
System Security 2011


39 replies to this topic

#1 danicabc


Posted 28 October 2011 - 06:06 PM

I have the System Security 2011 virus on my computer (I think): a big popup that says Security keeps trying to scan my computer, there are millions of pop-ups, and it won't open any programs. I'm also now getting hard drive errors popping up. I've run SuperAntiSpyware and Malwarebytes and it doesn't seem to be helping. I can only use my computer in Safe Mode now. Please help :)

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.7600.16385
Run by BC Leasing 2 at 16:04:29 on 2011-10-28
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3037.2241 [GMT -6:00]
.
AV: McAfee VirusScan *Enabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Personal Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\helppane.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.learnatalliance.com/Home/tabid/36/Default.aspx?returnurl=%2fManuals%2ftabid%2f704%2fDefault.aspx
uSearch Bar = Preserve
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [gkUVelOBtPyAiD] c:\users\bc leasing 2\appdata\roaming\dwme.exe
uRun: [proxybootcore.exe] "c:\windows\system32\config\systemprofile\appdata\roaming\proxybootcore.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\program files\dell\dell wireless wlan card\WLTRAY.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [TplOuqDpnMuvYNx.exe] c:\programdata\TplOuqDpnMuvYNx.exe
mRun: [Pyx0vS2bFpG8234A] c:\windows\system32\PIBryxA1vb3.exe
mRun: [uEbCDYfXYYdjrgc.exe] c:\programdata\uEbCDYfXYYdjrgc.exe
dRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /c
dRun: [vb70hmodx.exe] "c:\windows\system32\config\systemprofile\appdata\roaming\4b2cc85e3a2cb018f3352b5203aebbeb\vb70hmodx.exe"
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DISABLETASKMGR = 1 (0x1)
dPolicies-system: DISABLETASKMGR = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CED616F0-2859-4BF8-8538-9DAF544AF2CB} - hxxps://www.yardiaspla1.com/9238alliance/ysiComm.CAB
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://classifiedventures.webex.com/client/T27LB/webex/ieatgpc1.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.disneyphotopass.com/software/ImageUploader4.cab
TCP: DhcpNameServer = 204.130.255.3 209.63.6.6
TCP: Interfaces\{567CE121-664F-4358-9B85-A1314DF2FBFD} : DhcpNameServer = 204.130.255.3 209.63.6.6
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: c:\progra~1\google\google~1\GO36F4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\bc leasing 2\appdata\roaming\mozilla\firefox\profiles\waqkevnp.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\bc leasing 2\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-1-23 167936]
R3 VIACRX86;VIACRX86;c:\windows\system32\drivers\viacr.sys [2010-1-23 59392]
S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-23 214664]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-12 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\McProxy.exe [2010-2-23 359952]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-2-23 144704]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2010-1-23 134144]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-1-23 143968]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-7-2 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-3-18 41272]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-2-23 606736]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-1-23 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-1-23 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-1-23 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-1-23 40552]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
.
=============== Created Last 30 ================
.
2011-10-28 20:56:09 404368 ---ha-w- c:\programdata\uEbCDYfXYYdjrgc.exe
2011-10-28 20:42:34 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\j7fEL8gTZhCkVlB
2011-10-28 20:42:33 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\ZP0ucS1ib3n4m6W
2011-10-28 20:27:14 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\qaQJ6dWK8TqCkrx
2011-10-28 20:27:07 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\d8ZqhCUVrOtPySi
2011-10-28 20:27:04 1773568 ---ha-w- c:\windows\system32\PIBryxA1vb3.exe
2011-10-28 20:14:10 1773568 ---ha-w- c:\users\bc leasing 2\appdata\roaming\iexplore.exe
2011-10-28 20:13:33 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\frzONyxA0v2b3n5
2011-10-28 20:13:32 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\T9hTXqjUC
2011-10-28 19:27:53 328080 ---ha-w- c:\programdata\6DSS92c31Apgjk.exe
2011-10-28 19:24:32 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\IvD2onF4pHsJdKg
2011-10-28 19:24:32 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\dqhYXwkUVlBz0c1
2011-10-28 18:52:31 809614 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-10-28 18:43:42 403344 ---ha-w- c:\programdata\TplOuqDpnMuvYNx.exe
2011-10-28 18:33:15 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\pUVelOBtz0c1
2011-10-28 18:33:14 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\FamH5sWJ7E8RqYw
2011-10-28 18:24:10 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\SZqhYXwkUeOtP
2011-10-28 18:24:10 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\CycA1ivD2n4m5Q7
2011-10-28 18:24:05 100352 ---ha-w- c:\users\bc leasing 2\appdata\roaming\dwme.exe
2011-10-28 18:24:05 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\AiDna5JdE8Rh
2011-10-28 18:24:03 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\ezONtxA0uSiDpG
2011-10-28 18:24:02 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\ZONyxA0uv2b3n5Q
2011-10-28 18:23:57 -------- d--h--w- c:\users\bc leasing 2\appdata\roaming\Internet Exprorer Add-on
2011-10-18 19:49:02 -------- dc-h--w- c:\users\bc leasing 2\appdata\local\MigWiz
.
==================== Find3M ====================
.
2011-10-01 02:59:14 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-06 02:38:14 2332672 ----a-w- c:\windows\system32\win32k.sys
2011-08-27 04:43:07 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 04:43:06 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-08-20 04:38:10 981504 ----a-w- c:\windows\system32\wininet.dll
2011-08-20 04:35:20 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-20 03:26:38 386048 ----a-w- c:\windows\system32\html.iec
2011-08-17 04:26:02 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-08-17 04:22:23 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-08-17 04:22:23 72704 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-08-17 04:22:23 59904 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-08-17 04:22:23 204288 ----a-w- c:\windows\system32\MSNP.ax
.
============= FINISH: 16:11:26.60 ===============





GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-28 16:48:47
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\BCLEAS~1\AppData\Local\Temp\awlciaob.sys


---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB53855$\3322287193 0 bytes
File C:\Windows\$NtUninstallKB53855$\3322287193\@ 2048 bytes
File C:\Windows\$NtUninstallKB53855$\3322287193\bckfg.tmp 844 bytes
File C:\Windows\$NtUninstallKB53855$\3322287193\cfg.ini 198 bytes
File C:\Windows\$NtUninstallKB53855$\3322287193\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB53855$\3322287193\kwrd.dll 208896 bytes
File C:\Windows\$NtUninstallKB53855$\3322287193\L 0 bytes
File C:\Windows\$NtUninstallKB53855$\3322287193\L\xadqgnnk 338944 bytes
File C:\Windows\$NtUninstallKB53855$\3322287193\U 0 bytes
File C:\Windows\$NtUninstallKB53855$\3322287193\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB53855$\3322287193\U\00000002.@ 209920 bytes
File C:\Windows\$NtUninstallKB53855$\3322287193\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB53855$\3322287193\U\80000000.@ 1024 bytes
File C:\Windows\$NtUninstallKB53855$\3322287193\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB53855$\3322287193\U\80000032.@ 73216 bytes
File C:\Windows\$NtUninstallKB53855$\4028614572 0 bytes

---- EOF - GMER 1.0.15 ----



#2 B-boy/StyLe/

  • Malware Response Team

Posted 29 October 2011 - 10:13 AM

Hello danicabc! Welcome to BleepingComputer Forums!

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Please download ComboFix from the link below:

Combofix

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Notes: Skip the Recovery Console part as you're running Vista. You can use the Windows DVD to boot into the Vista Recovery Environment if something goes awry.
  • Click on Yes, to continue scanning for malware.
  • If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • When finished, it will produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
  • Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.
  • If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier.



-- Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.




Regards,
Georgi



#3 danicabc

  • Topic Starter

Posted 31 October 2011 - 06:27 PM

Thank you for your help. Here is the log:

ComboFix 11-10-30.04 - BC Leasing 2 10/31/2011 16:02:00.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3037.2465 [GMT -6:00]
Running from: c:\users\BC Leasing 2\Desktop\ComboFix.exe
AV: McAfee VirusScan *Enabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Personal Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee VirusScan *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\6DSS92c31Apgjk.exe
c:\programdata\TplOuqDpnMuvYNx.exe
c:\programdata\uEbCDYfXYYdjrgc.exe
c:\users\BC Leasing 2\AppData\Roaming\CycA1ivD2n4m5Q7
c:\users\BC Leasing 2\AppData\Roaming\CycA1ivD2n4m5Q7\System Security 2011.ico
c:\users\BC Leasing 2\AppData\Roaming\dwme.exe
c:\users\BC Leasing 2\AppData\Roaming\frzONyxA0v2b3n5
c:\users\BC Leasing 2\AppData\Roaming\frzONyxA0v2b3n5\System Security 2011.ico
c:\users\BC Leasing 2\AppData\Roaming\iexplore.exe
c:\users\BC Leasing 2\AppData\Roaming\IvD2onF4pHsJdKg
c:\users\BC Leasing 2\AppData\Roaming\IvD2onF4pHsJdKg\System Security 2011.ico
c:\users\BC Leasing 2\AppData\Roaming\j7fEL8gTZhCkVlB
c:\users\BC Leasing 2\AppData\Roaming\j7fEL8gTZhCkVlB\System Security 2011.ico
c:\users\BC Leasing 2\AppData\Roaming\ldr.ini
c:\users\BC Leasing 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore
c:\users\BC Leasing 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\System Restore.lnk
c:\users\BC Leasing 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
c:\users\BC Leasing 2\AppData\Roaming\pUVelOBtz0c1
c:\users\BC Leasing 2\AppData\Roaming\pUVelOBtz0c1\System Security 2011.ico
c:\users\BC Leasing 2\g2mdlhlpx.exe
c:\users\scan\AppData\Roaming\G0ycS1ivDoFaHsJ
c:\users\scan\AppData\Roaming\G0ycS1ivDoFaHsJ\System Security 2011.ico
c:\users\scan\AppData\Roaming\ldr.ini
c:\users\scan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Security 2011
c:\users\scan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Security 2011\System Security 2011.lnk
c:\windows\$NtUninstallKB53855$
c:\windows\$NtUninstallKB53855$\3322287193\@
c:\windows\$NtUninstallKB53855$\3322287193\bckfg.tmp
c:\windows\$NtUninstallKB53855$\3322287193\cfg.ini
c:\windows\$NtUninstallKB53855$\3322287193\Desktop.ini
c:\windows\$NtUninstallKB53855$\3322287193\kwrd.dll
c:\windows\$NtUninstallKB53855$\3322287193\L\xadqgnnk
c:\windows\$NtUninstallKB53855$\3322287193\lsflt7.ver
c:\windows\$NtUninstallKB53855$\3322287193\U\00000001.@
c:\windows\$NtUninstallKB53855$\3322287193\U\00000002.@
c:\windows\$NtUninstallKB53855$\3322287193\U\00000004.@
c:\windows\$NtUninstallKB53855$\3322287193\U\80000000.@
c:\windows\$NtUninstallKB53855$\3322287193\U\80000004.@
c:\windows\$NtUninstallKB53855$\3322287193\U\80000032.@
c:\windows\$NtUninstallKB53855$\4028614572
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-31 )))))))))))))))))))))))))))))))
.
.
2011-10-31 22:39 . 2011-10-31 22:43 -------- d-----w- c:\users\BC Leasing 2\AppData\Local\temp
2011-10-31 22:39 . 2011-10-31 22:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-31 21:05 . 2011-04-25 02:35 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-31 20:10 . 2011-10-06 22:42 28504 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
2011-10-31 20:10 . 2011-08-15 16:00 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-31 20:10 . 2011-10-06 22:44 148520 ----a-w- c:\windows\system32\mfevtps.exe
2011-10-31 20:10 . 2011-08-15 16:00 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-31 20:10 . 2011-08-15 16:00 64712 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-10-31 20:10 . 2011-08-15 16:00 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-31 20:10 . 2011-08-15 16:00 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-31 20:10 . 2011-08-15 16:00 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-31 20:10 . 2011-08-15 16:00 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-31 20:10 . 2011-08-15 16:00 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-31 20:10 . 2011-08-15 16:00 164776 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-10-31 20:10 . 2011-08-15 16:00 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-31 20:05 . 2011-10-31 20:05 -------- d--h--w- c:\users\BC Leasing 2\AppData\Roaming\CcS2ibD3pGaHsKf
2011-10-31 20:00 . 2011-10-31 20:05 -------- d--h--w- c:\users\BC Leasing 2\AppData\Roaming\qF4amH5sW7E8
2011-10-31 20:00 . 2011-10-31 20:00 -------- d--h--w- c:\users\BC Leasing 2\AppData\Roaming\TkUVrlOBtPySiDo
2011-10-28 20:50 . 2011-10-28 20:51 -------- d--h--w- c:\users\scan
2011-10-28 20:42 . 2011-10-28 20:42 -------- d--h--w- c:\users\BC Leasing 2\AppData\Roaming\ZP0ucS1ib3n4m6W
2011-10-28 20:27 . 2011-10-28 20:27 -------- d--h--w- c:\users\BC Leasing 2\AppData\Roaming\qaQJ6dWK8TqCkrx
2011-10-28 20:27 . 2011-10-28 20:27 -------- d--h--w- c:\users\BC Leasing 2\AppData\Roaming\d8ZqhCUVrOtPySi
2011-10-28 20:13 . 2011-10-28 20:13 -------- d--h--w- c:\users\BC Leasing 2\AppData\Roaming\T9hTXqjUC
2011-10-28 19:24 . 2011-10-28 19:24 -------- d--h--w- c:\users\BC Leasing 2\AppData\Roaming\dqhYXwkUVlBz0c1
2011-10-28 18:52 . 2011-10-31 21:12 809614 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-10-28 18:43 . 2011-10-28 18:43 -------- d--h--w- c:\windows\Sun
2011-10-28 18:33 . 2011-10-28 18:33 -------- d--h--w- c:\users\BC Leasing 2\AppData\Roaming\FamH5sWJ7E8RqYw
2011-10-28 18:24 . 2011-10-28 18:24 -------- d--h--w- c:\users\BC Leasing 2\AppData\Roaming\SZqhYXwkUeOtP
2011-10-28 18:24 . 2011-10-28 18:24 -------- d--h--w- c:\users\BC Leasing 2\AppData\Roaming\AiDna5JdE8Rh
2011-10-28 18:24 . 2011-10-28 18:24 -------- d--h--w- c:\users\BC Leasing 2\AppData\Roaming\ezONtxA0uSiDpG
2011-10-28 18:24 . 2011-10-28 18:24 -------- d--h--w- c:\users\BC Leasing 2\AppData\Roaming\ZONyxA0uv2b3n5Q
2011-10-28 18:23 . 2011-10-28 18:23 -------- d--h--w- c:\users\BC Leasing 2\AppData\Roaming\Internet Exprorer Add-on
2011-10-18 19:49 . 2011-10-18 19:49 -------- dc-h--w- c:\users\BC Leasing 2\AppData\Local\MigWiz
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-08 07:16 . 2011-07-25 17:01 142296 ---ha-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-28 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4562944]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-25 30192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-17 1318552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 19:10 18744 ---ha-w- c:\windows\System32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-28 214904]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-25 30192]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-07 41272]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-08-15 87808]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-14 1343400]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-08-15 64712]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-08-15 164776]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-12 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-28 214904]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-06 160344]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-10-06 148520]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-08-15 57432]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 143968]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-08-15 338040]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
S3 VIACRX86;VIACRX86;c:\windows\system32\DRIVERS\viacr.sys [2009-07-14 59392]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.learnatalliance.com/Home/tabid/36/Default.aspx?returnurl=%2fManuals%2ftabid%2f704%2fDefault.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 204.130.255.3 209.63.6.6
DPF: {CED616F0-2859-4BF8-8538-9DAF544AF2CB} - hxxps://www.yardiaspla1.com/9238alliance/ysiComm.CAB
FF - ProfilePath - c:\users\BC Leasing 2\AppData\Roaming\Mozilla\Firefox\Profiles\waqkevnp.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-gkUVelOBtPyAiD - c:\users\BC Leasing 2\AppData\Roaming\dwme.exe
HKLM-Run-TplOuqDpnMuvYNx.exe - c:\programdata\TplOuqDpnMuvYNx.exe
HKLM-Run-Pyx0vS2bFpG8234A - c:\windows\system32\PIBryxA1vb3.exe
HKLM-Run-uEbCDYfXYYdjrgc.exe - c:\programdata\uEbCDYfXYYdjrgc.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
c:\program files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2011-10-31 17:00:03 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-31 22:59
.
.
Post-Run: 263,880,486,912 bytes free
.
- - End Of File - - B7B515199C7B6637799C370891F74EA7

#4 B-boy/StyLe/

  • Malware Response Team

Posted 31 October 2011 - 07:40 PM

Hi danicabc,



Delete your copy of Combofix and download a fresh one from here.

Save it to your desktop but do not run it yet! <--- important !!!



We need to execute a CFScript to clean some remnants.

Please do this:


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

2. Open Notepad => navigate to Format and make sure that Word Wrap is unchecked. <--- important !!!

3. Copy/paste the text in the codebox below into it:

Folder::
c:\users\BC Leasing 2\AppData\Roaming\CcS2ibD3pGaHsKf
c:\users\BC Leasing 2\AppData\Roaming\qF4amH5sW7E8
c:\users\BC Leasing 2\AppData\Roaming\TkUVrlOBtPySiDo
c:\users\BC Leasing 2\AppData\Roaming\ZP0ucS1ib3n4m6W
c:\users\BC Leasing 2\AppData\Roaming\qaQJ6dWK8TqCkrx
c:\users\BC Leasing 2\AppData\Roaming\d8ZqhCUVrOtPySi
c:\users\BC Leasing 2\AppData\Roaming\T9hTXqjUC
c:\users\BC Leasing 2\AppData\Roaming\dqhYXwkUVlBz0c1
c:\users\BC Leasing 2\AppData\Roaming\FamH5sWJ7E8RqYw
c:\users\BC Leasing 2\AppData\Roaming\SZqhYXwkUeOtP
c:\users\BC Leasing 2\AppData\Roaming\AiDna5JdE8Rh
c:\users\BC Leasing 2\AppData\Roaming\ezONtxA0uSiDpG
c:\users\BC Leasing 2\AppData\Roaming\ZONyxA0uv2b3n5Q

4. Save this as CFScript.txt, in the same location as ComboFix.exe


5. Close any open browsers.

6. Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Also reply back to let me know how things are going.



Regards,
Georgi



#5 danicabc
  • Topic Starter
  • Members
  • 20 posts

Posted 01 November 2011 - 12:45 PM

There is a radio station playing on the computer now and I have no idea how to turn it off.

Here is the log:

ComboFix 11-11-01.03 - BC Leasing 2 11/01/2011 10:21:33.2.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3037.2265 [GMT -6:00]
Running from: c:\users\BC Leasing 2\Desktop\ComboFix.exe
Command switches used :: c:\users\BC Leasing 2\Desktop\CFScript.txt
AV: McAfee VirusScan *Enabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Personal Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee VirusScan *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\BC Leasing 2\AppData\Roaming\AiDna5JdE8Rh
c:\users\BC Leasing 2\AppData\Roaming\CcS2ibD3pGaHsKf
c:\users\BC Leasing 2\AppData\Roaming\d8ZqhCUVrOtPySi
c:\users\BC Leasing 2\AppData\Roaming\dqhYXwkUVlBz0c1
c:\users\BC Leasing 2\AppData\Roaming\ezONtxA0uSiDpG
c:\users\BC Leasing 2\AppData\Roaming\ezONtxA0uSiDpG\KaQH6sWK7E.exe
c:\users\BC Leasing 2\AppData\Roaming\FamH5sWJ7E8RqYw
c:\users\BC Leasing 2\AppData\Roaming\qaQJ6dWK8TqCkrx
c:\users\BC Leasing 2\AppData\Roaming\qF4amH5sW7E8
c:\users\BC Leasing 2\AppData\Roaming\SZqhYXwkUeOtP
c:\users\BC Leasing 2\AppData\Roaming\T9hTXqjUC
c:\users\BC Leasing 2\AppData\Roaming\TkUVrlOBtPySiDo
c:\users\BC Leasing 2\AppData\Roaming\ZONyxA0uv2b3n5Q
c:\users\BC Leasing 2\AppData\Roaming\ZP0ucS1ib3n4m6W
.
.
((((((((((((((((((((((((( Files Created from 2011-10-01 to 2011-11-01 )))))))))))))))))))))))))))))))
.
.
2011-11-01 16:52 . 2011-11-01 16:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-31 22:39 . 2011-11-01 16:53 -------- d-----w- c:\users\BC Leasing 2\AppData\Local\temp
2011-10-31 21:05 . 2011-04-25 02:35 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-31 20:10 . 2011-10-06 22:42 28504 ----a-w- c:\program files\Mozilla Firefox\ScriptFF.dll
2011-10-31 20:10 . 2011-08-15 16:00 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-31 20:10 . 2011-10-06 22:44 148520 ----a-w- c:\windows\system32\mfevtps.exe
2011-10-31 20:10 . 2011-08-15 16:00 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-31 20:10 . 2011-08-15 16:00 64712 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-10-31 20:10 . 2011-08-15 16:00 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-31 20:10 . 2011-08-15 16:00 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-31 20:10 . 2011-08-15 16:00 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-31 20:10 . 2011-08-15 16:00 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-31 20:10 . 2011-08-15 16:00 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-31 20:10 . 2011-08-15 16:00 164776 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-10-31 20:10 . 2011-08-15 16:00 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-28 20:50 . 2011-10-28 20:51 -------- d-----w- c:\users\scan
2011-10-28 18:43 . 2011-10-28 18:43 -------- d-----w- c:\windows\Sun
2011-10-28 18:23 . 2011-10-28 18:23 -------- d-----w- c:\users\BC Leasing 2\AppData\Roaming\Internet Exprorer Add-on
2011-10-18 19:49 . 2011-10-18 19:49 -------- dc----w- c:\users\BC Leasing 2\AppData\Local\MigWiz
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-08 07:16 . 2011-07-25 17:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-31_22.42.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:55 . 2011-10-31 23:13 39738 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2011-10-28 18:34 . 2011-10-31 22:41 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-10-28 18:34 . 2011-10-31 23:11 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-10-28 18:34 . 2011-10-31 22:41 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-10-28 18:34 . 2011-10-31 23:11 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-10-28 18:34 . 2011-10-31 23:11 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-10-28 18:34 . 2011-10-31 22:41 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-10 16:58 . 2011-11-01 16:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-10 16:58 . 2011-10-31 21:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-02-10 16:58 . 2011-11-01 16:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-02-10 16:58 . 2011-10-31 21:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-23 18:42 . 2011-10-31 23:13 5742 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4265215277-3160271482-2764608887-1000_UserData.bin
- 2011-10-31 21:08 . 2011-10-31 22:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-10-31 23:11 . 2011-10-31 23:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-10-31 21:08 . 2011-10-31 22:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-10-31 23:11 . 2011-10-31 23:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-02-10 20:12 . 2011-11-01 15:20 245864 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2009-07-14 02:05 . 2011-10-31 23:15 682812 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2011-10-31 23:15 129062 c:\windows\System32\perfc009.dat
- 2009-07-14 02:03 . 2011-10-31 20:31 7077888 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:03 . 2011-11-01 00:28 7077888 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-28 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4562944]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-25 30192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-17 1318552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 19:10 18744 ----a-w- c:\windows\System32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-28 214904]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-25 30192]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-07 41272]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-08-15 87808]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-14 1343400]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-08-15 64712]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-08-15 164776]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-12 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-28 214904]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-06 160344]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-10-06 148520]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-08-15 57432]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 143968]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-08-15 338040]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
S3 VIACRX86;VIACRX86;c:\windows\system32\DRIVERS\viacr.sys [2009-07-14 59392]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.learnatalliance.com/Home/tabid/36/Default.aspx?returnurl=%2fManuals%2ftabid%2f704%2fDefault.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 204.130.255.3 209.63.6.6
DPF: {CED616F0-2859-4BF8-8538-9DAF544AF2CB} - hxxps://www.yardiaspla1.com/9238alliance/ysiComm.CAB
FF - ProfilePath - c:\users\BC Leasing 2\AppData\Roaming\Mozilla\Firefox\Profiles\waqkevnp.default\
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-11-01 11:07:35
ComboFix-quarantined-files.txt 2011-11-01 17:07
ComboFix2.txt 2011-10-31 23:00
.
Pre-Run: 262,519,234,560 bytes free
Post-Run: 262,606,516,224 bytes free
.
- - End Of File - - 9166FC8CEE2230230D4CDBE9987E034E
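Every folder in the CFScript above sits directly under AppData\Roaming and carries a random-looking name. As an added example (not code from this thread, from the helper, or from ComboFix), the Python below parses lines in the "Files Created" format of the log above and flags such directories with a simple character-class-switching heuristic; the sample lines are constructed and modelled on the log.

```python
import re

# One "Files Created" line of a ComboFix log, e.g.
# "2011-10-28 18:23 . 2011-10-28 18:23 -------- d-----w- c:\users\X\AppData\Roaming\TkUVrlOBtPySiDo"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[d-][a-z-]{7}) (?P<path>.+)$"
)
# A directory placed directly under a user's AppData\Roaming
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\([^\\]+)$", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one ComboFix file entry, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["is_dir"] = entry["attrs"].startswith("d")  # 'd' in the attribute column
    return entry


def _char_class(c):
    if c.isdigit():
        return "d"
    return "u" if c.isupper() else "l"


def is_random_name(name, min_len=8, threshold=0.5):
    """Heuristic: generated names switch between upper, lower and digit
    far more often than product names such as "Microsoft" or "CyberLink".
    Names with spaces, braces or dots are skipped; treat hits as leads for review."""
    if len(name) < min_len or not name.isalnum():
        return False
    switches = sum(1 for a, b in zip(name, name[1:]) if _char_class(a) != _char_class(b))
    return switches / (len(name) - 1) >= threshold


def suspicious_roaming_dirs(log_lines):
    """Paths of directories created directly under AppData\\Roaming whose names look random."""
    hits = []
    for line in log_lines:
        entry = parse_line(line)
        if not entry or not entry["is_dir"]:
            continue
        m = ROAMING_RE.search(entry["path"])
        if m and is_random_name(m.group(1)):
            hits.append(entry["path"])
    return hits


# Constructed sample lines, modelled on the "Files Created" section of the log above.
SAMPLE_LOG = """\
2011-10-28 18:43 . 2011-10-28 18:43 -------- d-----w- c:\\windows\\Sun
2011-10-28 18:23 . 2011-10-28 18:23 -------- d-----w- c:\\users\\BC Leasing 2\\AppData\\Roaming\\Internet Exprorer Add-on
2011-10-28 18:22 . 2011-10-28 18:22 -------- d-----w- c:\\users\\BC Leasing 2\\AppData\\Roaming\\TkUVrlOBtPySiDo
2011-10-28 18:22 . 2011-10-28 18:22 -------- d-----w- c:\\users\\BC Leasing 2\\AppData\\Roaming\\ZP0ucS1ib3n4m6W
2011-10-28 18:22 . 2011-10-28 18:22 17920 ----a-w- c:\\users\\BC Leasing 2\\AppData\\Roaming\\ezONtxA0uSiDpG\\KaQH6sWK7E.exe
2011-10-18 19:49 . 2011-10-18 19:49 -------- dc----w- c:\\users\\BC Leasing 2\\AppData\\Local\\MigWiz
2011-07-08 07:16 . 2011-07-25 17:01 -------- d-----w- c:\\users\\BC Leasing 2\\AppData\\Roaming\\Mozilla
""".splitlines()

if __name__ == "__main__":
    for path in suspicious_roaming_dirs(SAMPLE_LOG):
        print("random-looking directory:", path)
```

The misspelled "Internet Exprorer Add-on" folder is deliberately not caught by this name heuristic, since it contains spaces; it is the kind of entry an analyst still reviews by hand.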

#6 B-boy/StyLe/
    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 01 November 2011 - 03:44 PM

Hello danicabc,



  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:
    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
    A command window opens and starts scanning the system. Wait until a log file opens. Copy and paste or attach the content of it.



Regards,
Georgi



#7 danicabc
  • Topic Starter
  • Members
  • 20 posts

Posted 01 November 2011 - 05:18 PM

When I try to run the program it pulls up a black box that says:

Acess is denied.
'log.txt' is not recognized as an internal or external command, operable program or batch file.
Could Not Find C:\Windows\System32\log.txt

What do I do?

#8 B-boy/StyLe/
    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 01 November 2011 - 05:50 PM

Hi,


Copy Junction.exe to your C:\ drive.
You should have this on system C:\Junction.exe

  • Press the Windows Logo in the bottom left corner of your screen.
  • In the Search box, enter notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into notepad.
    @ECHO OFF
    cd c:\
    junction -s c:\>log.txt
    start log.txt
    del %0
    
  • Select File -> Save.
  • Press the Desktop button on the left side of the save dialog.
  • In the File name box, type in Fix.bat.
  • Press Save.
  • Close Notepad.
  • Right click Fix.bat on your desktop, and choose Run as administrator.
  • Press Yes if prompted by User Account Control.
  • Wait until a log file opens. Copy and paste or attach the content of it.


Regards,
Georgi



#9 danicabc
  • Topic Starter
  • Members
  • 20 posts

Posted 01 November 2011 - 07:17 PM

Here is the log info:

'junction' is not recognized as an internal or external command,
operable command or batch file
Could not find c:\0

#10 B-boy/StyLe/
    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 November 2011 - 07:13 AM

Hi,


Please copy Junction.exe to your Windows directory (C:\Windows), so you have C:\Windows\junction.exe

I found a syntax error in the batch file
Please use this instead:

@ECHO OFF
junction -s c:\ > log.txt
start log.txt
del %0


Save the file as check.bat and double click check.bat and let the program run. A small black DOS window will flash; this is normal.
Wait until a log file opens. Copy and paste or attach the content of it.


Regards,
Georgi



#11 danicabc
  • Topic Starter
  • Members
  • 20 posts

Posted 02 November 2011 - 10:21 AM

'junction' is not recognized as an internal or external command,
operable command or batch file
The batch file cannot be found

#12 B-boy/StyLe/
    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 November 2011 - 08:02 PM

Hi there,


Where exactly did you put the "junction.exe" file?
Did you unzip it?
It must be placed in C:\Windows folder.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    Junction.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Regards,
Georgi



#13 danicabc
  • Topic Starter
  • Members
  • 20 posts

Posted 03 November 2011 - 10:39 AM

I extracted the files to the desktop and dragged the "junction.exe" file into the C:\Windows folder.

Here is what pulled up after I downloaded "Download Mirror #1":



SystemLook 30.07.11 by jpshortstuff
Log created at 09:29 on 03/11/2011 by BC Leasing 2
Administrator - Elevation successful

========== filefind ==========

Searching for "Junction.exe"
C:\$RECYCLE.BIN\S-1-5-21-4265215277-3160271482-2764608887-1000\$RCXB9OO\junction.exe --a---- 150392 bytes [21:39 07/09/2010] [21:00 01/11/2011] F1F23D4DF41C5DA5444C97781FF2CAB7
C:\Windows\junction.exe --a---- 150392 bytes [21:39 07/09/2010] [15:26 03/11/2011] F1F23D4DF41C5DA5444C97781FF2CAB7

-= EOF =-

#14 B-boy/StyLe/
    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 03 November 2011 - 08:32 PM

Hello,

Try this instead:

Press the keyboard combination Windows key + R and type in cmd to open the command window.

A black window will appear on the screen where you must enter the commands.

Type in the following and press Enter:

cd c:\windows

next type

junction.exe -s c:\>C:\junction.txt

and press Enter

There should be C:\junction.txt on the C:\ drive. Copy/paste the content of that file in your next reply.



#15 danicabc
  • Topic Starter
  • Members
  • 20 posts

Posted 04 November 2011 - 11:05 AM

It says access is denied



