Stone Emissary
sidebside
Posts: 35
Registered: ‎02-13-2012

Re: Web Threats over 300,000

New ComboFix log below.  Do you still want me to run the other stuff or wait?  Thanks....


ComboFix 12-02-15.01 - owner 02/20/2012   0:34.3.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1917.1304 [GMT -5:00]
Running from: c:\users\owner\Desktop\ComboFix.exe
Command switches used :: c:\users\owner\Desktop\CFScript.txt
AV: Trend Micro Titanium Internet Security *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium Internet Security *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\MRI_DISABLED"
.
.
(((((((((((((((((((((((((   Files Created from 2012-01-20 to 2012-02-20  )))))))))))))))))))))))))))))))
.
.
2012-02-20 05:42 . 2012-02-20 05:42 -------- d-----w- c:\users\owner\AppData\Local\temp
2012-02-20 05:42 . 2012-02-20 05:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-17 17:40 . 2012-01-17 09:39 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D0ABB968-16FA-4DE9-B764-1D02609BF5A2}\mpengine.dll
2012-02-16 21:49 . 2012-02-16 21:49 -------- d-----w- c:\users\owner\AppData\Roaming\Malwarebytes
2012-02-16 21:48 . 2012-02-16 21:48 -------- d-----w- c:\programdata\Malwarebytes
2012-02-16 21:48 . 2012-02-16 21:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-16 21:48 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-14 01:22 . 2012-02-14 01:33 -------- d-----w- c:\users\owner\AppData\Local\Browser Guard
2012-02-14 00:10 . 2012-02-14 00:10 -------- d-----w- c:\program files\WinPcap
2012-02-13 23:52 . 2012-02-13 23:52 388096 ----a-r- c:\users\owner\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-29 10:10 . 2009-10-02 21:46 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-18 23:33 . 2011-03-28 23:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-25 15:59 . 2012-01-11 01:19 376320 ----a-w- c:\windows\system32\winsrv.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-01-03 21:31 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-04-13 23:48 194912 ------w- c:\program files\Yontoo Layers\YontooIEClient.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-30 430080]
"Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxdlmon.exe"="c:\program files\Lexmark 7500 Series\lxdlmon.exe" [2007-06-11 455600]
"lxdlamon"="c:\program files\Lexmark 7500 Series\lxdlamon.exe" [2007-06-01 20480]
"Lexmark 7500 Series Fax Server"="c:\program files\Lexmark 7500 Series\fm3032.exe" [2007-06-11 308144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-30 4911104]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
"Trend Micro Browser Guard"="c:\program files\Trend Micro\Browser Guard\BGUI.EXE" [2011-02-26 787984]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-30 02:51 4911104 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3850138164-68269979-4277157850-1000]
"EnableNotificationsRef"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-17 21:12]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-17 21:12]
.
2010-12-17 c:\windows\Tasks\User_Feed_Synchronization-{7B9A655B-F2D3-48EA-9917-0A7AE6F57785}.job
- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=16
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-20 00:42
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5564)
c:\program files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEHook.dll
.
Completion time: 2012-02-20  00:45:27
ComboFix-quarantined-files.txt  2012-02-20 05:45
ComboFix2.txt  2012-02-19 19:54
ComboFix3.txt  2012-02-16 00:37
.
Pre-Run: 126,821,728,256 bytes free
Post-Run: 126,793,519,104 bytes free
.
- - End Of File - - 1E6EDC5AE1A3594C9AC376E093AB2834

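The "Reg Loading Points" section of a ComboFix log is what a helper reads first in a "web threats" case: it lists the Internet Explorer search hooks, Browser Helper Objects and toolbars plus the Run keys, and the third-party DLLs behind them. The parser below is an added example, not ComboFix's own code or anything from this thread's participants; it pulls those entries out of an excerpt of the log above into a structured inventory and groups the loaded binaries by their "program files" folder, so the browser add-ons from non-Microsoft vendors can be reviewed in one place.

```python
import re
from dataclasses import dataclass

# Lines excerpted from the 'Reg Loading Points' section of the ComboFix
# log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-01-03 21:31 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-04-13 23:48 194912 ------w- c:\program files\Yontoo Layers\YontooIEClient.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\key]
QUOTED_RE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]+)"\s*\[([0-9-]+) (\d+)\]$')  # "name"="path" [date size]
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(\d+)\s+\S+\s+(.+)$")  # date time size flags path
BROWSER_KEYS = ("browser helper objects", "toolbar", "urlsearchhooks")

@dataclass
class LoadPoint:
    key: str        # registry key the entry was found under
    name: str       # value name, or the CLSID for a BHO subkey
    path: str       # binary that gets loaded
    size: int
    file_date: str

def parse_loading_points(text):
    """Turn the ComboFix 'Reg Loading Points' text into LoadPoint records."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":           # '.' is ComboFix's section spacer
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = QUOTED_RE.match(line)
        if m and current_key:
            entries.append(LoadPoint(current_key, m.group(1), m.group(2), int(m.group(4)), m.group(3)))
            continue
        m = FILE_RE.match(line)
        if m and current_key:
            # BHO subkeys carry no value name, so use the CLSID at the end of the key
            clsid = current_key.rsplit("\\", 1)[-1]
            entries.append(LoadPoint(current_key, clsid, m.group(3), int(m.group(2)), m.group(1)))
    return entries

def browser_addons(entries):
    """Entries that hook Internet Explorer (search hooks, BHOs, toolbars)."""
    return [e for e in entries if any(k in e.key.lower() for k in BROWSER_KEYS)]

def vendor_dirs(entries):
    """Top-level 'program files' folders the loaded binaries live in."""
    found = (re.match(r"^c:\\program files\\([^\\]+)\\", e.path, re.IGNORECASE) for e in entries)
    return {m.group(1) for m in found if m}
```

On the excerpt this yields five load points, three of which are browser add-ons coming from just two vendor folders; the analyst still decides which of those are wanted.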
Legendary Emissary
malwarekiller
Posts: 3,926
Registered: ‎08-08-2011

Re: Web Threats over 300,000


Hi, if you are still suffering from mouse dragging and slowdowns then yes, please run step B. If you are fine, report back and I will continue with a few more check-ups.

—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Stone Emissary
sidebside
Posts: 35
Registered: ‎02-13-2012

Re: Web Threats over 300,000

Checkhd log said:


Access Denied as you do not have sufficient privileges.
You have to invoke this utility running in elevated mode.


purgecache didn't work either

Legendary Emissary
malwarekiller
Posts: 3,926
Registered: ‎08-08-2011

Re: Web Threats over 300,000


OK. We have to do it in a different way.


Download Windows Repair (all in one) from this site

Install the program then run

Go to step 2 and allow it to run Disc check


Posted Image


Once that is done then go to step 3 and allow it to run SFC


Posted Image


On the start repairs tab select advanced mode and click start


Posted Image


Select all the items and tick restart system when finished then click Start


Posted Image

Stone Emissary
sidebside
Posts: 35
Registered: ‎02-13-2012

Re: Web Threats over 300,000

2012-01-19 01:16:22, Info                  CBS    Archived log file: C:\Windows\Logs\CBS\CBS.log to: C:\Windows\Logs\CBS\CBS.persist.log
2012-01-19 01:16:22, Info                  CBS    Loaded Servicing Stack v6.0.6002.18005 with Core: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\cbscore.dll
2012-01-19 01:16:22, Info                  CSI    00000001@2012/1/19:06:16:22.557 WcpInitialize (wcp.dll version 0.0.0.5) called (stack @0x5fa68a50 @0x60f9854e @0x60f763a1 @0x51392 @0x51ed4 @0x517cb)
2012-01-19 01:16:22, Info                  CSI    00000002@2012/1/19:06:16:22.900 WcpInitialize (wcp.dll version 0.0.0.5) called (stack @0x5fa68a50 @0x60fce7b6 @0x60fb0f93 @0x51392 @0x51ed4 @0x517cb)
2012-01-19 01:16:22, Info                  CSI    00000003@2012/1/19:06:16:22.907 WcpInitialize (wcp.dll version 0.0.0.5) called (stack @0x5fa68a50 @0x73ba1a0d @0x73ba1794 @0x5360b @0x52be3 @0x517cb)
2012-01-19 01:16:23, Info                  CBS    NonStart: Checking to ensure startup processing was not required.
2012-01-19 01:16:23, Info                  CSI    00000004 IAdvancedInstallerAwareStore_ResolvePendingTransactions (call 1) (flags = 00000004, progress = NULL, phase = 0, pdwDisposition = @0x102f7dc
2012-01-19 01:16:23, Info                  CBS    NonStart: Success, startup processing not required as expected.
2012-01-19 01:16:23, Info                  CSI    00000005 CSI Store 3010256 (0x002deed0) initialized
2012-01-19 01:16:23, Info                  CBS    Session: 30201457:3733059728 initialized.
2012-01-19 01:16:23, Info                  CBS    Read out cached package applicability for package: Package_for_KB2641690~31bf3856ad364e35~x86~~6.0.1.0, ApplicableState: 7, CurrentState:7
2012-01-19 01:16:23, Info                  CBS    Session: 30201457:3733059728 finalized.  Reboot required: no
2012-01-19 01:16:24, Info                  CBS    Session: 30201457:3735469728 initialized.
2012-01-19 01:16:24, Info                  CBS    Read out cached package applicability for package: Package_for_KB2507618~31bf3856ad364e35~x86~~6.0.1.0, ApplicableState: 7, CurrentState:7
2012-01-19 01:16:24, Info                  CBS    Session: 30201457:3735469728 finalized.  Reboot required: no
2012-01-19 01:16:24, Info                  CBS    Session: 30201457:3735839728 initialized.
2012-01-19 01:16:24, Info                  CBS    Read out cached package applicability for package: Package_for_KB2508429~31bf3856ad364e35~x86~~6.0.1.1, ApplicableState: 7, CurrentState:7
2012-01-19 01:16:24, Info                  CBS    Session: 30201457:3735839728 finalized.  Reboot required: no
2012-01-19 01:16:24, Info                  CBS    Session: 30201457:3735939728 initialized.

Stone Emissary
sidebside
Posts: 35
Registered: ‎02-13-2012

Re: Web Threats over 300,000

2012-01-19 01:16:24, Info                  CBS    Session: 30201457:3735939728 finalized.  Reboot required: no
2012-01-19 01:16:24, Info                  CBS    Session: 30201457:3743389728 initialized.
2012-01-19 01:16:25, Info                  CBS    Read out cached package applicability for package: Package_for_KB2633171~31bf3856ad364e35~x86~~6.0.1.0, ApplicableState: 7, CurrentState:7
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3743389728 finalized.  Reboot required: no
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3743499728 initialized.
2012-01-19 01:16:25, Info                  CBS    Read out cached package applicability for package: Package_for_KB2621146~31bf3856ad364e35~x86~~6.0.1.0, ApplicableState: 0, CurrentState:0
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3743499728 finalized.  Reboot required: no
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3743589728 initialized.
2012-01-19 01:16:25, Info                  CBS    Read out cached package applicability for package: Package_for_KB2601626~31bf3856ad364e35~x86~~6.0.1.0, ApplicableState: 0, CurrentState:0
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3743589728 finalized.  Reboot required: no
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3743679728 initialized.
2012-01-19 01:16:25, Info                  CBS    Read out cached package applicability for package: Package_for_KB2579686~31bf3856ad364e35~x86~~6.0.1.0, ApplicableState: 7, CurrentState:7
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3743679728 finalized.  Reboot required: no
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3743769728 initialized.
2012-01-19 01:16:25, Info                  CBS    Read out cached package applicability for package: Package_for_KB946253~31bf3856ad364e35~x86~~6.0.1.0, ApplicableState: 7, CurrentState:0
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3743769728 finalized.  Reboot required: no
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3743869728 initialized.
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3743869728 finalized.  Reboot required: no
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3743929728 initialized.

Stone Emissary
sidebside
Posts: 35
Registered: ‎02-13-2012

Re: Web Threats over 300,000

2012-01-19 01:16:25, Info                  CBS    Read out cached package applicability for package: Package_for_KB2419640~31bf3856ad364e35~x86~~6.0.1.2, ApplicableState: 7, CurrentState:7
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3743929728 finalized.  Reboot required: no
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3744189728 initialized.
2012-01-19 01:16:25, Info                  CBS    Read out cached package applicability for package: Package_for_KB2628642~31bf3856ad364e35~x86~~6.1.1.0, ApplicableState: 0, CurrentState:0
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3744189728 finalized.  Reboot required: no
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3744879728 initialized.
2012-01-19 01:16:25, Info                  CBS    Read out cached package applicability for package: Package_for_KB982480~31bf3856ad364e35~x86~~6.0.1.0, ApplicableState: 7, CurrentState:7
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3744879728 finalized.  Reboot required: no
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3746779728 initialized.
2012-01-19 01:16:25, Info                  CBS    Read out cached package applicability for package: Package_for_KB2646524~31bf3856ad364e35~x86~~6.0.1.0, ApplicableState: 7, CurrentState:7
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3746779728 finalized.  Reboot required: no
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3747129728 initialized.
2012-01-19 01:16:25, Info                  CBS    Read out cached package applicability for package: Package_for_KB2639417~31bf3856ad364e35~x86~~6.0.1.2, ApplicableState: 7, CurrentState:7
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3747129728 finalized.  Reboot required: no
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3747569728 initialized.
2012-01-19 01:16:25, Info                  CBS    Read out cached package applicability for package: Package_for_KB967723~31bf3856ad364e35~x86~~6.0.1.7, ApplicableState: 7, CurrentState:7
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3747569728 finalized.  Reboot required: no
2012-01-19 01:16:25, Info                  CBS    Session: 30201457:3752589728 initialized.

Stone Emissary
sidebside
Posts: 35
Registered: ‎02-13-2012

Re: Web Threats over 300,000

sending as attachments (I think)

Stone Emissary
sidebside
Posts: 35
Registered: ‎02-13-2012

Re: Web Threats over 300,000

>

Stone Emissary
sidebside
Posts: 35
Registered: ‎02-13-2012

Re: Web Threats over 300,000

>
