Multiple Trojan infection and svchost.exe infected?


  • This topic is locked
50 replies to this topic

#1 Nicossh

Nicossh

  • Members
  • 25 posts
  • OFFLINE
  • Local time:03:50 PM

Posted 18 December 2011 - 11:05 AM

Hello,
First of all, thanks a lot for your precious time. I apologize for my mediocre English skills.
Here is the issue:
I frequently switch Avira off to improve the performance of TRAKTOR on my computer. A few days ago, I forgot to switch it back on, and got hit by something nasty while watching a few series in streaming. First Avira detected a few items (SPY.GEn, smad.exe, TR/offend.kdv) and failed to put them in quarantine, then I also realised I couldn't update Avira anymore because the 'task scheduler' was stopped or something. I tried to uninstall but it failed for the same reason.
After a few reboots, I also realised that most of my CPU was used by PING.EXE (never seen that one before in my process list). I could stop the process but it would start again a few minutes later.
From one forum to another I ended up here, and had the time to download GMER and DDS. The next day, I used Safe Mode to uninstall Avira manually, reinstalled it and updated it successfully.
After the first scan, I saw no more Trojan alerts, but in the logfile I saw this:

Scan process 'svchost.exe' - '68' Module(s) have been scanned
Module is OK -> <\\.\globalroot\systemroot\system32\mswsock.dll>
[WARNING] The file could not be opened!


The same issue with mswsock.dll happened for a few other processes.
Then I realised I couldn't connect to the Internet anymore, nor could I activate the Windows Firewall (error 0x80070424). When I open Task Manager, I don't see svchost.exe anymore, and at least half of the other processes seem to be gone too.

Now I have no idea what to do next.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_30
Run by city at 15:50:08 on 2011-12-18
Microsoft Windows 7 Édition Familiale Premium 6.1.7601.1.1252.32.1036.18.3566.2657 [GMT 1:00]
.
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
C:\windows\SYSTEM32\Rezip.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\windows\system32\conhost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\windows\system32\vssvc.exe
C:\windows\System32\svchost.exe -k swprv
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.20.1
TCP: Interfaces\{ACB1DF38-28A9-4AFB-B851-46EA09261ABF} : DhcpNameServer = 192.168.20.1
TCP: Interfaces\{ACB1DF38-28A9-4AFB-B851-46EA09261ABF}\2626F68723D243160356 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{ACB1DF38-28A9-4AFB-B851-46EA09261ABF}\27576696E6 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{ACB1DF38-28A9-4AFB-B851-46EA09261ABF}\350756564645F6573686533354445313 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{ACB1DF38-28A9-4AFB-B851-46EA09261ABF}\350756564645F6573686534303136324 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{ACB1DF38-28A9-4AFB-B851-46EA09261ABF}\75966496F52343 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{ACB1DF38-28A9-4AFB-B851-46EA09261ABF}\75966496F52423 : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\city\appdata\roaming\mozilla\firefox\profiles\6hkgyli4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.be/webhp?rls=ig
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 8800
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8800
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 8800
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 8800
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\city\appdata\roaming\mozilla\firefox\profiles\6hkgyli4.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RRamdisk;Ramdisk Driver;c:\windows\system32\drivers\rramdisk.sys [2011-8-19 12288]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-23 36000]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2009-12-14 10752]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\avira\antivir desktop\sched.exe [2011-12-13 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-12-13 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-23 66616]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-13 366152]
R2 NIHardwareService;NIHardwareService;c:\program files\common files\native instruments\hardware\NIHardwareService.exe [2011-10-12 4176896]
R2 Rezip;Rezip;c:\windows\system32\Rezip.exe [2009-12-14 311296]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2009-12-14 125696]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-13 22216]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-6-2 139368]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2011-5-26 317728]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-8-19 2255464]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-4-14 1153368]
S3 a2djavs;Audio 2 DJ WDM Audio;c:\windows\system32\drivers\a2djavs.sys [2011-4-11 346192]
S3 a2djusb;a2djusb;c:\windows\system32\drivers\a2djusb.sys [2011-4-11 93776]
S3 a2djusb_svc;Audio 2 DJ;c:\windows\system32\drivers\a2djusb.sys [2011-4-11 93776]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-12-14 43944]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-5-19 54632]
S3 fsssvc;Service Windows Live Contrôle parental;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 kx1avs;Traktor Kontrol X1 Midi;c:\windows\system32\drivers\kx1avs.sys [2011-7-7 346192]
S3 kx1usb_svc;Traktor Kontrol X1;c:\windows\system32\drivers\kx1usb.sys [2011-7-7 70736]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 14856]
S3 rspAux;rspAux;c:\windows\system32\drivers\rspAux32.sys [2011-8-18 15928]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-8-18 52224]
S3 WatAdminSvc;Service Windows Activation Technologies;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-16 1343400]
.
=============== Created Last 30 ================
.
2011-12-14 16:24:09 -------- d-----w- c:\users\city\appdata\local\ElevatedDiagnostics
2011-12-13 20:22:40 -------- d-----w- c:\users\city\appdata\roaming\Avira
2011-12-13 20:20:39 -------- d-----w- c:\programdata\Avira
2011-12-13 20:20:39 -------- d-----w- c:\program files\Avira
2011-12-13 19:47:34 -------- d-----w- c:\program files\Trend Micro
2011-12-13 18:01:09 -------- d-----w- c:\users\city\appdata\roaming\Malwarebytes
2011-12-13 18:00:59 -------- d-----w- c:\programdata\Malwarebytes
2011-12-13 18:00:52 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-13 18:00:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-13 17:25:23 -------- d-----w- C:\CONFIG
2011-12-09 17:54:53 -------- d-----w- C:\avrescue
2011-12-09 17:38:03 -------- d-----w- C:\REPORTS
2011-12-09 17:38:03 -------- d-----w- C:\INFECTED
2011-12-09 17:37:42 -------- d-----w- C:\TEMP
2011-12-09 17:37:38 -------- d-----w- C:\LOGFILES
2011-12-09 17:37:19 -------- d-----w- C:\EVENTDB
2011-12-07 01:19:10 -------- d-----w- c:\users\city\appdata\local\SanctionedMedia
2011-12-06 22:34:23 -------- dc-h--w- c:\programdata\{BED8681D-E6A2-4463-8EEA-09588F09C890}
2011-12-06 22:31:43 -------- dc-h--w- c:\programdata\{3F0C2804-D89B-4455-8526-CBE9A2C32C5F}
2011-12-06 22:29:44 -------- dc-h--w- c:\programdata\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}
.
==================== Find3M ====================
.
2011-12-13 17:37:39 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-11-10 04:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-21 16:03:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-11 13:00:34 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-09-29 16:03:04 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-29 03:37:56 2341888 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 15:50:31,25 ===============

Attached Files
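The DDS log above contains several of the entry types a malware-response helper reads first: a Hosts line redirecting a security site to 127.0.0.1, Firefox proxy prefs pointing at localhost:8800 (with network.proxy.type 0, i.e. currently not in use), a BHO entry with "No File", and the list of svchost.exe instances. The script below is an added example, not a BleepingComputer or DDS tool: it parses a DDS-style log into sections and turns those entry types into prioritised findings. The sample log embedded in it is constructed; the svchost.exe line under a user's temp folder is made up purely to exercise the path check, and nothing here removes or modifies anything on the machine.

```python
"""Triage helper for DDS-style logs (added example, not a BleepingComputer tool).

Reads the 'Running Processes', 'Pseudo HJT Report' and 'FIREFOX' sections of a
DDS log and flags hosts-file overrides, browser proxy settings that point at the
local machine, orphaned BHO entries and svchost.exe started outside system32.
"""
import re

# Constructed sample in DDS format. The svchost.exe under c:\users is invented to
# exercise the path check; the other lines mirror entry types seen in real logs.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\windows\system32\svchost.exe -k netsvcs
C:\users\city\appdata\local\temp\svchost.exe
C:\windows\Explorer.EXE
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\adobe\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8800
FF - prefs.js: network.proxy.type - 0
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")       # "=== Section Name ==="
PROXY_RE = re.compile(r"FF - prefs\.js: network\.proxy\.(\w+) - (.+)")
SYSTEM32_DIR = r"c:\windows\system32"               # expected home of svchost.exe


def split_sections(text):
    """Map each DDS section heading (upper-cased) to its non-empty lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":                 # DDS uses lone dots as spacers
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return a list of (severity, message) findings, in log order."""
    s = split_sections(text)
    findings = []

    # svchost.exe is only legitimate from %SystemRoot%\system32 (compare lower-case).
    for line in s.get("RUNNING PROCESSES", []):
        path = line.split(" -k ")[0].strip().lower()
        if path.endswith("\\svchost.exe") and not path.startswith(SYSTEM32_DIR + "\\"):
            findings.append(("high", f"svchost.exe running from unexpected path: {path}"))

    # Hosts overrides and BHO entries whose DLL is missing.
    for line in s.get("PSEUDO HJT REPORT", []):
        if line.startswith("Hosts:"):
            findings.append(("high", f"hosts-file override: {line[6:].strip()}"))
        elif line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(("low", f"orphaned BHO entry: {line[4:].strip()}"))

    # Firefox proxy prefs: a local proxy is suspicious even when type=0 (disabled),
    # since something wrote it there; it is urgent when the proxy is actually on.
    proxy = {}
    for line in s.get("FIREFOX", []):
        m = PROXY_RE.match(line)
        if m:
            proxy[m.group(1)] = m.group(2).strip()
    proxy_type = proxy.get("type", "0")
    for proto in ("http", "ssl", "socks", "ftp"):
        host = proxy.get(proto)
        if host and host.lower() in ("localhost", "127.0.0.1"):
            port = proxy.get(f"{proto}_port", "?")
            sev = "high" if proxy_type != "0" else "medium"
            findings.append((sev, f"Firefox {proto} proxy points at {host}:{port} "
                                  f"(network.proxy.type={proxy_type})"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

The output only orders what to look at first; the posted log's svchost.exe entries all sit under system32, so on that log the hosts override, the localhost proxy prefs and the orphaned BHO are the lines worth asking about.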




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,729 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:50 PM

Posted 24 December 2011 - 11:10 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/433167 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Nicossh

Nicossh
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:03:50 PM

Posted 25 December 2011 - 07:42 AM

New logs provided as requested...
I don't have my Windows CD available.

Hello,
First of all, thanks a lot for your precious time. I apologize for my mediocre English skills.
Here is the issue:
I frequently switch Avira off to improve the performance of TRAKTOR on my computer. A few days ago, I forgot to switch it back on, and got hit by something nasty while watching a few series in streaming. First Avira detected a few items (SPY.GEn, smad.exe, TR/offend.kdv) and failed to put them in quarantine, then I also realised I couldn't update Avira anymore because the 'task scheduler' was stopped or something. I tried to uninstall but it failed for the same reason.
After a few reboots, I also realised that most of my CPU was used by PING.EXE (never seen that one before in my process list). I could stop the process but it would start again a few minutes later.
From one forum to another I ended up here, and had the time to download GMER and DDS. The next day, I used Safe Mode to uninstall Avira manually, reinstalled it and updated it successfully.
After the first scan, I saw no more Trojan alerts, but in the logfile I saw this:

Scan process 'svchost.exe' - '68' Module(s) have been scanned
Module is OK -> <\\.\globalroot\systemroot\system32\mswsock.dll>
[WARNING] The file could not be opened!

The same issue with mswsock.dll happened for a few other processes.
Then I realised I couldn't connect to the Internet anymore, nor could I activate the Windows Firewall (error 0x80070424). When I open Task Manager, I don't see svchost.exe anymore, and at least half of the other processes seem to be gone too.

Now I have no idea what to do next.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_30
Run by city at 13:04:04 on 2011-12-25
Microsoft Windows 7 Édition Familiale Premium 6.1.7601.1.1252.32.1036.18.3566.2737 [GMT 1:00]
.
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\windows\SYSTEM32\Rezip.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\windows\system32\conhost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\WUDFHost.exe
C:\windows\system32\sppsvc.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.20.1
TCP: Interfaces\{ACB1DF38-28A9-4AFB-B851-46EA09261ABF} : DhcpNameServer = 192.168.20.1
TCP: Interfaces\{ACB1DF38-28A9-4AFB-B851-46EA09261ABF}\2626F68723D243160356 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{ACB1DF38-28A9-4AFB-B851-46EA09261ABF}\27576696E6 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{ACB1DF38-28A9-4AFB-B851-46EA09261ABF}\350756564645F6573686533354445313 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{ACB1DF38-28A9-4AFB-B851-46EA09261ABF}\350756564645F6573686534303136324 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{ACB1DF38-28A9-4AFB-B851-46EA09261ABF}\75966496F52343 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{ACB1DF38-28A9-4AFB-B851-46EA09261ABF}\75966496F52423 : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\city\appdata\roaming\mozilla\firefox\profiles\6hkgyli4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.be/webhp?rls=ig
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 8800
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8800
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 8800
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 8800
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\city\appdata\roaming\mozilla\firefox\profiles\6hkgyli4.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RRamdisk;Ramdisk Driver;c:\windows\system32\drivers\rramdisk.sys [2011-8-19 12288]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-23 36000]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2009-12-14 10752]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\avira\antivir desktop\sched.exe [2011-12-13 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-12-13 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-23 66616]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-13 366152]
R2 NIHardwareService;NIHardwareService;c:\program files\common files\native instruments\hardware\NIHardwareService.exe [2011-10-12 4176896]
R2 Rezip;Rezip;c:\windows\system32\Rezip.exe [2009-12-14 311296]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2009-12-14 125696]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-13 22216]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-6-2 139368]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2011-5-26 317728]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-8-19 2255464]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-4-14 1153368]
S3 a2djavs;Audio 2 DJ WDM Audio;c:\windows\system32\drivers\a2djavs.sys [2011-4-11 346192]
S3 a2djusb;a2djusb;c:\windows\system32\drivers\a2djusb.sys [2011-4-11 93776]
S3 a2djusb_svc;Audio 2 DJ;c:\windows\system32\drivers\a2djusb.sys [2011-4-11 93776]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-12-14 43944]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-5-19 54632]
S3 fsssvc;Service Windows Live Contrôle parental;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 kx1avs;Traktor Kontrol X1 Midi;c:\windows\system32\drivers\kx1avs.sys [2011-7-7 346192]
S3 kx1usb_svc;Traktor Kontrol X1;c:\windows\system32\drivers\kx1usb.sys [2011-7-7 70736]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 14856]
S3 rspAux;rspAux;c:\windows\system32\drivers\rspAux32.sys [2011-8-18 15928]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-8-18 52224]
S3 WatAdminSvc;Service Windows Activation Technologies;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-16 1343400]
.
=============== Created Last 30 ================
.
2011-12-14 16:24:09 -------- d-----w- c:\users\city\appdata\local\ElevatedDiagnostics
2011-12-13 20:22:40 -------- d-----w- c:\users\city\appdata\roaming\Avira
2011-12-13 20:20:39 -------- d-----w- c:\programdata\Avira
2011-12-13 20:20:39 -------- d-----w- c:\program files\Avira
2011-12-13 19:47:34 -------- d-----w- c:\program files\Trend Micro
2011-12-13 18:01:09 -------- d-----w- c:\users\city\appdata\roaming\Malwarebytes
2011-12-13 18:00:59 -------- d-----w- c:\programdata\Malwarebytes
2011-12-13 18:00:52 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-13 18:00:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-13 17:25:23 -------- d-----w- C:\CONFIG
2011-12-09 17:54:53 -------- d-----w- C:\avrescue
2011-12-09 17:38:03 -------- d-----w- C:\REPORTS
2011-12-09 17:38:03 -------- d-----w- C:\INFECTED
2011-12-09 17:37:42 -------- d-----w- C:\TEMP
2011-12-09 17:37:38 -------- d-----w- C:\LOGFILES
2011-12-09 17:37:19 -------- d-----w- C:\EVENTDB
2011-12-07 01:19:10 -------- d-----w- c:\users\city\appdata\local\SanctionedMedia
2011-12-06 22:34:23 -------- dc-h--w- c:\programdata\{BED8681D-E6A2-4463-8EEA-09588F09C890}
2011-12-06 22:31:43 -------- dc-h--w- c:\programdata\{3F0C2804-D89B-4455-8526-CBE9A2C32C5F}
2011-12-06 22:29:44 -------- dc-h--w- c:\programdata\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}
.
==================== Find3M ====================
.
2011-12-13 17:37:39 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-11-10 04:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-21 16:03:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-11 13:00:34 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-09-29 16:03:04 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-29 03:37:56 2341888 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 13:04:56,39 ===============




#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:50 PM

Posted 26 December 2011 - 11:06 AM

Hi,

Please download the following program on another computer and transfer it over to the infected computer via USB.


Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Nicossh

Nicossh
  • Topic Starter

  • Members
  • 25 posts
  • Local time:03:50 PM

Posted 27 December 2011 - 09:06 AM

Thanks for your fast reply, CatByte.

Here is the log I received from ComboFix:

ComboFix 11-12-26.03 - city 27/12/2011 14:47:56.1.4 - x86
Microsoft Windows 7 Édition Familiale Premium 6.1.7601.1.1252.32.1036.18.3566.2828 [GMT 1:00]
Lancé depuis: c:\users\city\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Un nouveau point de restauration a été créé
.
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\windows\$NtUninstallKB41728$
c:\windows\$NtUninstallKB41728$\1089004520\@
c:\windows\$NtUninstallKB41728$\1089004520\bckfg.tmp
c:\windows\$NtUninstallKB41728$\1089004520\cfg.ini
c:\windows\$NtUninstallKB41728$\1089004520\Desktop.ini
c:\windows\$NtUninstallKB41728$\1089004520\kwrd.dll
c:\windows\$NtUninstallKB41728$\1089004520\L\xadqgnnk
c:\windows\$NtUninstallKB41728$\1089004520\U\00000001.@
c:\windows\$NtUninstallKB41728$\1089004520\U\00000002.@
c:\windows\$NtUninstallKB41728$\1089004520\U\00000004.@
c:\windows\$NtUninstallKB41728$\1089004520\U\80000000.@
c:\windows\$NtUninstallKB41728$\1089004520\U\80000004.@
c:\windows\$NtUninstallKB41728$\1089004520\U\80000032.@
c:\windows\$NtUninstallKB41728$\2158203920
.
c:\windows\system32\drivers\afd.sys était absent
Copie restaurée à partir de - c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-11-27 au 2011-12-27 ))))))))))))))))))))))))))))))))))))
.
.
2011-12-27 13:54 . 2011-12-27 13:55 -------- d-----w- c:\users\city\AppData\Local\temp
2011-12-27 13:54 . 2011-12-27 13:54 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-12-27 13:54 . 2011-12-27 13:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-14 16:24 . 2011-12-14 17:41 -------- d-----w- c:\users\city\AppData\Local\ElevatedDiagnostics
2011-12-14 08:55 . 2011-12-14 08:55 -------- d-----w- c:\program files\Common Files\Java
2011-12-13 20:22 . 2011-12-13 20:22 -------- d-----w- c:\users\city\AppData\Roaming\Avira
2011-12-13 20:20 . 2011-12-13 20:20 -------- d-----w- c:\programdata\Avira
2011-12-13 20:20 . 2011-12-13 20:20 -------- d-----w- c:\program files\Avira
2011-12-13 19:47 . 2011-12-13 19:47 -------- d-----w- c:\program files\Trend Micro
2011-12-13 18:01 . 2011-12-13 18:01 -------- d-----w- c:\users\city\AppData\Roaming\Malwarebytes
2011-12-13 18:00 . 2011-12-13 18:00 -------- d-----w- c:\programdata\Malwarebytes
2011-12-13 18:00 . 2011-12-13 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-13 18:00 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-13 17:25 . 2011-12-13 17:25 -------- d-----w- C:\CONFIG
2011-12-09 17:54 . 2011-12-09 17:54 -------- d-----w- C:\avrescue
2011-12-09 17:38 . 2011-12-13 18:56 -------- d-----w- C:\REPORTS
2011-12-09 17:38 . 2011-12-13 18:56 -------- d-----w- C:\INFECTED
2011-12-09 17:37 . 2011-12-13 20:02 -------- d-----w- C:\TEMP
2011-12-09 17:37 . 2011-12-13 19:36 -------- d-----w- C:\LOGFILES
2011-12-09 17:37 . 2011-12-13 20:02 -------- d-----w- C:\EVENTDB
2011-12-07 01:19 . 2011-12-07 01:19 -------- d-----w- c:\users\city\AppData\Local\SanctionedMedia
2011-12-06 22:34 . 2011-12-06 22:34 -------- dc-h--w- c:\programdata\{BED8681D-E6A2-4463-8EEA-09588F09C890}
2011-12-06 22:31 . 2011-12-06 22:31 -------- dc-h--w- c:\programdata\{3F0C2804-D89B-4455-8526-CBE9A2C32C5F}
2011-12-06 22:29 . 2011-12-06 22:29 -------- dc-h--w- c:\programdata\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}
2011-12-04 07:52 . 2011-12-04 07:52 -------- d-----w- c:\programdata\Logitech
.
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-13 17:37 . 2010-08-30 10:31 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-11-10 04:54 . 2011-02-15 19:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-21 16:03 . 2011-06-16 09:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-11 13:00 . 2011-10-23 06:50 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-09-29 16:03 . 2011-11-15 17:19 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-29 03:37 . 2011-11-15 17:18 2341888 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 11:11 . 2011-05-11 17:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-10 1578280]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-08-16 10820200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 358472]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 12:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2009-05-19 20:16 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]
R3 a2djavs;Audio 2 DJ WDM Audio;c:\windows\system32\Drivers\a2djavs.sys [2011-04-11 346192]
R3 a2djusb;a2djusb;c:\windows\system32\Drivers\a2djusb.sys [2011-04-11 93776]
R3 a2djusb_svc;Audio 2 DJ;c:\windows\system32\Drivers\a2djusb.sys [2011-04-11 93776]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-07-01 43944]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 kx1avs;Traktor Kontrol X1 Midi;c:\windows\system32\Drivers\kx1avs.sys [2011-07-07 346192]
R3 kx1usb_svc;Traktor Kontrol X1;c:\windows\system32\Drivers\kx1usb.sys [2011-07-07 70736]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 14856]
R3 rspAux;rspAux;c:\windows\system32\DRIVERS\rspAux32.sys [2011-06-07 15928]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Service Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-16 1343400]
S0 RRamdisk;Ramdisk Driver;c:\windows\system32\DRIVERS\rramdisk.sys [2008-11-12 12288]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-10-11 36000]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [2011-10-12 4176896]
S2 Rezip;Rezip;c:\windows\SYSTEM32\Rezip.exe [2009-03-05 311296]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 125696]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-05-10 139368]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2011-05-26 317728]
.
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.20.1
FF - ProfilePath - c:\users\city\AppData\Roaming\Mozilla\Firefox\Profiles\6hkgyli4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.be/webhp?rls=ig
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 8800
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8800
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 8800
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 8800
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHELINS SUPPRIMES - - - -
.
Toolbar-Locked - (no file)
Notify-mestrim - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-Dyyno Launcher - c:\program files\Dyyno\Dyyno Broadcaster\dyyno_launcher.exe
MSConfigStartUp-TkBellExe - c:\program files\Real\RealPlayer\Update\realsched.exe
AddRemove-Native Instruments Audio 2 DJ Driver - c:\programdata\{C50F95A0-0BCB-41D8-AB22-E8C0FEF70AB7}\Audio 2 DJ Driver Setup.exe
.
.
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
.
[HKEY_USERS\S-1-5-21-2894551929-1337578169-2700716509-1000\Software\SecuROM\License information*]
"datasecu"=hex:6b,d4,4d,62,8a,38,44,0d,74,15,b4,cf,2e,eb,3e,77,db,30,13,11,53,
a4,84,5e,ce,20,64,57,98,67,72,7d,e1,62,08,bf,77,2e,77,d3,4f,5d,08,a3,89,ba,\
"rkeysecu"=hex:5e,48,9b,61,02,b9,76,84,b7,7d,bc,39,42,18,74,b8
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\conhost.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Heure de fin: 2011-12-27 14:58:44 - La machine a redémarré
ComboFix-quarantined-files.txt 2011-12-27 13:58
.
Avant-CF: 183.860.834.304 octets libres
Après-CF: 183.708.110.848 octets libres
.
- - End Of File - - DE3580BDE0774879C1E31C7C761EEE9D
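
The ComboFix and DDS logs in this thread list every service and driver in one fixed line shape (`R3 name;description;path [date size]`, or `[x]` when the binary is absent), and the first thing a responder does with such a listing is pick out the entries whose file is missing or loads from a user-writable location. The parser below is an added example for this page, not code from ComboFix, DDS or the thread's participants. Its sample log reuses four lines from the logs above plus one constructed `updsvc` entry; the "expected roots" heuristic is an assumption of the example, not a rule from either tool.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line shape used by the DDS and ComboFix service listings above:
#   <R|S><n> <name>;<description>;<path> [<yyyy-m-d> <size>]
# R/S = running/stopped at scan time, n = the service Start value
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled). "[x]" in place of
# the date and size means the referenced binary was not found on disk.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+"
    r"\[(?:(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)|(?P<missing>x))\]\s*$"
)

# Heuristic (an assumption of this example): service binaries normally live
# under one of these roots, and never under a temp directory.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    description: str
    path: str
    date: Optional[str]
    size: Optional[int]
    file_missing: bool


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for one R*/S* line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    missing = m.group("missing") is not None
    return ServiceEntry(
        running=m.group("state") == "R",
        start_type=int(m.group("start")),
        name=m.group("name"),
        description=m.group("desc"),
        path=m.group("path"),
        date=None if missing else m.group("date"),
        size=None if missing else int(m.group("size")),
        file_missing=missing,
    )


def parse_log(text: str) -> List[ServiceEntry]:
    """Pull every service/driver line out of a pasted log, ignoring the rest."""
    return [e for e in (parse_service_line(l) for l in text.splitlines()) if e]


def review(entries: List[ServiceEntry]) -> List[Tuple[str, str]]:
    """Flag entries an analyst looks at first: missing binaries and binaries
    loaded from user-writable or temporary locations."""
    findings = []
    for e in entries:
        p = e.path.lower()
        if e.file_missing:
            findings.append((e.name, "referenced binary not found on disk"))
        elif not p.startswith(EXPECTED_ROOTS):
            findings.append((e.name, "binary outside Windows/Program Files: " + e.path))
        elif "\\temp\\" in p:
            findings.append((e.name, "binary in a temp directory: " + e.path))
    return findings


# Constructed sample: four lines copied from the logs in this thread plus one
# made-up entry (updsvc) showing a service that loads from a user profile.
SAMPLE_LOG = r"""
.
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-10-11 36000]
S2 Rezip;Rezip;c:\windows\SYSTEM32\Rezip.exe [2009-03-05 311296]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 updsvc;updsvc;c:\users\city\appdata\local\temp\updsvc.exe [2011-12-06 48128]
.
"""

if __name__ == "__main__":
    for name, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```

Run against a whole pasted log, it reduces a hundred-line service listing to the handful of entries worth checking by hand; a `[x]` entry such as `btwl2cap` above may be a stale driver registration or a removed component, so it is a lead to verify rather than a verdict.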

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:50 PM

Posted 27 December 2011 - 09:31 AM

Hi,

Did you create all these folders yourself? Check the contents to see if there is anything you need in them.

C:\CONFIG
C:\avrescue
C:\REPORTS
C:\INFECTED
C:\TEMP
C:\LOGFILES
C:\EVENTDB


Did you set up this proxy server? What is it used for?

FF - prefs.js: network.proxy.ftp_port - 8800



NEXT



Note: Please allow ComboFix to update if it asks to do so.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\programdata\{BED8681D-E6A2-4463-8EEA-09588F09C890}
c:\programdata\{3F0C2804-D89B-4455-8526-CBE9A2C32C5F}
c:\programdata\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
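
The `FF - prefs.js: network.proxy.*` lines in the ComboFix log show every protocol pointed at `localhost` on port 8800, which is the pattern behind the question above; the detail that decides whether traffic is actually being intercepted is `network.proxy.type`, since Firefox only honours the per-protocol hosts when the type is 1 (manual), and a type of 0 means a direct connection with the stored hosts ignored. The checker below is an added example for this page, not code from the thread's participants or from Mozilla. It parses real `prefs.js` syntax (`user_pref("name", value);`), works out whether a proxy is in effect and, if so, whether it is a loopback listener, and returns what a defender should verify next. The sample is constructed from the log's values; the fallback default of 5 (system settings) when the key is absent is an assumption of the example.

```python
import re
from typing import Dict, List, Tuple, Union

Pref = Union[str, int, bool]

# One prefs.js line:  user_pref("name", value);  where value is a quoted
# string, an integer, or true/false.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Meaning of network.proxy.type in Firefox.
PROXY_MODES = {
    0: "direct (no proxy)",
    1: "manual proxy configuration",
    2: "PAC script (network.proxy.autoconfig_url)",
    4: "auto-detect (WPAD)",
    5: "use system proxy settings",
}
LOOPBACK = ("localhost", "127.0.0.1", "::1")


def parse_prefs(text: str) -> Dict[str, Pref]:
    """Parse prefs.js into a dict, converting integers and booleans."""
    prefs: Dict[str, Pref] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def audit_proxy(prefs: Dict[str, Pref]) -> dict:
    """Summarise the proxy configuration and list what to verify."""
    ptype = prefs.get("network.proxy.type", 5)  # assumed default: system settings
    servers: Dict[str, Tuple[str, int]] = {}
    for proto in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{proto}")
        if isinstance(host, str) and host:
            port = prefs.get(f"network.proxy.{proto}_port", 0)
            servers[proto] = (host, port if isinstance(port, int) else 0)
    # The per-protocol hosts only take effect in manual mode (type 1).
    active = ptype == 1 and bool(servers)
    loopback = bool(servers) and all(h.lower() in LOOPBACK for h, _ in servers.values())
    findings: List[str] = []
    if servers and not active:
        findings.append(
            "proxy hosts are stored but network.proxy.type is not 1, so they are not in "
            "use; confirm which tool wrote them and clear them if unknown"
        )
    if active:
        ports = sorted({p for _, p in servers.values()})
        if loopback:
            findings.append(
                f"browser traffic is routed through a local listener on port(s) {ports}; "
                "identify the process bound there (netstat -ano) before clearing the entries"
            )
        else:
            hosts = sorted({h for h, _ in servers.values()})
            findings.append(f"browser traffic is routed to proxy host(s) {hosts}; confirm they are sanctioned")
    if ptype == 2:
        findings.append(f"PAC script in use: {prefs.get('network.proxy.autoconfig_url')}; review it")
    return {
        "mode": PROXY_MODES.get(ptype, f"unknown ({ptype})"),
        "servers": servers,
        "active": active,
        "loopback": loopback,
        "findings": findings,
    }


# Constructed sample in prefs.js syntax, mirroring the FF lines in the log above.
SAMPLE_PREFS = '''\
user_pref("browser.startup.homepage", "http://www.google.be/webhp?rls=ig");
user_pref("network.proxy.ftp", "localhost");
user_pref("network.proxy.ftp_port", 8800);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 8800);
user_pref("network.proxy.socks", "localhost");
user_pref("network.proxy.socks_port", 8800);
user_pref("network.proxy.ssl", "localhost");
user_pref("network.proxy.ssl_port", 8800);
user_pref("network.proxy.type", 0);
'''

if __name__ == "__main__":
    report = audit_proxy(parse_prefs(SAMPLE_PREFS))
    print(report["mode"], report["servers"])
    for f in report["findings"]:
        print("-", f)
```

On the values from the log the result is "direct (no proxy)" with four stored hosts and `active` false, so nothing is being intercepted at the time of the scan; the remaining question is what wrote the entries. Had the type been 1, the loopback finding would apply and the port's owning process, not the preference, would be the thing to examine.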


#7 Nicossh

Nicossh
  • Topic Starter

  • Members
  • 25 posts
  • Local time:03:50 PM

Posted 28 December 2011 - 03:02 AM

Hello,

Did you create all these folders yourself? Check the contents to see if there is anything you need in them/

C:\CONFIG
C:\avrescue
C:\REPORTS
C:\INFECTED
C:\TEMP
C:\LOGFILES
C:\EVENTDB


These are remnants of a previous Avira installation, I suppose. Some folders contained the quarantined files and logs that were processed at the time most of the problems started.

Did you set up this proxy server? What is it used for?

FF - prefs.js: network.proxy.ftp_port - 8800

As far as I can remember, I didn't create anything like that. I don't even know what it's supposed to be ^^

New Combofix log


ComboFix 11-12-26.03 - city 27/12/2011 19:29:56.2.4 - x86
Microsoft Windows 7 Édition Familiale Premium 6.1.7601.1.1252.32.1036.18.3566.2530 [GMT 1:00]
Lancé depuis: c:\users\city\Desktop\ComboFix.exe
Commutateurs utilisés :: c:\users\city\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\{3F0C2804-D89B-4455-8526-CBE9A2C32C5F}
c:\programdata\{3F0C2804-D89B-4455-8526-CBE9A2C32C5F}\instance.dat
c:\programdata\{3F0C2804-D89B-4455-8526-CBE9A2C32C5F}\mia.lib
c:\programdata\{3F0C2804-D89B-4455-8526-CBE9A2C32C5F}\Traktor 2 Setup PC.dat
c:\programdata\{3F0C2804-D89B-4455-8526-CBE9A2C32C5F}\Traktor 2 Setup PC.exe
c:\programdata\{3F0C2804-D89B-4455-8526-CBE9A2C32C5F}\Traktor 2 Setup PC.msi
c:\programdata\{3F0C2804-D89B-4455-8526-CBE9A2C32C5F}\Traktor 2 Setup PC.par
c:\programdata\{3F0C2804-D89B-4455-8526-CBE9A2C32C5F}\Traktor 2 Setup PC.res
c:\programdata\{BED8681D-E6A2-4463-8EEA-09588F09C890}
c:\programdata\{BED8681D-E6A2-4463-8EEA-09588F09C890}\instance.dat
c:\programdata\{BED8681D-E6A2-4463-8EEA-09588F09C890}\mia.lib
c:\programdata\{BED8681D-E6A2-4463-8EEA-09588F09C890}\Traktor Kontrol X1 Setup PC.dat
c:\programdata\{BED8681D-E6A2-4463-8EEA-09588F09C890}\Traktor Kontrol X1 Setup PC.exe
c:\programdata\{BED8681D-E6A2-4463-8EEA-09588F09C890}\Traktor Kontrol X1 Setup PC.msi
c:\programdata\{BED8681D-E6A2-4463-8EEA-09588F09C890}\Traktor Kontrol X1 Setup PC.par
c:\programdata\{BED8681D-E6A2-4463-8EEA-09588F09C890}\Traktor Kontrol X1 Setup PC.res
c:\programdata\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}
c:\programdata\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}\Controller Editor Setup PC.dat
c:\programdata\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}\Controller Editor Setup PC.exe
c:\programdata\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}\Controller Editor Setup PC.msi
c:\programdata\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}\Controller Editor Setup PC.par
c:\programdata\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}\Controller Editor Setup PC.res
c:\programdata\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}\instance.dat
c:\programdata\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}\mia.lib
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-11-27 au 2011-12-27 ))))))))))))))))))))))))))))))))))))
.
.
2011-12-27 18:33 . 2011-12-27 18:33 -------- d-----w- c:\users\city\AppData\Local\temp
2011-12-27 18:33 . 2011-12-27 18:33 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-12-27 18:33 . 2011-12-27 18:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-27 18:33 . 2011-12-27 18:33 -------- d-----w- c:\users\Administrateur\AppData\Local\temp
2011-12-27 13:54 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-27 13:45 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-12-14 16:24 . 2011-12-14 17:41 -------- d-----w- c:\users\city\AppData\Local\ElevatedDiagnostics
2011-12-14 08:55 . 2011-12-14 08:55 -------- d-----w- c:\program files\Common Files\Java
2011-12-13 20:22 . 2011-12-13 20:22 -------- d-----w- c:\users\city\AppData\Roaming\Avira
2011-12-13 20:20 . 2011-12-13 20:20 -------- d-----w- c:\programdata\Avira
2011-12-13 20:20 . 2011-12-13 20:20 -------- d-----w- c:\program files\Avira
2011-12-13 19:47 . 2011-12-13 19:47 -------- d-----w- c:\program files\Trend Micro
2011-12-13 18:01 . 2011-12-13 18:01 -------- d-----w- c:\users\city\AppData\Roaming\Malwarebytes
2011-12-13 18:00 . 2011-12-13 18:00 -------- d-----w- c:\programdata\Malwarebytes
2011-12-13 18:00 . 2011-12-13 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-13 18:00 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-13 17:25 . 2011-12-13 17:25 -------- d-----w- C:\CONFIG
2011-12-09 17:54 . 2011-12-09 17:54 -------- d-----w- C:\avrescue
2011-12-09 17:38 . 2011-12-13 18:56 -------- d-----w- C:\REPORTS
2011-12-09 17:38 . 2011-12-13 18:56 -------- d-----w- C:\INFECTED
2011-12-09 17:37 . 2011-12-13 20:02 -------- d-----w- C:\TEMP
2011-12-09 17:37 . 2011-12-13 19:36 -------- d-----w- C:\LOGFILES
2011-12-09 17:37 . 2011-12-13 20:02 -------- d-----w- C:\EVENTDB
2011-12-07 01:19 . 2011-12-07 01:19 -------- d-----w- c:\users\city\AppData\Local\SanctionedMedia
2011-12-04 07:52 . 2011-12-04 07:52 -------- d-----w- c:\programdata\Logitech
.
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-13 17:37 . 2010-08-30 10:31 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-11-10 04:54 . 2011-02-15 19:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-21 16:03 . 2011-06-16 09:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-11 13:00 . 2011-10-23 06:50 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-09-29 16:03 . 2011-11-15 17:19 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-29 03:37 . 2011-11-15 17:18 2341888 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 11:11 . 2011-05-11 17:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-10-10 1578280]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-08-16 10820200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 358472]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 12:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2009-05-19 20:16 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]
R3 a2djavs;Audio 2 DJ WDM Audio;c:\windows\system32\Drivers\a2djavs.sys [2011-04-11 346192]
R3 a2djusb;a2djusb;c:\windows\system32\Drivers\a2djusb.sys [2011-04-11 93776]
R3 a2djusb_svc;Audio 2 DJ;c:\windows\system32\Drivers\a2djusb.sys [2011-04-11 93776]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-07-01 43944]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 kx1avs;Traktor Kontrol X1 Midi;c:\windows\system32\Drivers\kx1avs.sys [2011-07-07 346192]
R3 kx1usb_svc;Traktor Kontrol X1;c:\windows\system32\Drivers\kx1usb.sys [2011-07-07 70736]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 14856]
R3 rspAux;rspAux;c:\windows\system32\DRIVERS\rspAux32.sys [2011-06-07 15928]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Service Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-16 1343400]
S0 RRamdisk;Ramdisk Driver;c:\windows\system32\DRIVERS\rramdisk.sys [2008-11-12 12288]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-10-11 36000]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [2011-10-12 4176896]
S2 Rezip;Rezip;c:\windows\SYSTEM32\Rezip.exe [2009-03-05 311296]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 125696]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-05-10 139368]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2011-05-26 317728]
.
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.20.1
FF - ProfilePath - c:\users\city\AppData\Roaming\Mozilla\Firefox\Profiles\6hkgyli4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.be/webhp?rls=ig
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 8800
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8800
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 8800
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 8800
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHELINS SUPPRIMES - - - -
.
AddRemove-Native Instruments Controller Editor - c:\programdata\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}\Controller Editor Setup PC.exe
AddRemove-Native Instruments Traktor 2 - c:\programdata\{3F0C2804-D89B-4455-8526-CBE9A2C32C5F}\Traktor 2 Setup PC.exe
AddRemove-Native Instruments Traktor Kontrol X1 - c:\programdata\{BED8681D-E6A2-4463-8EEA-09588F09C890}\Traktor Kontrol X1 Setup PC.exe
AddRemove-{0886900B-B2F3-452C-B580-60F1253F7F80} - c:\programdata\{E6A5D1F3-568D-4BA2-B7B6-7B6E93D9DA97}\Controller Editor Setup PC.exe
AddRemove-{612601db-4776-4127-bab5-d84b8644e530} - c:\programdata\{BED8681D-E6A2-4463-8EEA-09588F09C890}\Traktor Kontrol X1 Setup PC.exe
AddRemove-{A8EC0CC0-AD8D-4244-B080-424EDF7A7634} - c:\programdata\{3F0C2804-D89B-4455-8526-CBE9A2C32C5F}\Traktor 2 Setup PC.exe
.
.
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
.
[HKEY_USERS\S-1-5-21-2894551929-1337578169-2700716509-1000\Software\SecuROM\License information*]
"datasecu"=hex:6b,d4,4d,62,8a,38,44,0d,74,15,b4,cf,2e,eb,3e,77,db,30,13,11,53,
a4,84,5e,ce,20,64,57,98,67,72,7d,e1,62,08,bf,77,2e,77,d3,4f,5d,08,a3,89,ba,\
"rkeysecu"=hex:5e,48,9b,61,02,b9,76,84,b7,7d,bc,39,42,18,74,b8
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Heure de fin: 2011-12-27 19:34:40
ComboFix-quarantined-files.txt 2011-12-27 18:34
ComboFix2.txt 2011-12-27 13:58
.
Avant-CF: 183.567.511.552 octets libres
Après-CF: 183.492.972.544 octets libres
.
- - End Of File - - 86096CD289AC415AB56EB8D0FD877E5F

Since my computer refuses to connect to the Internet, I had to update MBAM manually. I suppose the manual update does not update the user interface, but I can assure you that I copy/pasted the updated rules.ref file from a healthy computer to the infected one, using a USB stick.
The MBAM log follows:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

27/12/2011 21:41:27
mbam-log-2011-12-27 (21-41-27).txt

Scan type: Full scan (C:\|D:\|R:\|)
Objects scanned: 317089
Time elapsed: 37 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I couldn't run the ESET scan since the Internet access was down on that computer.

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 28 December 2011 - 09:59 AM

Hi,

Let's see if we can find the service that is blocking the use of the Internet.

Please run the following:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT


Please download MiniToolBox, save it to your desktop and run it.

Place a checkmark in the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Nicossh

Nicossh
  • Topic Starter

  • Members
  • 25 posts

Posted 28 December 2011 - 01:42 PM

Hi,
Thanks again for your time.
The FSS log:


Farbar Service Scanner
Ran by city (administrator) on 28-12-2011 at 19:33:32
Microsoft Windows 7 Édition Familiale Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp: "%SystemRoot%\system32\dhcpcore.dll".

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of afd. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of afd. The value does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


File Check:
========
C:\windows\system32\nsisvc.dll => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys
[2009-07-14 00:12] - [2009-07-14 00:12] - 0016896 ____A (Microsoft Corporation) E9A0A4D07E53D8FEA2BB8387A3293C58

C:\windows\system32\Drivers\afd.sys
[2011-12-27 14:54] - [2011-04-25 04:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5

C:\windows\system32\Drivers\tdx.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\windows\system32\dnsrslvr.dll => MD5 is legit
C:\windows\system32\mpssvc.dll => MD5 is legit
C:\windows\system32\bfe.dll => MD5 is legit
C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\windows\system32\SDRSVC.dll => MD5 is legit
C:\windows\system32\vssvc.exe => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

MiniToolBox log:

MiniToolBox by Farbar
Ran by city (administrator) on 28-12-2011 at 19:36:37
Microsoft Windows 7 Édition Familiale Premium Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Configuration IP de Windows

Cache de résolution DNS vidé.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.backup.ftp", "localhost"
"network.proxy.backup.ftp_port", 8800
"network.proxy.backup.socks", "localhost"
"network.proxy.backup.socks_port", 8800
"network.proxy.backup.ssl", "localhost"
"network.proxy.backup.ssl_port", 8800
"network.proxy.ftp", "localhost"
"network.proxy.ftp_port", 8800
"network.proxy.http", "localhost"
"network.proxy.http_port", 8800
"network.proxy.no_proxies_on", ""
"network.proxy.share_proxy_settings", true
"network.proxy.socks", "localhost"
"network.proxy.socks_port", 8800
"network.proxy.ssl", "localhost"
"network.proxy.ssl_port", 8800
"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Atheros AR9285 Wireless Network Adapter = Connexion réseau sans fil (Connected)
Marvell Yukon 88E8059 Family PCI-E Gigabit Ethernet Controller = Connexion au réseau local (Media disconnected)


# ----------------------------------
# Configuration du protocole IPv4
# ----------------------------------
pushd interface ipv4

reset
set global


popd
# Fin de la configuration du protocole IPv4



Configuration IP de Windows

Nom de l'hôte . . . . . . . . . . : Nicossh
Suffixe DNS principal . . . . . . :
Type de noeud. . . . . . . . . . : Hybride
Routage IP activé . . . . . . . . : Non
Proxy WINS activé . . . . . . . . : Non

Carte réseau sans fil Connexion réseau sans fil :

Suffixe DNS propre à la connexion. . . : home
Description. . . . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter
Adresse physique . . . . . . . . . . . : C4-17-FE-C9-C3-A7
DHCP activé. . . . . . . . . . . . . . : Oui
Configuration automatique activée. . . : Oui
Adresse IPv6 de liaison locale. . . . .: fe80::e8e1:e195:4015:fb88%17(préféré)
Adresse d'autoconfiguration IPv4 . . . : 169.254.251.136(préféré)
Masque de sous-réseau. . . . . . . . . : 255.255.0.0
Passerelle par défaut. . . . . . . . . :
Serveurs DNS. . . . . . . . . . . . . : 192.168.20.1
NetBIOS sur Tcpip. . . . . . . . . . . : Activé

Carte Ethernet Connexion au réseau local :

Statut du média. . . . . . . . . . . . : Média déconnecté
Suffixe DNS propre à la connexion. . . :
Description. . . . . . . . . . . . . . : Marvell Yukon 88E8059 Family PCI-E Gigabit Ethernet Controller
Adresse physique . . . . . . . . . . . : 00-24-54-5F-84-7E
DHCP activé. . . . . . . . . . . . . . : Oui
Configuration automatique activée. . . : Oui

Carte Tunnel isatap.home :

Statut du média. . . . . . . . . . . . : Média déconnecté
Suffixe DNS propre à la connexion. . . :
Description. . . . . . . . . . . . . . : Carte Microsoft ISATAP #2
Adresse physique . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP activé. . . . . . . . . . . . . . : Non
Configuration automatique activée. . . : Oui

Carte Tunnel Teredo Tunneling Pseudo-Interface :

Statut du média. . . . . . . . . . . . : Média déconnecté
Suffixe DNS propre à la connexion. . . :
Description. . . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Adresse physique . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP activé. . . . . . . . . . . . . . : Non
Configuration automatique activée. . . : Oui
Serveur : UnKnown
Address: 192.168.20.1

La requête Ping n'a pas pu trouver l'hôte google.com. Vérifiez le nom et essayez à nouveau.
Serveur : UnKnown
Address: 192.168.20.1

La requête Ping n'a pas pu trouver l'hôte yahoo.com. Vérifiez le nom et essayez à nouveau.
Serveur : UnKnown
Address: 192.168.20.1

La requête Ping n'a pas pu trouver l'hôte bleepingcomputer.com. Vérifiez le nom et essayez à nouveau.

Envoi d'une requête 'Ping' 127.0.0.1 avec 32 octets de données :
Réponse de 127.0.0.1 : octets=32 temps<1ms TTL=128
Réponse de 127.0.0.1 : octets=32 temps<1ms TTL=128

Statistiques Ping pour 127.0.0.1:
Paquets : envoyés = 2, reçus = 2, perdus = 0 (perte 0%),
Durée approximative des boucles en millisecondes :
Minimum = 0ms, Maximum = 0ms, Moyenne = 0ms
===========================================================================
Liste d'Interfaces
17...c4 17 fe c9 c3 a7 ......Atheros AR9285 Wireless Network Adapter
12...00 24 54 5f 84 7e ......Marvell Yukon 88E8059 Family PCI-E Gigabit Ethernet Controller
1...........................Software Loopback Interface 1
23...00 00 00 00 00 00 00 e0 Carte Microsoft ISATAP #2
20...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Table de routage
===========================================================================
Itinéraires actifs :
Destination réseau   Masque réseau      Adr. passerelle   Adr. interface    Métrique
127.0.0.0            255.0.0.0          On-link           127.0.0.1              306
127.0.0.1            255.255.255.255    On-link           127.0.0.1              306
127.255.255.255      255.255.255.255    On-link           127.0.0.1              306
169.254.0.0          255.255.0.0        On-link           169.254.251.136        281
169.254.251.136      255.255.255.255    On-link           169.254.251.136        281
169.254.255.255      255.255.255.255    On-link           169.254.251.136        281
224.0.0.0            240.0.0.0          On-link           127.0.0.1              306
224.0.0.0            240.0.0.0          On-link           169.254.251.136        281
255.255.255.255      255.255.255.255    On-link           127.0.0.1              306
255.255.255.255      255.255.255.255    On-link           169.254.251.136        281
===========================================================================
Itinéraires persistants :
Aucun

IPv6 Table de routage
===========================================================================
Itinéraires actifs :
 If  Metric  Network Destination                Gateway
  1     306  ::1/128                            On-link
 17     281  fe80::/64                          On-link
 17     281  fe80::e8e1:e195:4015:fb88/128      On-link
  1     306  ff00::/8                           On-link
 17     281  ff00::/8                           On-link
===========================================================================
Itinéraires persistants :
Aucun

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/28/2011 07:30:50 PM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/28/2011 08:29:13 AM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 08:18:30 PM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 07:52:01 PM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 07:42:48 PM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 07:37:21 PM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 07:18:51 PM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 03:07:23 PM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 02:54:56 PM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 02:47:00 PM) (Source: Schedule) (User: )
Description: Schedule error: 10050Initialize call failed, bailing out


System errors:
=============
Error: (12/28/2011 07:36:46 PM) (Source: Service Control Manager) (User: )
Description: Le service HTTP n’a pas pu démarrer en raison de l’erreur :
%%22

Error: (12/28/2011 07:35:17 PM) (Source: Service Control Manager) (User: )
Description: Le service Hôte du fournisseur de découverte de fonctions dépend du service HTTP qui n’a pas pu démarrer en raison de l’erreur :
%%22

Error: (12/28/2011 07:35:17 PM) (Source: Service Control Manager) (User: )
Description: Le service HTTP n’a pas pu démarrer en raison de l’erreur :
%%22

Error: (12/28/2011 07:35:17 PM) (Source: Service Control Manager) (User: )
Description: Le service Hôte du fournisseur de découverte de fonctions dépend du service HTTP qui n’a pas pu démarrer en raison de l’erreur :
%%22

Error: (12/28/2011 07:35:17 PM) (Source: Service Control Manager) (User: )
Description: Le service HTTP n’a pas pu démarrer en raison de l’erreur :
%%22

Error: (12/28/2011 07:33:07 PM) (Source: Service Control Manager) (User: )
Description: Le service Windows Update s’est arrêté avec l’erreur :
%%-2147014846

Error: (12/28/2011 07:33:04 PM) (Source: Service Control Manager) (User: )
Description: Le service Service de transfert intelligent en arrière-plan s’est arrêté avec l’erreur service particulière %%-2147014846.

Error: (12/28/2011 07:33:04 PM) (Source: Microsoft-Windows-Bits-Client) (User: Système)
Description: Échec du démarrage du service BITS. Erreur 2147952450.

Error: (12/28/2011 07:32:40 PM) (Source: Service Control Manager) (User: )
Description: Le service Découverte SSDP dépend du service HTTP qui n’a pas pu démarrer en raison de l’erreur :
%%22

Error: (12/28/2011 07:32:40 PM) (Source: Service Control Manager) (User: )
Description: Le service HTTP n’a pas pu démarrer en raison de l’erreur :
%%22


Microsoft Office Sessions:
=========================
Error: (12/28/2011 07:30:50 PM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/28/2011 08:29:13 AM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 08:18:30 PM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 07:52:01 PM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 07:42:48 PM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 07:37:21 PM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 07:18:51 PM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 03:07:23 PM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 02:54:56 PM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out

Error: (12/27/2011 02:47:00 PM) (Source: Schedule)(User: )
Description: Schedule error: 10050Initialize call failed, bailing out


=========================== Installed Programs ============================

Adobe Flash Player 11 Plugin (Version: 11.0.1.152)
Adobe Flash Player ActiveX (Version: 9.0.124.0)
Adobe Reader 9.4.6 - Français (Version: 9.4.6)
Adobe Shockwave Player 11.6 (Version: 11.6.1.629)
Assistant de connexion Windows Live (Version: 5.000.818.5)
Atheros Client Installation Program (Version: 1.0.1.0805)
Audacity 1.3.13 (Unicode)
Avira AntiVir Personal - Free Antivirus (Version: 10.2.0.151)
BatteryLifeExtender (Version: 1.0.1)
CanoScan Toolbox Ver4.1
CCleaner (Version: 3.13)
ChargeableUSB (Version: 1.0.0.0)
CyberLink YouCam (Version: 2.0.3304)
Easy Display Manager (Version: 3.0)
Easy Network Manager (Version: 4.2.4)
Easy SpeedUp Manager (Version: 3.0.0.5)
EasyBatteryManager (Version: 4.0.0.3)
eReg (Version: 1.20.138.34)
Galerie de photos Windows Live (Version: 14.0.8117.416)
HijackThis 2.0.2 (Version: 2.0.2)
Installation Windows Live (Version: 14.0.8117.0416)
Installation Windows Live (Version: 14.0.8117.416)
Intel® Rapid Storage Technology (Version: 9.5.4.1001)
Intel® Turbo Boost Technology Driver (Version: 01.00.01.1002)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 20 (Version: 6.0.200)
Java™ 6 Update 22 (Version: 6.0.220)
Java™ 6 Update 30 (Version: 6.0.300)
Junk Mail filter update (Version: 14.0.8117.416)
LatencyMon 2.05
Logiciel d'archivage WinRAR
Logitech GamePanel Software 3.06.109 (Version: 3.06.109)
Logitech SetPoint 6.15 (Version: 6.15.25)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Marvell Miniport Driver (Version: 11.43.1.3)
MediaMonkey 3.2 (Version: 3.2)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Office Live Add-in 1.3 (Version: 2.0.2313.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mises à jour NVIDIA 1.4.28 (Version: 1.4.28)
Mozilla Firefox 8.0 (x86 fr) (Version: 8.0)
MSVCRT (Version: 14.0.1468.721)
Native Instruments Audio 2 DJ
Native Instruments Audio 2 DJ (Version: 3.0.0.625)
Native Instruments Service Center
Native Instruments Service Center (Version: 2.2.6.676)
NVIDIA 3D Vision Controller Driver (Version: 280.19)
NVIDIA Install Application (Version: 2.1000.25.170)
NVIDIA Logiciel système PhysX 9.10.0514 (Version: 9.10.0514)
NVIDIA PhysX (Version: 9.10.0514)
NVIDIA Pilote audio HD : 1.2.23.3 (Version: 1.2.23.3)
NVIDIA Pilote du contrôleur 3D Vision 280.19 (Version: 280.19)
NVIDIA Pilote graphique 280.26 (Version: 280.26)
NVIDIA Update Components (Version: 1.4.28)
OpenOffice.org 3.3 (Version: 3.3.9567)
Outil de téléchargement Windows Live (Version: 14.0.8014.1029)
Panneau de configuration NVIDIA 280.26 (Version: 280.26)
Realtek High Definition Audio Driver (Version: 6.0.1.6438)
REALTEK Wireless LAN Software (Version: 1.01.0088)
Samsung R-Series (Version: 1.0)
Skype™ 5.1 (Version: 5.1.112)
Spybot - Search & Destroy (Version: 1.6.2)
swMSM (Version: 12.0.0.1)
Synaptics Pointing Device Driver (Version: 14.0.10.0)
System Requirements Lab for Intel (Version: 4.4.24.0)
VLC media player 1.1.11 (Version: 1.1.11)
Windows Driver Package - Broadcom Bluetooth (07/30/2009 6.2.0.9405) (Version: 07/30/2009 6.2.0.9405)
Windows Driver Package - Broadcom Bluetooth (09/11/2009 6.2.0.9407) (Version: 09/11/2009 6.2.0.9407)
Windows Driver Package - Broadcom HIDClass (07/28/2009 6.2.0.9800) (Version: 07/28/2009 6.2.0.9800)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Contrôle parental (Version: 14.0.8118.427)
Windows Live FolderShare (Version: 14.0.8117.416)
Windows Live Mail (Version: 14.0.8117.0416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Movie Maker (Version: 14.0.8117.0416)
Windows Live Writer (Version: 14.0.8117.0416)

========================= Memory info: ===================================

Percentage of memory in use: 22%
Total physical RAM: 3565.63 MB
Available physical RAM: 2764.1 MB
Total Pagefile: 7479.54 MB
Available Pagefile: 6659.75 MB
Total Virtual: 2047.88 MB
Available Virtual: 1941.05 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:225.33 GB) (Free:170.98 GB) NTFS
2 Drive d: (Hector) (Fixed) (Total:225.33 GB) (Free:86.29 GB) NTFS
4 Drive f: () (Removable) (Total:1.9 GB) (Free:0.84 GB) FAT
5 Drive r: (RamDisk-PAE) (Fixed) (Total:0.37 GB) (Free:0.03 GB) FAT32

========================= Users: ========================================

comptes d'utilisateurs de \\

Administrateur city Invité
UpdatusUser
Des erreurs ont affecté l'exécution de la commande.

========================= Minidump Files ==================================

No minidump file found

**** End of log ****

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 28 December 2011 - 02:33 PM

Please re-run Farbar Service Scanner.

Type the following into the Search window:

afd

Now press the Export Service button.

Post the resulting log.



#11 Nicossh

Nicossh
  • Topic Starter

  • Members
  • 25 posts

Posted 28 December 2011 - 04:00 PM

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd\Parameters]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd\Enum]
"0"="Root\\LEGACY_AFD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_afd]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_afd\0000]
"Service"="AFD"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000400
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="@%systemroot%\\system32\\drivers\\afd.sys,-1000"
"Capabilities"=dword:00000000

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 28 December 2011 - 04:14 PM

Hi,

Please run the following:


Press the WinKey + R to open a run box > copy/paste the following command into the open run box > press OK


swreg.exe ACL "HKLM\SYSTEM\CurrentControlSet\Enum\Root" /E GE:F




Now merge this following Registry Fix:


Click WinKey + R to open a run box > type notepad into the open run box > OK > this will open Notepad

Click Format and make certain that Word Wrap is NOT checked.

Copy/Paste the text inside of the code box into the open Notepad



registry fix edited as it was created specifically for this user


Now go to File > and click Save As,
From the drop down menu at the top of the box choose Desktop as the location to save this file.
Go down to the File Name box and type in fixme.reg as the file name, then choose All Files as the save as file type.
Then click the save button.

Once you have clicked the save button, close Notepad.

You should now see a file on your desktop that looks like this:

Posted Image

Locate the fixme.reg icon on your desktop and double click it, an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry so you can delete fixme.reg from your desktop as you won't be needing it any more.



Once the reg fix has been successfully merged run this following command


Press the WinKey + R to open a run box > copy/paste the following command into the open run box > press OK


swreg.exe ACL "HKLM\SYSTEM\CurrentControlSet\Enum\Root" /E RE:F



Now reboot and let me know if you can now connect.


Please post a fresh scan with Farbar Service Scanner > Post the resulting log

Edited by CatByte, 29 December 2011 - 03:44 PM.



#13 Nicossh

Nicossh
  • Topic Starter

  • Members
  • 25 posts

Posted 28 December 2011 - 04:35 PM

Hi,
The merge of fixme.reg was not successful.
Impossible d'importer C:\Users\city\Desktop\fixme.reg : erreur d'accès au registre

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 28 December 2011 - 04:58 PM

Did you run the command first in the run box?

Did you receive an error message with that too?


Please try this fix instead. Also, are you running from an Administrator account? (You need Administrator privileges.)


Click WinKey + R to open a run box > type notepad into the open run box > OK > this will open Notepad

Click Format and make certain that Word Wrap is NOT checked.

Copy/Paste the text inside of the code box into the open Notepad


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd]
"BootFlags"=dword:00000001
"DisplayName"="@%systemroot%\\system32\\drivers\\afd.sys,-1000"
"Group"="PNP_TDI"
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\
  00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,66,00,64,00,2e,00,73,00,79,00,\
  73,00,00,00
"Description"="@%systemroot%\\system32\\drivers\\afd.sys,-1000"
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"Type"=dword:00000001



Now go to File > and click Save As,
From the drop down menu at the top of the box choose Desktop as the location to save this file.
Go down to the File Name box and type in fixme.reg as the file name, then choose All Files as the save as file type.
Then click the save button.

Once you have clicked the save button, close Notepad.

You should now see a file on your desktop that looks like this:

Posted Image

Locate the fixme.reg icon on your desktop and double click it, an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry so you can delete fixme.reg from your desktop as you won't be needing it any more.

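To see what the afd export in post #11 lacks and what the fixme.reg in post #14 supplies, here is an added example (my own code, not a tool from the thread or part of Farbar Service Scanner): it parses both regedit 5.00 texts, reproduced inline as sample input, decodes the multi-line hex(2) ImagePath, and reports which values a loadable service key is missing. The parser, the `REQUIRED` list and the `check_afd` summary are my assumptions about what such a check should cover.

```python
# Added example (not a tool from the thread): parse a regedit 5.00 export and
# check whether the afd service key carries the values a service needs.
import re
from typing import Dict, Optional, Tuple

RegTree = Dict[str, Dict[str, object]]

AFD_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd".lower()
# Values fixme.reg (post #14) writes; a service key without them cannot load.
REQUIRED = ("Type", "Start", "ErrorControl", "ImagePath", "Group")

# Sample input reproduced from the export in post #11, trimmed to the afd key.
BROKEN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd\Parameters]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd\Enum]
"0"="Root\\LEGACY_AFD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001
"""

# Sample input reproduced from the fixme.reg in post #14.
FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\afd]
"BootFlags"=dword:00000001
"DisplayName"="@%systemroot%\\system32\\drivers\\afd.sys,-1000"
"Group"="PNP_TDI"
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,\
  00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,66,00,64,00,2e,00,73,00,79,00,\
  73,00,00,00
"Description"="@%systemroot%\\system32\\drivers\\afd.sys,-1000"
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"Type"=dword:00000001
"""


def _decode_hex(kind: str, payload: str) -> object:
    """hex(2) is REG_EXPAND_SZ stored as NUL-terminated UTF-16LE; other hex
    kinds are returned as raw bytes."""
    data = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    if kind == "hex(2)":
        return data.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg(text: str) -> RegTree:
    """Return {key path (lower-cased): {value name: value}} for a .reg text.
    Supports "string", dword: and hex kinds, including the backslash-continued
    multi-line hex form regedit emits."""
    tree: RegTree = {}
    current: Optional[str] = None
    pending: Optional[Tuple[str, str, str]] = None  # (name, kind, hex so far)
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:  # continuation of a multi-line hex value
            name, kind, acc = pending
            acc += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, kind, acc)
            else:
                tree[current][name] = _decode_hex(kind, acc)
                pending = None
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
            continue
        m = re.match(r'"([^"]*)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            tree[current][name] = value[1:-1].replace("\\\\", "\\")
        elif value.startswith("dword:"):
            tree[current][name] = int(value[len("dword:"):], 16)
        else:
            kind, _, payload = value.partition(":")
            if line.endswith("\\"):
                pending = (name, kind, payload.rstrip("\\"))
            else:
                tree[current][name] = _decode_hex(kind, payload)
    return tree


def check_afd(reg_text: str) -> Dict[str, object]:
    """Summarise the state of the afd service key, much as FSS reports it."""
    tree = parse_reg(reg_text)
    values = tree.get(AFD_KEY, {})
    enum = tree.get(AFD_KEY + r"\enum", {})
    return {
        "key_present": AFD_KEY in tree,
        "missing": [v for v in REQUIRED if v not in values],
        "image_path": values.get("ImagePath"),
        "system_start": values.get("Start") == 1,  # 1 = SERVICE_SYSTEM_START
        "init_start_failed": enum.get("INITSTARTFAILED") == 1,
    }
```

Run against the post #11 export it reports every required value missing (which is why FSS printed "Unable to retrieve start type of afd"); against fixme.reg it reports none missing and an ImagePath of \SystemRoot\system32\drivers\afd.sys.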


#15 Nicossh

Nicossh
  • Topic Starter

  • Members
  • 25 posts

Posted 29 December 2011 - 03:09 AM

Hi,

Did you run the command first in the run box?

Yes

Anyways, today when I woke up, the connection was working :-) I suppose the first fixme.reg finally did its job... Here's the FSS log obtained after the reboot:


Farbar Service Scanner
Ran by city (administrator) on 29-12-2011 at 09:06:36
Microsoft Windows 7 Édition Familiale Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


File Check:
========
C:\windows\system32\nsisvc.dll => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys
[2009-07-14 00:12] - [2009-07-14 00:12] - 0016896 ____A (Microsoft Corporation) E9A0A4D07E53D8FEA2BB8387A3293C58

C:\windows\system32\Drivers\afd.sys
[2011-12-27 14:54] - [2011-04-25 04:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5

C:\windows\system32\Drivers\tdx.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\windows\system32\dnsrslvr.dll => MD5 is legit
C:\windows\system32\mpssvc.dll => MD5 is legit
C:\windows\system32\bfe.dll => MD5 is legit
C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\windows\system32\SDRSVC.dll => MD5 is legit
C:\windows\system32\vssvc.exe => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

Edited by Nicossh, 29 December 2011 - 05:39 AM.




