1060864  ----a-w-  c:\windows\system32\mfc71.dll
    2012-09-28 02:42 . 2003-06-20 19:28  1777664  ----a-w-  c:\windows\system32\gdiplus.dll
    2012-09-27 18:12 . 2012-09-30 03:52  499712  ----a-w-  c:\windows\system32\msvcp71.dll
    2012-09-27 18:12 . 2012-09-30 03:52  348160  ----a-w-  c:\windows\system32\msvcr71.dll
    2012-09-27 17:38 . 2011-05-23 09:52  153088  ----a-w-  c:\windows\system32\xvid.ax
    2012-09-27 17:38 . 2011-05-23 07:46  645632  ----a-w-  c:\windows\system32\xvidcore.dll
    2012-09-27 17:38 . 2011-05-30 13:42  240640  ----a-w-  c:\windows\system32\xvidvfw.dll
    2012-09-27 17:38 . 2012-09-27 17:38  --------  d-----w-  c:\program files\Xvid
    2012-09-27 17:31 . 2012-09-27 17:31  --------  dc----w-  c:\windows\system32\DRVSTORE
    2012-09-27 17:31 . 2012-08-21 20:01  26840  ----a-w-  c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-09-27 17:31 . 2012-09-27 17:31  --------  d-----w-  c:\program files\iPod
    2012-09-27 17:31 . 2012-09-27 17:31  --------  d-----w-  c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
    2012-09-27 17:31 . 2012-09-27 17:31  --------  d-----w-  c:\programdata\Apple Computer
    2012-09-27 17:31 . 2012-09-27 17:31  --------  d-----w-  c:\program files\iTunes
    2012-09-27 17:22 . 2012-09-27 17:22  --------  d-----w-  c:\program files\Apple Software Update
    2012-09-27 17:20 . 2012-09-27 17:20  --------  d-----w-  c:\program files\Bonjour
    2012-09-27 17:20 . 2012-09-27 21:57  --------  d-----w-  c:\program files\Common Files\Apple
    2012-09-27 17:20 . 2012-09-27 17:22  --------  d-----w-  c:\programdata\Apple
    2012-09-27 13:21 . 2012-09-27 13:21  --------  d-----w-  c:\program files\PlatinumHideIP
    2012-09-27 12:57 . 2012-09-27 12:57  --------  d-----w-  c:\programdata\PlatinumHideIP
    2012-09-27 12:06 . 2012-09-27 12:06  --------  d-----w-  c:\program files\PowerISO
    2012-09-27 03:59 . 2012-09-27 03:59  --------  dc-h--w-  c:\programdata\{E26B3878-7CEC-469C-B449-5CAA336DF8CD}
    2012-09-27 03:59 . 2012-09-27 03:59  --------  d-----w-  c:\program files\Common Files\Native Instruments
    2012-09-27 03:59 . 2012-09-27 03:59  --------  dc-h--w-  c:\programdata\{C78336EC-F2EB-4640-99A4-DFE96581B90B}
    2012-09-27 03:59 . 2012-09-29 15:44  --------  d-----w-  c:\program files\Native Instruments
    2012-09-27 03:59 . 2012-09-27 03:59  --------  d-----w-  c:\programdata\Native Instruments
    2012-09-26 20:00 . 2012-09-26 20:00  413696  ----a-w-  c:\windows\system32\wrap_oal.dll
    2012-09-26 20:00 . 2012-09-26 20:00  110592  ----a-w-  c:\windows\system32\OpenAL32.dll
    2012-09-26 11:26 . 2012-10-01 22:04  --------  d-----w-  c:\program files\Common Files\InstallShield
    2012-09-26 11:15 . 2012-09-26 11:15  --------  d-----w-  c:\program files\ASIO4ALL v2
    2012-09-26 11:15 . 2012-10-09 19:52  --------  d-----w-  c:\program files\VstPlugins
    2012-09-26 11:15 . 2011-10-11 14:45  1431552  ----a-w-  c:\windows\system32\rewire.dll
    2012-09-26 11:15 . 2009-09-15 09:14  1554944  ----a-w-  c:\windows\system32\vorbis.acm
    2012-09-26 11:14 . 2012-09-26 11:14  --------  d-----w-  c:\program files\Outsim
    2012-09-26 11:11 . 2012-09-26 11:15  --------  d-----w-  c:\program files\Image-Line
    2012-09-26 02:01 . 2012-09-26 02:01  679936  ----a-w-  c:\windows\system32\Fliqlo.scr
    2012-09-26 02:01 . 2012-09-26 02:01  --------  d-----w-  c:\programdata\Screentime
    2012-09-26 01:59 . 2012-09-26 01:59  --------  d-----w-  c:\windows\system32\Macromed
    2012-09-25 22:53 . 2012-09-25 22:54  --------  d-----w-  c:\programdata\WinZip
    2012-09-25 22:41 . 2012-09-25 22:43  --------  d-----w-  c:\programdata\AVG
    2012-09-25 22:41 . 2012-09-25 22:41  --------  d-sh--w-  c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
    2012-09-25 22:31 . 2012-09-25 22:31  --------  d-----w-  C:\$AVG
    2012-09-25 22:29 . 2012-10-22 04:34  --------  d-----w-  c:\program files\AVG
    2012-09-25 22:27 . 2012-09-25 22:27  --------  d--h--w-  c:\programdata\Common Files
    2012-09-25 22:21 . 2012-09-25 22:21  --------  d-----w-  c:\program files\FrostWire 5
    2012-09-25 22:10 . 2012-09-25 22:10  --------  d-----w-  c:\program files\RocketDock
    2012-09-25 22:08 . 2012-10-22 04:34  --------  d-----w-  c:\users\UpdatusUser
    2012-09-25 22:07 . 2012-10-02 19:29  645992  ----a-w-  c:\windows\system32\nvvsvc.exe
    2012-09-25 22:07 . 2012-10-02 19:29  62312  ----a-w-  c:\windows\system32\nvshext.dll
    2012-09-25 22:07 . 2012-10-02 19:29  108392  ----a-w-  c:\windows\system32\nvmctray.dll
    2012-09-25 22:07 . 2012-10-02 19:29  2853224  ----a-w-  c:\windows\system32\nvsvc.dll
    2012-09-25 22:07 . 2012-10-02 19:28  3965288  ----a-w-  c:\windows\system32\nvcpl.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-02 22:20 . 2012-02-10 05:43  1009512  ----a-w-  c:\windows\system32\nvdispco32.dll
    2012-10-02 22:20 . 2008-01-21 02:32  15309160  ----a-w-  c:\windows\system32\nvd3dum.dll
    2012-09-25 21:21 . 2012-09-25 21:21  4096  ----a-w-  c:\windows\system32\drivers\en-US\dxgkrnl.sys.mui
    2012-08-24 07:57 . 2012-08-24 07:57  113104  ----a-w-  c:\windows\system32\drivers\scdemu.sys
    2012-08-21 20:01 . 2012-08-21 20:01  106928  ----a-w-  c:\windows\system32\GEARAspi.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "P17RunE"="P17RunE.dll" [2008-03-28 14848]
    "VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2007-03-01 180224]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
    "Wondershare Helper Compact.exe"="c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2012-02-28 1679360]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-09-30 296096]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Wireless Connection Manager.lnk - c:\program files\D-Link\DWA-552 revA\wirelesscm.exe [2012-9-25 517440]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\users\Romeo Jr Chacon\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    "WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "UpdReg"=c:\windows\UpdReg.EXE
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" -osboot
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork  REG_MULTI_SZ  PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation  REG_MULTI_SZ  FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-22 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-12 06:33]
    .
    2012-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2321283058-4084574830-2792957718-1000Core.job
    - c:\users\Romeo Jr Chacon\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-25 21:54]
    .
    2012-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2321283058-4084574830-2792957718-1000UA.job
    - c:\users\Romeo Jr Chacon\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-25 21:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyServer = http=;ftp=;https=;
    TCP: DhcpNameServer = 10.0.1.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-10-22 14:15
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2012-10-22 14:17:23
    ComboFix-quarantined-files.txt 2012-10-22 21:17
    ComboFix2.txt 2012-10-22 04:53
    .
    Pre-Run: 583,559,942,144 bytes free
    Post-Run: 583,537,700,864 bytes free
    .
    - - End Of File - - E3BA1419E0B18091CBFE81BF2E0D17B8
  11. Broni Malware Annihilator Posts: 39,285   +175

    You can reinstall AVG now.

    Please post new aswMBR log.
  12. Romeo J. Chacon TechSpot Member Posts: 27

    Should I run aswMBR now or after installing AVG?
  13. Broni Malware Annihilator Posts: 39,285   +175

    AVG first.
  14. Romeo J. Chacon TechSpot Member Posts: 27

    Can I download a different Antivirus? Maybe Norton. AVG is acting up and I keep getting the Windows Installer could not be accessed error.
  15. Broni Malware Annihilator Posts: 39,285   +175

  16. Romeo J. Chacon TechSpot Member Posts: 27

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-10-21 15:06:43
    -----------------------------
    15:06:43.944 OS Version: Windows 6.0.6002 Service Pack 2
    15:06:43.945 Number of processors: 1 586 0x7F02
    15:06:43.946 ComputerName: STUDIO UserName:
    15:06:45.716 Initialize success
    15:10:57.293 AVAST engine defs: 12102101
    15:11:03.937 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000058
    15:11:03.942 Disk 0 Vendor: WDC_WD75 15.0 Size: 715404MB BusType: 6
    15:11:03.951 Disk 0 MBR read successfully
    15:11:03.956 Disk 0 MBR scan
    15:11:03.962 Disk 0 Windows VISTA default MBR code
    15:11:03.968 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 715402 MB offset 2048
    15:11:04.015 Disk 0 scanning sectors +1465145344
    15:11:04.122 Disk 0 scanning C:\Windows\system32\drivers
    15:11:12.955 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Sirefef-AMS [Rtk]
    15:11:16.518 Disk 0 trace - called modules:
    15:11:16.534 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    15:11:16.539 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84a37a28]
    15:11:16.546 3 CLASSPNP.SYS[875a38b3] -> nt!IofCallDriver -> [0x83b90aa0]
    15:11:16.562 5 acpi.sys[8060f6bc] -> nt!IofCallDriver -> \Device\00000058[0x83b8aa88]
    15:11:18.112 AVAST engine scan C:\Windows
    15:11:21.294 AVAST engine scan C:\Windows\system32
    15:14:57.262 AVAST engine scan C:\Windows\system32\drivers
    15:15:06.426 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Sirefef-AMS [Rtk]
    15:15:10.430 AVAST engine scan C:\Users\Romeo Jr Chacon
    15:28:38.631 Disk 0 MBR has been saved successfully to "C:\Users\Romeo Jr Chacon\Desktop\MBR.dat"
    15:28:38.633 The log file has been saved successfully to "C:\Users\Romeo Jr Chacon\Desktop\aswMBR.txt"


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-10-22 15:08:27
    -----------------------------
    15:08:27.234 OS Version: Windows 6.0.6002 Service Pack 2
    15:08:27.234 Number of processors: 1 586 0x7F02
    15:08:27.250 ComputerName: STUDIO UserName:
    15:08:41.290 Initialize success
    15:08:41.415 AVAST engine defs: 12082100
    15:08:53.629 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000053
    15:08:53.629 Disk 0 Vendor: WDC_WD75 15.0 Size: 715404MB BusType: 6
    15:08:53.645 Disk 0 MBR read successfully
    15:08:53.645 Disk 0 MBR scan
    15:08:53.661 Disk 0 Windows VISTA default MBR code
    15:08:53.661 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 715402 MB offset 2048
    15:08:53.661 Disk 0 scanning sectors +1465145344
    15:08:53.739 Disk 0 scanning C:\Windows\system32\drivers
    15:09:00.774 Service scanning
    15:09:14.611 Modules scanning
    15:09:18.823 Disk 0 trace - called modules:
    15:09:18.839 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    15:09:18.855 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84430740]
    15:09:18.855 3 CLASSPNP.SYS[86fa48b3] -> nt!IofCallDriver -> [0x83597e00]
    15:09:18.870 5 acpi.sys[806116bc] -> nt!IofCallDriver -> \Device\00000053[0x835a29c0]
    15:09:20.508 AVAST engine scan C:\Windows
    15:09:26.218 AVAST engine scan C:\Windows\system32
    15:11:46.821 AVAST engine scan C:\Windows\system32\drivers
    15:12:01.890 AVAST engine scan C:\Users\Romeo Jr Chacon
    15:18:17.261 Disk 0 MBR has been saved successfully to "C:\Users\Romeo Jr Chacon\Desktop\MBR.dat"
    15:18:17.308 The log file has been saved successfully to "C:\Users\Romeo Jr Chacon\Desktop\aswMBR.txt"
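    Two things these two logs support. The 21 October run flagged smb.sys twice (once in the driver-directory pass, once in the engine pass) and reported a default Vista MBR, so this variant lived in the driver file rather than the boot sector; the 22 October run flagged nothing. But the second run reports "AVAST engine defs: 12082100" against "12102101" the day before, i.e. it scanned with older signatures, which weakens it as confirmation. Added example, not part of the thread and not aswMBR's code: a Python summary and diff of two aswMBR logs that lists resolved, persisting and new detections, records the MBR verdict, and warns when the confirming run's definitions are older than the original run's. The log excerpts are trimmed from the two runs posted above (constructed excerpts, not full logs), and the regexes are assumptions about aswMBR's line format.

```python
import re

# Line shapes seen in the posted aswMBR logs (assumed; aswMBR has no documented grammar).
INFECTED_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d{3} File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>.+)$")
MBR_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d{3} Disk (?P<disk>\d+) (?P<verdict>.*MBR code.*)$")
DEFS_RE = re.compile(r"AVAST engine defs: (?P<defs>\d+)")

# Constructed excerpts of the two runs posted in this thread.
RUN_BEFORE = r"""aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-21 15:06:43
-----------------------------
15:10:57.293 AVAST engine defs: 12102101
15:11:03.962 Disk 0 Windows VISTA default MBR code
15:11:12.955 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Sirefef-AMS [Rtk]
15:15:06.426 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Sirefef-AMS [Rtk]
"""

RUN_AFTER = r"""aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-22 15:08:27
-----------------------------
15:08:41.415 AVAST engine defs: 12082100
15:08:53.661 Disk 0 Windows VISTA default MBR code
15:09:00.774 Service scanning
15:09:14.611 Modules scanning
"""


def summarize_run(log: str) -> dict:
    """Pull out run date, definitions version, per-disk MBR verdict and infected files."""
    summary = {"run_date": None, "defs": None, "mbr_default": {}, "infected": {}}
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("Run date:"):
            summary["run_date"] = line.split(":", 1)[1].strip()
            continue
        m = DEFS_RE.search(line)
        if m:
            summary["defs"] = int(m["defs"])      # YYMMDDNN, so numeric order is date order
            continue
        m = INFECTED_RE.match(line)
        if m:
            summary["infected"].setdefault(m["path"].lower(), set()).add(m["name"])
            continue
        m = MBR_RE.match(line)
        if m:
            summary["mbr_default"][int(m["disk"])] = "default MBR code" in m["verdict"]
    return summary


def compare_runs(before_log: str, after_log: str) -> dict:
    """Diff two runs. A 'resolved' entry only means something if the second run used
    definitions at least as new as the first; a clean result from older defs proves little."""
    before, after = summarize_run(before_log), summarize_run(after_log)
    b_paths, a_paths = set(before["infected"]), set(after["infected"])
    defs_regressed = (before["defs"] is not None and after["defs"] is not None
                      and after["defs"] < before["defs"])
    return {
        "resolved": sorted(b_paths - a_paths),
        "persisting": sorted(b_paths & a_paths),
        "new": sorted(a_paths - b_paths),
        "mbr_default_after": all(after["mbr_default"].values()) if after["mbr_default"] else None,
        "defs_regressed": defs_regressed,
        "defs": (before["defs"], after["defs"]),
    }


if __name__ == "__main__":
    result = compare_runs(RUN_BEFORE, RUN_AFTER)
    print(result)
    if result["defs_regressed"]:
        print("warning: confirming run used older definitions; update defs and rescan")
```

    Given that the next post reports the file still detected by a full Avast scan, the defs_regressed warning is exactly the check to apply before calling a box clean on the strength of the second run.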
  17. Broni Malware Annihilator Posts: 39,285   +175

    Looks good :)

    Any current issues?

    ==============================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  18. Romeo J. Chacon TechSpot Member Posts: 27

    Yes, the file is still infected.
    I ran a complete scan using AVAST and it detected the same infection.

    I'll be posting the OTL log here in a bit.
  19. Broni Malware Annihilator Posts: 39,285   +175

    Smb.sys?
  20. Broni Malware Annihilator Posts: 39,285   +175

    Still with me?