Windows 7 Programs Mozilla/IE/Programs freezing crashing


13 replies to this topic

#1 juice2222
  • Members
  • 24 posts

Posted 01 June 2011 - 06:14 PM

Issue abruptly started about 1 week ago. All programs I open freeze and sometimes crash. If I try to copy/paste, I'll get a "Not responding" from explorer.exe. The only program that works is Steam. I can't scan with Malwarebytes or Spybot as the programs crash. Sometimes I can surf the web for a few minutes before it all crashes again. Tried a system restore; that failed - said it could not restore.

Also, startup and shutdown time have increased from about 1 minute each to about 3 minutes each, minimum.

Here is my DDS log - Attach is attached

.
DDS (Ver_2011-06-01.06) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Zach at 18:57:01 on 2011-06-01
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6103.5117 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=userinit.exe
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAPFI~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{44B7B99C-D83D-43F2-8BA5-829681AE29E6} : DhcpNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
mRun-x64: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Zach\AppData\Roaming\Mozilla\Firefox\Profiles\vnd9eznw.default\
FF - prefs.js: network.proxy.type - 0
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\coFFPlgn\components\coFFPlgn.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\nphdplg.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20110518.001\BHDrvx64.sys [2011-5-18 1127032]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20110527.001_f41\IDSviA64.sys [2011-5-31 476792]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1206000.01D\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1206000.01D\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 CinemaNow Service;CinemaNow Service;C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2010-6-12 400368]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-5-10 136824]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
S2 CLKMSVC10_C6F09094;CyberLink Product - 2010/11/19 03:32:14;C:\Program Files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe [2010-11-19 245232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
.
=============== Created Last 30 ================
.
2011-05-10 21:41:14 5509504 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-05-10 21:41:13 3957632 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-05-10 21:41:13 3901824 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-05-10 21:41:10 98816 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2011-05-10 21:41:10 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys
2011-05-10 21:41:10 52224 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2011-05-10 21:41:10 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2011-05-10 21:41:10 324608 ----a-w- C:\Windows\System32\drivers\usbport.sys
2011-05-10 21:41:10 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2011-05-10 21:41:10 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2011-05-10 02:12:08 -------- d-----w- C:\ProgramData\{E91883C8-8CDC-46A4-A45F-CB40EB82ED60}
2011-05-10 00:22:06 912504 ----a-w- C:\Windows\System32\drivers\NISx64\1206000.01D\symefa64.sys
2011-05-10 00:22:06 744568 ----a-w- C:\Windows\System32\drivers\NISx64\1206000.01D\srtsp64.sys
2011-05-10 00:22:06 450680 ----a-w- C:\Windows\System32\drivers\NISx64\1206000.01D\symds64.sys
2011-05-10 00:22:06 40568 ----a-w- C:\Windows\System32\drivers\NISx64\1206000.01D\srtspx64.sys
2011-05-10 00:22:06 382584 ----a-w- C:\Windows\System32\drivers\NISx64\1206000.01D\symnets.sys
2011-05-10 00:22:06 171128 ----a-w- C:\Windows\System32\drivers\NISx64\1206000.01D\ironx64.sys
2011-05-10 00:21:58 -------- d-----w- C:\Windows\System32\drivers\NISx64\1206000.01D
2011-05-03 21:36:22 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-05-03 21:36:22 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
.
==================== Find3M ====================
.
2011-05-11 20:53:11 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-04-13 22:40:10 4284416 ----a-w- C:\Windows\SysWow64\GPhotos.scr
2011-03-12 12:03:46 662528 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-03-12 11:31:58 442880 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-03-11 06:23:13 187264 ----a-w- C:\Windows\System32\drivers\storport.sys
2011-03-11 06:23:06 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys
2011-03-11 06:23:06 1657216 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2011-03-11 06:23:06 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys
2011-03-11 06:23:00 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys
2011-03-11 06:22:41 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys
2011-03-11 06:22:40 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys
2011-03-11 06:19:26 1395712 ----a-w- C:\Windows\System32\mfc42.dll
2011-03-11 06:19:26 1359872 ----a-w- C:\Windows\System32\mfc42u.dll
2011-03-11 06:18:20 2566144 ----a-w- C:\Windows\System32\esent.dll
2011-03-11 06:15:54 96768 ----a-w- C:\Windows\System32\fsutil.exe
2011-03-11 05:40:24 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll
2011-03-11 05:39:35 1686016 ----a-w- C:\Windows\SysWow64\esent.dll
2011-03-11 05:37:34 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe
2011-03-08 06:14:30 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-03-08 05:38:13 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-03-04 06:17:25 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2011-03-04 06:17:24 347648 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
.
============= FINISH: 18:58:08.65 ===============

Edited by juice2222, 01 June 2011 - 07:08 PM.
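The SERVICES / DRIVERS block of the DDS log above (and the R*/S* lines in the ComboFix log later in the thread) follow a fixed shape: running state and start type, service name, display name, image path, then either a timestamp and file size in brackets or a marker saying the tool could not verify the file on disk (`[?]` in DDS, `[x]` in ComboFix). The Python below is an added example, not code from the thread or from the DDS/ComboFix tools: the line format is inferred from the logs posted here, the sample lines are a subset copied from them (both tools' formats represented), and the list of user-writable directories is this example's own review heuristic. One caveat a reader of these logs needs: on 64-bit Windows the unverified marker commonly appears on perfectly normal drivers because the 32-bit scanning tool's view of system32 is redirected, so it is not an indicator on its own; what deserves a look is an unfamiliar service name, a boot/system-start driver you cannot account for, or a service binary living somewhere a normal user can write.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: a subset of the service/driver lines from the DDS and ComboFix
# logs posted in this thread (constructed subset, both formats represented).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20110518.001\BHDrvx64.sys [2011-5-18 1127032]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
R2 CLKMSVC10_C6F09094;CyberLink Product - 2010/11/19 03:32;c:\program files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe [2010-06-30 245232]
.
"""

# "R" = running at scan time, "S" = stopped; the digit is the Windows start type.
LINE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")
# Image path, an optional "--> resolved path" (DDS only), then the bracketed tail.
TAIL_RE = re.compile(r"^(?P<path>.*?)\s*(?:-->.*?)?\s*\[(?P<tail>[^\]]*)\]\s*$")
START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}
# Heuristic (this example's own): directories a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class ServiceEntry:
    name: str
    display: str
    path: str
    running: bool
    start_type: str
    file_verified: bool          # False for DDS "[?]" and ComboFix "[x]"
    timestamp: Optional[str] = None
    size: Optional[int] = None


def parse_entry(line: str) -> Optional[ServiceEntry]:
    """Parse one service/driver line; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    t = TAIL_RE.match(rest)
    if not t:
        return None
    tail = t.group("tail").strip()
    verified = tail not in ("?", "x")
    timestamp = size = None
    if verified:
        parts = tail.split()
        if len(parts) == 2 and parts[1].isdigit():
            timestamp, size = parts[0], int(parts[1])
    return ServiceEntry(name=name.strip(), display=display.strip(),
                        path=t.group("path").strip(), running=(state == "R"),
                        start_type=START_TYPES[start], file_verified=verified,
                        timestamp=timestamp, size=size)


def parse_log(text: str) -> List[ServiceEntry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def in_user_writable_location(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(text: str) -> Dict[str, object]:
    """Summarise what a reviewer would look at first in the parsed entries."""
    entries = parse_log(text)
    return {
        "total": len(entries),
        "unverified": [e.name for e in entries if not e.file_verified],
        "review_location": [e.name for e in entries if in_user_writable_location(e.path)],
        "boot_or_system_drivers": [e.name for e in entries if e.start_type in ("boot", "system")],
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Running it on the sample lists SymDS, USBAAPL64 and NOBU as unverified, and BHDrvx64 as the only entry loading from a user-writable tree (ProgramData, where Norton keeps its definition drivers), which is exactly the kind of hit that needs a human to confirm rather than a verdict.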


#2 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 09 June 2011 - 05:38 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 juice2222 (Topic Starter)
  • Members
  • 24 posts

Posted 10 June 2011 - 07:36 PM

Yes, I am here and ready.

#4 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 11 June 2011 - 03:04 AM

Please visit this site and run the File association fix for .exe. Instructions are at the top of the page.

Now please run Combofix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE
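The .exe file association fix in the post above restores the registry values Windows consults every time an executable is launched; when those values have been altered, every program start goes through whatever the altered command names, which is one way a machine ends up with "all programs crash" symptoms. As an added example (not the linked fix or any of the thread's tools), the Python below checks a Registry Editor export of those keys against the stock Windows defaults. It reads exported text rather than touching the live registry, so it can still tell you the state of the keys when a write-based fix fails with a "keys are open by the system" error. The expected values are the Windows defaults for HKEY_CLASSES_ROOT\.exe and exefile\shell\open\command; both sample exports are constructed, and the hijacked path in the second one is a placeholder.

```python
import re
from typing import Dict, List

# Stock Windows values for launching .exe files under HKEY_CLASSES_ROOT.
# A ".exe file association fix" writes these back.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": {"@": "exefile"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": '"%1" %*'},
}

# Constructed export in the default (healthy) state.
GOOD_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed export where the open command has been redirected through a
# placeholder binary (PLACEHOLDER path, not anything from the thread).
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\PLACEHOLDER\\hijack.exe\" \"%1\" %*"
'''

# value line: either the default value "@" or a quoted name, then "=" and data
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg exports escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Registry Editor export into {key: {value_name: data}}.
    String (REG_SZ) data is decoded; other types (dword:, hex:) are kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        if name != "@":
            name = _unescape(name[1:-1])
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def check_exe_association(reg_text: str) -> List[str]:
    """Return findings; an empty list means the association is the default."""
    keys = parse_reg_export(reg_text)
    findings = []
    for key, expected_values in EXPECTED.items():
        actual = keys.get(key)
        if actual is None:
            findings.append(f"missing key {key}")
            continue
        for name, want in expected_values.items():
            got = actual.get(name)
            if got != want:
                findings.append(f"{key} {name}: expected {want!r}, found {got!r}")
    return findings


if __name__ == "__main__":
    print("default export:", check_exe_association(GOOD_EXPORT) or "OK")
    print("altered export:", check_exe_association(HIJACKED_EXPORT))
```

On a real machine the input would come from `reg export HKCR\.exe` and `reg export HKCR\exefile` (the export is written as UTF-16; decode it before passing the text in). A non-empty result tells you which value to restore; it does not by itself say what put the altered value there.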

#5 juice2222 (Topic Starter)
  • Members
  • 24 posts

Posted 11 June 2011 - 05:11 PM

The exe fix failed to work; when it tried to install, the message said:

"Not all data was successfully written to the registry. Some keys are open by the system or other processes."

Combofix ran, but my computer crashed and rebooted. It continued running and produced a log; here is the log:

ComboFix 11-06-11.01 - Zach 06/11/2011 17:46:53.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6103.4633 [GMT -4:00]
Running from: c:\users\Zach\Desktop\Comfix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-05-11 to 2011-06-11 )))))))))))))))))))))))))))))))
.
.
2011-06-11 21:50 . 2011-06-11 21:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-11 21:43 . 2011-06-11 21:44 -------- d-----w- C:\Comfix
2011-06-04 17:57 . 2011-06-04 17:57 -------- d-----w- c:\users\Zach\AppData\Local\Activision
2011-06-04 14:50 . 2008-10-27 14:04 25936 ----a-w- c:\windows\system32\X3DAudio1_5.dll
2011-06-03 21:54 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
2011-06-03 21:54 . 2011-04-09 05:56 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
2011-06-03 21:54 . 2011-04-22 20:18 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-11 20:53 . 2010-12-12 20:40 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\SysWow64\GPhotos.scr
2011-04-09 06:45 . 2011-05-10 21:41 5509504 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 06:13 . 2011-05-10 21:41 3957632 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13 . 2011-05-10 21:41 3901824 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-03-31 03:00 . 2011-05-10 00:22 744568 ----a-w- c:\windows\system32\drivers\NISx64\1206000.01D\srtsp64.sys
2011-03-31 03:00 . 2011-05-10 00:22 40568 ----a-w- c:\windows\system32\drivers\NISx64\1206000.01D\srtspx64.sys
2011-03-25 03:23 . 2011-05-10 21:41 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-03-25 03:23 . 2011-05-10 21:41 98816 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-03-25 03:23 . 2011-05-10 21:41 324608 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-03-25 03:22 . 2011-05-10 21:41 52224 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-03-25 03:22 . 2011-05-10 21:41 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys
2011-03-25 03:22 . 2011-05-10 21:41 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-03-25 03:22 . 2011-05-10 21:41 7936 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-03-22 00:39 . 2011-05-10 00:22 382584 ----a-w- c:\windows\system32\drivers\NISx64\1206000.01D\symnets.sys
2011-03-21 13:17 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-15 02:31 . 2011-05-10 00:22 912504 ----a-w- c:\windows\system32\drivers\NISx64\1206000.01D\symefa64.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe" [2010-09-28 1715768]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-04-27 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PDF Complete"="c:\program files (x86)\PDF Complete\pdfsty.exe" [2009-10-14 563736]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-12-13 421160]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2010-6-17 1040952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 CLKMSVC10_C6F09094;CyberLink Product - 2010/11/19 03:32;c:\program files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe [2010-06-30 245232]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20110518.001\BHDrvx64.sys [2011-04-15 1127032]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20110602.001\IDSvia64.sys [2011-03-14 476792]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1206000.01D\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-06-13 400368]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-01-25 92216]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe [2009-10-14 635416]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-10-01 2320920]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-05-10 136824]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - CLKMDRV10_C6F09094
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-10 c:\windows\Tasks\HPCeeScheduleForZach.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 11:53]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-18 568888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Zach\AppData\Roaming\Mozilla\Firefox\Profiles\vnd9eznw.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{E92D47A1-D27D-430A-8368-0BAFD956507D} - c:\program files (x86)\InstallShield Installation Information\{E92D47A1-D27D-430A-8368-0BAFD956507D}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1164520812-1483664975-4137575523-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1164520812-1483664975-4137575523-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
**************************************************************************
.
Completion time: 2011-06-11 18:07:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-11 22:07
.
Pre-Run: 1,181,304,803,328 bytes free
Post-Run: 1,181,116,747,776 bytes free
.
- - End Of File - - BB6C9B4C2EFC1750D980EA3CD4BF720E

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:33 AM

Posted 11 June 2011 - 05:34 PM

The log suggests that that run was the eighth time Combofix was run. Can you grab the quarantine log?

Please go to Start > Run > and copy/paste the following, then press Enter

C:\QooBox\ComboFix-quarantined-files.txt

A log file should open. Please post that in your next reply.
m0le is a proud member of UNITE

#7 juice2222

juice2222
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 12 June 2011 - 02:35 PM

Here is the log

2011-06-11 22:07:13 . 2011-06-11 22:07:13 3,932 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{E92D47A1-D27D-430A-8368-0BAFD956507D}.reg.dat
2011-06-11 21:49:40 . 2011-06-11 21:49:40 5,529 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-06-11 21:43:49 . 2011-06-11 21:44:34 102 ----a-w- C:\Qoobox\Quarantine\catchme.log

#8 m0le
Posted 12 June 2011 - 07:03 PM

The Combofix program hasn't found anything wrong. It may be that this is not a malware issue but we need to dig a bit deeper before I can determine that.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


Then


Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#9 juice2222
Posted 13 June 2011 - 02:38 PM

ASW Log

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software
Run date: 2011-06-13 15:34:12
-----------------------------
15:34:12.691 OS Version: Windows x64 6.1.7600
15:34:12.691 Number of processors: 8 586 0x1E05
15:34:12.692 ComputerName: ZACHPC UserName: Zach
15:34:17.269 Initialize success
15:34:21.842 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
15:34:21.844 Disk 0 Vendor: ST315003 HP23 Size: 1430799MB BusType: 8
15:34:21.856 Disk 0 MBR read successfully
15:34:21.859 Disk 0 MBR scan
15:34:21.860 Disk 0 unknown MBR code
15:34:21.862 Service scanning
15:34:22.667 Disk 0 trace - called modules:
15:34:22.674 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
15:34:22.681 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80062bf790]
15:34:22.695 3 CLASSPNP.SYS[fffff880015bc43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005f36050]
15:34:22.701 Scan finished successfully
15:35:03.139 Disk 0 MBR has been saved successfully to "J:\MBR.dat"
15:35:03.149 The log file has been saved successfully to "J:\aswMBR log.txt"


and


Here is the MBR Log

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: MSI
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Hewlett-Packard
System Product Name: HPE-410t
Logical Drives Mask: 0x000103fc

Kernel Drivers (total 182):
0x02C61000 \SystemRoot\system32\ntoskrnl.exe
0x02C18000 \SystemRoot\system32\hal.dll
0x00BB5000 \SystemRoot\system32\kdcom.dll
0x00C34000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00C78000 \SystemRoot\system32\PSHED.dll
0x00C8C000 \SystemRoot\system32\CLFS.SYS
0x00CEA000 \SystemRoot\system32\CI.dll
0x00ED5000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F79000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00F88000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x00FDF000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x00FE8000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x00E00000 \SystemRoot\system32\DRIVERS\pci.sys
0x00E33000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x00E40000 \SystemRoot\System32\drivers\partmgr.sys
0x00E55000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x00E6A000 \SystemRoot\System32\drivers\volmgrx.sys
0x00DAA000 \SystemRoot\System32\drivers\mountmgr.sys
0x010EB000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x012F5000 \SystemRoot\system32\drivers\amdxata.sys
0x01300000 \SystemRoot\system32\drivers\fltmgr.sys
0x0134C000 \SystemRoot\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS
0x013BD000 \SystemRoot\system32\drivers\fileinfo.sys
0x01000000 \SystemRoot\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS
0x01419000 \SystemRoot\System32\Drivers\Ntfs.sys
0x0164A000 \SystemRoot\System32\Drivers\msrpc.sys
0x016A8000 \SystemRoot\System32\Drivers\ksecdd.sys
0x016C2000 \SystemRoot\System32\Drivers\cng.sys
0x01735000 \SystemRoot\System32\drivers\pcw.sys
0x01746000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x0181D000 \SystemRoot\system32\drivers\ndis.sys
0x0190F000 \SystemRoot\system32\drivers\NETIO.SYS
0x0196F000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01A01000 \SystemRoot\System32\drivers\tcpip.sys
0x0199A000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01750000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x019E4000 \SystemRoot\System32\Drivers\spldr.sys
0x0179C000 \SystemRoot\System32\drivers\rdyboost.sys
0x019EC000 \SystemRoot\System32\Drivers\mup.sys
0x01800000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01600000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x017D6000 \SystemRoot\system32\DRIVERS\disk.sys
0x015BB000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x04471000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x0449B000 \SystemRoot\System32\Drivers\Null.SYS
0x044A4000 \SystemRoot\System32\Drivers\Beep.SYS
0x044AB000 \SystemRoot\System32\drivers\vga.sys
0x044B9000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x044DE000 \SystemRoot\System32\drivers\watchdog.sys
0x044EE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x044F7000 \SystemRoot\system32\drivers\rdpencdd.sys
0x04500000 \SystemRoot\system32\drivers\rdprefmp.sys
0x04509000 \SystemRoot\System32\Drivers\Msfs.SYS
0x04514000 \SystemRoot\System32\Drivers\Npfs.SYS
0x04525000 \SystemRoot\system32\DRIVERS\tdx.sys
0x04543000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x04550000 \SystemRoot\system32\drivers\afd.sys
0x04200000 \SystemRoot\System32\DRIVERS\netbt.sys
0x04245000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x045DA000 \SystemRoot\system32\DRIVERS\pacer.sys
0x01400000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x017EC000 \SystemRoot\system32\DRIVERS\netbios.sys
0x013D1000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x015EB000 \SystemRoot\system32\DRIVERS\termdd.sys
0x02EFC000 \SystemRoot\System32\Drivers\NISx64\1206000.01D\SYMNETS.SYS
0x02F62000 \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
0x02F98000 \SystemRoot\system32\drivers\NISx64\1206000.01D\Ironx64.SYS
0x02FC5000 \SystemRoot\system32\drivers\NISx64\1206000.01D\SRTSPX64.SYS
0x02E00000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x02E51000 \SystemRoot\system32\drivers\nsiproxy.sys
0x02E5D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x02E68000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20110604.001\IDSvia64.sys
0x046C8000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
0x04741000 \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0x04767000 \SystemRoot\System32\drivers\discache.sys
0x04776000 \SystemRoot\System32\Drivers\dfsc.sys
0x04794000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x04AC5000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20110518.001\BHDrvx64.sys
0x04A00000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x04A26000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x05800000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x063E0000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x04C57000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x04D4B000 \SystemRoot\System32\drivers\dxgmms1.sys
0x04D91000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x04DB5000 \SystemRoot\system32\DRIVERS\HECIx64.sys
0x04DC6000 \SystemRoot\system32\drivers\usbehci.sys
0x04C00000 \SystemRoot\system32\drivers\USBPORT.SYS
0x04A3C000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
0x047A5000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x050B4000 \SystemRoot\system32\DRIVERS\netr28x.sys
0x0518A000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x05197000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x051A4000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x051AD000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x051BD000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x051D3000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x05000000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x0500C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x0503B000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x05056000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x05077000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x05091000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x050A0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x050AF000 \SystemRoot\system32\DRIVERS\swenum.sys
0x04600000 \SystemRoot\system32\DRIVERS\ks.sys
0x04DD7000 \SystemRoot\system32\DRIVERS\umbus.sys
0x04643000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x04DE9000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x063E2000 \SystemRoot\system32\drivers\nvhda64v.sys
0x06E2D000 \SystemRoot\system32\drivers\portcls.sys
0x06E6A000 \SystemRoot\system32\drivers\drmk.sys
0x06E8C000 \SystemRoot\system32\drivers\ksthunk.sys
0x0742A000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x07671000 \SystemRoot\System32\Drivers\crashdmp.sys
0x0424E000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x0767F000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x00070000 \SystemRoot\System32\win32k.sys
0x07692000 \SystemRoot\System32\drivers\Dxapi.sys
0x0769E000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x076BB000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x076BD000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x076CB000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x076E4000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x076ED000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x076FB000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x07708000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x07723000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00570000 \SystemRoot\System32\TSDDD.dll
0x00760000 \SystemRoot\System32\cdd.dll
0x008D0000 \SystemRoot\System32\ATMFD.DLL
0x07731000 \SystemRoot\system32\drivers\luafv.sys
0x07754000 \SystemRoot\system32\DRIVERS\Sftvollh.sys
0x0775F000 \SystemRoot\system32\drivers\WudfPf.sys
0x07780000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x07795000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x077E8000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x07400000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x06E92000 \SystemRoot\System32\Drivers\fastfat.SYS
0x06EC8000 \SystemRoot\system32\drivers\HTTP.sys
0x06F90000 \SystemRoot\system32\DRIVERS\bowser.sys
0x06FAE000 \SystemRoot\System32\drivers\mpsdrv.sys
0x06FC6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x070C9000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x07117000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x09A30000 \??\C:\Windows\system32\Drivers\rikvm_C6F09094.sys
0x0713A000 \SystemRoot\system32\drivers\peauth.sys
0x09BE6000 \SystemRoot\System32\Drivers\secdrv.SYS
0x07000000 \SystemRoot\system32\DRIVERS\Sftfslh.sys
0x0A00A000 \SystemRoot\system32\DRIVERS\Sftplaylh.sys
0x0A057000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x0A084000 \SystemRoot\System32\drivers\tcpipreg.sys
0x0A096000 \SystemRoot\System32\DRIVERS\srv2.sys
0x0A0FD000 \SystemRoot\System32\DRIVERS\srv.sys
0x0A192000 \SystemRoot\system32\DRIVERS\Sftredirlh.sys
0x0AC8A000 \SystemRoot\System32\Drivers\NISx64\1206000.01D\SRTSP64.SYS
0x0AD6A000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x0AE0C000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20110613.005\EX64.SYS
0x0AD4A000 \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20110613.005\ENG64.SYS
0x0AD9B000 \??\C:\Users\Zach\AppData\Local\Temp\aswMBR.sys
0x774E0000 \Windows\System32\ntdll.dll
0x47B30000 \Windows\System32\smss.exe
0xFF800000 \Windows\System32\apisetschema.dll
0xFF6E0000 \Windows\System32\autochk.exe
0xFF6E0000 \Windows\System32\autochk.exe
0xFF640000 \Windows\System32\clbcatq.dll
0xFF5C0000 \Windows\System32\shlwapi.dll
0xFF3E0000 \Windows\System32\setupapi.dll
0xFF390000 \Windows\System32\Wldap32.dll
0x776B0000 \Windows\System32\psapi.dll
0xFF180000 \Windows\System32\ole32.dll
0xFF130000 \Windows\System32\ws2_32.dll
0xFE3A0000 \Windows\System32\shell32.dll
0x776A0000 \Windows\System32\normaliz.dll
0xFE300000 \Windows\System32\comdlg32.dll
0xFE2E0000 \Windows\System32\sechost.dll
0xFE260000 \Windows\System32\difxapi.dll
0xFE240000 \Windows\System32\imagehlp.dll
0xFE1D0000 \Windows\System32\gdi32.dll
0xFE0F0000 \Windows\System32\oleaut32.dll
0xFE020000 \Windows\System32\usp10.dll
0xFDF40000 \Windows\System32\advapi32.dll

Processes (total 71):
0 System Idle Process
4 System
364 C:\Windows\System32\smss.exe
520 csrss.exe
596 C:\Windows\System32\wininit.exe
612 csrss.exe
684 C:\Windows\System32\winlogon.exe
712 C:\Windows\System32\services.exe
720 C:\Windows\System32\lsass.exe
728 C:\Windows\System32\lsm.exe
828 C:\Windows\System32\svchost.exe
896 C:\Windows\System32\nvvsvc.exe
936 C:\Windows\System32\svchost.exe
1012 C:\Windows\System32\svchost.exe
380 C:\Windows\System32\svchost.exe
504 C:\Windows\System32\svchost.exe
1052 C:\Windows\System32\svchost.exe
1132 C:\Windows\System32\svchost.exe
1256 C:\Windows\System32\nvvsvc.exe
1492 C:\Windows\System32\svchost.exe
1580 C:\Windows\System32\svchost.exe
1608 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1652 C:\Program Files (x86)\Bonjour\mDNSResponder.exe
1684 C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe
1760 C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
1788 C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
1812 C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
1856 C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe
1924 C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
2012 C:\Program Files (x86)\PDF Complete\pdfsvc.exe
1600 C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
2428 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
2456 C:\Windows\System32\svchost.exe
2568 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2620 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
2648 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
920 C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
3412 C:\Windows\System32\svchost.exe
3444 WUDFHost.exe
3760 C:\Windows\System32\taskhost.exe
3812 C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe
3892 C:\Windows\System32\dwm.exe
4016 C:\Windows\explorer.exe
3616 C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
3668 C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
3804 C:\Program Files\Windows Sidebar\sidebar.exe
4480 C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
4528 C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
4568 C:\Windows\System32\SearchIndexer.exe
4576 C:\Program Files (x86)\iTunes\iTunesHelper.exe
4688 C:\Program Files\Windows Media Player\wmpnetwk.exe
4940 C:\Program Files\iPod\bin\iPodService.exe
4472 C:\Windows\System32\svchost.exe
5344 dllhost.exe
6036 C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
6096 C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
5224 C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
1756 C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
3120 C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
3568 C:\Windows\System32\taskeng.exe
1028 C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe
5728 WmiPrvSE.exe
5756 C:\Windows\System32\spoolsv.exe
5936 C:\Windows\System32\audiodg.exe
628 C:\Windows\System32\SearchProtocolHost.exe
5944 C:\Windows\System32\SearchFilterHost.exe
1464 dllhost.exe
4276 dllhost.exe
5552 C:\Users\Zach\Desktop\MBRCheck.exe
2672 C:\Windows\System32\conhost.exe
5988 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000015a`27e00000 (NTFS)
\\.\Q: --> error 5

PhysicalDrive0 Model Number: ST31500341AS, Rev: HP23

Size Device Name MBR Status
--------------------------------------------
1397 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: A459FC1F809D00367C2FEEDD3759E42D5160FB15


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#10 m0le
Posted 13 June 2011 - 06:27 PM

Unknown MBR usually means that the program doesn't recognise the MBR on the machine (non-standard) as opposed to it being infected.

Please upload it so I can check it. This must be done offline using a Linux program called xPUD - basically a Linux operating system which bypasses your Windows one. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download dumpit to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

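The two checks this exchange turns on, MBRCheck's SHA1-and-verdict on the first sector and the offline dump m0le asks for so the on-disk sector can be compared with what Windows reported, in one runnable form. This is an added example, not code from the thread or from MBRCheck, aswMBR or dumpit. The 512-byte sample sector and the "known-good" hash table are constructed here for the demonstration; the sample's boot code is a handful of filler opcodes, not a real Windows loader, and only its partition layout is modelled on the offsets MBRCheck printed (C: at 0x6500000).

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: the boot code that MBRCheck/aswMBR fingerprint
PART_TABLE_OFF = 446     # four 16-byte partition entries, bytes 446..509
SIG_OFF = 510            # 0x55 0xAA boot signature, bytes 510..511


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples.

    Used only to construct the sample: the disk signature (440..443) and the two
    reserved bytes are left zero and the legacy CHS fields are zero-filled.
    """
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in entries
    ).ljust(64, b"\x00")
    return code + b"\x00" * 6 + table + b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Validate the signature, hash the boot code and the whole sector, list partitions."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:          # empty slot
            continue
        partitions.append({
            "slot": i, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba, "sectors": count,
            "offset_bytes": lba * SECTOR,   # comparable to MBRCheck's "at offset 0x..." lines
        })
    return {
        "valid_signature": sector[SIG_OFF:] == b"\x55\xAA",
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "sector_sha1": hashlib.sha1(sector).hexdigest().upper(),
        "partitions": partitions,
    }


def classify(sector: bytes, known: dict) -> str:
    """Return 'invalid', 'known: <label>' or 'unknown MBR code', in the spirit of MBRCheck.

    `known` maps boot-code SHA1 -> label (hypothetical table; fill it from a clean
    machine with the same OEM image). An unknown hash is unrecognised, not proven
    malicious: OEM recovery loaders and third-party boot managers land here too.
    """
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        return "invalid"
    label = known.get(info["boot_code_sha1"])
    return f"known: {label}" if label else "unknown MBR code"


def boot_code_matches(online_dump: bytes, offline_dump: bytes) -> bool:
    """True when a dump taken inside Windows and one taken from a Linux boot agree.

    A bootkit that filters disk reads can hand a Windows tool a clean-looking sector
    while the real one on disk differs; reading from another OS sidesteps the filter.
    """
    return parse_mbr(online_dump)["boot_code_sha1"] == parse_mbr(offline_dump)["boot_code_sha1"]


# Constructed sample: filler opcodes (not real Windows boot code) and a layout like the
# thread's drive: a 100 MB active system partition at LBA 2048, then the Windows volume
# at LBA 206848, i.e. byte offset 0x6500000, the value MBRCheck printed for C:.
SAMPLE_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB\xCD\x18" + b"\x90" * 16
SAMPLE_ENTRIES = [
    (0x80, 0x07, 2048, 204800),        # NTFS, active
    (0x00, 0x07, 206848, 2929020928),  # NTFS, large data volume
]
SAMPLE_MBR = build_mbr(SAMPLE_BOOT_CODE, SAMPLE_ENTRIES)


def tampered_copy(sector: bytes) -> bytes:
    """Flip one boot-code byte: the partition table stays intact, the fingerprint does not."""
    body = bytearray(sector)
    body[5] ^= 0xFF
    return bytes(body)


if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("signature ok:", info["valid_signature"])
    print("boot code SHA1:", info["boot_code_sha1"])
    for p in info["partitions"]:
        print(f"  slot {p['slot']} type 0x{p['type']:02X} lba {p['lba_start']} "
              f"offset 0x{p['offset_bytes']:x} bootable={p['bootable']}")
    print("verdict (empty trust table):", classify(SAMPLE_MBR, {}))
    print("online/offline agree:", boot_code_matches(SAMPLE_MBR, tampered_copy(SAMPLE_MBR)))
```

On a real machine the 512 bytes come from a dump such as the one the xPUD steps produce; with an empty trust table every sector reports "unknown MBR code", which is exactly why the verdict on its own says nothing about infection, and why the useful comparison is between the sector read from inside Windows and the one read from a separate boot.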

#11 juice2222
Posted 13 June 2011 - 07:27 PM

xpud failed to boot correctly, it claimed a "fatal server error" and told me to consult the forums.

#12 juice2222
Posted 13 June 2011 - 07:34 PM

I will also note that general computer performance has improved substantially over the course of this treatment. I can run additional programs with some success. Have some freezes every now and then, but much better in general.

#13 m0le
Posted 13 June 2011 - 07:46 PM

I think the fact that you had problems running xPUD convinces me that you have other issues than malware.

Post on the Windows 7 forum and see if the members/mods/advisors can help you further.

Let's clear up first

You're clean. Good stuff!

Let's do some clearing up

If you used DeFogger now is the time to enable your CD emulation software again.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it, happy surfing!

Cheers.

m0le

#14 m0le
Posted 19 June 2011 - 06:35 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.