Inactive [A] Svchost malware

Status
Not open for further replies.
ComboFix 11-12-28.03 - apriljenee 12/28/2011 14:33:25.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3894.2646 [GMT -8:00]
Running from: c:\users\apriljenee\Desktop\ComboFix.exe
AV: ESET Smart Security 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\TNod User & Password Finder\TNODUP.exe
c:\users\apriljenee\AppData\Local\{66D362D8-F0B9-417C-AF24-E39D9D3A311F}
c:\users\apriljenee\AppData\Local\{66D362D8-F0B9-417C-AF24-E39D9D3A311F}\chrome.manifest
c:\users\apriljenee\AppData\Local\{66D362D8-F0B9-417C-AF24-E39D9D3A311F}\chrome\content\_cfg.js
c:\users\apriljenee\AppData\Local\{66D362D8-F0B9-417C-AF24-E39D9D3A311F}\chrome\content\overlay.xul
c:\users\apriljenee\AppData\Local\{66D362D8-F0B9-417C-AF24-E39D9D3A311F}\install.rdf
c:\users\apriljenee\AppData\Roaming\2hg0nzps.exe
c:\users\apriljenee\AppData\Roaming\3v93w6d11.bat
c:\users\apriljenee\AppData\Roaming\Remote
c:\users\apriljenee\AppData\Roaming\Remote\mnj.dat
c:\users\apriljenee\AppData\Roaming\Remote\mxd1.txt
c:\users\apriljenee\AppData\Roaming\Remote\owlctx
c:\users\apriljenee\AppData\Roaming\Remote\ppkk.dat
c:\users\apriljenee\AppData\Roaming\Remote\srjmh47_shrd
c:\users\apriljenee\AppData\Roaming\Remote\uuoo.dat
c:\users\apriljenee\AppData\Roaming\udsrbya03.exe
c:\users\apriljenee\Taskmgr.exe
c:\windows\system32\Thumbs.db
c:\windows\SysWow64\0.054410689698314196.exe
c:\windows\SysWow64\0.1455340944811917.exe
c:\windows\SysWow64\0.1875753987663049.exe
c:\windows\SysWow64\0.20843436864912046.exe
c:\windows\SysWow64\0.2432700155842411.exe
c:\windows\SysWow64\0.2842985312871139.exe
c:\windows\SysWow64\0.30815082316653053.exe
c:\windows\SysWow64\0.4315071251896824.exe
c:\windows\SysWow64\0.44932328206709415.exe
c:\windows\SysWow64\0.4614540076226207.exe
c:\windows\SysWow64\0.4716843091807835.exe
c:\windows\SysWow64\0.5549772387400985.exe
c:\windows\SysWow64\0.5687428994847039.exe
c:\windows\SysWow64\0.5746887872544426.exe
c:\windows\SysWow64\0.669955017105266.exe
c:\windows\SysWow64\0.7721035988210655.exe
c:\windows\SysWow64\0.9253472137483397.exe
c:\windows\SysWow64\0.9574511809901914.exe
c:\windows\SysWow64\0.9636297490089208.exe
c:\windows\SysWow64\0.977886694115052.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-28 22:40 . 2011-12-28 22:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-27 05:55 . 2011-12-28 22:39 -------- d-----w- c:\program files (x86)\TNod User & Password Finder
2011-12-27 05:53 . 2011-12-27 05:53 -------- d-----w- c:\program files\ESET
2011-12-27 05:41 . 2011-12-27 05:41 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-12-27 05:41 . 2011-11-10 13:54 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-12-25 10:44 . 2011-12-25 10:44 -------- d-----w- c:\windows\9013B37099D4404B9DB9779B51CEB5FF.TMP
2011-12-25 10:44 . 2011-12-25 10:44 -------- d-----w- c:\program files\DIFX
2011-12-25 10:42 . 2011-12-25 10:44 -------- d-----w- c:\program files (x86)\LeapFrog
2011-12-25 10:42 . 2011-12-25 10:42 -------- d-----w- c:\programdata\Leapfrog
2011-12-19 04:24 . 2011-12-19 04:24 1554 ----a-w- c:\programdata\1324268672.bdinstall.bin
2011-12-19 04:24 . 2011-12-19 04:24 1554 ----a-w- c:\programdata\1324268664.bdinstall.bin
2011-12-19 04:24 . 2011-12-19 04:24 1554 ----a-w- c:\programdata\1324268651.bdinstall.bin
2011-12-19 02:07 . 2011-12-19 02:07 -------- d-----w- c:\users\apriljenee\AppData\Roaming\Malwarebytes
2011-12-19 02:07 . 2011-12-19 02:07 -------- d-----w- c:\programdata\Malwarebytes
2011-12-19 02:07 . 2011-09-01 01:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-19 02:07 . 2011-12-19 02:07 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-14 21:40 . 2011-10-26 05:19 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 21:36 . 2011-11-24 05:00 3141632 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 21:35 . 2011-10-15 06:25 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 21:35 . 2011-10-15 05:48 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-14 21:35 . 2011-11-05 05:17 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 21:35 . 2011-11-05 04:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-14 21:22 . 2011-12-14 21:22 -------- d-----w- c:\program files\iPod
2011-12-14 21:22 . 2011-12-14 21:23 -------- d-----w- c:\program files\iTunes
2011-12-14 21:22 . 2011-12-14 21:23 -------- d-----w- c:\program files (x86)\iTunes
2011-12-11 00:42 . 2011-12-11 00:42 -------- d-----w- c:\users\apriljenee\AppData\Roaming\SSK
2011-12-11 00:40 . 2001-08-23 22:00 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-08 16:49 . 2011-03-05 06:58 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-11-25 14:55 . 2011-11-25 14:55 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin
2011-11-21 11:40 . 2011-12-27 16:12 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D54D1685-54B6-499B-9A01-37A09A7C9B0C}\mpengine.dll
2011-11-04 18:56 . 2011-11-04 18:56 770384 ----a-w- c:\windows\SysWow64\msvcr100.dll
2011-11-04 18:56 . 2011-11-04 18:56 421200 ----a-w- c:\windows\SysWow64\msvcp100.dll
2011-10-30 15:43 . 2011-10-30 15:43 1554 ----a-w- c:\programdata\1319989408.bdinstall.bin
2011-10-30 15:43 . 2011-10-30 15:43 1554 ----a-w- c:\programdata\1319989406.bdinstall.bin
2011-10-30 15:43 . 2011-10-30 15:43 1554 ----a-w- c:\programdata\1319989401.bdinstall.bin
2011-10-27 23:14 . 2011-10-27 23:14 1554 ----a-w- c:\programdata\1319757272.bdinstall.bin
2011-10-27 23:14 . 2011-10-27 23:14 1554 ----a-w- c:\programdata\1319757269.bdinstall.bin
2011-10-27 23:09 . 2011-10-27 23:09 1554 ----a-w- c:\programdata\1319756996.bdinstall.bin
2011-10-27 23:08 . 2011-10-27 23:08 1554 ----a-w- c:\programdata\1319756925.bdinstall.bin
2011-10-24 21:29 . 2011-10-24 21:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2011-10-24 21:29 . 2011-10-24 21:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2011-10-23 03:07 . 2011-10-23 03:07 166453 ----a-w- c:\programdata\1319339141.bdinstall.bin
2011-10-18 09:43 . 2011-10-18 09:43 203320 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
2011-10-18 09:43 . 2011-10-18 09:43 95928 ----a-w- c:\windows\system32\drivers\ssudbus.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-11-17 113664]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-6-24 9216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 bdsandbox;bdsandbox;c:\windows\system32\drivers\bdsandbox.sys [x]
R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
R3 Update Server;BitDefender Update Server v2;c:\program files\Common Files\Bitdefender\Bitdefender Arrakis Server\bin\arrakis3.exe [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [2011-01-13 810144]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-01 366152]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-02-26 252928]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [x]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-03-18 2320920]
S3 avchv;avchv Function Driver;c:\windows\system32\DRIVERS\avchv.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [x]
S3 rtl8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-24 835952]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files (x86)\IObit\Advanced SystemCare 3\AutoSweep.exe [2011-10-27 21:11]
.
2011-10-27 c:\windows\Tasks\AWC Startup.job
- c:\program files (x86)\IObit\Advanced SystemCare 3\AWC.exe [2011-10-27 20:24]
.
2011-12-28 c:\windows\Tasks\AWC Update.job
- c:\program files (x86)\IObit\Advanced SystemCare 3\IObitUpdate.exe [2011-10-27 20:38]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3574345781-4107334157-2243546197-1000Core.job
- c:\users\apriljenee\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-30 18:34]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3574345781-4107334157-2243546197-1000UA.job
- c:\users\apriljenee\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-30 18:34]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-13 2918656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://start.toshiba.com/g/
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-(Default) - (no file)
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
HKLM-Run-TNOD UP - c:\program files (x86)\TNod User & Password Finder\TNODUP.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2011-12-28 14:47:34 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-28 22:47
.
Pre-Run: 213,580,922,880 bytes free
Post-Run: 217,567,592,448 bytes free
.
- - End Of File - - C59CE2612F8552B30B900C125410B41F
 
Part 2: ESET

Scan Log
Version of virus signature database: 6750 (20111228)
Date: 12/28/2011 Time: 11:25:30 AM
Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\
Operating memory - Win32/Olmarik.TDL4 trojan - unable to clean
Operating memory » svchost.exe(3484) - a variant of Win32/Olmarik.AWO trojan - unable to clean
Operating memory » \\.\globalroot\systemroot\svchost.exe - error opening [4]
C:\hiberfil.sys - error opening [4]
C:\pagefile.sys - error opening [4]
C:\ProgramData\Microsoft\Application Virtualization Client\SoftGrid Client\sftfs.fsd - error opening [4]
C:\ProgramData\Microsoft\Application Virtualization Client\SoftGrid Client\sftfs.fsG - error opening [4]
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log - error opening [4]
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb - error opening [4]
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb - error opening [4]
C:\ProgramData\Microsoft\Windows Defender\IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock - error opening [4]
C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\MpSfc.bin - error opening [4]
C:\System Volume Information\Syscache.hve - error opening [4]
C:\System Volume Information\Syscache.hve.LOG1 - error opening [4]
C:\System Volume Information\Syscache.hve.LOG2 - error opening [4]
C:\System Volume Information\{262d6e0b-269a-11e1-a17b-ddc7474b01a9}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
C:\System Volume Information\{39080622-26c7-11e1-a96f-f973e4e7578c}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
C:\System Volume Information\{6005035b-309f-11e1-8ed2-ae1317dc4787}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
C:\System Volume Information\{81780e79-2802-11e1-a7ad-8578d4adde87}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
C:\System Volume Information\{93b63dc8-304b-11e1-8ec2-85fbe0e14788}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
C:\System Volume Information\{9799f087-304e-11e1-88b8-b7f9d198079e}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
C:\System Volume Information\{d0ff8cf4-228c-11e1-920e-c5ffe1c02f8b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
C:\System Volume Information\{d1b41af9-2d84-11e1-9bb0-bba07c210788}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
C:\System Volume Information\{d636c478-2b35-11e1-91bb-f43c5b07508a}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
C:\Users\All Users\Microsoft\Application Virtualization Client\SoftGrid Client\sftfs.fsd - error opening [4]
C:\Users\All Users\Microsoft\Application Virtualization Client\SoftGrid Client\sftfs.fsG - error opening [4]
C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log - error opening [4]
C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb - error opening [4]
C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb - error opening [4]
C:\Users\All Users\Microsoft\Windows Defender\IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock - error opening [4]
C:\Users\All Users\Microsoft\Windows Defender\Scans\History\CacheManager\MpSfc.bin - error opening [4]
C:\Users\apriljenee\ntuser.dat - error opening [4]
C:\Users\apriljenee\ntuser.dat.LOG1 - error opening [4]
C:\Users\apriljenee\ntuser.dat.LOG2 - error opening [4]
C:\Users\apriljenee\AppData\Local\Google\Chrome\User Data\Default\Current Session - error opening [4]
C:\Users\apriljenee\AppData\Local\Google\Chrome\User Data\Default\Current Tabs - error opening [4]
C:\Users\apriljenee\AppData\Local\Microsoft\Windows\UsrClass.dat - error opening [4]
C:\Users\apriljenee\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 - error opening [4]
C:\Users\apriljenee\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 - error opening [4]
C:\Users\apriljenee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2EFW7BCX\dnserrordiagoff_webOC[2] - error opening [4]
C:\Users\apriljenee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2EFW7BCX\ErrorPageTemplate[1] - error opening [4]
C:\Users\apriljenee\AppData\Local\Temp\flaF2EE.tmp - error opening [4]
C:\Users\apriljenee\Creative Suite 5.5 Design Premium\Adobe CS5_5\payloads\AdobeFlashCatalyst-mul\Assets1_1.zip » ZIP » _657_c9dc20f1a14b0bfc724206d6ef3df077 » ZIP » org/eclipse/jdt/internal/compiler/parser/part1.rsc » SMARTINSTALLMAKER;VER=2 - error - unknown compression method
C:\Users\apriljenee\Creative Suite 5.5 Design Premium\Adobe CS5_5\payloads\AdobeFlashCatalyst-mul\Assets1_1.zip » ZIP » _657_c9dc20f1a14b0bfc724206d6ef3df077 » ZIP » org/eclipse/jdt/internal/compiler/parser/start1.rsc » SMARTINSTALLMAKER;VER=2 - error - unknown compression method
C:\Users\apriljenee\Downloads\chromeinstall.exe » CAB » jusched - archive damaged - the file could not be extracted.
C:\Users\apriljenee\Downloads\chromeinstall.exe » CAB » task.xml - archive damaged - the file could not be extracted.
C:\Users\apriljenee\Downloads\chromeinstall.exe » CAB » task64.xml - archive damaged - the file could not be extracted.
C:\Windows\ServiceProfiles\LocalService\ntuser.dat - error opening [4]
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1 - error opening [4]
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2 - error opening [4]
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat - error opening [4]
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat - error opening [4]
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\33fe306360f9f3dce978d33ac7ac1e702d62e4e8.HomeGroupClassifier\b73177e64611999879dad8eb1f9f34cc\grouping\db.mdb - error opening [4]
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\33fe306360f9f3dce978d33ac7ac1e702d62e4e8.HomeGroupClassifier\b73177e64611999879dad8eb1f9f34cc\grouping\edb.log - error opening [4]
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\33fe306360f9f3dce978d33ac7ac1e702d62e4e8.HomeGroupClassifier\b73177e64611999879dad8eb1f9f34cc\grouping\tmp.edb - error opening [4]
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat - error opening [4]
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1 - error opening [4]
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2 - error opening [4]
C:\Windows\SoftwareDistribution\Download\488053cdbca3231eeb2c2af7236d09ed\microsoft-windows-help-coreclientuapee-package~31bf3856ad364e35~amd64~uk-ua~6.1.7601.17514.mum - error opening [4]
C:\Windows\SoftwareDistribution\Download\488053cdbca3231eeb2c2af7236d09ed\microsoft-windows-help-coreclientuapse-package~31bf3856ad364e35~amd64~ro-ro~6.1.7601.17514.mum - error opening [4]
C:\Windows\System32\log.txt - error opening [4]
C:\Windows\System32\catroot2\edb.log - error opening [4]
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb - error opening [4]
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb - error opening [4]
C:\Windows\SysWOW64\log.txt - error opening [4]
C:\Windows\winsxs\amd64_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_db2b15bfcf64f104\wextract.exe » SWEXTRACT » - bad archive
Number of scanned objects: 776072
Number of threats found: 2
Number of cleaned objects: 0
Time of completion: 1:10:06 PM Total scanning time: 6276 sec (01:44:36)

Notes:
[4] Object cannot be opened. It may be in use by another application or operating system.
 
Part 3: Malwarebytes

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122801

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/28/2011 2:19:02 PM
mbam-log-2011-12-28 (14-19-02).txt

Scan type: Quick scan
Objects scanned: 180119
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
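The three logs above line up on one finding: a file called svchost.exe living in c:\Windows instead of c:\Windows\System32 (MBAM names it directly; ESET sees the same image mapped in memory under the kernel alias \\.\globalroot\systemroot\svchost.exe), plus a set of dropper-style names in SysWOW64 (0.054410689698314196.exe and friends), random .exe/.bat files straight under AppData\Roaming, and a memory-resident Olmarik.TDL4 detection ESET could not clean. The script below is an added example, not part of the original post and not code from ComboFix, ESET or Malwarebytes: it parses mixed lines from all three tools into file paths and applies those checks. The rule names, the name-length thresholds, the mapping of the globalroot alias to c:\windows, and the sample lines (constructed from paths shown in the thread) are assumptions made for this example.

```python
"""
Triage helper for mixed ComboFix / ESET / Malwarebytes log lines.

Added example, not part of the original post and not code from any of the
scanners. Flags three on-disk patterns seen in the thread plus uncleaned
memory-resident detections. Rule names, thresholds and sample lines are
assumptions made for this example.
"""
import re

# Paths appear as a drive path or, in ESET memory-scan lines, as the kernel
# device alias \\.\globalroot\systemroot\...  (assumption: alias == c:\windows).
PATH_RE = re.compile(r"(?:[a-zA-Z]:\\|\\\\\.\\globalroot\\)[^\r\n]*")
GLOBALROOT_RE = re.compile(r"^\\\\\.\\globalroot\\systemroot", re.IGNORECASE)

# Text each tool appends after a path; cut it off so only the path remains.
TRAILERS = (
    re.compile(r"\s+\([A-Za-z]+\.[A-Za-z.]+\)\s*->.*$"),  # MBAM: " (Trojan.Agent) -> Quarantined ..."
    re.compile(r"\s+-\s.*$"),                              # ESET: " - error opening [4]"
    re.compile(r"\s+»\s.*$"),                              # ESET: archive member separator
    re.compile(r"\s+\[[^\]]*\]\s*$"),                      # ComboFix: " [2011-09-01 449608]" / " [x]"
)

# Core Windows binaries that legitimately live only in these two directories.
CORE_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "taskmgr.exe"}
CORE_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
RANDOM_FLOAT_NAME = re.compile(r"^0\.\d{8,}\.exe$")                       # 0.054410689698314196.exe
RANDOM_ALNUM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,12}\.(?:exe|bat)$")  # 2hg0nzps.exe


def extract_path(line):
    """Return the file path referenced by a log line, or None if it has none."""
    m = PATH_RE.search(line)
    if not m:
        return None
    path = m.group(0)
    for trailer in TRAILERS:
        path = trailer.sub("", path)
    path = path.rstrip('" ')                     # closing quote of ComboFix Run entries
    return GLOBALROOT_RE.sub(lambda _: r"c:\windows", path)


def classify_path(path):
    """Return the rule names a path triggers (empty list for benign-looking paths)."""
    parent, _, name = path.lower().rpartition("\\")
    hits = []
    if name in CORE_BINARIES and parent not in CORE_DIRS:
        hits.append("core-binary-outside-system32")
    if parent in CORE_DIRS and RANDOM_FLOAT_NAME.match(name):
        hits.append("random-float-name-in-system-dir")
    if parent.endswith(r"\appdata\roaming") and RANDOM_ALNUM_NAME.match(name):
        hits.append("random-name-in-roaming")
    return hits


def triage(log_text):
    """Scan raw log text; return de-duplicated (rule, subject) pairs in log order."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        line = line.strip()
        subjects = []
        # ESET memory-scan hit that could not be cleaned: the component is
        # already running and likely loads before the AV driver.
        if line.startswith("Operating memory") and "unable to clean" in line:
            subjects.append(("memory-resident-detection-not-cleaned", line))
        path = extract_path(line)
        if path:
            subjects.extend((rule, path) for rule in classify_path(path))
        for rule, subject in subjects:
            key = (rule, subject.lower())        # same file reported by two tools counts once
            if key not in seen:
                seen.add(key)
                findings.append((rule, subject))
    return findings


# Constructed sample: one line of each shape, using paths shown in the thread.
SAMPLE_LOG = r"""
c:\users\apriljenee\AppData\Roaming\2hg0nzps.exe
c:\users\apriljenee\AppData\Roaming\3v93w6d11.bat
c:\users\apriljenee\AppData\Roaming\udsrbya03.exe
c:\users\apriljenee\Taskmgr.exe
c:\windows\SysWow64\0.054410689698314196.exe
c:\windows\SysWow64\0.977886694115052.exe
2011-12-19 02:07 . 2011-09-01 01:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
Operating memory - Win32/Olmarik.TDL4 trojan - unable to clean
Operating memory » svchost.exe(3484) - a variant of Win32/Olmarik.AWO trojan - unable to clean
Operating memory » \\.\globalroot\systemroot\svchost.exe - error opening [4]
C:\hiberfil.sys - error opening [4]
c:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for rule, subject in triage(SAMPLE_LOG):
        print(f"{rule:40} {subject}")
```

Run it on the sample and the two svchost.exe sightings collapse into one finding for c:\windows\svchost.exe, alongside Taskmgr.exe in the user profile, the two SysWOW64 droppers and the three Roaming files; feed it whole log files in practice. The two "unable to clean" memory hits are the ones to weigh most: a detection in a running process that the scanner cannot clean, as with the Olmarik.TDL4 hit here, points at a component loaded before the AV driver (TDL4 is an MBR bootkit), so deleting the dropped files and Run entries alone does not resolve it.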
 
Welcome aboard

1. NEVER run Combofix on your own.
2. Read the forum rules:
Please complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 