TechSpot

[A] Svchost malware

By wilin03
Dec 28, 2011
  1. ComboFix 11-12-28.03 - apriljenee 12/28/2011 14:33:25.1.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3894.2646 [GMT -8:00]
    Running from: c:\users\apriljenee\Desktop\ComboFix.exe
    AV: ESET Smart Security 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
    SP: ESET Smart Security 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\TNod User & Password Finder\TNODUP.exe
    c:\users\apriljenee\AppData\Local\{66D362D8-F0B9-417C-AF24-E39D9D3A311F}
    c:\users\apriljenee\AppData\Local\{66D362D8-F0B9-417C-AF24-E39D9D3A311F}\chrome.manifest
    c:\users\apriljenee\AppData\Local\{66D362D8-F0B9-417C-AF24-E39D9D3A311F}\chrome\content\_cfg.js
    c:\users\apriljenee\AppData\Local\{66D362D8-F0B9-417C-AF24-E39D9D3A311F}\chrome\content\overlay.xul
    c:\users\apriljenee\AppData\Local\{66D362D8-F0B9-417C-AF24-E39D9D3A311F}\install.rdf
    c:\users\apriljenee\AppData\Roaming\2hg0nzps.exe
    c:\users\apriljenee\AppData\Roaming\3v93w6d11.bat
    c:\users\apriljenee\AppData\Roaming\Remote
    c:\users\apriljenee\AppData\Roaming\Remote\mnj.dat
    c:\users\apriljenee\AppData\Roaming\Remote\mxd1.txt
    c:\users\apriljenee\AppData\Roaming\Remote\owlctx
    c:\users\apriljenee\AppData\Roaming\Remote\ppkk.dat
    c:\users\apriljenee\AppData\Roaming\Remote\srjmh47_shrd
    c:\users\apriljenee\AppData\Roaming\Remote\uuoo.dat
    c:\users\apriljenee\AppData\Roaming\udsrbya03.exe
    c:\users\apriljenee\Taskmgr.exe
    c:\windows\system32\Thumbs.db
    c:\windows\SysWow64\0.054410689698314196.exe
    c:\windows\SysWow64\0.1455340944811917.exe
    c:\windows\SysWow64\0.1875753987663049.exe
    c:\windows\SysWow64\0.20843436864912046.exe
    c:\windows\SysWow64\0.2432700155842411.exe
    c:\windows\SysWow64\0.2842985312871139.exe
    c:\windows\SysWow64\0.30815082316653053.exe
    c:\windows\SysWow64\0.4315071251896824.exe
    c:\windows\SysWow64\0.44932328206709415.exe
    c:\windows\SysWow64\0.4614540076226207.exe
    c:\windows\SysWow64\0.4716843091807835.exe
    c:\windows\SysWow64\0.5549772387400985.exe
    c:\windows\SysWow64\0.5687428994847039.exe
    c:\windows\SysWow64\0.5746887872544426.exe
    c:\windows\SysWow64\0.669955017105266.exe
    c:\windows\SysWow64\0.7721035988210655.exe
    c:\windows\SysWow64\0.9253472137483397.exe
    c:\windows\SysWow64\0.9574511809901914.exe
    c:\windows\SysWow64\0.9636297490089208.exe
    c:\windows\SysWow64\0.977886694115052.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-28 22:40 . 2011-12-28 22:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-27 05:55 . 2011-12-28 22:39 -------- d-----w- c:\program files (x86)\TNod User & Password Finder
    2011-12-27 05:53 . 2011-12-27 05:53 -------- d-----w- c:\program files\ESET
    2011-12-27 05:41 . 2011-12-27 05:41 -------- d-----w- c:\program files (x86)\Common Files\Java
    2011-12-27 05:41 . 2011-11-10 13:54 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-12-25 10:44 . 2011-12-25 10:44 -------- d-----w- c:\windows\9013B37099D4404B9DB9779B51CEB5FF.TMP
    2011-12-25 10:44 . 2011-12-25 10:44 -------- d-----w- c:\program files\DIFX
    2011-12-25 10:42 . 2011-12-25 10:44 -------- d-----w- c:\program files (x86)\LeapFrog
    2011-12-25 10:42 . 2011-12-25 10:42 -------- d-----w- c:\programdata\Leapfrog
    2011-12-19 04:24 . 2011-12-19 04:24 1554 ----a-w- c:\programdata\1324268672.bdinstall.bin
    2011-12-19 04:24 . 2011-12-19 04:24 1554 ----a-w- c:\programdata\1324268664.bdinstall.bin
    2011-12-19 04:24 . 2011-12-19 04:24 1554 ----a-w- c:\programdata\1324268651.bdinstall.bin
    2011-12-19 02:07 . 2011-12-19 02:07 -------- d-----w- c:\users\apriljenee\AppData\Roaming\Malwarebytes
    2011-12-19 02:07 . 2011-12-19 02:07 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-19 02:07 . 2011-09-01 01:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-19 02:07 . 2011-12-19 02:07 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-12-14 21:40 . 2011-10-26 05:19 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-14 21:36 . 2011-11-24 05:00 3141632 ----a-w- c:\windows\system32\win32k.sys
    2011-12-14 21:35 . 2011-10-15 06:25 723456 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 21:35 . 2011-10-15 05:48 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-14 21:35 . 2011-11-05 05:17 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-14 21:35 . 2011-11-05 04:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-14 21:22 . 2011-12-14 21:22 -------- d-----w- c:\program files\iPod
    2011-12-14 21:22 . 2011-12-14 21:23 -------- d-----w- c:\program files\iTunes
    2011-12-14 21:22 . 2011-12-14 21:23 -------- d-----w- c:\program files (x86)\iTunes
    2011-12-11 00:42 . 2011-12-11 00:42 -------- d-----w- c:\users\apriljenee\AppData\Roaming\SSK
    2011-12-11 00:40 . 2001-08-23 22:00 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-08 16:49 . 2011-03-05 06:58 270720 ------w- c:\windows\system32\MpSigStub.exe
    2011-11-25 14:55 . 2011-11-25 14:55 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin
    2011-11-21 11:40 . 2011-12-27 16:12 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D54D1685-54B6-499B-9A01-37A09A7C9B0C}\mpengine.dll
    2011-11-04 18:56 . 2011-11-04 18:56 770384 ----a-w- c:\windows\SysWow64\msvcr100.dll
    2011-11-04 18:56 . 2011-11-04 18:56 421200 ----a-w- c:\windows\SysWow64\msvcp100.dll
    2011-10-30 15:43 . 2011-10-30 15:43 1554 ----a-w- c:\programdata\1319989408.bdinstall.bin
    2011-10-30 15:43 . 2011-10-30 15:43 1554 ----a-w- c:\programdata\1319989406.bdinstall.bin
    2011-10-30 15:43 . 2011-10-30 15:43 1554 ----a-w- c:\programdata\1319989401.bdinstall.bin
    2011-10-27 23:14 . 2011-10-27 23:14 1554 ----a-w- c:\programdata\1319757272.bdinstall.bin
    2011-10-27 23:14 . 2011-10-27 23:14 1554 ----a-w- c:\programdata\1319757269.bdinstall.bin
    2011-10-27 23:09 . 2011-10-27 23:09 1554 ----a-w- c:\programdata\1319756996.bdinstall.bin
    2011-10-27 23:08 . 2011-10-27 23:08 1554 ----a-w- c:\programdata\1319756925.bdinstall.bin
    2011-10-24 21:29 . 2011-10-24 21:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2011-10-24 21:29 . 2011-10-24 21:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2011-10-23 03:07 . 2011-10-23 03:07 166453 ----a-w- c:\programdata\1319339141.bdinstall.bin
    2011-10-18 09:43 . 2011-10-18 09:43 203320 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
    2011-10-18 09:43 . 2011-10-18 09:43 95928 ----a-w- c:\windows\system32\drivers\ssudbus.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
    "Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-11-17 113664]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-6-24 9216]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Taskman"=""
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 bdsandbox;bdsandbox;c:\windows\system32\drivers\bdsandbox.sys [x]
    R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
    R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [x]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
    R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [x]
    R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
    R3 Update Server;BitDefender Update Server v2;c:\program files\Common Files\Bitdefender\Bitdefender Arrakis Server\bin\arrakis3.exe [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [2011-01-13 810144]
    S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [x]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-01 366152]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
    S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-02-26 252928]
    S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [x]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-03-18 2320920]
    S3 avchv;avchv Function Driver;c:\windows\system32\DRIVERS\avchv.sys [x]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
    S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [x]
    S3 rtl8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
    S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
    S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-24 835952]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-28 c:\windows\Tasks\AWC AutoSweep.job
    - c:\program files (x86)\IObit\Advanced SystemCare 3\AutoSweep.exe [2011-10-27 21:11]
    .
    2011-10-27 c:\windows\Tasks\AWC Startup.job
    - c:\program files (x86)\IObit\Advanced SystemCare 3\AWC.exe [2011-10-27 20:24]
    .
    2011-12-28 c:\windows\Tasks\AWC Update.job
    - c:\program files (x86)\IObit\Advanced SystemCare 3\IObitUpdate.exe [2011-10-27 20:38]
    .
    2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3574345781-4107334157-2243546197-1000Core.job
    - c:\users\apriljenee\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-30 18:34]
    .
    2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3574345781-4107334157-2243546197-1000UA.job
    - c:\users\apriljenee\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-30 18:34]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
    "TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-30 499608]
    "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-13 2918656]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://start.toshiba.com/g/
    mStart Page = about:blank
    uInternet Settings,ProxyOverride = <local>
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-(Default) - (no file)
    HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
    HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
    HKLM-Run-TNOD UP - c:\program files (x86)\TNod User & Password Finder\TNODUP.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-28 14:47:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-28 22:47
    .
    Pre-Run: 213,580,922,880 bytes free
    Post-Run: 217,567,592,448 bytes free
    .
    - - End Of File - - C59CE2612F8552B30B900C125410B41F
     
  2. wilin03

    wilin03 TS Rookie Topic Starter

    Part 2: ESET

    Scan Log
    Version of virus signature database: 6750 (20111228)
    Date: 12/28/2011 Time: 11:25:30 AM
    Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\
    Operating memory - Win32/Olmarik.TDL4 trojan - unable to clean
    Operating memory » svchost.exe(3484) - a variant of Win32/Olmarik.AWO trojan - unable to clean
    Operating memory » \\.\globalroot\systemroot\svchost.exe - error opening [4]
    C:\hiberfil.sys - error opening [4]
    C:\pagefile.sys - error opening [4]
    C:\ProgramData\Microsoft\Application Virtualization Client\SoftGrid Client\sftfs.fsd - error opening [4]
    C:\ProgramData\Microsoft\Application Virtualization Client\SoftGrid Client\sftfs.fsG - error opening [4]
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log - error opening [4]
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb - error opening [4]
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb - error opening [4]
    C:\ProgramData\Microsoft\Windows Defender\IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock - error opening [4]
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\MpSfc.bin - error opening [4]
    C:\System Volume Information\Syscache.hve - error opening [4]
    C:\System Volume Information\Syscache.hve.LOG1 - error opening [4]
    C:\System Volume Information\Syscache.hve.LOG2 - error opening [4]
    C:\System Volume Information\{262d6e0b-269a-11e1-a17b-ddc7474b01a9}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{39080622-26c7-11e1-a96f-f973e4e7578c}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{6005035b-309f-11e1-8ed2-ae1317dc4787}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{81780e79-2802-11e1-a7ad-8578d4adde87}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{93b63dc8-304b-11e1-8ec2-85fbe0e14788}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{9799f087-304e-11e1-88b8-b7f9d198079e}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{d0ff8cf4-228c-11e1-920e-c5ffe1c02f8b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{d1b41af9-2d84-11e1-9bb0-bba07c210788}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{d636c478-2b35-11e1-91bb-f43c5b07508a}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\Users\All Users\Microsoft\Application Virtualization Client\SoftGrid Client\sftfs.fsd - error opening [4]
    C:\Users\All Users\Microsoft\Application Virtualization Client\SoftGrid Client\sftfs.fsG - error opening [4]
    C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log - error opening [4]
    C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb - error opening [4]
    C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb - error opening [4]
    C:\Users\All Users\Microsoft\Windows Defender\IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock - error opening [4]
    C:\Users\All Users\Microsoft\Windows Defender\Scans\History\CacheManager\MpSfc.bin - error opening [4]
    C:\Users\apriljenee\ntuser.dat - error opening [4]
    C:\Users\apriljenee\ntuser.dat.LOG1 - error opening [4]
    C:\Users\apriljenee\ntuser.dat.LOG2 - error opening [4]
    C:\Users\apriljenee\AppData\Local\Google\Chrome\User Data\Default\Current Session - error opening [4]
    C:\Users\apriljenee\AppData\Local\Google\Chrome\User Data\Default\Current Tabs - error opening [4]
    C:\Users\apriljenee\AppData\Local\Microsoft\Windows\UsrClass.dat - error opening [4]
    C:\Users\apriljenee\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 - error opening [4]
    C:\Users\apriljenee\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 - error opening [4]
    C:\Users\apriljenee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2EFW7BCX\dnserrordiagoff_webOC[2] - error opening [4]
    C:\Users\apriljenee\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2EFW7BCX\ErrorPageTemplate[1] - error opening [4]
    C:\Users\apriljenee\AppData\Local\Temp\flaF2EE.tmp - error opening [4]
    C:\Users\apriljenee\Creative Suite 5.5 Design Premium\Adobe CS5_5\payloads\AdobeFlashCatalyst-mul\Assets1_1.zip » ZIP » _657_c9dc20f1a14b0bfc724206d6ef3df077 » ZIP » org/eclipse/jdt/internal/compiler/parser/part1.rsc » SMARTINSTALLMAKER;VER=2 - error - unknown compression method
    C:\Users\apriljenee\Creative Suite 5.5 Design Premium\Adobe CS5_5\payloads\AdobeFlashCatalyst-mul\Assets1_1.zip » ZIP » _657_c9dc20f1a14b0bfc724206d6ef3df077 » ZIP » org/eclipse/jdt/internal/compiler/parser/start1.rsc » SMARTINSTALLMAKER;VER=2 - error - unknown compression method
    C:\Users\apriljenee\Downloads\chromeinstall.exe » CAB » jusched - archive damaged - the file could not be extracted.
    C:\Users\apriljenee\Downloads\chromeinstall.exe » CAB » task.xml - archive damaged - the file could not be extracted.
    C:\Users\apriljenee\Downloads\chromeinstall.exe » CAB » task64.xml - archive damaged - the file could not be extracted.
    C:\Windows\ServiceProfiles\LocalService\ntuser.dat - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1 - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2 - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\33fe306360f9f3dce978d33ac7ac1e702d62e4e8.HomeGroupClassifier\b73177e64611999879dad8eb1f9f34cc\grouping\db.mdb - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\33fe306360f9f3dce978d33ac7ac1e702d62e4e8.HomeGroupClassifier\b73177e64611999879dad8eb1f9f34cc\grouping\edb.log - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\33fe306360f9f3dce978d33ac7ac1e702d62e4e8.HomeGroupClassifier\b73177e64611999879dad8eb1f9f34cc\grouping\tmp.edb - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\ntuser.dat - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1 - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2 - error opening [4]
    C:\Windows\SoftwareDistribution\Download\488053cdbca3231eeb2c2af7236d09ed\microsoft-windows-help-coreclientuapee-package~31bf3856ad364e35~amd64~uk-ua~6.1.7601.17514.mum - error opening [4]
    C:\Windows\SoftwareDistribution\Download\488053cdbca3231eeb2c2af7236d09ed\microsoft-windows-help-coreclientuapse-package~31bf3856ad364e35~amd64~ro-ro~6.1.7601.17514.mum - error opening [4]
    C:\Windows\System32\log.txt - error opening [4]
    C:\Windows\System32\catroot2\edb.log - error opening [4]
    C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb - error opening [4]
    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb - error opening [4]
    C:\Windows\SysWOW64\log.txt - error opening [4]
    C:\Windows\winsxs\amd64_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_db2b15bfcf64f104\wextract.exe » SWEXTRACT » - bad archive
    Number of scanned objects: 776072
    Number of threats found: 2
    Number of cleaned objects: 0
    Time of completion: 1:10:06 PM Total scanning time: 6276 sec (01:44:36)

    Notes:
    [4] Object cannot be opened. It may be in use by another application or operating system.
     
  3. wilin03

    wilin03 TS Rookie Topic Starter

    Part 3: Malwarebytes

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122801

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    12/28/2011 2:19:02 PM
    mbam-log-2011-12-28 (14-19-02).txt

    Scan type: Quick scan
    Objects scanned: 180119
    Time elapsed: 3 minute(s), 32 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
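The three logs above agree on one thing: a file named svchost.exe that does not live in System32 (Malwarebytes found it at c:\Windows\svchost.exe; ESET could only see it through the \\.\globalroot\systemroot\ device path and flagged Olmarik/TDL4 in memory), alongside the random-float-named .exe droppers in SysWow64, the short random names in AppData\Roaming, and a GUID-named folder under AppData\Local. As an added example that is not part of the original thread and is not logic from ComboFix, ESET or Malwarebytes, the Python below turns those observations into log-triage rules and runs them over lines copied from the posted logs plus one constructed benign control line. The rule names, thresholds and the path regex are my own heuristics. Note the caveat the ESET result illustrates: once a kernel-mode rootkit such as TDL4 is resident, file and process listings taken from the live OS cannot be trusted, so this kind of check is for reviewing logs after the fact, not a substitute for the helper's own tool sequence.

```python
"""Triage rules lifted from the ComboFix / ESET / Malwarebytes logs (heuristics, not from any tool).

  system-binary-outside-system32  svchost.exe, Taskmgr.exe etc. outside System32 / SysWOW64
  device-path                     a \\\\.\\globalroot\\... path, the form in which ESET reported
                                  the hidden svchost.exe
  float-named-exe                 0.<many digits>.exe droppers such as those deleted from SysWow64
  random-name-in-roaming          short alphanumeric .exe/.bat directly in AppData\\Roaming
  guid-dir-in-appdata-local       a {GUID} folder directly under AppData\\Local
"""
import re
from pathlib import PureWindowsPath

# Where a genuine copy of these binaries lives on Windows 7 x64 (compared lower-case).
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARIES = {"svchost.exe", "taskmgr.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}

FLOAT_NAME_RE = re.compile(r"^0\.\d{10,}\.exe$")
# Heuristic: 7-10 alphanumeric chars, .exe/.bat, sitting directly in Roaming (no subfolder).
RAND_ROAMING_RE = re.compile(r"\\appdata\\roaming\\[0-9a-z]{7,10}\.(?:exe|bat)$")
GUID_DIR_RE = re.compile(
    r"\\appdata\\local\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}(?:\\|$)")

# A drive-letter or \\.\globalroot path; it ends before " - <message>" (ESET layout),
# before " (<Detection>) ->" (Malwarebytes layout) or at end of line (ComboFix layout).
PATH_RE = re.compile(
    r"(?i)((?:\\\\\.\\globalroot|[a-z]:)\\.*?)(?=\s+-\s|\s+\([A-Za-z.]+\)\s*->|\s*$)")

# Constructed sample: lines copied from the posted logs, plus one benign control at the end.
SAMPLE_LINES = [
    r"c:\users\apriljenee\AppData\Local\{66D362D8-F0B9-417C-AF24-E39D9D3A311F}\chrome.manifest",
    r"c:\users\apriljenee\AppData\Roaming\2hg0nzps.exe",
    r"c:\users\apriljenee\AppData\Roaming\3v93w6d11.bat",
    r"c:\users\apriljenee\Taskmgr.exe",
    r"c:\windows\SysWow64\0.054410689698314196.exe",
    r"2011-12-27 05:41 . 2011-11-10 13:54 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll",
    r"Operating memory » \\.\globalroot\systemroot\svchost.exe - error opening [4]",
    r"c:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.",
    r"c:\windows\system32\svchost.exe",  # constructed benign control: the real location
]


def extract_path(line: str):
    """Return the Windows path embedded in a log line, or None if there is none."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def triage(line: str) -> list:
    """Return the names of every rule that fires on one log line (empty list if benign)."""
    path = extract_path(line)
    if path is None:
        return []
    low = path.lower()
    p = PureWindowsPath(low)
    hits = []
    if "\\globalroot\\" in low:
        hits.append("device-path")
    if p.name in SYSTEM_BINARIES and str(p.parent) not in LEGIT_SYSTEM_DIRS:
        hits.append("system-binary-outside-system32")
    if FLOAT_NAME_RE.match(p.name):
        hits.append("float-named-exe")
    if RAND_ROAMING_RE.search(low):
        hits.append("random-name-in-roaming")
    if GUID_DIR_RE.search(low):
        hits.append("guid-dir-in-appdata-local")
    return hits


def triage_log(lines) -> dict:
    """Map each suspicious path to the rules it tripped; benign lines are omitted."""
    report = {}
    for line in lines:
        hits = triage(line)
        if hits:
            report[extract_path(line)] = hits
    return report


if __name__ == "__main__":
    for path, hits in triage_log(SAMPLE_LINES).items():
        print(f"{', '.join(hits):45} {path}")
```

The two svchost lines are the important ones: the Malwarebytes entry trips only the location rule, while the ESET entry trips both the location rule and the device-path rule, which is what you would expect from a component the rootkit is hiding from normal file enumeration. The benign control and the deployJava1.dll line produce no hits.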
     
  4. wilin03

    wilin03 TS Rookie Topic Starter

    Help greatly appreciated
     
  5. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    1. NEVER run Combofix on your own.
    2. Read forum rules:
    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
Topic Status:
Not open for further replies.
