New
#21
I've got plenty of free space.
About 8 of the 10 hours was spent on the Mac side of the hard drive (I'm running Bootcamp.) I have no idea why it took so long; there's only 14 GB of stuff on that partition.
Anyway, so far so good, although I haven't started up Firefox. Not sure I should...
Download Combofix from any of the links below, and save it to your desktop.<--Important
Link 1
Link 2
Link 3
Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
- Double click combofix.exe and follow the prompts.
- When finished, it will produce a log for you. Post that log
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt. Post this log in your next reply
After rebooting ensure your Security applications have been re-enabled.
In your next reply post:
ComboFix.txt
***A guide and tutorial on "How to use Combofix" can be found here:
A guide and tutorial on using ComboFix
IF CF won't run:
During the download, rename Combofix.exe to sVchost.exe
Well, so far so good, and I've even started using Firefox again. Looks like Avast and MSERT together solved the problem.
I did run the ComboFix program above, but I forgot to save the log, and now I can't find it.
Hiyya mikenmar Mate I know you are sick of scans but a couple I didn't see mentioned here were Kaspersky's TDSS killer and Drwebcureit both of which have got me out of strife before, and worth keeping in mind.
You can keep them in downloads and use again hope this might help a little.
Dr.Web CureIt! — download free anti-virus! Cure viruses, Best free anti-virus scanner!
Virus-fighting utilities << you will find more in here as well.
John
Please look in C:\ComboFix.txt file ... that is where the log is. Copy and paste the log back here in your next reply.
@ ICit2lol, please don't confuse mikenmar with your requests :) Thanks!
Aha, OK, here you go:
Code:ComboFix 11-12-17.02 - Mike 12/17/2011 12:00:47.1.2 - x64 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4072.2777 [GMT -8:00] Running from: c:\users\Mike\Desktop\ComboFix.exe AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160} SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point . . ((((((((((((((((((((((((( Files Created from 2011-11-17 to 2011-12-17 ))))))))))))))))))))))))))))))) . . 2011-12-17 20:08 . 2011-12-17 20:08 -------- d-----w- c:\users\Default\AppData\Local\temp 2011-12-15 19:19 . 2011-12-15 19:20 -------- d-----w- C:\6a3aed104f82fdcbf0d570 2011-12-15 19:09 . 2011-12-15 19:09 -------- d-----w- c:\program files\Java 2011-12-15 18:48 . 2011-12-15 19:09 750488 ----a-w- c:\windows\system32\npdeployJava1.dll 2011-12-15 18:48 . 2011-12-15 19:09 660368 ----a-w- c:\windows\system32\deployJava1.dll 2011-12-14 18:33 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2011-12-14 18:33 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys 2011-12-14 18:33 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2011-12-14 18:33 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2011-12-14 18:33 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys 2011-12-14 18:33 . 2011-11-28 18:01 256960 ----a-w- c:\windows\system32\aswBoot.exe 2011-12-14 18:33 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys 2011-12-14 18:33 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr 2011-12-14 18:33 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe 2011-12-14 18:33 . 2011-12-14 18:33 -------- d-----w- c:\programdata\AVAST Software 2011-12-14 18:33 . 2011-12-14 18:33 -------- d-----w- c:\program files\AVAST Software 2011-12-14 01:56 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll 2011-12-14 01:56 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll 2011-12-14 01:56 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll 2011-12-14 01:56 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll 2011-12-14 01:56 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll 2011-12-14 01:55 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys 2011-12-13 20:22 . 2011-12-13 20:22 -------- d-----w- c:\users\Mike\AppData\Roaming\SUPERAntiSpyware.com 2011-12-13 20:22 . 2011-12-13 20:22 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2011-12-13 19:55 . 2011-12-15 18:54 -------- d-----w- c:\users\Mike\AppData\Local\NPE 2011-12-10 19:02 . 2011-12-10 19:02 -------- d-----we c:\windows\system64 2011-11-30 18:46 . 2011-11-30 18:47 -------- d-----w- c:\program files\iTunes 2011-11-30 18:46 . 2011-11-30 18:47 -------- d-----w- c:\program files (x86)\iTunes 2011-11-30 18:46 . 2011-11-30 18:46 -------- d-----w- c:\program files\iPod 2011-11-27 05:04 . 2011-11-27 05:04 -------- d-----w- c:\users\Mike\AppData\Roaming\Malwarebytes 2011-11-27 05:04 . 2011-11-27 05:04 -------- d-----w- c:\programdata\Malwarebytes 2011-11-27 05:04 . 2011-09-01 01:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-11-27 01:46 . 2011-11-27 01:50 -------- d-----w- c:\users\Mike\AppData\Roaming\AVG 2011-11-27 01:38 . 2011-11-27 01:38 -------- d--h--w- c:\programdata\Common Files 2011-11-27 01:30 . 2011-11-27 04:47 -------- d-----w- c:\programdata\MFAData 2011-11-25 19:51 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{35B7F154-271A-4064-94BE-90E35A9D6FCE}\mpengine.dll 2011-11-22 18:44 . 2011-11-22 18:44 -------- d-----w- c:\windows\system32\Macromed . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-11-22 18:44 . 2011-06-17 01:49 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2011-10-24 21:29 . 2011-10-24 21:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx 2011-10-24 21:29 . 2011-10-24 21:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts 2011-09-29 16:29 . 2011-11-09 19:33 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240] "AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-27 59240] "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888] "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-11-13 421736] "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-01 136176] R3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys [x] R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x] R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x] R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-02-21 1038088] R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-01 136176] R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [x] R3 pdcv2;DEQX PDC2-6;c:\windows\system32\DRIVERS\pdcv2.sys [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x] R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x] R4 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [x] R4 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [x] R4 CronService;Cron Service for Prey;c:\prey\platform\windows\cronsvc.exe [2011-02-15 19968] R4 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2011-03-09 92592] S0 AppleHFS;AppleHFS; [x] S0 AppleMNT;AppleMNT; [x] S1 aswSnx;aswSnx; [x] S1 aswSP;aswSP; [x] S1 SASDIFSV;SASDIFSV;c:\users\Mike\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS [x] S1 SASKUTIL;SASKUTIL;c:\users\Mike\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS [x] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x] S2 aswFsBlk;aswFsBlk; [x] S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x] S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [x] S2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [x] S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\DRIVERS\applemtm.sys [x] S3 applemtp;Apple Multitouch;c:\windows\system32\DRIVERS\applemtp.sys [x] S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\DRIVERS\IRFilter.sys [x] S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys [x] S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys [x] S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys [x] S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x] . . Contents of the 'Scheduled Tasks' folder . 2011-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-01 21:42] . 2011-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-01 21:42] . . --------- x86-64 ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast] @="{472083B0-C522-11CF-8763-00608CC02F24}" [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}] 2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "LoadAppInit_DLLs"=0x1 . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm uStart Page = hxxp://google.com/ mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = *.local IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000 IE: Open with WordPerfect - c:\program files (x86)\WordPerfect Office X3\Programs\WPLauncher.hta IE: Send To CaseMap - c:\windows\system32\lnToCM.htm TCP: DhcpNameServer = 192.168.1.1 68.87.76.182 68.87.78.134 FF - ProfilePath - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\v8180n0a.default\ FF - prefs.js: browser.search.selectedEngine - Xfinity FF - prefs.js: browser.startup.homepage - google.com FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&q= FF - user.js: network.cookie.cookieBehavior - 0 FF - user.js: privacy.clearOnShutdown.cookies - false FF - user.js: security.warn_viewing_mixed - false FF - user.js: security.warn_viewing_mixed.show_once - false FF - user.js: security.warn_submit_insecure - false FF - user.js: security.warn_submit_insecure.show_once - false . - - - - ORPHANS REMOVED - - - - . Toolbar-10 - (no file) Toolbar-10 - (no file) WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file) AddRemove-dBpowerAMP - c:\windows\system32\SpoonUninstall.exe AddRemove-dBpoweramp DSP Effects - c:\windows\system32\SpoonUninstall.exe AddRemove-dBpoweramp FLAC Codec - c:\windows\system32\SpoonUninstall.exe AddRemove-dBpoweramp Music Converter - c:\windows\system32\SpoonUninstall.exe . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.10" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2011-12-17 12:11:00 ComboFix-quarantined-files.txt 2011-12-17 20:11 . Pre-Run: 243,834,499,072 bytes free Post-Run: 243,748,184,064 bytes free . - - End Of File - - 48CBD83BE030047CE209787990520D4F