BleepingComputer.com: Infected with Win 7 2012, can't access firewall, internet

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Infected with Win 7 2012, can't access firewall, internet Ran fixncr.reg, rkill, malwarebytes & still have problems

#1 User is offline   miznat722 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 19-December 11
  • Gender:Female
  • Location:MKE, WI

Posted 26 December 2011 - 01:40 PM

Original post in "Am I infected" : http://www.bleepingcomputer.com/forums/topic433481.html/page__p__2516546__fromsearch__1#entry2516546
Was infected with Win 7 2012 Security virus on 12/9/2011. Security warning pop-ups, web page redirects, then system went into windows update which was not successful and no internet access after system restarted. Tried self-help steps including system restore (received error message that could not restore due to windows update not completed) with final try being bleepingcomputer removal instructions. Still seeing fake security symbol next to anti-virus programs (avg, malwarebytes, iexplore.exe, ddr.scr, etc.) and many options in control panel (system restore, network center, etc.). Still cannot access internet - connection to wireless network is there, but connection from network to internet in constant "identifying" mode. Troubleshooter identifies this due to not being connected to Homegroup, but when I try to change to "Home" network, the "save changes" button has fake security shield and does not make change. Cannot turn off system restore or enable firewall (error code Ox80070424). Have tried all in both safe mode and regular mode.

.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
Run by miznat at 9:46:34 on 2011-12-26
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\windows\system32\DllHost.exe
F:\dds.scr
C:\windows\system32\conhost.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k NetworkService
.
============== Pseudo HJT Report ===============
.
uStart Page = https://epic.picbusiness.com/5000/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110920002325.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Google Update] "c:\users\miznat\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [googletalk] c:\users\miznat\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Spyware Doctor] c:\users\miznat\desktop\sdsetup_revwire207.exe -min
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [MDS_Menu] "c:\program files\lenovo\mediashow\muitransfer\muistartmenu.exe" "c:\program files\lenovo\mediashow" updatewithcreateonce "software\cyberlink\mediashow\4.1"
mRun: [IdeaNotesUser] c:\program files\ddni\lenovo idea notes\DDNIMSGUser.exe
mRun: [Alive Idea Desktop] %ProgramFiles%\Lenovo\Alive Idea Desktop\Alive Idea Desktop.exe -hang45000
mRun: [Lenovo SlideNav] "c:\program files\lenovo\lenovo slidenav\slidebarnavigator\SlidebarNavigator.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [OnekeyDM] c:\program files\lenovo\onekeydm\OnekeyDM.exe
mRun: [VeriFaceManager] c:\program files\lenovo\veriface\PManage.exe
mRun: [UpdateP2GShortCut] "c:\program files\lenovo\power2go\muitransfer\muistartmenu.exe" "c:\program files\lenovo\power2go" updatewithcreateonce "software\cyberlink\power2go\5.0"
mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe
mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRunOnce: [WLStart] "c:\program files\windows live\installer\wlstart.exe" /nosearch /nohomepage
dRunOnce: [osk.exe] osk.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://epic.picbusiness.com/5000/script/smsx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{27C0F791-317A-4E69-9339-46E72B74E9FC} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{27C0F791-317A-4E69-9339-46E72B74E9FC}\24C696E6B6138323E36416C6C6F6574724F697 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{27C0F791-317A-4E69-9339-46E72B74E9FC}\7534D455359434 : DhcpNameServer = 172.16.50.5
TCP: Interfaces\{27C0F791-317A-4E69-9339-46E72B74E9FC}\76F676F696E666C696768647 : DhcpNameServer = 172.19.134.2
TCP: Interfaces\{27C0F791-317A-4E69-9339-46E72B74E9FC}\C696E6B6379737 : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{2AE78028-2F4E-43B8-A705-36834DF5DA0E} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\miznat\appdata\roaming\mozilla\firefox\profiles\q8t5foau.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\miznat\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R? aswFsBlk;aswFsBlk
R? aswMonFlt;aswMonFlt
R? aswSnx;aswSnx
R? aswSP;aswSP
R? avast! Antivirus;avast! Antivirus
R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
R? Bridge0;Bridge0
R? btwl2cap;Bluetooth L2CAP Service
R? cfwids;McAfee Inc. cfwids
R? DDNIMSGService;DDNIMSGService
R? DDNIService;DDNIService
R? funfrm;funfrm
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? IGRS;IGRS
R? IntcHdmiAddService;Intel® High Definition Audio HDMI
R? k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0
R? Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc
R? Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc
R? MBAMProtector;MBAMProtector
R? MBAMService;MBAMService
R? McMPFSvc;McAfee Personal Firewall Service
R? McShield;McAfee McShield
R? mfeavfk;McAfee Inc. mfeavfk
R? mfebopk;McAfee Inc. mfebopk
R? mfefire;McAfee Firewall Core Service
R? mfefirek;McAfee Inc. mfefirek
R? mfehidk;McAfee Inc. mfehidk
R? mfenlfk;McAfee NDIS Light Filter
R? mferkdet;McAfee Inc. mferkdet
R? mfevtp;McAfee Validation Trust Protection Service
R? mfewfpk;McAfee Inc. mfewfpk
R? netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit
R? PS_MDP;ReadyComm Presentation Space Helper Service
R? ReadyComm.DirectRouter;ReadyComm.DirectRouter
R? RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader
R? usbsmi;Lenovo EasyCamera
R? vwififlt;Virtual WiFi Filter Driver
R? vwifimp;Microsoft Virtual WiFi Miniport Service
R? WatAdminSvc;Windows Activation Technologies Service
R? wdmirror;wdmirror
R? wsvd;wsvd
S? ACPIVPC;Lenovo Virtual Power Controller Driver
S? enecir;ENE CIR Receiver
S? enecirhid;ENE CIR HID Receiver
S? enecirhidma;ENE CIR HIDmini Filter
.
=============== Created Last 30 ================
.
2011-12-19 14:41:43 -------- d-----w- c:\users\miznat\appdata\local\NPE
2011-12-19 14:41:43 -------- d-----w- c:\programdata\Norton
2011-12-19 13:56:45 -------- d-----w- c:\programdata\PC Tools
2011-12-19 13:51:17 -------- d-----w- c:\programdata\RegCure
2011-12-18 05:15:07 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-18 04:50:25 -------- d--h--w- c:\programdata\Common Files
2011-12-18 04:49:25 -------- d-----w- c:\programdata\MFAData
2011-12-13 01:42:55 -------- d-----w- c:\users\miznat\appdata\roaming\Malwarebytes
2011-12-13 01:42:50 -------- d-----w- c:\programdata\Malwarebytes
2011-12-13 01:42:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-10 01:29:51 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2011-12-09 15:53:18 -------- d-----w- c:\windows\system32\SPReview
2011-12-09 13:57:27 -------- d-----w- c:\programdata\AVAST Software
.
==================== Find3M ====================
.
2011-11-28 17:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 16:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-28 16:52:07 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-10-01 02:59:14 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-29 15:43:37 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-29 04:20:25 2339840 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 9:47:28.45 ===============

Attached File(s)

  • Attached File  Attach.txt (4.25K)
    Number of downloads: 0
  • Attached File  ark.zip (36.62K)
    Number of downloads: 0

#2 User is offline   HelpBot 

  • Bleepin' Binary Bot
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Bots
  • Posts: 5,607
  • Joined: 05-October 07
  • Gender:Male

Posted 01 January 2012 - 01:45 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434556 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.

  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.


Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 User is offline   miznat722 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 19-December 11
  • Gender:Female
  • Location:MKE, WI

Posted 02 January 2012 - 09:17 AM

Cannot connect to the internet, fake "security" shield by control panel programs, cannot enable firewall. Computer is basically inoperable as all work I do on it is internet so not sure what else is not working. Haven't used it other than to create logs. Have re-run and attached logs (screwed up original gmer log - did not uncheck show all but current log is correct). Also, did have a problem running the gmer this time - got a blue screen with a serious error message and the program canceled a couple of times. Ran RKill again and then the log successfully. Please help! Do not have windows cd - did not come with laptop. Recovery files are located in hidden partition and to be accessed using OneKey recovery, but this program also has fake security shield attached to it.

.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
Run by miznat at 7:33:08 on 2012-01-02
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Users\miznat\Desktop\dds.scr
C:\windows\system32\conhost.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k NetworkService
.
============== Pseudo HJT Report ===============
.
uStart Page = https://epic.picbusiness.com/5000/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110920002325.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Google Update] "c:\users\miznat\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [googletalk] c:\users\miznat\appdata\roaming\google\google talk\googletalk.exe /autostart
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Spyware Doctor] c:\users\miznat\desktop\sdsetup_revwire207.exe -min
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [MDS_Menu] "c:\program files\lenovo\mediashow\muitransfer\muistartmenu.exe" "c:\program files\lenovo\mediashow" updatewithcreateonce "software\cyberlink\mediashow\4.1"
mRun: [IdeaNotesUser] c:\program files\ddni\lenovo idea notes\DDNIMSGUser.exe
mRun: [Alive Idea Desktop] %ProgramFiles%\Lenovo\Alive Idea Desktop\Alive Idea Desktop.exe -hang45000
mRun: [Lenovo SlideNav] "c:\program files\lenovo\lenovo slidenav\slidebarnavigator\SlidebarNavigator.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [OnekeyDM] c:\program files\lenovo\onekeydm\OnekeyDM.exe
mRun: [VeriFaceManager] c:\program files\lenovo\veriface\PManage.exe
mRun: [UpdateP2GShortCut] "c:\program files\lenovo\power2go\muitransfer\muistartmenu.exe" "c:\program files\lenovo\power2go" updatewithcreateonce "software\cyberlink\power2go\5.0"
mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe
mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRunOnce: [WLStart] "c:\program files\windows live\installer\wlstart.exe" /nosearch /nohomepage
dRunOnce: [osk.exe] osk.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://epic.picbusiness.com/5000/script/smsx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{27C0F791-317A-4E69-9339-46E72B74E9FC} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{27C0F791-317A-4E69-9339-46E72B74E9FC}\24C696E6B6138323E36416C6C6F6574724F697 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{27C0F791-317A-4E69-9339-46E72B74E9FC}\7534D455359434 : DhcpNameServer = 172.16.50.5
TCP: Interfaces\{27C0F791-317A-4E69-9339-46E72B74E9FC}\76F676F696E666C696768647 : DhcpNameServer = 172.19.134.2
TCP: Interfaces\{27C0F791-317A-4E69-9339-46E72B74E9FC}\C696E6B6379737 : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{2AE78028-2F4E-43B8-A705-36834DF5DA0E} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\miznat\appdata\roaming\mozilla\firefox\profiles\q8t5foau.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\miznat\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R? aswFsBlk;aswFsBlk
R? aswMonFlt;aswMonFlt
R? aswSnx;aswSnx
R? aswSP;aswSP
R? avast! Antivirus;avast! Antivirus
R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
R? Bridge0;Bridge0
R? btwl2cap;Bluetooth L2CAP Service
R? cfwids;McAfee Inc. cfwids
R? DDNIMSGService;DDNIMSGService
R? DDNIService;DDNIService
R? funfrm;funfrm
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? IGRS;IGRS
R? IntcHdmiAddService;Intel® High Definition Audio HDMI
R? k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0
R? Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc
R? Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc
R? MBAMProtector;MBAMProtector
R? MBAMService;MBAMService
R? McMPFSvc;McAfee Personal Firewall Service
R? McShield;McAfee McShield
R? mfeavfk;McAfee Inc. mfeavfk
R? mfebopk;McAfee Inc. mfebopk
R? mfefire;McAfee Firewall Core Service
R? mfefirek;McAfee Inc. mfefirek
R? mfehidk;McAfee Inc. mfehidk
R? mfenlfk;McAfee NDIS Light Filter
R? mferkdet;McAfee Inc. mferkdet
R? mfevtp;McAfee Validation Trust Protection Service
R? mfewfpk;McAfee Inc. mfewfpk
R? netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit
R? PS_MDP;ReadyComm Presentation Space Helper Service
R? ReadyComm.DirectRouter;ReadyComm.DirectRouter
R? RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader
R? usbsmi;Lenovo EasyCamera
R? vwififlt;Virtual WiFi Filter Driver
R? vwifimp;Microsoft Virtual WiFi Miniport Service
R? WatAdminSvc;Windows Activation Technologies Service
R? wdmirror;wdmirror
R? wsvd;wsvd
S? ACPIVPC;Lenovo Virtual Power Controller Driver
S? enecir;ENE CIR Receiver
S? enecirhid;ENE CIR HID Receiver
S? enecirhidma;ENE CIR HIDmini Filter
.
=============== Created Last 30 ================
.
2012-01-01 22:21:48 -------- d-----w- c:\users\miznat\appdata\local\CrashDumps
2011-12-19 14:41:43 -------- d-----w- c:\users\miznat\appdata\local\NPE
2011-12-19 14:41:43 -------- d-----w- c:\programdata\Norton
2011-12-19 13:56:45 -------- d-----w- c:\programdata\PC Tools
2011-12-19 13:51:17 -------- d-----w- c:\programdata\RegCure
2011-12-18 05:15:07 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-18 04:50:25 -------- d--h--w- c:\programdata\Common Files
2011-12-18 04:49:25 -------- d-----w- c:\programdata\MFAData
2011-12-13 01:42:55 -------- d-----w- c:\users\miznat\appdata\roaming\Malwarebytes
2011-12-13 01:42:50 -------- d-----w- c:\programdata\Malwarebytes
2011-12-13 01:42:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-10 01:29:51 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2011-12-09 15:53:18 -------- d-----w- c:\windows\system32\SPReview
2011-12-09 13:57:27 -------- d-----w- c:\programdata\AVAST Software
.
==================== Find3M ====================
.
2011-11-28 17:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 16:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-28 16:52:07 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
.
============= FINISH: 7:34:05.42 ===============

Attached File(s)

  • Attached File  ark.txt (115.9K)
    Number of downloads: 2
  • Attached File  Attach.txt (4.25K)
    Number of downloads: 1

#4 User is offline   nasdaq 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 5,061
  • Joined: 16-June 06
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 January 2012 - 10:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

In all you logs I was not able to identify your Operating system.
This fix is for XP if this is not your operating system do not execute this, let me know what your have.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.

  • Do not install any other programs until this if fixed.[/b]

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall
===

Third party programs if not up to date can be the cause of infiltration an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===

Please post the logs and let me know if the problem persists.

#5 User is offline   miznat722 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 19-December 11
  • Gender:Female
  • Location:MKE, WI

Posted 02 January 2012 - 11:57 AM

Nasdaq - I am running Windows 7 on the laptop.
MizNat

#6 User is offline   nasdaq 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 5,061
  • Joined: 16-June 06
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 January 2012 - 03:59 PM

Execute ComboFix this way.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this if fixed.

How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

#7 User is offline   miznat722 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 19-December 11
  • Gender:Female
  • Location:MKE, WI

Posted 02 January 2012 - 07:53 PM

ComboFix 12-01-02.01 - miznat 01/02/2012 18:39:01.3.2 - x86
Running from: c:\users\miznat\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))
.
.
2012-01-03 00:48 . 2012-01-03 00:48 -------- d-----w- c:\users\ReeBee\AppData\Local\temp
2012-01-03 00:48 . 2012-01-03 00:48 -------- d-----w- c:\users\Mona\AppData\Local\temp
2012-01-03 00:48 . 2012-01-03 00:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-03 00:48 . 2012-01-03 00:48 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-01-02 23:53 . 2012-01-03 00:48 -------- d-----w- c:\users\miznat\AppData\Local\temp
2012-01-02 23:52 . 2010-11-20 08:39 74752 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-01-02 23:16 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-01 22:21 . 2012-01-01 23:16 -------- d-----w- c:\users\miznat\AppData\Local\CrashDumps
2011-12-19 14:41 . 2011-12-19 15:04 -------- d-----w- c:\users\miznat\AppData\Local\NPE
2011-12-19 14:41 . 2011-12-19 14:41 -------- d-----w- c:\programdata\Norton
2011-12-19 13:56 . 2011-12-19 13:56 -------- d-----w- c:\programdata\PC Tools
2011-12-19 13:51 . 2011-12-19 13:56 -------- d-----w- c:\programdata\RegCure
2011-12-18 05:15 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-18 04:50 . 2011-12-18 04:50 -------- d--h--w- c:\programdata\Common Files
2011-12-18 04:49 . 2011-12-18 04:50 -------- d-----w- c:\programdata\MFAData
2011-12-13 01:42 . 2011-12-13 01:42 -------- d-----w- c:\users\miznat\AppData\Roaming\Malwarebytes
2011-12-13 01:42 . 2011-12-13 01:42 -------- d-----w- c:\programdata\Malwarebytes
2011-12-13 01:42 . 2011-12-18 05:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-10 01:29 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2011-12-09 15:53 . 2011-12-17 13:48 -------- d-----w- c:\windows\system32\SPReview
2011-12-09 13:57 . 2011-11-03 12:30 -------- d-----w- c:\programdata\AVAST Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 17:01 . 2011-11-03 12:30 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:01 . 2011-11-03 12:30 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-28 16:53 . 2011-11-03 12:30 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-28 16:53 . 2011-11-03 12:30 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-28 16:52 . 2011-11-03 12:30 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-28 16:52 . 2011-11-03 12:30 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-28 16:52 . 2011-11-03 12:30 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-11-28 16:51 . 2011-11-03 12:30 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 17:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2010-01-06 08:27 1410312 ----a-w- c:\windows\System32\IcnOvrly.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\users\miznat\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"MDS_Menu"="c:\program files\Lenovo\MediaShow\MUITransfer\MUIStartMenu.exe" [2008-11-14 218408]
"IdeaNotesUser"="c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe" [2009-08-24 221872]
"Alive Idea Desktop"="c:\program files\Lenovo\Alive Idea Desktop\Alive Idea Desktop.exe" [2009-10-16 300544]
"Lenovo SlideNav"="c:\program files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe" [2009-10-22 845640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-30 1545512]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-17 8120864]
"OnekeyDM"="c:\program files\Lenovo\OnekeyDM\OnekeyDM.exe" [2009-03-27 335872]
"VeriFaceManager"="c:\program files\Lenovo\VeriFace\PManage.exe" [2010-01-06 3122440]
"UpdateP2GShortCut"="c:\program files\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2009-09-29 4114288]
"Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2009-09-29 5064560]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WLStart"="c:\program files\Windows Live\Installer\wlstart.exe" [2009-07-26 768336]
"osk.exe"="osk.exe" [2009-07-14 646144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-18 136176]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [x]
R3 Bridge0;Bridge0;c:\windows\system32\drivers\WDBridge.sys [2009-07-28 63240]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-08-15 57432]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-18 136176]
R3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\Lenovo\ReadyComm\AppSvc.exe [2009-08-14 509192]
R3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\Lenovo\ReadyComm\ConnSvc.exe [2009-09-22 579400]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-08-15 87808]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 PS_MDP;ReadyComm Presentation Space Helper Service;c:\windows\System32\IgrsSvcs.exe [2009-07-14 20992]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-30 175104]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-02 1343400]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-21 81704]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 funfrm;funfrm; [x]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-08-15 64712]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-08-15 164776]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-11-28 55128]
S2 DDNIMSGService;DDNIMSGService;c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [2009-08-24 172720]
S2 DDNIService;DDNIService;c:\program files\DDNI\DIBS\DDNIService.exe [2009-09-11 160432]
S2 IGRS;IGRS;c:\program files\Lenovo\ReadyComm\common\IGRS.exe [2009-07-14 38152]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-08-19 160344]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-08-19 148520]
S2 ReadyComm.DirectRouter;ReadyComm.DirectRouter;c:\windows\System32\IgrsSvcs.exe [2009-07-14 20992]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 21520]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-06-29 59904]
S3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\DRIVERS\enecirhid.sys [2009-05-19 11776]
S3 enecirhidma;ENE CIR HIDmini Filter;c:\windows\system32\DRIVERS\enecirhidma.sys [2008-04-24 5632]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-09 122880]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-06-07 273448]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-08-15 338040]
S3 usbsmi;Lenovo EasyCamera;c:\windows\system32\DRIVERS\SMIksdrv.sys [2009-08-21 171520]
S3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [2009-07-16 11792]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
IgrsSvcs REG_MULTI_SZ ReadyComm.DirectRouter PS_MDP
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-04 04:23]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-04 04:23]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-16573216-359777476-720796809-1003Core1cb0e8c33637bfe.job
- c:\users\miznat\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-16 01:14]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-16573216-359777476-720796809-1003UA.job
- c:\users\miznat\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-16 01:14]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-16573216-359777476-720796809-1007Core.job
- c:\users\Mona\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-19 14:01]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-16573216-359777476-720796809-1007UA.job
- c:\users\Mona\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-19 14:01]
.
.
------- Supplementary Scan -------
.
uStart Page = https://epic.picbusiness.com/5000/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\miznat\AppData\Roaming\Mozilla\Firefox\Profiles\q8t5foau.default\
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-02 18:50:15
ComboFix-quarantined-files.txt 2012-01-03 00:50
ComboFix2.txt 2012-01-03 00:31
ComboFix3.txt 2012-01-03 00:12
.
Pre-Run: 217,244,581,888 bytes free
Post-Run: 217,190,375,424 bytes free
.
- - End Of File - - 995C6C13005D99E947EFC77972E63F04

#8 User is offline   nasdaq 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 5,061
  • Joined: 16-June 06
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 January 2012 - 09:36 AM

I'm missing the beginning of the ComboFix report.

Open C:\ComboFix.txtwith Notepad.
Right click the text and click "Select ALL"

Right Click the highlighted text and select Copy.

Post the complete result in your next reply.
===

I also need to see this result.

Third party programs if not up to date can be the cause infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===

Post the logs and let me know what problem persists.

#9 User is offline   miznat722 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 19-December 11
  • Gender:Female
  • Location:MKE, WI

Posted 05 January 2012 - 09:33 AM

hello nasdaq - info pasted was all of the information in the text file. wondering if I screwed something up? when the program ran I received a pop up stating I had a rootkit infection and to let combofix restart my machine. I did this but when I returned to check on status, was at the login screen. logged in and nothing happened so ran combofix again and the results were what I posted. I did run again this morning to see if any different result and that is posted below.

I am unable to run the security check - receive message "Illegal operation attempted on a registry key that has been marked for deletion". should I be attempting this in safe mode? your advice is greatly needed and appreciated.
miznat

ComboFix 12-01-02.01 - miznat 01/05/2012 8:04.4.2 - x86
Running from: c:\users\miznat\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-05 to 2012-01-05 )))))))))))))))))))))))))))))))
.
.
2012-01-05 14:14 . 2012-01-05 14:14 -------- d-----w- c:\users\ReeBee\AppData\Local\temp
2012-01-05 14:14 . 2012-01-05 14:14 -------- d-----w- c:\users\Mona\AppData\Local\temp
2012-01-05 14:14 . 2012-01-05 14:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-05 14:14 . 2012-01-05 14:14 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-01-03 00:50 . 2012-01-05 14:14 -------- d-----w- c:\users\miznat\AppData\Local\temp
2012-01-02 23:52 . 2010-11-20 08:39 74752 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-01-02 23:16 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-01 22:21 . 2012-01-01 23:16 -------- d-----w- c:\users\miznat\AppData\Local\CrashDumps
2011-12-19 14:41 . 2011-12-19 15:04 -------- d-----w- c:\users\miznat\AppData\Local\NPE
2011-12-19 14:41 . 2011-12-19 14:41 -------- d-----w- c:\programdata\Norton
2011-12-19 13:56 . 2011-12-19 13:56 -------- d-----w- c:\programdata\PC Tools
2011-12-19 13:51 . 2011-12-19 13:56 -------- d-----w- c:\programdata\RegCure
2011-12-18 05:15 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-18 04:50 . 2011-12-18 04:50 -------- d--h--w- c:\programdata\Common Files
2011-12-18 04:49 . 2011-12-18 04:50 -------- d-----w- c:\programdata\MFAData
2011-12-13 01:42 . 2011-12-13 01:42 -------- d-----w- c:\users\miznat\AppData\Roaming\Malwarebytes
2011-12-13 01:42 . 2011-12-13 01:42 -------- d-----w- c:\programdata\Malwarebytes
2011-12-13 01:42 . 2011-12-18 05:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-10 01:29 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2011-12-09 15:53 . 2011-12-17 13:48 -------- d-----w- c:\windows\system32\SPReview
2011-12-09 13:57 . 2011-11-03 12:30 -------- d-----w- c:\programdata\AVAST Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 17:01 . 2011-11-03 12:30 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:01 . 2011-11-03 12:30 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-28 16:53 . 2011-11-03 12:30 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-28 16:53 . 2011-11-03 12:30 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-28 16:52 . 2011-11-03 12:30 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-28 16:52 . 2011-11-03 12:30 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-28 16:52 . 2011-11-03 12:30 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-11-28 16:51 . 2011-11-03 12:30 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 17:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2010-01-06 08:27 1410312 ----a-w- c:\windows\System32\IcnOvrly.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\users\miznat\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"MDS_Menu"="c:\program files\Lenovo\MediaShow\MUITransfer\MUIStartMenu.exe" [2008-11-14 218408]
"IdeaNotesUser"="c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe" [2009-08-24 221872]
"Alive Idea Desktop"="c:\program files\Lenovo\Alive Idea Desktop\Alive Idea Desktop.exe" [2009-10-16 300544]
"Lenovo SlideNav"="c:\program files\Lenovo\Lenovo SlideNav\SlidebarNavigator\SlidebarNavigator.exe" [2009-10-22 845640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-30 1545512]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-17 8120864]
"OnekeyDM"="c:\program files\Lenovo\OnekeyDM\OnekeyDM.exe" [2009-03-27 335872]
"VeriFaceManager"="c:\program files\Lenovo\VeriFace\PManage.exe" [2010-01-06 3122440]
"UpdateP2GShortCut"="c:\program files\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2009-09-29 4114288]
"Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2009-09-29 5064560]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WLStart"="c:\program files\Windows Live\Installer\wlstart.exe" [2009-07-26 768336]
"osk.exe"="osk.exe" [2009-07-14 646144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-18 136176]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [x]
R3 Bridge0;Bridge0;c:\windows\system32\drivers\WDBridge.sys [2009-07-28 63240]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-08-15 57432]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-18 136176]
R3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\Lenovo\ReadyComm\AppSvc.exe [2009-08-14 509192]
R3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\Lenovo\ReadyComm\ConnSvc.exe [2009-09-22 579400]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-08-15 87808]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 PS_MDP;ReadyComm Presentation Space Helper Service;c:\windows\System32\IgrsSvcs.exe [2009-07-14 20992]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-30 175104]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-02 1343400]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-21 81704]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 funfrm;funfrm; [x]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-08-15 64712]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-08-15 164776]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-11-28 55128]
S2 DDNIMSGService;DDNIMSGService;c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [2009-08-24 172720]
S2 DDNIService;DDNIService;c:\program files\DDNI\DIBS\DDNIService.exe [2009-09-11 160432]
S2 IGRS;IGRS;c:\program files\Lenovo\ReadyComm\common\IGRS.exe [2009-07-14 38152]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-08-19 160344]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-08-19 148520]
S2 ReadyComm.DirectRouter;ReadyComm.DirectRouter;c:\windows\System32\IgrsSvcs.exe [2009-07-14 20992]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 21520]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-06-29 59904]
S3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\DRIVERS\enecirhid.sys [2009-05-19 11776]
S3 enecirhidma;ENE CIR HIDmini Filter;c:\windows\system32\DRIVERS\enecirhidma.sys [2008-04-24 5632]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-09 122880]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-06-07 273448]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-08-15 338040]
S3 usbsmi;Lenovo EasyCamera;c:\windows\system32\DRIVERS\SMIksdrv.sys [2009-08-21 171520]
S3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [2009-07-16 11792]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
IgrsSvcs REG_MULTI_SZ ReadyComm.DirectRouter PS_MDP
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-04 04:23]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-04 04:23]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-16573216-359777476-720796809-1003Core1cb0e8c33637bfe.job
- c:\users\miznat\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-16 01:14]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-16573216-359777476-720796809-1003UA.job
- c:\users\miznat\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-16 01:14]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-16573216-359777476-720796809-1007Core.job
- c:\users\Mona\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-19 14:01]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-16573216-359777476-720796809-1007UA.job
- c:\users\Mona\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-19 14:01]
.
.
------- Supplementary Scan -------
.
uStart Page = https://epic.picbusiness.com/5000/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\miznat\AppData\Roaming\Mozilla\Firefox\Profiles\q8t5foau.default\
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5484)
c:\windows\system32\IcnOvrly.dll
c:\program files\Lenovo\Bluetooth Software\btmmhook.dll
c:\program files\Lenovo\Bluetooth Software\btkeyind.dll
c:\program files\Lenovo\Bluetooth Software\BtwNamespaceExt.dll
c:\program files\Lenovo\Bluetooth Software\BtwNeLib.dll
c:\program files\Lenovo\Bluetooth Software\btwapi.dll
c:\program files\Lenovo\Bluetooth Software\btosif.dll
c:\program files\Lenovo\Bluetooth Software\btwpimif.dll
.
Completion time: 2012-01-05 08:17:36
ComboFix-quarantined-files.txt 2012-01-05 14:17
ComboFix2.txt 2012-01-03 00:50
ComboFix3.txt 2012-01-03 00:31
ComboFix4.txt 2012-01-03 00:12
.
Pre-Run: 216,911,872,000 bytes free
Post-Run: 217,746,386,944 bytes free
.
- - End Of File - - 67A71ED5E47840ED9498312B603735EB

#10 User is offline   nasdaq 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 5,061
  • Joined: 16-June 06
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 January 2012 - 09:52 AM

Quote

I am unable to run the security check - receive message "Illegal operation attempted on a registry key that has been marked for deletion".

After a restart of the computer you should be able to run this tool.
Post the log for my review.
===

Your ComboFix log is clean.

What are the current issues with this computer.

#11 User is offline   miznat722 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 19-December 11
  • Gender:Female
  • Location:MKE, WI

Posted 10 January 2012 - 08:54 AM

nasdaq thank you for your assistance but you can close the help inquiry. even after a reboot, everything I tried to do returned an "Illegal operation" prompt. I was able to get to my one key recovery in safe mode to restore system to original state. Thank you again.
miznat

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users