No Internet after removing Win 7 Antivirus 2012


27 replies to this topic

#1 akshatm (Members, 18 posts)

Posted 14 January 2012 - 11:43 AM

My computer was infected with Win7 Antivirus 2012 malware. I could not access the internet on the PC anymore. I downloaded Malware Bytes (on another PC) and transferred the SW to infected PC. After running Malware Bytes in safe mode, I was able to get rid of it (At least I hope so, I am no longer getting the Antivirus errors and Malware Bytes full scan is not showing anything new). Everything is back to normal BUT I still do not have internet. I was previously connected to home wifi but it shows up as "Limited Connectivity" now. Connecting through wired LAN also shows the limited connectivity error. I connect to the network but no internet.

I am attaching the GMER, DDS and FSS logs that I ran on the PC.


Not sure how to proceed. Please help.

Attached Files

  • Attached File  ark.txt   14KB   0 downloads
  • Attached File  DDS.txt   15.99KB   2 downloads
  • Attached File  log.txt   4.6KB   2 downloads



#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts)

Posted 17 January 2012 - 12:10 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 akshatm (Topic Starter, Members, 18 posts)

Posted 19 January 2012 - 09:19 PM

Hi,

I ran the Combofix and it told me that the computer is infected with ZeroAccess Rootkit which has corrupted TCPIP. This explains why I can't connect to any network. I am attaching the log below. I still can not connect to the internet. I do not see any new warnings generated by Malware Bytes but network access is still not restored.

Please let me know how to proceed.


ComboFix 12-01-17.01 - yousuf 01/17/2012 9:19.1.2 - x86
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.578 [GMT -6:00]
Running from: c:\users\yousuf\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\yousuf\AppData\Local\iji.exe
c:\users\yousuf\g2mdlhlpx.exe
c:\windows\$NtUninstallKB49916$\2327962271
.
.
((((((((((((((((((((((((( Files Created from 2011-12-17 to 2012-01-17 )))))))))))))))))))))))))))))))
.
.
2012-01-17 15:48 . 2012-01-17 15:51 -------- d-----w- c:\users\yousuf\AppData\Local\temp
2012-01-17 15:48 . 2012-01-17 15:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-17 15:14 . 2012-01-17 15:50 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\offreg.dll
2012-01-17 15:11 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-14 04:48 . 2010-02-23 00:03 66600 ----a-w- c:\windows\system32\drivers\L1C62x86.sys
2012-01-14 04:45 . 2009-11-06 18:53 1227776 ----a-w- c:\windows\system32\drivers\athr.sys
2012-01-14 04:45 . 2009-11-06 18:53 1227776 ----a-w- c:\windows\system32\athr.sys
2012-01-14 04:45 . 2012-01-14 04:45 -------- d-----w- c:\program files\Atheros
2012-01-14 04:44 . 2012-01-14 04:47 -------- d-----w- c:\programdata\Atheros
2012-01-14 04:43 . 2012-01-14 04:43 -------- d-----w- c:\users\yousuf\AppData\Roaming\InstallShield
2012-01-14 04:37 . 2012-01-14 21:54 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-14 02:47 . 2012-01-14 02:47 -------- d-----w- c:\users\yousuf\AppData\Roaming\Malwarebytes
2012-01-14 02:47 . 2012-01-14 02:47 -------- d-----w- c:\programdata\Malwarebytes
2012-01-14 02:47 . 2012-01-14 02:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-14 02:47 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-14 02:18 . 2012-01-14 02:18 -------- d-----w- c:\users\yousuf\AppData\Local\ElevatedDiagnostics
2012-01-14 01:44 . 2010-07-16 20:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-01-14 01:44 . 2010-07-16 20:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-01-14 01:44 . 2011-05-12 14:59 105280 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2012-01-14 01:44 . 2011-05-06 19:26 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-01-14 01:43 . 2011-05-11 19:35 160576 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-01-14 01:43 . 2011-05-11 15:55 263888 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-01-14 01:43 . 2011-03-10 15:08 233976 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-01-14 01:42 . 2011-05-06 19:28 70664 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-01-14 01:40 . 2012-01-14 01:46 -------- d-----w- c:\program files\Common Files\PC Tools
2012-01-14 01:40 . 2012-01-14 02:22 -------- d-----w- c:\program files\PC Tools Security
2012-01-14 01:40 . 2012-01-14 01:43 -------- d-----w- c:\programdata\PC Tools
2012-01-12 04:29 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 02:03 . 2011-12-10 02:03 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin
2011-11-24 04:23 . 2011-12-15 02:55 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2010-07-26 00:05 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-05 04:35 . 2011-12-15 02:56 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 04:34 . 2011-12-15 02:56 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-05 04:30 . 2011-12-15 02:55 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 03:28 . 2011-12-15 02:56 386048 ----a-w- c:\windows\system32\html.iec
2011-11-05 02:55 . 2011-12-15 02:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-26 04:42 . 2011-12-15 02:55 3901808 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-26 04:42 . 2011-12-15 02:55 3957104 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-26 04:25 . 2011-12-15 02:55 38912 ----a-w- c:\windows\system32\csrsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-09-10 13:41 120104 ----a-w- c:\program files\EgisTec\MyWinLocker 3\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"cacaoweb"="c:\users\yousuf\AppData\Roaming\cacaoweb\cacaoweb.exe" [2012-01-11 412160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-12 7707168]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-09-30 703008]
"EgisTecLiveUpdate"="c:\program files\EgisTec Egis Software Update\EgisUpdate.exe" [2009-08-04 199464]
"mwlDaemon"="c:\program files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2009-09-10 349480]
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-25 588648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-05 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-05 150552]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-10-07 1157640]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-10-08 233472]
"PLFSetI"="c:\windows\PLFSetI.exe" [2009-08-13 200704]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-12-19 274608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-11-5 708608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdAuxService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdCoreService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 MpKsl00a0cfef;MpKsl00a0cfef;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1D4C8D73-C3CF-4E7E-AE69-385111294209}\MpKsl00a0cfef.sys [x]
R1 MpKsl076ab1fd;MpKsl076ab1fd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKsl076ab1fd.sys [2012-01-12 29904]
R1 MpKsl1ffb9040;MpKsl1ffb9040;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{481A0580-5D88-44C6-A500-645AA2DD22B8}\MpKsl1ffb9040.sys [x]
R1 MpKsl285a562f;MpKsl285a562f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{65B881B4-D711-4CF5-8D79-5316DF917E03}\MpKsl285a562f.sys [x]
R1 MpKsl34ff6efb;MpKsl34ff6efb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8BDF6305-FF98-4E1F-9026-77D0E7BCC969}\MpKsl34ff6efb.sys [x]
R1 MpKsl351e8141;MpKsl351e8141;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9AB33D1C-38E3-4DC8-9A67-850F4F323F1D}\MpKsl351e8141.sys [x]
R1 MpKsl421bfc61;MpKsl421bfc61;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0727546E-33CD-4516-887A-06AD92741382}\MpKsl421bfc61.sys [x]
R1 MpKsl53cfc833;MpKsl53cfc833;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKsl53cfc833.sys [x]
R1 MpKsl5e036e06;MpKsl5e036e06;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{73A80560-6161-444B-B437-FE35602F5642}\MpKsl5e036e06.sys [x]
R1 MpKsl69537fe1;MpKsl69537fe1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6C13BE6C-78C1-43F0-9142-CF52BB80DCAE}\MpKsl69537fe1.sys [x]
R1 MpKsl72968566;MpKsl72968566;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKsl72968566.sys [x]
R1 MpKsl7897acdc;MpKsl7897acdc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKsl7897acdc.sys [2012-01-12 29904]
R1 MpKsl9347e7a8;MpKsl9347e7a8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{86F9793F-9090-450C-872C-14C008AC114A}\MpKsl9347e7a8.sys [x]
R1 MpKsla517c25b;MpKsla517c25b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9BF4270E-7F84-4428-8F01-18A2F2B54086}\MpKsla517c25b.sys [x]
R1 MpKslac1aca4f;MpKslac1aca4f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKslac1aca4f.sys [x]
R1 MpKslc78e9f3b;MpKslc78e9f3b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7B76FB69-FB34-4E61-9301-E613B786B24F}\MpKslc78e9f3b.sys [x]
R1 MpKslddb50840;MpKslddb50840;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{06C4824E-D0B1-41AF-8AC7-D82D4DECEF29}\MpKslddb50840.sys [x]
R1 MpKsle58d54d2;MpKsle58d54d2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E7193014-6665-49B6-B3C5-765FC094008D}\MpKsle58d54d2.sys [x]
R1 MpKsle5e92128;MpKsle5e92128;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ACAEFD9B-475B-47EC-BC4B-794CE355D950}\MpKsle5e92128.sys [x]
R1 MpKslffa5df4a;MpKslffa5df4a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DD3510FA-E29F-425B-B9E7-0E7B1C3F3FD8}\MpKslffa5df4a.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Greg_Service;GRegService;c:\program files\Acer\Registration\GregHSRW.exe [2009-08-28 1150496]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 136176]
R2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2009-07-04 240160]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [2009-01-29 6016]
R3 EUCR;EUCR;c:\windows\system32\DRIVERS\EUCR6SK.SYS [2009-10-09 102784]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-02-04 15232]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-01-14 40776]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [2009-07-10 25856]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2010-12-03 20352]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2009-01-29 8320]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [2010-04-01 23424]
R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys [2011-02-08 9472]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 MWLService;MyWinLocker Service;c:\program files\EgisTec\MyWinLocker 3\x86\\MWLService.exe [2009-09-10 305448]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2011-02-18 371472]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-12-03 64288]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-05-11 263888]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-07-16 656320]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-12-01 691696]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [2009-06-02 18992]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [2009-06-02 16432]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [2009-06-02 60976]
S1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\Drivers\PCTSD.sys [2011-03-10 233976]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [2009-08-24 107016]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2009-09-30 727584]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-09-02 2152152]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [2009-07-10 253952]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2010-02-23 66600]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 07:40]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 14:06]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 14:06]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1179316519-4230841679-437978511-1000Core.job
- c:\users\yousuf\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 04:30]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1179316519-4230841679-437978511-1000UA.job
- c:\users\yousuf\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = wwwgate0.mot.com:1080
uInternet Settings,ProxyOverride = *.mot.com;*.mot-mobility.com;*.mot-solutions.com;<local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: intuit.com\ttlc
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1212)
c:\program files\EgisTec\MyWinLocker 3\x86\psdprotect.dll
c:\program files\EgisTec\MyWinLocker 3\x86\sysenv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\UI0Detect.exe
c:\windows\system32\conhost.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-01-17 10:02:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-17 16:02
.
Pre-Run: 55,898,857,472 bytes free
Post-Run: 57,099,751,424 bytes free
.
- - End Of File - - EC77FF61DC71308986555EED589B514D

#4 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts)

Posted 19 January 2012 - 10:22 PM

Hello

Let's check your internet connection.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure all the boxes are checked
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Gringo

#5 akshatm (Topic Starter, Members, 18 posts)

Posted 20 January 2012 - 12:14 AM

I ran the FSS before Combofix and attached it to the initial post but I ran it again. I hope this helps.

Below is the log:

Farbar Service Scanner Version: 18-01-2012 01
Ran by yousuf (administrator) on 19-01-2012 at 23:11:39
Microsoft Windows 7 Starter (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-06-16 19:28] - [2011-04-24 20:35] - 0338944 ____A () 438B535B55F0FD05544EE5FB277FF32F

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-21 20:24] - [2011-09-29 09:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\dnsrslvr.dll
[2011-04-12 18:26] - [2011-03-02 23:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\Windows\system32\mpssvc.dll
[2009-07-13 17:53] - [2009-07-13 19:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-13 17:54] - [2009-07-13 19:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2009-07-13 17:23] - [2009-07-13 19:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\Windows\system32\vssvc.exe
[2009-07-13 17:24] - [2009-07-13 19:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\Windows\system32\wscsvc.dll
[2011-02-22 11:55] - [2010-12-20 23:38] - 0073728 ____A (Microsoft Corporation) A661A76333057B383A06E65F0073222F

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll
[2009-07-13 18:15] - [2009-07-13 19:16] - 1912832 ____A (Microsoft Corporation) A33408CC036F9C08142B11BE5E93F0A1

C:\Windows\system32\qmgr.dll
[2009-07-13 17:30] - [2009-07-13 19:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2009-07-13 17:33] - [2009-07-13 19:15] - 0135680 ____A (Microsoft Corporation) 9C231178CE4FB385F4B54B0A9080B8A4

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
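The FSS log above is produced by reading each service's configuration out of the registry: does the key exist, what is its Start value, does ImagePath point at a real binary, and for svchost-hosted services does Parameters\ServiceDll. The MpsSvc block shows what that looks like when the key has been removed outright. The following is an added example, not code from the thread or from Farbar's tool, that repeats the same walk with built-in cmdlets so the check can be run without FSS. It assumes PowerShell 3 or later on an elevated prompt; the service names are the ones FSS printed in the log, plus BFE (Base Filtering Engine), which the Windows Firewall service depends on and which is added here.

```powershell
# Added example (not from the thread or from FSS): re-run the service
# configuration checks FSS reported above using only built-in cmdlets.
# Assumes PowerShell 3+ in an elevated prompt on the affected machine.

function Resolve-ServicePath {
    # Turn a raw ImagePath/ServiceDll registry value into an absolute file path.
    param([string]$Raw)
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw)
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\x     -> C:\x
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\x -> C:\Windows\x
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"  # driver-style relative path
    if ($p.StartsWith('"')) { return $p.Split('"')[1] }     # "C:\x.exe" -args
    return ($p -split '\s+-k\s+')[0]                         # svchost.exe -k netsvcs
}

function Test-ServiceConfig {
    # Mirror what FSS prints: key present, Start value, ImagePath and ServiceDll
    # resolving to real files, and the current SCM state if the service is visible.
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $result = [ordered]@{ Service = $Name; Start = $null; State = $null
                          ImagePath = $null; ServiceDll = $null; Problems = @() }
    if (-not (Test-Path $key)) {
        $result.Problems += 'service key missing'          # the MpsSvc case in the log
        return [pscustomobject]$result
    }
    $svc = Get-ItemProperty -Path $key
    $result.Start = $svc.Start
    if ($svc.Start -eq 4) { $result.Problems += 'start type is Disabled' }

    $image = Resolve-ServicePath $svc.ImagePath
    $result.ImagePath = $image
    if (-not $image -or -not (Test-Path -LiteralPath $image)) {
        $result.Problems += 'ImagePath does not resolve to a file'
    }

    $dll = $null
    if (Test-Path "$key\Parameters") {
        $dll = Resolve-ServicePath (Get-ItemProperty "$key\Parameters").ServiceDll
    }
    $result.ServiceDll = $dll
    if ($image -and $image -like '*\svchost.exe' -and -not $dll) {
        $result.Problems += 'svchost-hosted service without a ServiceDll'
    } elseif ($dll -and -not (Test-Path -LiteralPath $dll)) {
        $result.Problems += 'ServiceDll file missing'
    }

    # Get-Service does not list kernel drivers (mpsdrv), so treat absence as informational.
    $state = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $result.State = if ($state) { $state.Status } else { 'not listed (driver or missing)' }
    return [pscustomobject]$result
}

# The services FSS checked in the log above, plus BFE (added here; MpsSvc depends on it).
$names = 'MpsSvc', 'mpsdrv', 'BFE', 'SDRSVC', 'VSS', 'wscsvc', 'wuauserv', 'BITS'
$names | ForEach-Object { Test-ServiceConfig $_ } |
    Format-Table Service, Start, State, ImagePath,
                 @{ n = 'Problems'; e = { $_.Problems -join '; ' } } -AutoSize
```

A service that is merely "not running" with an intact key, as SDRSVC, VSS, wuauserv and BITS are in the log, is not by itself evidence of tampering; a missing key or an ImagePath that no longer resolves is. Rebuilding a deleted service key by hand is error-prone because of the ACLs and the Parameters subkey, which is why the helper in the thread uses a tool for it.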

#6 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts)

Posted 20 January 2012 - 01:06 AM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
afd.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#7 akshatm (Topic Starter, Members, 18 posts)

Posted 20 January 2012 - 09:43 AM

Here is the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 08:28 on 20/01/2012 by yousuf
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"
C:\Windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --a---- 338944 bytes [05:25 03/07/2011] [08:40 20/11/2010] 1151FD4FB0216CFED887BFDE29EBD516
C:\Windows\System32\drivers\afd.sys --a---- 338944 bytes [01:28 17/06/2011] [02:35 25/04/2011] 438B535B55F0FD05544EE5FB277FF32F
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys --a---- 338944 bytes [23:12 13/07/2009] [23:12 13/07/2009] DDC040FDB01EF1712A6B13E52AFB104C
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_d81220b5bf827af7\afd.sys --a---- 338944 bytes [01:28 17/06/2011] [02:35 25/04/2011] 438B535B55F0FD05544EE5FB277FF32F
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.20951_none_d864ad9ad8c98d1f\afd.sys --a---- 338944 bytes [01:28 17/06/2011] [02:27 25/04/2011] C114AB7A1550D42EA1700FFD4179CF5A
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys --a---- 338944 bytes [01:28 17/06/2011] [02:18 25/04/2011] 9EBBBA55060F786F0FCAA3893BFA2806
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys --a---- 338944 bytes [01:28 17/06/2011] [03:24 25/04/2011] C427F91A748CD342A2B3F9278D9FD6A5

-= EOF =-
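The SystemLook output above is a by-eye version of a simple integrity check: take the MD5 of the driver actually loaded from System32\drivers and compare it with the copies Windows keeps in WinSxS and in the Windows Update download cache. The following is an added Python example, not part of this thread and not SystemLook's or ComboFix's own code, that parses that output format and performs the comparison, using the afd.sys block posted above as its sample input. The field names in the regex (stamp1, stamp2 for the two bracketed timestamps) are my own labels, not SystemLook's. On this log the live copy is byte-identical to the 6.1.7600.16802 WinSxS copy, and all seven copies are the same size, which is why a size check alone never separates a patched driver from a clean one; the result that warrants attention is a live copy whose hash matches no store copy at all.

```python
"""Parse SystemLook 'filefind' output and compare the live copy of a driver
against the copies Windows keeps in WinSxS and SoftwareDistribution.

Added example for this thread (not SystemLook's or ComboFix's own code).
The sample log below is the afd.sys filefind block posted in the thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: the SystemLook filefind block from the thread, copied verbatim.
SYSTEMLOOK_OUTPUT = r"""
========== filefind ==========

Searching for "afd.sys"
C:\Windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --a---- 338944 bytes [05:25 03/07/2011] [08:40 20/11/2010] 1151FD4FB0216CFED887BFDE29EBD516
C:\Windows\System32\drivers\afd.sys --a---- 338944 bytes [01:28 17/06/2011] [02:35 25/04/2011] 438B535B55F0FD05544EE5FB277FF32F
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys --a---- 338944 bytes [23:12 13/07/2009] [23:12 13/07/2009] DDC040FDB01EF1712A6B13E52AFB104C
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_d81220b5bf827af7\afd.sys --a---- 338944 bytes [01:28 17/06/2011] [02:35 25/04/2011] 438B535B55F0FD05544EE5FB277FF32F
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.20951_none_d864ad9ad8c98d1f\afd.sys --a---- 338944 bytes [01:28 17/06/2011] [02:27 25/04/2011] C114AB7A1550D42EA1700FFD4179CF5A
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys --a---- 338944 bytes [01:28 17/06/2011] [02:18 25/04/2011] 9EBBBA55060F786F0FCAA3893BFA2806
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys --a---- 338944 bytes [01:28 17/06/2011] [03:24 25/04/2011] C427F91A748CD342A2B3F9278D9FD6A5

-= EOF =-
"""

# One result line: <path> <attrs> <size> bytes [<stamp>] [<stamp>] <MD5>
# (stamp1/stamp2 are my labels for the two bracketed timestamps SystemLook prints.)
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<stamp1>[^\]]+)\]\s+\[(?P<stamp2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')
# WinSxS / SoftwareDistribution component directory names carry the file version.
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int
    md5: str
    stamps: tuple  # the two timestamps exactly as SystemLook printed them

    @property
    def in_store(self) -> bool:
        """True for copies under WinSxS or the Windows Update download cache."""
        p = self.path.lower()
        return "\\winsxs\\" in p or "\\softwaredistribution\\" in p

    @property
    def version(self):
        """File version parsed from the component directory name, if present."""
        m = VERSION_RE.search(self.path)
        return m.group(1) if m else None


def parse_filefind(text: str) -> dict:
    """Return {searched file name: [FileEntry, ...]} from a SystemLook filefind block."""
    results = defaultdict(list)
    current = None
    for line in text.splitlines():
        s = SEARCH_RE.match(line)
        if s:
            current = s.group("name")
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            results[current].append(FileEntry(
                path=m.group("path"),
                size=int(m.group("size")),
                md5=m.group("md5").upper(),
                stamps=(m.group("stamp1"), m.group("stamp2")),
            ))
    return dict(results)


def compare_live_to_store(entries: list) -> dict:
    """Compare every live (non-store) copy against the store copies by MD5.

    A live copy whose hash matches no store copy is the one to look at: nothing
    in the component store produced those bytes. Equal size proves nothing,
    since an in-place patch of a driver normally preserves the file length.
    """
    store = [e for e in entries if e.in_store]
    live = [e for e in entries if not e.in_store]
    report = []
    for e in live:
        twins = [s for s in store if s.md5 == e.md5]
        report.append({
            "path": e.path,
            "md5": e.md5,
            "matching_store_versions": sorted(v for v in (t.version for t in twins) if v),
            "same_size_as_all_store_copies": all(s.size == e.size for s in store),
            "unmatched": not twins,
        })
    return {"live": report, "distinct_store_hashes": len({s.md5 for s in store})}


if __name__ == "__main__":
    for name, entries in parse_filefind(SYSTEMLOOK_OUTPUT).items():
        for r in compare_live_to_store(entries)["live"]:
            if r["unmatched"]:
                state = "matches NO store copy"
            else:
                state = "matches store version(s) " + ", ".join(r["matching_store_versions"])
            print(f"{name}: {r['path']} MD5 {r['md5']} -> {state}")
```

A hash match against an on-disk store copy is a consistency check, not a guarantee: anything that can overwrite System32\drivers can also touch WinSxS. When the host is reachable, verifying the Authenticode signature on the live file (for example with Sysinternals sigcheck) is the authoritative test, and the hash comparison above is what you fall back on when all you have is a log.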

#8 gringo_pr


Posted 20 January 2012 - 02:36 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

FCopy::
C:\Windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys | C:\Windows\System32\drivers\afd.sys

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#9 akshatm


Posted 20 January 2012 - 06:55 PM

Hi,

I can finally connect to the network now. Below is the log. Can you please tell me what was wrong?

ComboFix 12-01-17.01 - yousuf 01/20/2012 16:55:54.2.2 - x86
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.568 [GMT -6:00]
Running from: c:\users\yousuf\Desktop\ComboFix.exe
Command switches used :: c:\users\yousuf\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Search Toolbar
c:\program files\Search Toolbar\SearchToolbar.dll
c:\users\yousuf\AppData\Roaming\cacaoweb
c:\users\yousuf\AppData\Roaming\cacaoweb\cacaoweb.exe
c:\users\yousuf\AppData\Roaming\cacaoweb\downloadat9wx48qdXYi195130615.cacao
c:\users\yousuf\AppData\Roaming\cacaoweb\downloadRJ8UD2VO756406003.cacao
c:\users\yousuf\AppData\Roaming\cacaoweb\downloadSu7973HgZ9OO203958263.cacao
c:\users\yousuf\AppData\Roaming\cacaoweb\downloadytWcNsWvb0OR381618214.cacao
c:\users\yousuf\AppData\Roaming\cacaoweb\npdfile.dat
c:\users\yousuf\AppData\Roaming\cacaoweb\storage.db
.
.
--------------- FCopy ---------------
.
c:\windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --> c:\windows\System32\drivers\afd.sys
.
((((((((((((((((((((((((( Files Created from 2011-12-20 to 2012-01-20 )))))))))))))))))))))))))))))))
.
.
2012-01-20 23:23 . 2012-01-20 23:26 -------- d-----w- c:\users\yousuf\AppData\Local\temp
2012-01-20 23:23 . 2012-01-20 23:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-20 22:51 . 2012-01-20 23:24 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\offreg.dll
2012-01-20 22:48 . 2009-07-13 23:11 53760 ----a-w- c:\windows\system32\drivers\intelppm.sys
2012-01-17 15:11 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-01-14 04:48 . 2010-02-23 00:03 66600 ----a-w- c:\windows\system32\drivers\L1C62x86.sys
2012-01-14 04:45 . 2009-11-06 18:53 1227776 ----a-w- c:\windows\system32\drivers\athr.sys
2012-01-14 04:45 . 2009-11-06 18:53 1227776 ----a-w- c:\windows\system32\athr.sys
2012-01-14 04:45 . 2012-01-14 04:45 -------- d-----w- c:\program files\Atheros
2012-01-14 04:44 . 2012-01-14 04:47 -------- d-----w- c:\programdata\Atheros
2012-01-14 04:43 . 2012-01-14 04:43 -------- d-----w- c:\users\yousuf\AppData\Roaming\InstallShield
2012-01-14 04:37 . 2012-01-20 05:13 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-14 02:47 . 2012-01-14 02:47 -------- d-----w- c:\users\yousuf\AppData\Roaming\Malwarebytes
2012-01-14 02:47 . 2012-01-14 02:47 -------- d-----w- c:\programdata\Malwarebytes
2012-01-14 02:47 . 2012-01-14 02:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-14 02:47 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-14 02:18 . 2012-01-14 02:18 -------- d-----w- c:\users\yousuf\AppData\Local\ElevatedDiagnostics
2012-01-14 01:44 . 2010-07-16 20:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-01-14 01:44 . 2010-07-16 20:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-01-14 01:44 . 2011-05-12 14:59 105280 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2012-01-14 01:44 . 2011-05-06 19:26 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-01-14 01:43 . 2011-05-11 19:35 160576 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-01-14 01:43 . 2011-05-11 15:55 263888 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-01-14 01:43 . 2011-03-10 15:08 233976 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-01-14 01:42 . 2011-05-06 19:28 70664 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-01-14 01:40 . 2012-01-14 01:46 -------- d-----w- c:\program files\Common Files\PC Tools
2012-01-14 01:40 . 2012-01-14 02:22 -------- d-----w- c:\program files\PC Tools Security
2012-01-14 01:40 . 2012-01-14 01:43 -------- d-----w- c:\programdata\PC Tools
2012-01-12 04:29 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 02:03 . 2011-12-10 02:03 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin
2011-11-24 04:23 . 2011-12-15 02:55 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2010-07-26 00:05 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-05 04:35 . 2011-12-15 02:56 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 04:34 . 2011-12-15 02:56 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-05 04:30 . 2011-12-15 02:55 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 03:28 . 2011-12-15 02:56 386048 ----a-w- c:\windows\system32\html.iec
2011-11-05 02:55 . 2011-12-15 02:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-26 04:42 . 2011-12-15 02:55 3901808 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-26 04:42 . 2011-12-15 02:55 3957104 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-26 04:25 . 2011-12-15 02:55 38912 ----a-w- c:\windows\system32\csrsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-09-10 13:41 120104 ----a-w- c:\program files\EgisTec\MyWinLocker 3\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-12 7707168]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-09-30 703008]
"EgisTecLiveUpdate"="c:\program files\EgisTec Egis Software Update\EgisUpdate.exe" [2009-08-04 199464]
"mwlDaemon"="c:\program files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2009-09-10 349480]
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-25 588648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-05 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-05 150552]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-10-07 1157640]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-10-08 233472]
"PLFSetI"="c:\windows\PLFSetI.exe" [2009-08-13 200704]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-12-19 274608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-11-5 708608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdAuxService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdCoreService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 MpKsl00a0cfef;MpKsl00a0cfef;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1D4C8D73-C3CF-4E7E-AE69-385111294209}\MpKsl00a0cfef.sys [x]
R1 MpKsl076ab1fd;MpKsl076ab1fd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKsl076ab1fd.sys [2012-01-12 29904]
R1 MpKsl1ffb9040;MpKsl1ffb9040;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{481A0580-5D88-44C6-A500-645AA2DD22B8}\MpKsl1ffb9040.sys [x]
R1 MpKsl285a562f;MpKsl285a562f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{65B881B4-D711-4CF5-8D79-5316DF917E03}\MpKsl285a562f.sys [x]
R1 MpKsl34ff6efb;MpKsl34ff6efb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8BDF6305-FF98-4E1F-9026-77D0E7BCC969}\MpKsl34ff6efb.sys [x]
R1 MpKsl351e8141;MpKsl351e8141;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9AB33D1C-38E3-4DC8-9A67-850F4F323F1D}\MpKsl351e8141.sys [x]
R1 MpKsl421bfc61;MpKsl421bfc61;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0727546E-33CD-4516-887A-06AD92741382}\MpKsl421bfc61.sys [x]
R1 MpKsl53cfc833;MpKsl53cfc833;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKsl53cfc833.sys [x]
R1 MpKsl5e036e06;MpKsl5e036e06;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{73A80560-6161-444B-B437-FE35602F5642}\MpKsl5e036e06.sys [x]
R1 MpKsl69537fe1;MpKsl69537fe1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6C13BE6C-78C1-43F0-9142-CF52BB80DCAE}\MpKsl69537fe1.sys [x]
R1 MpKsl72968566;MpKsl72968566;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKsl72968566.sys [x]
R1 MpKsl7897acdc;MpKsl7897acdc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKsl7897acdc.sys [2012-01-12 29904]
R1 MpKsl9347e7a8;MpKsl9347e7a8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{86F9793F-9090-450C-872C-14C008AC114A}\MpKsl9347e7a8.sys [x]
R1 MpKsla517c25b;MpKsla517c25b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9BF4270E-7F84-4428-8F01-18A2F2B54086}\MpKsla517c25b.sys [x]
R1 MpKslac1aca4f;MpKslac1aca4f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKslac1aca4f.sys [x]
R1 MpKslc78e9f3b;MpKslc78e9f3b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7B76FB69-FB34-4E61-9301-E613B786B24F}\MpKslc78e9f3b.sys [x]
R1 MpKslddb50840;MpKslddb50840;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{06C4824E-D0B1-41AF-8AC7-D82D4DECEF29}\MpKslddb50840.sys [x]
R1 MpKsle58d54d2;MpKsle58d54d2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E7193014-6665-49B6-B3C5-765FC094008D}\MpKsle58d54d2.sys [x]
R1 MpKsle5e92128;MpKsle5e92128;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ACAEFD9B-475B-47EC-BC4B-794CE355D950}\MpKsle5e92128.sys [x]
R1 MpKslffa5df4a;MpKslffa5df4a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DD3510FA-E29F-425B-B9E7-0E7B1C3F3FD8}\MpKslffa5df4a.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 136176]
R2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2009-07-04 240160]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [2009-01-29 6016]
R3 EUCR;EUCR;c:\windows\system32\DRIVERS\EUCR6SK.SYS [2009-10-09 102784]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-02-04 15232]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-01-20 40776]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [2009-07-10 25856]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2010-12-03 20352]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2009-01-29 8320]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [2010-04-01 23424]
R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys [2011-02-08 9472]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 MWLService;MyWinLocker Service;c:\program files\EgisTec\MyWinLocker 3\x86\\MWLService.exe [2009-09-10 305448]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2011-02-18 371472]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-12-03 64288]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-05-11 263888]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-07-16 656320]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-12-01 691696]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [2009-06-02 18992]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [2009-06-02 16432]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [2009-06-02 60976]
S1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\Drivers\PCTSD.sys [2011-03-10 233976]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [2009-08-24 107016]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2009-09-30 727584]
S2 Greg_Service;GRegService;c:\program files\Acer\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-09-02 2152152]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [2009-07-10 253952]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2010-02-23 66600]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - HTTP
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 14:06]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 14:06]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1179316519-4230841679-437978511-1000Core.job
- c:\users\yousuf\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 04:30]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1179316519-4230841679-437978511-1000UA.job
- c:\users\yousuf\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = wwwgate0.mot.com:1080
uInternet Settings,ProxyOverride = *.mot.com;*.mot-mobility.com;*.mot-solutions.com;<local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-cacaoweb - c:\users\yousuf\AppData\Roaming\cacaoweb\cacaoweb.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4016)
c:\program files\EgisTec\MyWinLocker 3\x86\psdprotect.dll
c:\program files\EgisTec\MyWinLocker 3\x86\sysenv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\system32\taskhost.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\UI0Detect.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\vssvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\SoftwareDistribution\Download\Install\NDP40-KB2656351-x86.exe
c:\66b5b6ed1d2815fc7ddb74300ac04f\Setup.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\MsiExec.exe
c:\windows\system32\RunDll32.exe
c:\windows\system32\WUDFHost.exe
.
**************************************************************************
.
Completion time: 2012-01-20 17:39:29 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-20 23:39
ComboFix2.txt 2012-01-17 16:02
.
Pre-Run: 57,287,806,976 bytes free
Post-Run: 57,139,036,160 bytes free
.
- - End Of File - - CAD342BF445811CEDEDE8C4F4DD64A53

#10 gringo_pr


Posted 20 January 2012 - 08:44 PM

Hello

The program infected a driver that is needed for you to access the internet, and when the virus was removed, the infected driver no longer worked properly.

I would like to see a report that ComboFix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo

#11 akshatm


Posted 20 January 2012 - 10:43 PM

Hi Gringo

After I got internet back again, I proceeded to update Windows and that triggered a reboot. After the reboot, I can not connect to the internet again. I don't know why that happened. I am attaching the Add Remove Program list. Should I rerun the ComboFix?



Acer Assist
Acer Crystal Eye Webcam
Acer ePower Management
Acer eRecovery Management
Acer Registration
Acer ScreenSaver
Acer Updater
Acer VCM
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.2
ALPS Touch Pad Driver
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
Atheros Driver Installation Program
Compatibility Pack for the 2007 Office system
Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Download Guard for Internet Explorer
Google Earth Plug-in
Google Talk (remove only)
Google Talk Plugin
Google Update Helper
GoToMeeting 4.5.0.457
Identity Card
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java Auto Updater
Java™ 6 Update 24
Juniper Networks Host Checker
Juniper Networks Network Connect 6.5.0
Juniper Networks Setup Client
Junk Mail filter update
Launch Manager
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Motorola Mobile Drivers PreRelease 4.9.2
MSVCRT
MyWinLocker
Norton Online Backup
OGA Notifier 2.0.0048.0
Picasa 3
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
RSA SecurID Software Token
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553353) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Spyware Doctor 8.0
TurboTax 2010
TurboTax 2010 widiper
TurboTax 2010 wiliper
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wrapper
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553455) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
Update for Microsoft Outlook Social Connector (KB2583935)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.5
Welcome Center
Windows Driver Package - ENE (EUCR) USB (10/09/2009 5.89.0.59)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Player Firefox Plugin
Windows Mobile Device Center
WinRAR archiver

#12 gringo_pr


Posted 20 January 2012 - 10:52 PM

Yes, rerun ComboFix and let me know if you can connect.

gringo

#13 akshatm


Posted 21 January 2012 - 12:02 AM

Here is the latest ComboFix log. I still don't have any network access. Trying to open Firefox or Notepad causes the following error: "Illegal operation attempted on a registry key that has been marked for deletion."



ComboFix 12-01-17.01 - yousuf 01/20/2012 22:00:42.3.2 - x86
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.410 [GMT -6:00]
Running from: c:\users\yousuf\Desktop\ComboFix.exe
Command switches used :: c:\users\yousuf\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB49916$ . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2011-12-21 to 2012-01-21 )))))))))))))))))))))))))))))))
.
.
2012-01-21 04:38 . 2012-01-21 04:42 -------- d-----w- c:\users\yousuf\AppData\Local\temp
2012-01-21 04:38 . 2012-01-21 04:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-21 00:56 . 2012-01-21 00:56 -------- d-----w- c:\windows\system32\x64
2012-01-21 00:33 . 2012-01-21 00:33 -------- d-----w- c:\windows\system32\SPReview
2012-01-21 00:31 . 2012-01-21 00:31 -------- d-----w- c:\program files\Common Files\Java
2012-01-21 00:30 . 2012-01-21 00:30 -------- d-----w- c:\windows\system32\EventProviders
2012-01-21 00:28 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2012-01-21 00:16 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9389B2A2-FE1C-4C8B-81AE-6E086306C4C1}\mpengine.dll
2012-01-20 22:48 . 2009-07-13 23:11 53760 ----a-w- c:\windows\system32\drivers\intelppm.sys
2012-01-14 04:48 . 2010-02-23 00:03 66600 ----a-w- c:\windows\system32\drivers\L1C62x86.sys
2012-01-14 04:45 . 2009-11-06 18:53 1227776 ----a-w- c:\windows\system32\drivers\athr.sys
2012-01-14 04:45 . 2009-11-06 18:53 1227776 ----a-w- c:\windows\system32\athr.sys
2012-01-14 04:45 . 2012-01-14 04:45 -------- d-----w- c:\program files\Atheros
2012-01-14 04:44 . 2012-01-14 04:47 -------- d-----w- c:\programdata\Atheros
2012-01-14 04:43 . 2012-01-14 04:43 -------- d-----w- c:\users\yousuf\AppData\Roaming\InstallShield
2012-01-14 02:47 . 2012-01-14 02:47 -------- d-----w- c:\users\yousuf\AppData\Roaming\Malwarebytes
2012-01-14 02:47 . 2012-01-14 02:47 -------- d-----w- c:\programdata\Malwarebytes
2012-01-14 02:47 . 2012-01-14 02:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-14 02:47 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-14 02:18 . 2012-01-14 02:18 -------- d-----w- c:\users\yousuf\AppData\Local\ElevatedDiagnostics
2012-01-14 01:44 . 2010-07-16 20:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-01-14 01:44 . 2010-07-16 20:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-01-14 01:44 . 2011-05-12 14:59 105280 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2012-01-14 01:44 . 2011-05-06 19:26 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-01-14 01:43 . 2011-05-11 19:35 160576 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-01-14 01:43 . 2011-05-11 15:55 263888 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-01-14 01:43 . 2011-03-10 15:08 233976 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-01-14 01:42 . 2011-05-06 19:28 70664 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-01-14 01:40 . 2012-01-14 01:46 -------- d-----w- c:\program files\Common Files\PC Tools
2012-01-14 01:40 . 2012-01-14 02:22 -------- d-----w- c:\program files\PC Tools Security
2012-01-14 01:40 . 2012-01-14 01:43 -------- d-----w- c:\programdata\PC Tools
2012-01-12 04:30 . 2011-11-17 05:41 1288984 ----a-w- c:\windows\system32\ntdll.dll
2012-01-12 04:30 . 2011-11-19 14:06 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-12 04:28 . 2011-10-26 04:28 1328640 ----a-w- c:\windows\system32\quartz.dll
2012-01-12 04:28 . 2011-10-26 04:28 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-12 04:28 . 2011-11-17 05:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-12 04:28 . 2011-11-17 05:48 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-12 04:28 . 2011-11-17 05:39 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-12 04:28 . 2011-11-17 05:42 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-12 04:28 . 2011-11-17 05:48 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-12 04:28 . 2011-11-17 05:39 314368 ----a-w- c:\windows\system32\webio.dll
2012-01-12 04:28 . 2011-11-17 05:39 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-01-12 04:28 . 2011-11-17 05:36 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-12 04:28 . 2011-11-17 05:39 15360 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-12 04:28 . 2011-11-17 05:39 22016 ----a-w- c:\windows\system32\secur32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-21 02:06 . 2009-07-14 02:05 152064 ----a-w- c:\windows\system32\msclmd.dll
2011-12-10 02:03 . 2011-12-10 02:03 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin
2011-11-24 04:23 . 2011-12-15 02:55 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2010-07-26 00:05 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-15 20:29 . 2010-07-23 23:45 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-10 11:54 . 2010-07-23 23:35 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-05 04:30 . 2011-12-15 02:55 2048 ----a-w- c:\windows\system32\tzres.dll
2011-10-26 04:42 . 2011-12-15 02:55 3901808 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-26 04:42 . 2011-12-15 02:55 3957104 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-26 04:25 . 2011-12-15 02:55 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-21 07:24 . 2012-01-21 00:26 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-09-10 13:41 120104 ----a-w- c:\program files\EgisTec\MyWinLocker 3\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-12 7707168]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-09-30 703008]
"EgisTecLiveUpdate"="c:\program files\EgisTec Egis Software Update\EgisUpdate.exe" [2009-08-04 199464]
"mwlDaemon"="c:\program files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2009-09-10 349480]
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-25 588648]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-10-07 1157640]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-10-08 233472]
"PLFSetI"="c:\windows\PLFSetI.exe" [2009-08-13 200704]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-12-19 274608]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-25 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-25 150552]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-11-5 708608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdAuxService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdCoreService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 MpKsl00a0cfef;MpKsl00a0cfef;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1D4C8D73-C3CF-4E7E-AE69-385111294209}\MpKsl00a0cfef.sys [x]
R1 MpKsl076ab1fd;MpKsl076ab1fd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKsl076ab1fd.sys [x]
R1 MpKsl1ffb9040;MpKsl1ffb9040;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{481A0580-5D88-44C6-A500-645AA2DD22B8}\MpKsl1ffb9040.sys [x]
R1 MpKsl285a562f;MpKsl285a562f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{65B881B4-D711-4CF5-8D79-5316DF917E03}\MpKsl285a562f.sys [x]
R1 MpKsl34ff6efb;MpKsl34ff6efb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8BDF6305-FF98-4E1F-9026-77D0E7BCC969}\MpKsl34ff6efb.sys [x]
R1 MpKsl351e8141;MpKsl351e8141;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9AB33D1C-38E3-4DC8-9A67-850F4F323F1D}\MpKsl351e8141.sys [x]
R1 MpKsl421bfc61;MpKsl421bfc61;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0727546E-33CD-4516-887A-06AD92741382}\MpKsl421bfc61.sys [x]
R1 MpKsl53cfc833;MpKsl53cfc833;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKsl53cfc833.sys [x]
R1 MpKsl5e036e06;MpKsl5e036e06;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{73A80560-6161-444B-B437-FE35602F5642}\MpKsl5e036e06.sys [x]
R1 MpKsl69537fe1;MpKsl69537fe1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6C13BE6C-78C1-43F0-9142-CF52BB80DCAE}\MpKsl69537fe1.sys [x]
R1 MpKsl72968566;MpKsl72968566;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKsl72968566.sys [x]
R1 MpKsl7897acdc;MpKsl7897acdc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKsl7897acdc.sys [x]
R1 MpKsl9347e7a8;MpKsl9347e7a8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{86F9793F-9090-450C-872C-14C008AC114A}\MpKsl9347e7a8.sys [x]
R1 MpKsla517c25b;MpKsla517c25b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9BF4270E-7F84-4428-8F01-18A2F2B54086}\MpKsla517c25b.sys [x]
R1 MpKslac1aca4f;MpKslac1aca4f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0092AF6E-1A5B-40E0-BF51-9F5CBBC92836}\MpKslac1aca4f.sys [x]
R1 MpKslc78e9f3b;MpKslc78e9f3b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7B76FB69-FB34-4E61-9301-E613B786B24F}\MpKslc78e9f3b.sys [x]
R1 MpKslddb50840;MpKslddb50840;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{06C4824E-D0B1-41AF-8AC7-D82D4DECEF29}\MpKslddb50840.sys [x]
R1 MpKsle58d54d2;MpKsle58d54d2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E7193014-6665-49B6-B3C5-765FC094008D}\MpKsle58d54d2.sys [x]
R1 MpKsle5e92128;MpKsle5e92128;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ACAEFD9B-475B-47EC-BC4B-794CE355D950}\MpKsle5e92128.sys [x]
R1 MpKslffa5df4a;MpKslffa5df4a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DD3510FA-E29F-425B-B9E7-0E7B1C3F3FD8}\MpKslffa5df4a.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Greg_Service;GRegService;c:\program files\Acer\Registration\GregHSRW.exe [2009-08-28 1150496]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 136176]
R2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2009-07-04 240160]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [2009-01-29 6016]
R3 EUCR;EUCR;c:\windows\system32\DRIVERS\EUCR6SK.SYS [2009-10-09 102784]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 136176]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-02-04 15232]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [2009-07-10 25856]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2010-12-03 20352]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2009-01-29 8320]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [2010-04-01 23424]
R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys [2011-02-08 9472]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 MWLService;MyWinLocker Service;c:\program files\EgisTec\MyWinLocker 3\x86\\MWLService.exe [2009-09-10 305448]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2011-02-18 371472]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-12-03 64288]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-05-11 263888]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-07-16 656320]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-12-01 691696]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [2009-06-02 18992]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [2009-06-02 16432]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [2009-06-02 60976]
S1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\Drivers\PCTSD.sys [2011-03-10 233976]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [2009-08-24 107016]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2009-09-30 727584]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-09-02 2152152]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [2009-07-10 253952]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [2010-02-23 66600]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 07:40]
.
2012-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 14:06]
.
2012-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-04 14:06]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1179316519-4230841679-437978511-1000Core.job
- c:\users\yousuf\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 04:30]
.
2012-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1179316519-4230841679-437978511-1000UA.job
- c:\users\yousuf\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = wwwgate0.mot.com:1080
uInternet Settings,ProxyOverride = *.mot.com;*.mot-mobility.com;*.mot-solutions.com;<local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\users\yousuf\AppData\Roaming\Mozilla\Firefox\Profiles\mx4c4mps.default\
FF - prefs.js: network.proxy.ftp - wwwgate0.mot.com
FF - prefs.js: network.proxy.ftp_port - 1080
FF - prefs.js: network.proxy.http - wwwgate0.mot.com
FF - prefs.js: network.proxy.http_port - 1080
FF - prefs.js: network.proxy.socks - wwwgate0.mot.com
FF - prefs.js: network.proxy.socks_port - 1080
FF - prefs.js: network.proxy.ssl - wwwgate0.mot.com
FF - prefs.js: network.proxy.ssl_port - 1080
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2852)
c:\program files\EgisTec\MyWinLocker 3\x86\psdprotect.dll
c:\program files\EgisTec\MyWinLocker 3\x86\sysenv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\UI0Detect.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-01-20 22:53:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-21 04:53
ComboFix2.txt 2012-01-20 23:39
ComboFix3.txt 2012-01-17 16:02
.
Pre-Run: 62,655,938,560 bytes free
Post-Run: 62,540,292,096 bytes free
.
- - End Of File - - C17E674638D100875A289C2CAE857F79

#14 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:29 AM

Posted 21 January 2012 - 12:17 AM

Hello

Restart the computer and run this for me


Let's check your internet connection

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure all the boxes are checked
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 akshatm

akshatm
  • Topic Starter

  • Members
  • 18 posts
  • Local time:03:29 AM

Posted 21 January 2012 - 01:22 AM

Here is the output of FSS.

Farbar Service Scanner Version: 18-01-2012 01
Ran by yousuf (administrator) on 21-01-2012 at 00:18:27
Microsoft Windows 7 Starter (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-06-16 19:28] - [2011-04-24 20:35] - 0338944 ____A () 438B535B55F0FD05544EE5FB277FF32F

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-21 20:24] - [2011-09-29 09:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\dnsrslvr.dll
[2011-04-12 18:26] - [2011-03-02 23:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\Windows\system32\mpssvc.dll
[2009-07-13 17:53] - [2009-07-13 19:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-13 17:54] - [2009-07-13 19:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2009-07-13 17:23] - [2009-07-13 19:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\Windows\system32\vssvc.exe
[2009-07-13 17:24] - [2009-07-13 19:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\Windows\system32\wscsvc.dll
[2011-02-22 11:55] - [2010-12-20 23:38] - 0073728 ____A (Microsoft Corporation) A661A76333057B383A06E65F0073222F

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll
[2009-07-13 18:15] - [2009-07-13 19:16] - 1912832 ____A (Microsoft Corporation) A33408CC036F9C08142B11BE5E93F0A1

C:\Windows\system32\qmgr.dll
[2009-07-13 17:30] - [2009-07-13 19:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2009-07-13 17:33] - [2009-07-13 19:15] - 0135680 ____A (Microsoft Corporation) 9C231178CE4FB385F4B54B0A9080B8A4

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
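The FSS log above is what the helper will read by hand: services whose registry configuration has gone missing (here MpsSvc, the Windows Firewall service, has no start type, ImagePath or ServiceDll left), and system files that FSS could not match to a known-good MD5 (afd.sys, reported with no company name, next to tcpip.sys and others that still carry "Microsoft Corporation"). As an added example, not code from this thread or from Farbar's tool, the following Python parser pulls exactly those items out of FSS.txt so a responder can triage a log quickly. The sample text is an excerpt of the log posted above; the section names and phrasings it keys on are those of the FSS version shown here (18-01-2012), which is an assumption for other versions.

```python
"""Triage a Farbar Service Scanner (FSS.txt) log.

Added example, not part of the thread or of FSS itself. It extracts:
  * Connection Status lines (is the network reachable at all?),
  * services FSS reports as not running whose configuration values are
    missing ("Attention!" / "The value does not exist"),
  * files FSS could not match to a known-good MD5, with size, company
    name from the version resource, and the observed hash.
The phrasings matched below are those of FSS version 18-01-2012 as shown
in this thread; other versions may word lines differently (assumption).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Excerpt of the FSS log posted in this thread (raw string: Windows paths).
SAMPLE_FSS_LOG = r"""
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-06-16 19:28] - [2011-04-24 20:35] - 0338944 ____A () 438B535B55F0FD05544EE5FB277FF32F

C:\Windows\system32\Drivers\tcpip.sys
[2011-11-21 20:24] - [2011-09-29 09:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\svchost.exe => MD5 is legit
"""

SERVICE_RE = re.compile(r"^(\S+) Service is not running\. Checking service configuration:$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# "[created] - [modified] - size attrs (company) MD5"
FILE_META_RE = re.compile(
    r"^\[[^\]]*\] - \[[^\]]*\] - (\d+) (\S+) \((.*?)\) ([0-9A-Fa-f]{32})$")


@dataclass
class FssFindings:
    connection: List[str] = field(default_factory=list)
    services: Dict[str, List[str]] = field(default_factory=dict)   # name -> problem lines
    unverified_files: Dict[str, Tuple[int, str, str]] = field(default_factory=dict)


def parse_fss_log(text: str) -> FssFindings:
    """Walk the log line by line, tracking the current section and service."""
    findings = FssFindings()
    section = None
    current_service = None
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"="}:
            continue                                   # blank or "=====" underline
        m = SERVICE_RE.match(line)
        if m:
            current_service = m.group(1)
            findings.services.setdefault(current_service, [])
            continue
        if line.endswith(":"):
            section = line[:-1]                        # e.g. "Connection Status"
            current_service = None
            continue
        if section == "Connection Status":
            findings.connection.append(line)
        elif current_service is not None:
            if "Attention!" in line or "does not exist" in line:
                findings.services[current_service].append(line)
        elif section == "File Check":
            if line.endswith("=> MD5 is legit"):
                pending_path = None                    # known-good file, nothing to note
            elif PATH_RE.match(line):
                pending_path = line                    # metadata follows on the next line
            elif pending_path is not None:
                m = FILE_META_RE.match(line)
                if m:
                    findings.unverified_files[pending_path] = (
                        int(m.group(1)), m.group(3), m.group(4).upper())
                pending_path = None
    return findings


def summarize(findings: FssFindings) -> dict:
    """Reduce the findings to the questions a responder asks first."""
    return {
        "network_unreachable": any(l.startswith("There is no connection") for l in findings.connection),
        "services_missing_config": sorted(n for n, p in findings.services.items() if p),
        "unverified_files": sorted(findings.unverified_files),
        # unverified AND no company name in the version resource: check these first
        "unverified_without_company": sorted(
            p for p, (_, company, _) in findings.unverified_files.items() if not company),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_fss_log(SAMPLE_FSS_LOG)).items():
        print(f"{key}: {value}")
```

The summary only orders the work; an "unverified" file is one FSS does not recognise, not proof it is malicious, so the hash it records is what you then compare against a known-good copy of that file for the same Windows build and service pack.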



