ZeroAccess Possible Issues
<blockquote data-quote="Holt" data-source="post: 95383" data-attributes="member: 4525"><p>I uninstalled and reinstalled combofix via the C prompt. The scan results are below:</p><p></p><p>ComboFix 13-01-08.01 - David 01/10/2013 4:29.4.1 - x86</p><p>Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1582 [GMT -5:00]</p><p>Running from: c:\documents and settings\David\Desktop\ComboFix.exe</p><p>Command switches used :: c:\documents and settings\David\Desktop\CFscript.txt</p><p>AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}</p><p>.</p><p>.</p><p>((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))</p><p>.</p><p>.</p><p>c:\documents and settings\All Users\Application Data\TEMP</p><p>.</p><p>.</p><p>--------------- FCopy ---------------</p><p>.</p><p>c:\windows\ServicePackFiles\i386\mspmsnsv.dll --> c:\windows\System32\mspmsnsv.dll</p><p>.</p><p>((((((((((((((((((((((((( Files Created from 2012-12-10 to 2013-01-10 )))))))))))))))))))))))))))))))</p><p>.</p><p>.</p><p>2013-01-10 09:16 . 2012-11-08 15:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D3AE0307-1561-4DFF-8B74-AB46AA95EFDE}\mpengine.dll</p><p>2013-01-10 03:42 . 2004-06-11 23:33 290304 ----a-w- C:\subinacl.exe</p><p>2013-01-10 02:06 . 2013-01-10 03:43 181064 ----a-w- c:\windows\PSEXESVC.EXE</p><p>2013-01-10 02:05 . 2013-01-10 02:05 -------- d-----w- C:\RegBackup</p><p>2013-01-10 02:01 . 2013-01-10 03:43 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs</p><p>2013-01-08 15:01 . 2012-11-08 15:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll</p><p>2013-01-08 07:00 . 2013-01-08 07:00 -------- d-----w- C:\_OTL</p><p>2013-01-07 17:44 . 
2013-01-07 17:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ipswitch</p><p>2013-01-07 08:33 . 2013-01-07 08:33 -------- d-----w- c:\documents and settings\David\Application Data\ElevatedDiagnostics</p><p>2013-01-07 08:03 . 2013-01-07 08:03 -------- d-----w- c:\documents and settings\Administrator\PrivacIE</p><p>2013-01-07 08:02 . 2008-04-14 07:06 13952 ----a-w- c:\windows\system32\drivers\CmBatt.sys</p><p>2013-01-07 08:02 . 2008-04-14 07:06 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys</p><p>2013-01-07 08:02 . 2008-04-14 07:06 14208 ----a-w- c:\windows\system32\drivers\battc.sys</p><p>2013-01-07 08:02 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys</p><p>2013-01-07 08:02 . 2001-08-17 16:11 35328 ----a-w- c:\windows\system32\drivers\pcntpci5.sys</p><p>2013-01-07 07:38 . 2013-01-07 07:38 9216 ----a-w- c:\windows\system32\Native.exe</p><p>2013-01-07 07:38 . 2013-01-07 08:06 -------- d-----w- C:\ReimageUndo</p><p>2013-01-07 04:58 . 2013-01-07 08:06 -------- d-----w- C:\rei</p><p>2013-01-07 04:58 . 2013-01-07 04:58 -------- d-----w- c:\program files\Reimage</p><p>2013-01-07 04:09 . 2013-01-07 04:09 -------- d-----w- c:\program files\Microsoft Security Client</p><p>2013-01-07 02:38 . 2013-01-07 02:48 12872 ----a-w- c:\windows\system32\bootdelete.exe</p><p>2013-01-07 02:33 . 2013-01-07 02:33 -------- d-----w- c:\program files\HitmanPro</p><p>2013-01-07 02:33 . 2013-01-07 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro</p><p>2013-01-06 22:57 . 2013-01-06 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\01014CE1ACC253E7000001014BE457DE</p><p>2012-12-12 21:13 . 2012-12-12 21:13 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Jasc Software Inc</p><p>.</p><p>.</p><p>.</p><p>(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))</p><p>.</p><p>2013-01-09 17:50 . 
2012-07-15 01:53 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe</p><p>2013-01-09 17:50 . 2011-05-21 16:01 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl</p><p>2012-12-16 12:23 . 2002-08-29 11:00 290560 ----a-w- c:\windows\system32\atmfd.dll</p><p>2012-12-14 21:49 . 2011-12-11 01:51 21104 ----a-w- c:\windows\system32\drivers\mbam.sys</p><p>2012-11-28 22:04 . 2010-10-13 18:26 1699936 ----a-w- c:\windows\SERecat.exe</p><p>2012-11-28 22:04 . 2010-09-06 17:16 1761760 ----a-w- c:\windows\system32\seinst.dll</p><p>2012-11-28 22:03 . 2010-09-06 17:16 341360 ----a-w- c:\windows\system32\ICF.dll</p><p>2012-11-28 22:03 . 2010-09-06 17:16 1715392 ----a-w- c:\windows\sediag.exe</p><p>2012-11-13 01:25 . 2002-08-29 11:00 1866368 ----a-w- c:\windows\system32\win32k.sys</p><p>2012-11-06 02:01 . 2008-09-03 19:52 1371648 ----a-w- c:\windows\system32\msxml6.dll</p><p>2012-11-02 02:02 . 2002-08-29 11:00 375296 ----a-w- c:\windows\system32\dpnet.dll</p><p>2012-11-01 12:17 . 2004-02-06 22:05 916992 ----a-w- c:\windows\system32\wininet.dll</p><p>2012-11-01 12:17 . 2002-08-29 11:00 43520 ------w- c:\windows\system32\licmgr10.dll</p><p>2012-11-01 12:17 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl</p><p>2012-11-01 00:35 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec</p><p>2012-12-05 16:12 . 2012-12-05 16:10 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll</p><p>.</p><p>.</p><p>(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))</p><p>.</p><p>---- Directory of c:\documents and settings\All Users\Application Data\{32364CEA-7855-4A3C-B674-53D8E9B97936} ----</p><p>.</p><p>2012-09-26 23:53 . 
2012-09-26 23:54 24039424 ----a-w- c:\documents and settings\All Users\Application Data\{32364CEA-7855-4A3C-B674-53D8E9B97936}\{D3742F82-1C1A-4DCC-ABBD-0E831C0185CC}.msi</p><p>.</p><p>---- Directory of c:\documents and settings\All Users\Application Data\01014CE1ACC253E7000001014BE457DE ----</p><p>.</p><p>.</p><p>.</p><p>((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))</p><p>.</p><p>.</p><p>*Note* empty entries & legit default entries are not shown </p><p>REGEDIT4</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]</p><p>"ICF"="c:\program files\Internet Content Filter\SafeEyes.exe" [2012-11-28 3267072]</p><p>"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]</p><p>.</p><p>[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]</p><p>"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]</p><p>.</p><p>[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]</p><p>"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]</p><p>@=""</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]</p><p>@=""</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]</p><p>@=""</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]</p><p>@=""</p><p>.</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]</p><p>@="Service"</p><p>.</p><p>[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]</p><p>backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon 
Startup</p><p>.</p><p>[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]</p><p>backup=c:\windows\pss\Windows Search.lnkCommon Startup</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]</p><p>/L:ENG [X]</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]</p><p>2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]</p><p>2003-02-20 22:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]</p><p>2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]</p><p>2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]</p><p>2003-02-20 22:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]</p><p>2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopMaestro]</p><p>2009-11-11 15:22 3401688 ----a-w- c:\program files\Desktop Maestro\DeskMech.exe</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]</p><p>2002-05-18 17:04 327680 ------w- c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]</p><p>2008-02-22 08:25 144784 ----a-w- c:\program 
files\Java\jre1.6.0_05\bin\jusched.exe</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]</p><p>2012-09-15 03:42 296096 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]</p><p>2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]</p><p>"SDhelper"=2 (0x2)</p><p>"PNMSRV"=2 (0x2)</p><p>"AVP"=2 (0x2)</p><p>.</p><p>[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]</p><p>"%windir%\\system32\\sessmgr.exe"=</p><p>.</p><p>R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\David\Desktop\fffu\EmsisoftEmergencyKit\Run\a2ddax86.sys [1/7/2013 11:04 AM 17904]</p><p>R1 RCFOX;SonicWALL IPsec Driver;c:\windows\SYSTEM32\DRIVERS\RCFOX.SYS [4/14/2006 3:02 PM 91136]</p><p>R1 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [10/30/2009 10:35 AM 98392]</p><p>R2 ASFAgent;ASF Agent;c:\program files\intel\ASF Agent\ASFAgent.exe [8/7/2002 6:34 AM 221184]</p><p>R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [10/14/2004 3:09 AM 135168]</p><p>R2 FGLRYUtil;FGLRYUTIL;c:\program files\ATI Technologies\Fire GL Control Panel\atiisrgl.exe [2/11/2004 12:35 AM 49152]</p><p>R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/24/2012 7:31 PM 398184]</p><p>R2 mfeicfupdate;McAfee Internet Content Filter Update Service;c:\program files\Internet Content Filter\UpdateService.exe [9/6/2010 12:16 PM 1695816]</p><p>R2 NetAlrt;NetAlrt;c:\windows\SYSTEM32\DRIVERS\Netalrt.sys [5/7/2002 5:05 PM 39680]</p><p>R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/20/2010 4:56 PM 583640]</p><p>R2 
PlatAlrt;PlatAlrt;c:\windows\SYSTEM32\DRIVERS\platalrt.sys [5/7/2002 5:06 PM 23744]</p><p>R2 seUpdateSvc;Safe Eyes Update Service;c:\program files\Internet Content Filter\UpdateService.exe [9/6/2010 12:16 PM 1695816]</p><p>R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [12/10/2011 8:51 PM 21104]</p><p>S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/10/2011 8:52 PM 682344]</p><p>S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]</p><p>S3 cpuz134;cpuz134;\??\c:\docume~1\David\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\David\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]</p><p>S3 dlttape;dlttape;c:\windows\SYSTEM32\DRIVERS\dlttape.sys [2/3/2004 9:10 AM 8320]</p><p>S3 QntmDLT;QntmDLT;c:\windows\SYSTEM32\DRIVERS\QntmDLT.sys [11/20/2003 12:03 PM 9728]</p><p>S3 rcvpn;SonicWALL VPN Adapter;c:\windows\SYSTEM32\DRIVERS\rcvpn.sys [4/14/2006 3:01 PM 23180]</p><p>S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]</p><p>S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]</p><p>S3 RkPavproc3;RkPavproc3;\??\c:\windows\system32\drivers\RkPavproc3.sys --> c:\windows\system32\drivers\RkPavproc3.sys [?]</p><p>.</p><p>Contents of the 'Scheduled Tasks' folder</p><p>.</p><p>2013-01-10 c:\windows\Tasks\Adobe Flash Player Updater.job</p><p>- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-15 17:50]</p><p>.</p><p>2013-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job</p><p>- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-05 15:19]</p><p>.</p><p>2013-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job</p><p>- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-05 15:19]</p><p>.</p><p>2013-01-10 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job</p><p>- c:\program 
files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 22:25]</p><p>.</p><p>2013-01-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-989678199-2234712002-1868543911-1006.job</p><p>- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]</p><p>.</p><p>2013-01-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-989678199-2234712002-1868543911-1006.job</p><p>- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]</p><p>.</p><p>.</p><p>------- Supplementary Scan -------</p><p>.</p><p>uStart Page = hxxp://www.google.com/</p><p>uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html</p><p>uInternet Connection Wizard,ShellNext = iexplore</p><p>uSearchAssistant = hxxp://www.google.com/ie</p><p>uSearchURL,(Default) = hxxp://www.google.com/search?q=%s</p><p>LSP: ICF.dll</p><p>Trusted Zone: cj.com\members</p><p>Trusted Zone: cj.com\signup</p><p>Trusted Zone: cj.com\www</p><p>Trusted Zone: linkshare.com</p><p>Trusted Zone: overture.com\secure</p><p>Trusted Zone: shareasale.com</p><p>TCP: DhcpNameServer = 209.18.47.61 209.18.47.62</p><p>DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab</p><p>FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\</p><p>FF - prefs.js: browser.search.selectedEngine - Google</p><p>FF - prefs.js: browser.startup.homepage - hxxp://www.christcenteredmall.com/stores/art/</p><p>FF - prefs.js: network.proxy.type - 0</p><p>FF - ExtSQL: 2012-12-15 15:34; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\ch1ntccj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi</p><p>.</p><p>.</p><p>**************************************************************************</p><p>.</p><p>catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net</p><p>Rootkit scan 2013-01-10 04:34</p><p>Windows 5.1.2600 Service Pack 3 
NTFS</p><p>.</p><p>scanning hidden processes ... </p><p>.</p><p>scanning hidden autostart entries ... </p><p>.</p><p>scanning hidden files ... </p><p>.</p><p>scan completed successfully</p><p>hidden files: 0</p><p>.</p><p>**************************************************************************</p><p>.</p><p>--------------------- LOCKED REGISTRY KEYS ---------------------</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]</p><p>@DACL=(02 0010)</p><p>@Denied: (A 2) (Everyone)</p><p>@="FlashBroker"</p><p>"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]</p><p>@DACL=(02 0010)</p><p>"Enabled"=dword:00000001</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]</p><p>@DACL=(02 0010)</p><p>@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]</p><p>@DACL=(02 0010)</p><p>@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]</p><p>@Denied: (A 2) (Everyone)</p><p>@="IFlashBroker5"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]</p><p>@="{00020424-0000-0000-C000-000000000046}"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]</p><p>@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"</p><p>"Version"="1.0"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]</p><p>@="?????????????????? 
v1"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]</p><p>@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]</p><p>@="?????????????????? v2"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]</p><p>@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]</p><p>"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,</p><p> 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\</p><p>.</p><p>[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]</p><p>@Denied: (2) (Administrators)</p><p>"Policy"=hex:00,00,00,00</p><p>.</p><p>--------------------- DLLs Loaded Under Running Processes ---------------------</p><p>.</p><p>- - - - - - - > 'lsass.exe'(1124)</p><p>c:\windows\system32\ICF.dll</p><p>.</p><p>- - - - - - - > 'explorer.exe'(3840)</p><p>c:\windows\system32\WININET.dll</p><p>c:\windows\system32\ieframe.dll</p><p>c:\windows\system32\webcheck.dll</p><p>c:\windows\system32\WPDShServiceObj.dll</p><p>c:\windows\system32\PortableDeviceTypes.dll</p><p>c:\windows\system32\PortableDeviceApi.dll</p><p>.</p><p>Completion time: 2013-01-10 04:37:09</p><p>ComboFix-quarantined-files.txt 2013-01-10 09:37</p><p>.</p><p>Pre-Run: 48,035,827,712 bytes free</p><p>Post-Run: 48,035,979,264 bytes free</p><p>.</p><p>- - End Of File - - C1D2C3D1611DFB5C3441B615CC939BE4</p><p></p><p></p><p>Regarding the OTL scan, I did not disable Microsoft Security Essentials like I did with the ComboFix scan. After starting the scan, I saw the green logo go to red and then shut down. I'm not sure if there was a conflict or not. 
Anyway, here is the log:</p><p></p><p>All processes killed</p><p>========== OTL ==========</p><p>Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:0D786AE3 .</p><p>File PTYTEMP] not found.</p><p>File SETHOSTS] not found.</p><p>File boot] not found.</p><p> </p><p>OTL by OldTimer - Version 3.2.69.0 log created on 01102013_044107</p><p></p><p>Files\Folders moved on Reboot...</p><p></p><p>PendingFileRenameOperations files...</p><p></p><p>Registry entries deleted on Reboot...</p><p></p><p></p><p></p><p></p><p></p><p></p><p></p><hr /><p></p><p></p><p>I'm still worried about seeing that BOM rootkit yesterday when I ran a scan with HitmanPro and wondered why the scan locks up at 98%. I have not run any more scans since you told me not to.</p></blockquote><p></p>
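The most useful part of a ComboFix log for a persistence review is the block of `R#`/`S#` service and driver lines: each one is a registry-registered service, the letter says whether it is running (R) or stopped (S), the digit is the Windows start type, and a trailing `[?]` is ComboFix's way of saying it could not find the binary on disk. The script below is an added example, not part of the post above and not a tool the forum helper supplied. It parses those lines and flags three things a reviewer would want to look at: entries whose image is missing (orphaned or deleted components, which is what the `RkPavproc*`, `BW2NDIS5` and `cpuz134` entries look like), kernel drivers registered from user-writable folders, and kernel drivers with boot or system start, which load before user-mode security services. The sample lines are copied from the log above; the heuristics and the start-type mapping are this example's own choices. A flag is a prompt to verify, not a verdict: the Emsisoft Emergency Kit driver running from the Desktop trips the user-writable rule, which is correct behaviour for a triage tool.

```python
import re
from dataclasses import dataclass, field

# One ComboFix service/driver line, e.g.
#   R1 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [10/30/2009 10:35 AM 98392]
#   S3 cpuz134;cpuz134;\??\c:\...\Temp\cpuz134\cpuz134_x32.sys --> c:\...\cpuz134_x32.sys [?]
# Leading letter: R = running, S = stopped. Digit: Windows service start type.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Locations a standard XP user can write to. A kernel driver registered from one
# of these deserves a second look whatever it calls itself. (Example's own list.)
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\docume~1\\",
    "\\temp\\",
    "\\application data\\",
    "\\desktop\\",
)


@dataclass
class ServiceEntry:
    state: str          # "R" running / "S" stopped
    start: int          # Windows start type (see START_TYPES)
    name: str
    display: str
    image_path: str     # resolved path (the part after "-->" when ComboFix printed one)
    exists: bool        # False when the line ends in "[?]" (binary not found on disk)
    reasons: list = field(default_factory=list)


def parse_service_line(line):
    """Return a ServiceEntry for an R#/S# line, or None for anything else."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.endswith("[?]"):
        # Unresolved entry: "<registry image path> --> <resolved path> [?]"
        exists = False
        body = rest[: -len("[?]")].strip()
        image_path = body.split("-->")[-1].strip() if "-->" in body else body
    else:
        # Resolved entry: "<path> [date time size]"; drop the bracketed metadata
        exists = True
        image_path = re.sub(r"\s\[[^\[\]]*\]$", "", rest).strip()
    return ServiceEntry(m.group("state"), int(m.group("start")), m.group("name"),
                        m.group("display"), image_path, exists)


def triage(entry):
    """Attach review reasons to an entry; an empty list means nothing stood out."""
    path = entry.image_path.lower()
    if not entry.exists:
        entry.reasons.append("registered but binary missing on disk ([?]); orphaned or deleted component")
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        entry.reasons.append("image lives in a user-writable location")
    if path.endswith(".sys") and entry.start <= 1:
        entry.reasons.append(
            f"kernel driver with {START_TYPES[entry.start]} start (loads before user-mode security services)"
        )
    return entry


def triage_log(text):
    """Parse every service line in a ComboFix log and return the flagged entries in log order."""
    findings = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is not None and triage(entry).reasons:
            findings.append(entry)
    return findings


# Lines copied from the ComboFix log in the post above.
SAMPLE = r"""
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\David\Desktop\fffu\EmsisoftEmergencyKit\Run\a2ddax86.sys [1/7/2013 11:04 AM 17904]
R1 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [10/30/2009 10:35 AM 98392]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/24/2012 7:31 PM 398184]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [12/10/2011 8:51 PM 21104]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 cpuz134;cpuz134;\??\c:\docume~1\David\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\David\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE):
        print(f"{f.state}{f.start} {f.name:<12} {f.image_path}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run against the sample, the two Malwarebytes entries come back clean (Program Files, demand/auto start), while the three `[?]` entries, the Temp-resident `cpuz134` driver and both system-start kernel drivers are listed with the reason they were flagged. On a real case the next step for each flagged line is to check the registry key under `HKLM\SYSTEM\CurrentControlSet\Services\<name>` and, for files that do exist, their signature and hash; the log alone cannot tell a leftover scanner driver from a rootkit loader.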
- - - - - - - > 'explorer.exe'(3840)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-01-10 04:37:09
ComboFix-quarantined-files.txt 2013-01-10 09:37
.
Pre-Run: 48,035,827,712 bytes free
Post-Run: 48,035,979,264 bytes free
.
- - End Of File - - C1D2C3D1611DFB5C3441B615CC939BE4

Regarding the OTL scan, I did not disable Microsoft Security Essentials like I did with the ComboFix scan. After starting the scan, I saw the green logo go to red and then shut down. I'm not sure if there was a conflict or not. Anyway, here is the log:

All processes killed
========== OTL ==========
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:0D786AE3 .
File PTYTEMP] not found.
File SETHOSTS] not found.
File boot] not found.
OTL by OldTimer - Version 3.2.69.0 log created on 01102013_044107
Files\Folders moved on Reboot...
PendingFileRenameOperations files...
Registry entries deleted on Reboot...

I'm still worried about seeing that BOM rootkit yesterday when I ran a scan with HitmanPro and wondered why the scan locks up at 98%. I have not run any more scans since you told me not to.
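An added triage helper for logs like the one above (example code, not part of the post and not from the ComboFix or OTL authors). It parses the service/driver listing in the shape ComboFix prints it (`R`/`S` running or stopped, the start-type digit, `name;display;image [timestamp size]`) and flags two things a helper would look at first: entries whose image ComboFix could not find on disk (the `--> path [?]` form, which is how I read that notation) and images living under a Temp directory. It also pulls the stream name out of OTL's "Unable to delete ADS" line. The sample lines are copied from the post; the flag names and the `START_TYPES` mapping are my own. A flag is a review item, not a verdict: an orphaned service entry or a driver loaded from Temp can be a leftover from a legitimate tool as easily as a remnant of an infection.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: four service/driver lines in the shape ComboFix prints them.
SAMPLE_SERVICES = r"""
R1 SBRE;SBRE;c:\windows\SYSTEM32\DRIVERS\SBREDrv.sys [10/30/2009 10:35 AM 98392]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/24/2012 7:31 PM 398184]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 cpuz134;cpuz134;\??\c:\docume~1\David\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\David\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
"""

# Constructed sample of the OTL lines for the stream it could not remove.
SAMPLE_OTL = r"""
All processes killed
========== OTL ==========
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:0D786AE3 .
File PTYTEMP] not found.
"""

# <R|S><start type> <name>;<display name>;<rest>
ENTRY_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# <image path> [<timestamp> <size>]  (image present on disk)
FOUND_RE = re.compile(r"^(?P<path>.+?) \[(?P<stamp>[^\]]+) (?P<size>\d+)\]$")
# OTL: Unable to delete ADS <path>:<stream>
ADS_RE = re.compile(r"^Unable to delete ADS (?P<path>.+?):(?P<stream>[0-9A-Za-z_$]+)\s*\.?$")

# Assumed mapping of the start-type digit to the Windows service start values.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Directory fragments a service image should not normally live under.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\", "\\local settings\\temp\\")


def parse_entry(line: str) -> Optional[Dict]:
    """Parse one service/driver line; return None if the line is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    entry = {
        "name": m.group("name"),
        "display": m.group("display"),
        "running": m.group("state") == "R",
        "start": START_TYPES.get(m.group("start"), m.group("start")),
        "size": None,
        "flags": set(),
    }
    if " --> " in rest:
        # "<configured path> --> <resolved path> [?]": the image was not found on disk.
        _, resolved = rest.split(" --> ", 1)
        entry["image"] = resolved.replace(" [?]", "").strip()
        if resolved.endswith("[?]"):
            entry["flags"].add("image_missing")
    else:
        f = FOUND_RE.match(rest)
        if not f:
            raise ValueError(f"unrecognised image field: {rest!r}")
        entry["image"] = f.group("path")
        entry["size"] = int(f.group("size"))
    if any(mark in entry["image"].lower() for mark in TEMP_MARKERS):
        entry["flags"].add("temp_path")
    return entry


def triage_services(text: str) -> List[Dict]:
    """Parse every service/driver line in a ComboFix log excerpt."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def flagged(entries: List[Dict]) -> List[Dict]:
    """Entries carrying at least one review flag, in log order."""
    return [e for e in entries if e["flags"]]


def find_undeleted_ads(text: str) -> List[Dict]:
    """Paths and stream names OTL reported it could not delete."""
    hits = []
    for line in text.splitlines():
        m = ADS_RE.match(line.strip())
        if m:
            hits.append({"path": m.group("path"), "stream": m.group("stream")})
    return hits


if __name__ == "__main__":
    for e in flagged(triage_services(SAMPLE_SERVICES)):
        print(f"{e['name']:<12} {e['start']:<7} {sorted(e['flags'])}  {e['image']}")
    for h in find_undeleted_ads(SAMPLE_OTL):
        print(f"ADS still present: {h['path']}  stream={h['stream']}")
```

On the stream itself: Windows XP has no `dir /r`, so the usual way to confirm whether `TEMP:0D786AE3` is still there is the Sysinternals Streams tool (`streams.exe -s` to list recursively, `-d` to delete); as the poster was told, that is a step to run only when the helper asks for it, since the helper may want the stream preserved for a look.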