FakeSysDef virus probleem

Jan2222 · 10 mei 2012

Hi,

Ik vrees dat het niet veel opgelost heeft.

De AMService bestond niet, dus ook geen gestopt/gedeleted.

Hijack gedraaid, met fix en clean, CCclearner gedraaid, daarna ook nog Unhide, en ge-reboot. En tenslotte weer de Hijack, zie log hieronder.

Echter bijv. de B6232F3AFAD.exe zit er nog steeds in (lijkt onuitroeibaar).

En mijn files via Start menu, bijv LInkSys, bijv Panda zijn weg (empty). Maar als eerder gezegd ook via Windows Explorer zijn ook niet te vinden (ook niet na diverse Unhide's). Zouden ze echt geheel gedeleted kunnen zijn ?

Bij het aanloggen van jullie site kreeg ik nu een MBAM foutmedling:

... malacious process attempting to start ... C:\USERS\TALSBAK\APPDATA\LOCAL\TEMP\0.9530072868350183.EXE EXPLOIT.DROP.4

Ik heb maar Quarantine gedaan.

Dank voor de hulp !

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 22:32:58, on 10-May-12

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v8.00 (8.00.7601.17514)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe

C:\Windows\SysWOW64\svchost.exe

c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe

C:\Windows\SysWOW64\java.exe

C:\Program Files (x86)\Common Files\PCTV Systems\RemoTerm\remoterm.exe

C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe

C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files (x86)\hp\Digital Imaging\bin\HpqSRmon.exe

C:\Program Files (x86)\Roxio\CinePlayer\5.0\CPMonitor.exe

C:\0 PROGRAMS\Apple iTunes\iTunesHelper.exe

C:\0 PROGRAMS\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\SysWOW64\ping.exe

C:\0 PROGRAMS\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\SysWOW64\ping.exe

C:\Users\Talsbak\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Bing

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sign In

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F2 - REG:system.ini: UserInit=c:\windows\syswow64\userinit.exe,

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe

O4 - HKLM\..\Run: [Easybits Recovery] C:\Program Files (x86)\EasyBits For Kids\ezRecover.exe

O4 - HKLM\..\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe"

O4 - HKLM\..\Run: [CPMonitor] "C:\Program Files (x86)\Roxio\CinePlayer\5.0\CPMonitor.exe"

O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\0 PROGRAMS\Apple iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\0 PROGRAMS\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [RemoTerm.exe] C:\Program Files (x86)\Common Files\PCTV Systems\RemoTerm\RemoTerm.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [4Y3Y0C3AWF7W0VWDBNJJC] C:\Recycle.Bin\B6232F3AFAD.exe /q (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [4Y3Y0C3AWF7W0VWDBNJJC] C:\Recycle.Bin\B6232F3AFAD.exe /q (User 'Default user')

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O15 - Trusted Zone: Free Downloads Encyclopedia - Softpedia

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: BOT4Service - Unknown owner - C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\0 PROGRAMS\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: RoxMediaDB13 - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe

O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 9919 bytes

kweezie wabbit · 11 mei 2012

Bij het aanloggen van jullie site kreeg ik nu een MBAM foutmedling:
... malacious process attempting to start ... C:\USERS\TALSBAK\APPDATA\LOCAL\TEMP\0.9530072868350183.EXE EXPLOIT.DROP.4

Ik heb maar Quarantine gedaan.

Heel goed, dat was de juiste reactie

Start de pc op in veilige modus met netwerkmogelijkheden.

Start Hijackthis op. Klik met de rechter muisknop op de icoon en kies dan voor “Run as administrator" of "Uitvoeren als administrator".

Selecteer “Do a system scan only”.

Vink alleen de items aan die hieronder zijn genoemd:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O4 - HKUS\S-1-5-18\..\Run: [4Y3Y0C3AWF7W0VWDBNJJC] C:\Recycle.Bin\B6232F3AFAD.exe /q (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [4Y3Y0C3AWF7W0VWDBNJJC] C:\Recycle.Bin\B6232F3AFAD.exe /q (User 'Default user')

Klik op 'Fix checked' om de items te verwijderen.

Onderstaande mag je ook uitvoeren in veilige modus.

Download ComboFix van één van deze locaties:

Link 1

Link 2

* BELANGRIJK !!! Sla ComboFix.exe op je Bureaublad op

1. Schakel alle antivirus- en antispywareprogramma's uit, want anders kunnen ze misschien conflicteren met ComboFix. Hier is een handleiding over hoe je ze kan uitschakelen:

Klik hier

2. Het kan voorkomen dat de computer meerdere malen opnieuw gestart moet worden, dit is normaal.

3. Dubbelklik op "Combofix.exe" om de tool te starten.

4. Klik niet in het scherm van Combofix als deze actief is, hierdoor kan de 'tool' vastlopen.

Noot !!! Als er een error wordt getoond met de melding "Illegal operation attempted on a registery key that has been marked for deletion", herstart dan de computer.

5. Wanneer ComboFix klaar is, zal het het een logbestand voor je maken. Post de inhoud van dit logbestand (te vinden als C:\ComboFix.txt) in je volgende bericht.

Jan2222 · 11 mei 2012

Hi,

Bijgaand de log van combofix, en ook alvast daarna de laatste log van hijackthis.

Maar ik zie wel dat die C:\Recycle.Bin\B6232F3AFAD.exe erg hardnekkig is, het is er nog steeds.

En de diverse programmas in Startmenu staan nog steeds op <empty> en ook nog steeds onvindbar in explorer. Kan het zijn dat de diverse .exe files toch gewoon gewist zijn ? NB. Ik had in begin gemeld dat 'ik' wel bij het eerste optreden van het virus perongeluk die S.M.A.R.T. had opgestart, kan dat de oorzaak zijn ?

Veel dank voor de hulp !

ComboFix 12-05-11.03 - Talsbak 11-May-12 21:54:47.1.2 - x64 NETWORK

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3071.2112 [GMT 2:00]

Running from: c:\users\Talsbak\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\Marit\Documents\~WRL0099.tmp

c:\users\Marit\Documents\~WRL0394.tmp

c:\users\Talsbak\AppData\Roaming\Adobe\plugs

c:\users\Talsbak\AppData\Roaming\Adobe\shed

c:\users\Talsbak\WINDOWS

c:\windows\SysWow64\Temp

c:\windows\SysWow64\Temp\ROL\MemoryRead_afterDec_1327273388.xml

c:\windows\SysWow64\Temp\ROL\MemoryRead_afterDec_1331767812.xml

c:\windows\SysWow64\Temp\ROL\MemoryRead_beforeDec_1331767810.dat

.

((((((((((((((((((((((((( Files Created from 2012-04-11 to 2012-05-11 )))))))))))))))))))))))))))))))

.

2012-05-11 19:59 . 2012-05-11 19:59 -------- d-----w- c:\users\Tessa\AppData\Local\temp

2012-05-11 19:59 . 2012-05-11 19:59 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-05-11 19:59 . 2012-05-11 19:59 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2012-05-11 19:59 . 2012-05-11 19:59 -------- d-----w- c:\users\Marit\AppData\Local\temp

2012-05-10 20:10 . 2012-05-10 20:10 -------- d-----w- c:\program files\CCleaner

2012-05-08 17:35 . 2012-05-08 17:35 -------- d-----w- c:\users\Talsbak\AppData\Roaming\Malwarebytes

2012-05-08 17:35 . 2012-05-08 17:35 -------- d-----w- c:\programdata\Malwarebytes

2012-05-08 17:35 . 2012-04-04 13:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-06 23:30 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8763E0E7-C835-47C2-8A06-E6E51174CF18}\mpengine.dll

2012-05-06 22:50 . 2012-05-06 23:07 -------- d-----w- c:\windows\system32\MpEngineStore

2012-05-02 11:48 . 2012-05-02 11:48 -------- d-----w- c:\users\Tessa\.jordan

2012-04-30 15:48 . 2012-04-30 15:49 -------- d-----w- c:\users\Talsbak\AppData\Local\Google

2012-04-30 15:48 . 2012-04-30 15:49 -------- d-----w- c:\program files (x86)\Google

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-01 15:20 . 2012-03-01 15:20 162664 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin

2012-02-23 08:18 . 2010-08-30 19:44 279656 ------w- c:\windows\system32\MpSigStub.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoTerm.exe"="c:\program files (x86)\Common Files\PCTV Systems\RemoTerm\RemoTerm.exe" [2010-02-24 220944]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]

"Easybits Recovery"="c:\program files (x86)\EasyBits For Kids\ezRecover.exe" [2009-09-02 60464]

"nmctxth"="c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]

"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]

"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe" [2010-07-16 307184]

"CPMonitor"="c:\program files (x86)\Roxio\CinePlayer\5.0\CPMonitor.exe" [2010-08-25 84464]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"iTunesHelper"="c:\0 programs\Apple iTunes\iTunesHelper.exe" [2011-11-12 421736]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"Malwarebytes' Anti-Malware"="c:\0 programs\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-30 116648]

R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [2010-07-16 354288]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-30 116648]

R3 PCTV340_801;YUAN based TV tuner device;c:\windows\system32\Drivers\dvb7700all.sys [x]

R3 Prot6Flt;Prot6Flt;c:\windows\system32\DRIVERS\Prot6Flt.sys [x]

R3 RoxMediaDB13;RoxMediaDB13;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [2010-07-16 1099248]

R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [x]

R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [x]

R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [x]

R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2010-06-14 16448]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]

R3 vtcdrv;GoGear Recovery Mode;c:\windows\system32\DRIVERS\vtcdrv_amd64.sys [x]

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot64.sys [x]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S0 Sahdad64;HDD Filter Driver;c:\windows\System32\Drivers\Sahdad64.sys [x]

S0 Saibad64;Volume Filter Driver;c:\windows\System32\Drivers\Saibad64.sys [x]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]

S1 SaibVdAd64;Virtual Disk Driver;c:\windows\system32\Drivers\SaibVdAd64.sys [x]

S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [2009-06-02 457200]

S2 BOT4Service;BOT4Service;c:\program files (x86)\Roxio\BackOnTrack\App\BService.exe [2010-09-13 39408]

S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2009-07-14 27136]

S2 LinksysUpdater;Linksys Updater;c:\program files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]

S2 MBAMService;MBAMService;c:\0 programs\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]

S3 azvusb;Virtual USB Hub;c:\windows\system32\DRIVERS\azvusb.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

S3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\DRIVERS\VSTBS26.SYS [x]

S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]

S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ezSharedSvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-30 15:48]

.

2012-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-30 15:48]

.

2010-12-31 c:\windows\Tasks\PCDRScheduledMaintenance.job

- c:\program files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11]

.

--------- x86-64 -----------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-29 16335464]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.hotmail.com/

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://www.bing.com

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

Trusted Zone: softpedia.com\www

TCP: DhcpNameServer = 88.159.1.200 88.159.1.201

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKLM-Run-NPSStartup - (no file)

Wow6432Node-HKU-Default-Run-4Y3Y0C3AWF7W0VWDBNJJC - c:\recycle.bin\B6232F3AFAD.exe

Wow6432Node-HKU-Default-Run-KB828131.exe - c:\windows\system32\config\systemprofile\AppData\Roaming\KB828131.exe

AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:0000007b

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe

c:\windows\SysWOW64\java.exe

c:\windows\SysWOW64\ping.exe

.

**************************************************************************

.

Completion time: 2012-05-11 22:13:13 - machine was rebooted

ComboFix-quarantined-files.txt 2012-05-11 20:13

.

Pre-Run: 183,856,726,016 bytes free

Post-Run: 184,425,504,768 bytes free

.

- - End Of File - - 5D4F8681D1CBE14F874570C530FA13A1