
system check / google redirect - tdss runs, but finds no threats


  • This topic is locked
30 replies to this topic

#1 clumper

clumper

  • Members
  • 18 posts

Posted 14 January 2012 - 05:21 PM

Hi, I posted earlier in the "Am I infected" section:
http://www.bleepingcomputer.com/forums/topic438048.html

About a week ago I got the "Win7 Home Security 2012" virus and followed the BleepingComputer instructions to get rid of it. I think I may have skipped the TDSS step at the time because I wasn't experiencing redirects.
It seemed to work, or perhaps did work, but a couple of days ago the redirects started, and a few hours later I restarted my computer. Twenty-four (I think) warning windows popped up as soon as I'd logged in, each giving me a similar warning about unreadable, corrupted files. I don't remember them word for word, but I think they all said "windows\system32" and then some numbers. (I'm in safe mode now, but if you need to know what the warnings were exactly I could restart and read them.) And then a few moments later a window labelled "System Check" popped up and appeared to be scanning my computer, finding viruses, and that was followed by a bunch of warnings saying that my computer was out of hard drive space, running at 20%, etc. etc. All files and programs on my desktop as well as my start menu disappeared.

I followed the instructions on BleepingComputer's "System Check uninstall" (this time I included the TDSS step)... More specifically, in safe mode I ran rkill, then I ran TDSSKiller. TDSS found no threats, and then I ran Malwarebytes, rebooted in safe mode and ran unhide. Everything seemed to be back to normal, so I rebooted my computer as I would normally, and the virus was still there just as it had been before. I repeated all these steps again in safe mode, with the same results. Then I repeated all these steps in standard(?) mode instead of safe mode. Each time TDSS found no threats, and each time I ran Malwarebytes, when it asked me to reboot my computer the virus was there to greet me at the end.

Sorry this is such a book, I may be taking the "be specific" thing too literally... I was directed to the "Preparation Guide..." and started with step 6. I skipped step 8 because I (am pretty sure I) have the 64-bit version of Windows 7.

So here we are.


.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 8.0.7600.16385
Run by ryan stack at 16:18:18 on 2012-01-14
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5876.4547 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = about:blank
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: jZip Toolbar: {1e48c56f-08cd-43aa-a6ef-c1ec891551ab} - C:\PROGRA~2\WIF0E7~1\Datamngr\ToolBar\jzipdtx.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: UrlHelper Class: {41c4aa37-1ddd-4345-b8dc-734e4b38414d} - C:\PROGRA~2\WIF0E7~1\Datamngr\IEBHO.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20110302170726.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: jZip Toolbar: {1e48c56f-08cd-43aa-a6ef-c1ec891551ab} - C:\PROGRA~2\WIF0E7~1\Datamngr\ToolBar\jzipdtx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [Facebook Update] "C:\Users\ryan stack\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Spotify] "C:\Users\ryan stack\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
uRun: [LHUnnGkTMirhwy.exe] C:\ProgramData\LHUnnGkTMirhwy.exe
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [DATAMNGR] C:\PROGRA~2\WIF0E7~1\Datamngr\DATAMN~1.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: mswsock.dll
Trusted Zone: youtube.com\www
DPF: Cab1 - hxxps://registration.rr.com/RegHelper.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{60BC24EF-F7BD-400F-9A5E-274F46080075} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{BAE7ECF2-3DF2-4B8F-8BF3-E3ABF705AA6C} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{BAE7ECF2-3DF2-4B8F-8BF3-E3ABF705AA6C}\05162716C6C61687 : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{BAE7ECF2-3DF2-4B8F-8BF3-E3ABF705AA6C}\2456C6B696E6E233635313 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{BAE7ECF2-3DF2-4B8F-8BF3-E3ABF705AA6C}\4716C6C65697 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{BAE7ECF2-3DF2-4B8F-8BF3-E3ABF705AA6C}\47865676275656E6265616E6 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{BAE7ECF2-3DF2-4B8F-8BF3-E3ABF705AA6C}\C696E6B6379737 : DhcpNameServer = 192.168.15.1
AppInit_DLLs: C:\PROGRA~2\WIF0E7~1\Datamngr\datamngr.dll C:\PROGRA~2\WIF0E7~1\Datamngr\IEBHO.dll C:\Windows\SysWOW64\nvinit.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: jZip Toolbar: {1e48c56f-08cd-43aa-a6ef-c1ec891551ab} - C:\PROGRA~2\WIF0E7~1\Datamngr\ToolBar\jzipdtx.dll
BHO-X64: jZip Toolbar - No File
BHO-X64: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO-X64: McAfee Phishing Filter - No File
BHO-X64: UrlHelper Class: {41C4AA37-1DDD-4345-B8DC-734E4B38414D} - C:\PROGRA~2\WIF0E7~1\Datamngr\IEBHO.dll
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO-X64: Search Helper - No File
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20110302170726.dll
BHO-X64: scriptproxy - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: jZip Toolbar: {1e48c56f-08cd-43aa-a6ef-c1ec891551ab} - C:\PROGRA~2\WIF0E7~1\Datamngr\ToolBar\jzipdtx.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun-x64: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [DATAMNGR] C:\PROGRA~2\WIF0E7~1\Datamngr\DATAMN~1.EXE
AppInit_DLLs-X64: C:\PROGRA~2\WIF0E7~1\Datamngr\datamngr.dll C:\PROGRA~2\WIF0E7~1\Datamngr\IEBHO.dll C:\Windows\SysWOW64\nvinit.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R0 nvpciflt;nvpciflt;C:\Windows\system32\DRIVERS\nvpciflt.sys --> C:\Windows\system32\DRIVERS\nvpciflt.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\Windows\system32\DRIVERS\stdcfltn.sys --> C:\Windows\system32\DRIVERS\stdcfltn.sys [?]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
R1 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2011-3-2 245352]
R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]
R3 Acceler;Accelerometer Service;C:\Windows\system32\DRIVERS\Accelern.sys --> C:\Windows\system32\DRIVERS\Accelern.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-2-23 98208]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-23 136176]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-2-23 13336]
S2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-3-2 355440]
S2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-3-2 355440]
S2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-3-2 355440]
S2 McShield;McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2011-3-2 200056]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-8-25 235624]
S2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-2-23 2533400]
S3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-23 136176]
S3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
S3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
S3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?]
S3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 qicflt;upper Device Filter Driver;C:\Windows\system32\DRIVERS\qicflt.sys --> C:\Windows\system32\DRIVERS\qicflt.sys [?]
.
=============== Created Last 30 ================
.
2012-01-14 05:16:48 357120 ---ha-w- C:\ProgramData\zuz2VaLZg8gDZQ.exe
2012-01-13 07:55:42 454400 ---ha-w- C:\ProgramData\LHUnnGkTMirhwy.exe
2012-01-07 23:52:59 -------- d--h--w- C:\Users\ryan stack\AppData\Roaming\Malwarebytes
2012-01-07 23:52:54 -------- d--h--w- C:\ProgramData\Malwarebytes
2012-01-07 23:52:51 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-01-07 23:52:51 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-01-07 18:16:38 -------- d-----we C:\Windows\system64
.
==================== Find3M ====================
.
2011-11-23 08:06:54 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
.
============= FINISH: 16:19:21.66 ===============


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 14 January 2012 - 06:17 PM

Hi,

Please do the following:


Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 clumper

clumper
  • Topic Starter

  • Members
  • 18 posts

Posted 14 January 2012 - 08:23 PM

My computer wouldn't allow me to zip MBR.dat.
I clicked Send To and it didn't give me any options.
I also tried to use j-zip and it gave me a run-time error.
Should I just send the whole file, or is there another way to compress it?





aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-14 19:45:32
-----------------------------
19:45:32.452 OS Version: Windows x64 6.1.7600
19:45:32.452 Number of processors: 4 586 0x2505
19:45:32.452 ComputerName: MININT-M6CAL1N UserName: ryan stack
19:45:35.237 Initialize success
19:46:44.032 AVAST engine defs: 12011401
19:47:51.902 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:47:51.902 Disk 0 Vendor: ST975042 0001 Size: 715404MB BusType: 3
19:47:51.942 Disk 0 MBR read successfully
19:47:51.947 Disk 0 MBR scan
19:47:51.952 Disk 0 Windows 7 default MBR code
19:47:51.952 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 701402 MB offset 2048
19:47:51.987 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 14000 MB offset 1436473344
19:47:51.992 Service scanning
19:47:53.282 Modules scanning
19:47:53.282 Disk 0 trace - called modules:
19:47:53.292 ntoskrnl.exe CLASSPNP.SYS disk.sys stdcfltn.sys iaStor.sys hal.dll
19:47:53.297 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006978060]
19:47:53.302 3 CLASSPNP.SYS[fffff8800186b43f] -> nt!IofCallDriver -> [0xfffffa8006975af0]
19:47:53.307 5 stdcfltn.sys[fffff88001601c52] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80067e3050]
19:47:54.877 AVAST engine scan C:\Windows
19:47:56.687 AVAST engine scan C:\Windows\system32
19:48:03.487 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
19:49:09.072 AVAST engine scan C:\Windows\system32\drivers
19:49:19.372 AVAST engine scan C:\Users\ryan stack
19:51:22.058 File: C:\Users\ryan stack\AppData\Local\Temp\4659.tmp **INFECTED** Win32:Malware-gen
19:51:37.093 File: C:\Users\ryan stack\AppData\Local\Temp\Realtek_High_Definition_Audio_Codec.exe **INFECTED** Win32:Malware-gen
19:51:37.503 File: C:\Users\ryan stack\AppData\Local\Temp\s0IuRbXg9nOpB6.exe.tmp **INFECTED** Win32:FakeAlert-BVS [Trj]
19:51:59.098 File: C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\58b127f2-3ddd8314 **INFECTED** Win32:FakeAlert-BVS [Trj]
19:57:01.239 AVAST engine scan C:\ProgramData
19:57:02.019 File: C:\ProgramData\LHUnnGkTMirhwy.exe **INFECTED** Win32:FakeAlert-BVS [Trj]
20:11:31.994 File: C:\ProgramData\zuz2VaLZg8gDZQ.exe **INFECTED** Win32:FakeAlert-BVS [Trj]
20:11:32.025 Scan finished successfully
20:12:54.019 Disk 0 MBR has been saved successfully to "C:\Users\ryan stack\Desktop\MBR.dat"
20:12:54.019 The log file has been saved successfully to "C:\Users\ryan stack\Desktop\aswMBR.txt"
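The two scanner logs in this thread tell the story on their own: TDSSKiller reported nothing, while aswMBR flagged `consrv.dll` in system32 as Win32:Sirefef-HO and two hidden executables in ProgramData that also appear in the DDS "Created Last 30" block of the first post. The script below is an added example written for this page; it is not part of the thread and is not code from aswMBR, DDS or BleepingComputer. It parses both log formats, flags the patterns visible here (hidden `.exe` files dropped into ProgramData or a Temp folder, and a directory named to look like `system32`), and cross-references the two tools' findings. The line shapes it matches are inferred from the log lines posted above, which is an assumption, and the sample input is copied from those lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: lines copied from the aswMBR log posted above.
ASWMBR_LOG = r"""19:47:51.952 Disk 0 Windows 7 default MBR code
19:48:03.487 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
19:49:09.072 AVAST engine scan C:\Windows\system32\drivers
19:51:22.058 File: C:\Users\ryan stack\AppData\Local\Temp\4659.tmp **INFECTED** Win32:Malware-gen
19:57:02.019 File: C:\ProgramData\LHUnnGkTMirhwy.exe **INFECTED** Win32:FakeAlert-BVS [Trj]
20:11:31.994 File: C:\ProgramData\zuz2VaLZg8gDZQ.exe **INFECTED** Win32:FakeAlert-BVS [Trj]
20:11:32.025 Scan finished successfully
"""

# Constructed sample input: the "Created Last 30" block from the DDS log in the first post.
DDS_CREATED_LAST_30 = r"""2012-01-14 05:16:48 357120 ---ha-w- C:\ProgramData\zuz2VaLZg8gDZQ.exe
2012-01-13 07:55:42 454400 ---ha-w- C:\ProgramData\LHUnnGkTMirhwy.exe
2012-01-07 23:52:51 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-01-07 23:52:51 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-01-07 18:16:38 -------- d-----we C:\Windows\system64
"""

# Line shapes are inferred from the logs shown in this thread (an assumption, not a published spec).
ASWMBR_HIT = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) File: (?P<path>.+?) \*\*INFECTED\*\* "
    r"(?P<name>\S+)(?: \[(?P<kind>\w+)\])?\s*$"
)
DDS_ENTRY = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<size>\d+|-+) "
    r"(?P<attrs>\S+) (?P<path>.+?)\s*$"
)


@dataclass
class Detection:
    time: str
    path: str
    name: str            # scanner's detection name, e.g. Win32:Sirefef-HO
    kind: Optional[str]  # bracketed class, e.g. Rtk (rootkit) or Trj (trojan); None if absent


@dataclass
class DdsEntry:
    date: str
    time: str
    size: Optional[int]  # None for directories (DDS prints dashes instead of a size)
    attrs: str           # DDS attribute string, e.g. ---ha-w- (h = hidden, d = directory)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs


def parse_aswmbr(text: str) -> List[Detection]:
    """Return every **INFECTED** file line from an aswMBR log."""
    hits = []
    for line in text.splitlines():
        m = ASWMBR_HIT.match(line)
        if m:
            hits.append(Detection(m["time"], m["path"], m["name"], m["kind"]))
    return hits


def parse_dds_created(text: str) -> List[DdsEntry]:
    """Parse the 'Created Last 30' block of a DDS log."""
    entries = []
    for line in text.splitlines():
        m = DDS_ENTRY.match(line)
        if m:
            size = int(m["size"]) if m["size"].isdigit() else None
            entries.append(DdsEntry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def suspicious_dds_entries(entries: List[DdsEntry]) -> List[Tuple[DdsEntry, str]]:
    """Flag the patterns visible in this thread: hidden .exe files dropped into ProgramData
    or a Temp folder, and a directory whose name mimics system32."""
    flagged = []
    for e in entries:
        low = e.path.lower()
        base = low.rsplit("\\", 1)[-1]
        if (not e.is_dir and e.is_hidden and base.endswith(".exe")
                and ("\\programdata\\" in low or "\\temp\\" in low)):
            flagged.append((e, "hidden executable in a data/temp directory"))
        elif e.is_dir and base == "system64":
            flagged.append((e, "directory name mimics the system32 folder"))
    return flagged


def corroborate(detections: List[Detection], entries: List[DdsEntry]) -> List[str]:
    """Paths that aswMBR flagged AND that DDS saw created in the last 30 days."""
    created = {e.path.lower() for e in entries}
    return sorted(d.path for d in detections if d.path.lower() in created)


if __name__ == "__main__":
    dets = parse_aswmbr(ASWMBR_LOG)
    for d in dets:
        print(f"{d.time} {d.name:<22} {d.kind or '-':<4} {d.path}")
    entries = parse_dds_created(DDS_CREATED_LAST_30)
    for e, why in suspicious_dds_entries(entries):
        print(f"DDS  {e.date} {e.attrs} {e.path}  <- {why}")
    print("seen by both tools:", corroborate(dets, entries))
```

Run it on the two logs as posted and it reports the four aswMBR hits, flags the two hidden ProgramData executables and the `system64` directory from the DDS block, and shows that the two ProgramData executables were seen by both tools; the `consrv.dll` hit is not in the DDS "created" block because that file replaced an existing name rather than being newly created, which is exactly the kind of finding a user-mode scan misses and a rootkit-aware scan like aswMBR catches.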

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 14 January 2012 - 08:37 PM

If your context menu is completely empty, here are the instructions to rebuild it:

http://www.sevenforums.com/tutorials/45421-send-context-menu-remove-restore-default-items.html

You should wait till we clean up your computer first, as it may have been corrupted by the infection.

Please do the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 clumper

clumper
  • Topic Starter

  • Members
  • 18 posts

Posted 14 January 2012 - 09:24 PM

ComboFix 12-01-13.05 - ryan stack 01/14/2012 21:07:13.1.4 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5876.4621 [GMT -5:00]
Running from: c:\users\ryan stack\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\~cP0oF7Ys1aATjU
c:\programdata\~zuz2VaLZg8gDZQ
c:\programdata\~zuz2VaLZg8gDZQr
c:\programdata\cP0oF7Ys1aATjU
c:\programdata\izwjaalw4I5Y4G
c:\programdata\LHUnnGkTMirhwy.exe
c:\programdata\NvpcSIk9Zd99dB
c:\programdata\zuz2VaLZg8gDZQ
c:\programdata\zuz2VaLZg8gDZQ.exe
c:\users\ryan stack\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\users\ryan stack\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\ryan stack\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\users\ryan stack\Desktop\System Check.lnk
c:\windows\assembly\temp\@
c:\windows\assembly\temp\bckfg.tmp
c:\windows\assembly\temp\cfg.ini
c:\windows\assembly\temp\keywords
c:\windows\assembly\temp\kwrd.dll
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-12-15 to 2012-01-15 )))))))))))))))))))))))))))))))
.
.
2012-01-15 02:10 . 2012-01-15 02:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-07 23:52 . 2012-01-07 23:52 -------- d--h--w- c:\users\ryan stack\AppData\Roaming\Malwarebytes
2012-01-07 23:52 . 2012-01-07 23:52 -------- d--h--w- c:\programdata\Malwarebytes
2012-01-07 23:52 . 2012-01-14 01:13 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-07 23:52 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 05:08 . 2011-11-29 05:08 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin
2011-11-23 08:06 . 2011-07-18 01:46 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\ryan stack\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-08-18 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\WIF0E7~1\Datamngr\datamngr.dll c:\progra~2\WIF0E7~1\Datamngr\IEBHO.dll c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 0002231326592720mcinstcleanup;McAfee Application Installer Cleanup (0002231326592720);c:\users\RYANST~1\AppData\Local\Temp\000223~1.EXE [x]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-23 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-23 136176]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
R3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0;PCDSRVC{67F2314B-25F2B3C0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\gencotst\pcdsrvc_x64.pkms [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-08-25 235624]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-07-01 2533400]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 qicflt;upper Device Filter Driver;c:\windows\system32\DRIVERS\qicflt.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3662471028-578440783-1738224185-1003Core.job
- c:\users\ryan stack\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-18 21:58]
.
2012-01-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3662471028-578440783-1738224185-1003UA.job
- c:\users\ryan stack\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-18 21:58]
.
2012-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-23 08:05]
.
2012-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-23 08:05]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41C4AA37-1DDD-4345-B8DC-734E4B38414D}]
2011-06-05 16:29 1791936 ----a-w- c:\progra~2\WIF0E7~1\Datamngr\x64\IEBHO.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-11-09 6539880]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-11-04 2181224]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2010-08-25 283240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-09-03 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-09-03 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-09-03 415256]
"QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2010-08-04 3206816]
"combofix"="c:\combofix\CF1490.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\progra~2\WIF0E7~1\Datamngr\x64\datamngr.dll c:\progra~2\WIF0E7~1\Datamngr\x64\IEBHO.dll c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: youtube.com\www
TCP: DhcpNameServer = 192.168.2.1
DPF: Cab1 - hxxps://registration.rr.com/RegHelper.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-10 - (no file)
Wow6432Node-HKCU-Run-Spotify - c:\users\ryan stack\AppData\Roaming\Spotify\Spotify.exe
Wow6432Node-HKCU-Run-LHUnnGkTMirhwy.exe - c:\programdata\LHUnnGkTMirhwy.exe
Toolbar-Locked - (no file)
Toolbar-10 - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{67F2314B-25F2B3C0-06020101}_0]
"ImagePath"="\??\c:\gencotst\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Windows jZip Toolbar\Datamngr\datamngrUI.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-01-14 21:15:53 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-15 02:15
.
Pre-Run: 688,630,169,600 bytes free
Post-Run: 688,752,721,920 bytes free
.
- - End Of File - - F37CD1E93BDF6AA84AC95682D4463D54

#6 CatByte (Malware Response Team)
Posted 14 January 2012 - 09:37 PM

Hi

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 clumper (Topic Starter)
Posted 14 January 2012 - 11:55 PM

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.14.05

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
ryan stack :: MININT-M6CAL1N [administrator]

1/14/2012 11:13:54 PM
mbam-log-2012-01-14 (23-13-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 176035
Time elapsed: 1 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




C:\Program Files (x86)\Windows jZip Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application
C:\Program Files (x86)\Windows jZip Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application
C:\Program Files (x86)\Windows jZip Toolbar\Datamngr\IEBHO.dll probably a variant of Win32/Toolbar.SearchSuite application
C:\Qoobox\Quarantine\C\ProgramData\LHUnnGkTMirhwy.exe.vir a variant of Win32/Kryptik.YWK trojan
C:\Qoobox\Quarantine\C\ProgramData\zuz2VaLZg8gDZQ.exe.vir a variant of Win32/Kryptik.YWK trojan
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.G trojan
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\30f8808a-61b0bab5 multiple threats
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\6e684651-52613326 a variant of Java/Agent.DZ trojan
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\363037d6-18257a3e Java/Exploit.CVE-2011-3544.X trojan
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\3ba0d75f-59692eb4 Java/TrojanDownloader.OpenStream.NBV trojan
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\5958c3a6-42c11f76 Java/Exploit.CVE-2011-3544.T trojan
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\3d47b3ea-4964e8d8 Java/Agent.EA trojan
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\58b127f2-3ddd8314 a variant of Win32/Kryptik.YWK trojan
C:\Windows\assembly\temp\U\80000032.@ probably a variant of Win32/Olmarik.AVQ trojan
Operating memory a variant of Win32/Toolbar.SearchSuite application

#8 CatByte (Malware Response Team)
Posted 15 January 2012 - 09:57 AM

Hi

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Program Files (x86)\Windows jZip Toolbar\Datamngr\datamngr.dll 
C:\Program Files (x86)\Windows jZip Toolbar\Datamngr\datamngrUI.exe 
C:\Program Files (x86)\Windows jZip Toolbar\Datamngr\IEBHO.dll 
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\30f8808a-61b0bab5 
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\6e684651-52613326 
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\363037d6-18257a3e 
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\3ba0d75f-59692eb4 
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\5958c3a6-42c11f76 
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\3d47b3ea-4964e8d8 
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\58b127f2-3ddd8314 
C:\Windows\assembly\temp\U\80000032.@

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT


Your Java is out of date.
Java™ 6 Update 24 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; follow the prompts.


NEXT


Please advise how your computer is running and if there are any outstanding issues.

Edited by CatByte, 15 January 2012 - 09:58 AM.

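The CFScript above was built by hand from the ESET report: on-disk hits kept, entries already under C:\Qoobox\Quarantine left out, the "Operating memory" hit dropped, and ClearJavaCache:: added for the Java cache entries. The following Python script is an added example that automates exactly that triage; it is not ComboFix's or ESET's code and was not posted in this thread, and it only knows the File:: and ClearJavaCache:: directives shown here.

```python
"""Turn an ESET online-scanner text export into the File:: section of a
ComboFix CFScript, the way the helper did by hand in this thread.

Rules mirrored from the thread: anything already under ComboFix's own
quarantine (C:\\Qoobox\\Quarantine) is left alone, an "Operating memory" hit
has no file to list, and ClearJavaCache:: is appended when hits live in the
Java deployment cache. Added example; not ComboFix, ESET or thread code.
"""
import re

# An ESET report line is "<path> <detection>". Paths contain spaces, so the
# split is anchored on how ESET words the detection, not on whitespace.
_DETECTION = r"(?:probably )?a variant of .+|multiple threats|[A-Za-z0-9]+/\S+.*"
_FILE_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<det>" + _DETECTION + r")$")
_ANY_DETECTION = re.compile(_DETECTION)

QUARANTINE_MARKER = "\\qoobox\\quarantine\\"            # ComboFix quarantine folder
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"  # Java deployment cache


def parse_eset_line(line):
    """Return (path, detection) for an on-disk hit, (None, text) for a hit
    with no file behind it (e.g. 'Operating memory ...'), or None if the
    line is not a detection at all."""
    line = line.strip()
    if not line:
        return None
    m = _FILE_LINE.match(line)
    if m:
        return m.group("path"), m.group("det")
    if _ANY_DETECTION.search(line):
        return None, line
    return None


def triage(report_text):
    """Split a report into paths to script for deletion, paths that are
    already in ComboFix's quarantine, and detections with no file."""
    to_delete, quarantined, non_file = [], [], []
    for line in report_text.splitlines():
        parsed = parse_eset_line(line)
        if parsed is None:
            continue
        path, det = parsed
        if path is None:
            non_file.append(det)
        elif QUARANTINE_MARKER in path.lower():
            quarantined.append(path)
        else:
            to_delete.append(path)
    return to_delete, quarantined, non_file


def build_cfscript(to_delete):
    """Emit the File:: block, plus ClearJavaCache:: when any hit sits in the
    Java cache, exactly as the helper's script above is laid out."""
    lines = ["File::"] + list(to_delete)
    if any(JAVA_CACHE_MARKER in p.lower() for p in to_delete):
        lines += ["", "ClearJavaCache::"]
    return "\n".join(lines) + "\n"


# Sample input: the ESET export posted earlier in this thread, verbatim.
ESET_REPORT = r"""
C:\Program Files (x86)\Windows jZip Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application
C:\Program Files (x86)\Windows jZip Toolbar\Datamngr\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite application
C:\Program Files (x86)\Windows jZip Toolbar\Datamngr\IEBHO.dll probably a variant of Win32/Toolbar.SearchSuite application
C:\Qoobox\Quarantine\C\ProgramData\LHUnnGkTMirhwy.exe.vir a variant of Win32/Kryptik.YWK trojan
C:\Qoobox\Quarantine\C\ProgramData\zuz2VaLZg8gDZQ.exe.vir a variant of Win32/Kryptik.YWK trojan
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.G trojan
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\30f8808a-61b0bab5 multiple threats
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\6e684651-52613326 a variant of Java/Agent.DZ trojan
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\363037d6-18257a3e Java/Exploit.CVE-2011-3544.X trojan
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\3ba0d75f-59692eb4 Java/TrojanDownloader.OpenStream.NBV trojan
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\5958c3a6-42c11f76 Java/Exploit.CVE-2011-3544.T trojan
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\3d47b3ea-4964e8d8 Java/Agent.EA trojan
C:\Users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\58b127f2-3ddd8314 a variant of Win32/Kryptik.YWK trojan
C:\Windows\assembly\temp\U\80000032.@ probably a variant of Win32/Olmarik.AVQ trojan
Operating memory a variant of Win32/Toolbar.SearchSuite application
"""

if __name__ == "__main__":
    keep, skipped, mem = triage(ESET_REPORT)
    print(build_cfscript(keep))
    print("# already quarantined:", len(skipped), "| no file to list:", len(mem))
```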


#9 clumper (Topic Starter)
Posted 15 January 2012 - 12:27 PM

Two things happened that struck me as odd:
1. When I ran ComboFix it told me that McAfee antivirus/antispyware were running and that I should turn them off. But I uninstalled McAfee yesterday, so it shouldn't be running at all. I ran ComboFix anyway.
2. After ComboFix rebooted my computer, one warning window (with a red circle with an "X" inside of it) popped up. It says C:\Windows\system32\GFxUI.exe A device attached to the system is not functioning.

Other than that, everything seems to be running great so far.
Is there a recommended anti-virus that I should download, since I uninstalled mine?




ComboFix 12-01-15.01 - ryan stack 01/15/2012 12:09:34.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5876.4311 [GMT -5:00]
Running from: c:\users\ryan stack\Desktop\ComboFix.exe
Command switches used :: c:\users\ryan stack\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files (x86)\Windows jZip Toolbar\Datamngr\datamngr.dll"
"c:\program files (x86)\Windows jZip Toolbar\Datamngr\datamngrUI.exe"
"c:\program files (x86)\Windows jZip Toolbar\Datamngr\IEBHO.dll"
"c:\users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\30f8808a-61b0bab5"
"c:\users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\6e684651-52613326"
"c:\users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\363037d6-18257a3e"
"c:\users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\3ba0d75f-59692eb4"
"c:\users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\5958c3a6-42c11f76"
"c:\users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\3d47b3ea-4964e8d8"
"c:\users\ryan stack\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\58b127f2-3ddd8314"
"c:\windows\assembly\temp\U\80000032.@"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Windows jZip Toolbar\Datamngr\datamngr.dll
c:\program files (x86)\Windows jZip Toolbar\Datamngr\datamngrUI.exe
c:\program files (x86)\Windows jZip Toolbar\Datamngr\IEBHO.dll
c:\windows\assembly\temp\U\80000032.@
.
.
((((((((((((((((((((((((( Files Created from 2011-12-15 to 2012-01-15 )))))))))))))))))))))))))))))))
.
.
2012-01-15 17:12 . 2012-01-15 17:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-15 04:20 . 2012-01-15 04:20 -------- d-----w- c:\program files (x86)\ESET
2012-01-07 23:52 . 2012-01-07 23:52 -------- d-----w- c:\users\ryan stack\AppData\Roaming\Malwarebytes
2012-01-07 23:52 . 2012-01-07 23:52 -------- d-----w- c:\programdata\Malwarebytes
2012-01-07 23:52 . 2012-01-14 01:13 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-07 23:52 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 05:08 . 2011-11-29 05:08 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin
2011-11-23 08:06 . 2011-07-18 01:46 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-15_02.11.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 05:10 . 2012-01-15 02:13 26908 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-03-02 03:55 . 2012-01-15 02:13 10836 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3662471028-578440783-1738224185-1003_UserData.bin
+ 2009-07-14 05:30 . 2012-01-15 02:49 86016 c:\windows\system32\DriverStore\infpub.dat
- 2009-07-14 05:30 . 2012-01-15 01:58 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2011-03-01 23:04 . 2012-01-15 02:15 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-03-01 23:04 . 2012-01-15 00:16 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-03-01 23:04 . 2012-01-15 00:16 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-03-01 23:04 . 2012-01-15 02:15 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-15 02:15 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-15 00:16 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-05 02:42 . 2012-01-15 17:12 3386 c:\windows\system32\wdi\ERCQueuedResolutions.dat
- 2012-01-15 02:11 . 2012-01-15 02:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-15 17:13 . 2012-01-15 17:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-15 17:13 . 2012-01-15 17:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-15 02:11 . 2012-01-15 02:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 04:54 . 2012-01-15 02:11 425984 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-15 17:13 425984 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-03-02 00:02 . 2012-01-15 17:03 229104 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2012-01-15 02:16 615360 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-01-15 02:16 103702 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:30 . 2012-01-15 02:49 239616 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2012-01-15 01:58 239616 c:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 04:54 . 2012-01-15 17:13 4440064 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-15 02:11 4440064 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-15 02:11 4243456 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-15 17:13 4243456 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 02:34 . 2012-01-15 00:13 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2012-01-15 03:00 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\ryan stack\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-08-18 137536]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-23 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 0002231326592720mcinstcleanup;McAfee Application Installer Cleanup (0002231326592720);c:\users\RYANST~1\AppData\Local\Temp\000223~1.EXE [x]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-23 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-23 136176]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
R3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0;PCDSRVC{67F2314B-25F2B3C0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\gencotst\pcdsrvc_x64.pkms [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-08-25 235624]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-07-01 2533400]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 qicflt;upper Device Filter Driver;c:\windows\system32\DRIVERS\qicflt.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3662471028-578440783-1738224185-1003Core.job
- c:\users\ryan stack\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-18 21:58]
.
2012-01-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3662471028-578440783-1738224185-1003UA.job
- c:\users\ryan stack\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-18 21:58]
.
2012-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-23 08:05]
.
2012-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-23 08:05]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-11-09 6539880]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-11-04 2181224]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2010-08-25 283240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-09-03 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-09-03 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-09-03 415256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\WIF0E7~1\Datamngr\x64\datamngr.dll c:\progra~2\WIF0E7~1\Datamngr\x64\IEBHO.dll c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: youtube.com\www
TCP: DhcpNameServer = 192.168.2.1
DPF: Cab1 - hxxps://registration.rr.com/RegHelper.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-10 - (no file)
Wow6432Node-HKLM-Run-DATAMNGR - c:\progra~2\WIF0E7~1\Datamngr\DATAMN~1.EXE
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{67F2314B-25F2B3C0-06020101}_0]
"ImagePath"="\??\c:\gencotst\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-01-15 12:16:19 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-15 17:16
ComboFix2.txt 2012-01-15 02:15
.
Pre-Run: 688,116,912,128 bytes free
Post-Run: 688,094,003,200 bytes free
.
- - End Of File - - 48F3C2562B87D23BF00B1D1CBCCCAE7C

#10 CatByte (Malware Response Team)
Posted 15 January 2012 - 12:37 PM

I can script out all the McAfee remnants.

Personally I use Microsoft Security Essentials; it's excellent and free. Avira AntiVir and Avast are also excellent free products. For a paid-for AV, I'd recommend Kaspersky.


Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

SecCenter::
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

Folder::
C:\Program Files\Common Files\McAfee

Driver::
0002231326592720mcinstcleanup

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Let me know how the computer is running now

Please install the AV of your choice and give it a run; let me know if it finds anything in any place other than quarantine (qoobox) or old system restore points.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
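After a CFScript run, the log above is the record of what ComboFix deleted, but the check a responder actually wants is whether each named target is gone from the live system. The script below is an added example, not part of the thread and not ComboFix's own code: it parses the CFScript text from the post (the layout of a `Name::` header followed by one target per line is assumed from that post), then checks every Folder::, Driver:: and Registry:: target, and looks the SecCenter:: product GUIDs up in the WMI `root\SecurityCenter2` namespace, where each registered product carries an `instanceGuid` that is assumed to be the GUID shown in the SecCenter:: lines. Run it from an elevated PowerShell prompt on the cleaned machine.

```powershell
# Added example, not from the thread or from ComboFix. Verifies that the
# targets named in a CFScript are actually gone after the run. The CFScript
# text is the one from the post; the Section:: layout is assumed from it.
# Security Center lookups use WMI root\SecurityCenter2 (Get-WmiObject keeps
# this working on the Windows 7 / PowerShell 2.0 era machine in the thread).

$cfscript = @'
SecCenter::
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

Folder::
C:\Program Files\Common Files\McAfee

Driver::
0002231326592720mcinstcleanup

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

ClearJavaCache::
'@

function ConvertFrom-CFScript {
    param([string]$Text)
    # Returns a hashtable: section name -> array of target lines under it.
    $sections = @{}
    $current = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -match '^(\w+)::$') {
            $current = $Matches[1]
            $sections[$current] = @()
            continue
        }
        if ($current) { $sections[$current] += $line }
    }
    return $sections
}

function Test-CFScriptResidue {
    param([hashtable]$Sections)
    $residue = @()

    # Folder:: targets should no longer exist on disk.
    foreach ($path in $Sections['Folder']) {
        if (Test-Path -LiteralPath $path) { $residue += "folder still present: $path" }
    }

    # Driver:: targets are service/driver names: check the SCM and the registry key.
    foreach ($svc in $Sections['Driver']) {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { $residue += "service still registered: $svc" }
        if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc") { $residue += "service key still present: $svc" }
    }

    # Registry:: lines written as [-KEY] ask ComboFix to delete KEY.
    foreach ($entry in $Sections['Registry']) {
        if ($entry -match '^\[-(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\]$') {
            $hive = if ($Matches[1] -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
            $keyPath = "$hive\$($Matches[2])"
            if (Test-Path $keyPath) { $residue += "registry key still present: $keyPath" }
        }
    }

    # SecCenter:: lines end in the product GUID; Security Center should no longer list it.
    $guids = @()
    foreach ($e in $Sections['SecCenter']) {
        if ($e -match '\{[0-9A-Fa-f-]+\}') { $guids += $Matches[0] }
    }
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
        $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue
        foreach ($p in $products) {
            if ($guids -contains $p.instanceGuid) {
                $residue += "Security Center still lists $($p.displayName) as $class"
            }
        }
    }
    return $residue
}

$found = @(Test-CFScriptResidue (ConvertFrom-CFScript $cfscript))
if ($found.Count -eq 0) { 'No residue from the CFScript targets found.' } else { $found }
```

Any line the script prints is a target that survived the run (or, in the Security Center case, a stale product registration that is still what the OS believes is installed), which is exactly the situation in which a second CFScript pass or a vendor removal tool is needed before installing the replacement AV.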


#11 clumper (Topic Starter, Members, 18 posts)

Posted 15 January 2012 - 12:53 PM

The warning message I got last time I restarted did NOT come up this time.
So far still running smoothly... I have to go to work; I'll download an AV and do the scan when I get home in a few hours.
You're a superhero.



ComboFix 12-01-15.01 - ryan stack 01/15/2012 12:42:14.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5876.4602 [GMT -5:00]
Running from: c:\users\ryan stack\Desktop\ComboFix.exe
Command switches used :: c:\users\ryan stack\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\McAfee
c:\program files\Common Files\McAfee\MSC\mcuc64.inf
c:\program files\Common Files\McAfee\MSC\McUICnt.exe
c:\program files\Common Files\McAfee\NMC\1033\nmcdef.inf
c:\program files\Common Files\McAfee\NMC\1033\nmclang64.inf
c:\program files\Common Files\McAfee\NMC\nmcuicfg.dat
c:\program files\Common Files\McAfee\VSCore\av64.inf
c:\program files\Common Files\McAfee\VSCore\cfwids.cat
c:\program files\Common Files\McAfee\VSCore\cfwids.inf
c:\program files\Common Files\McAfee\VSCore\cfwids.sys
c:\program files\Common Files\McAfee\VSCore\DAInstall.exe
c:\program files\Common Files\McAfee\VSCore\ftl.dll
c:\program files\Common Files\McAfee\VSCore\fw64.inf
c:\program files\Common Files\McAfee\VSCore\lockdown.dll
c:\program files\Common Files\McAfee\VSCore\McShield.dll
c:\program files\Common Files\McAfee\VSCore\Mcshield.exe
c:\program files\Common Files\McAfee\VSCore\mfeapfa.dll
c:\program files\Common Files\McAfee\VSCore\mfeapfk.cat
c:\program files\Common Files\McAfee\VSCore\mfeapfk.inf
c:\program files\Common Files\McAfee\VSCore\mfeapfk.sys
c:\program files\Common Files\McAfee\VSCore\mfeavfa.dll
c:\program files\Common Files\McAfee\VSCore\mfeavfk.cat
c:\program files\Common Files\McAfee\VSCore\mfeavfk.inf
c:\program files\Common Files\McAfee\VSCore\mfeavfk.sys
c:\program files\Common Files\McAfee\VSCore\mfeclnk.cat
c:\program files\Common Files\McAfee\VSCore\mfeclnk.inf
c:\program files\Common Files\McAfee\VSCore\mfeclnk.sys
c:\program files\Common Files\McAfee\VSCore\mfefire.exe
c:\program files\Common Files\McAfee\VSCore\mfefirek.cat
c:\program files\Common Files\McAfee\VSCore\mfefirek.inf
c:\program files\Common Files\McAfee\VSCore\mfefirek.sys
c:\program files\Common Files\McAfee\VSCore\mfefwctl.dll
c:\program files\Common Files\McAfee\VSCore\mfehida.dll
c:\program files\Common Files\McAfee\VSCore\mfehidin.exe
c:\program files\Common Files\McAfee\VSCore\mfehidk.cat
c:\program files\Common Files\McAfee\VSCore\mfehidk.inf
c:\program files\Common Files\McAfee\VSCore\mfehidk.sys
c:\program files\Common Files\McAfee\VSCore\mfehidk_messages.dll
c:\program files\Common Files\McAfee\VSCore\mfendisk.cat
c:\program files\Common Files\McAfee\VSCore\mfendisk.inf
c:\program files\Common Files\McAfee\VSCore\mfendisk.sys
c:\program files\Common Files\McAfee\VSCore\mfendisk_m.cat
c:\program files\Common Files\McAfee\VSCore\mfendisk_m.inf
c:\program files\Common Files\McAfee\VSCore\mfenlfk.cat
c:\program files\Common Files\McAfee\VSCore\mfenlfk.inf
c:\program files\Common Files\McAfee\VSCore\mfenlfk.sys
c:\program files\Common Files\McAfee\VSCore\mferkda.dll
c:\program files\Common Files\McAfee\VSCore\mferkdet.cat
c:\program files\Common Files\McAfee\VSCore\mferkdet.inf
c:\program files\Common Files\McAfee\VSCore\mferkdet.sys
c:\program files\Common Files\McAfee\VSCore\mfetdi2k.cat
c:\program files\Common Files\McAfee\VSCore\mfetdi2k.inf
c:\program files\Common Files\McAfee\VSCore\mfetdi2k.sys
c:\program files\Common Files\McAfee\VSCore\mfevtpa.dll
c:\program files\Common Files\McAfee\VSCore\mfevtps.exe
c:\program files\Common Files\McAfee\VSCore\mfewfpk.cat
c:\program files\Common Files\McAfee\VSCore\mfewfpk.inf
c:\program files\Common Files\McAfee\VSCore\mfewfpk.sys
c:\program files\Common Files\McAfee\VSCore\mytilus3.dll
c:\program files\Common Files\McAfee\VSCore\mytilus3_server.dll
c:\program files\Common Files\McAfee\VSCore\mytilus3_worker.dll
c:\program files\Common Files\McAfee\VSCore\NaEvent.dll
c:\program files\Common Files\McAfee\VSCore\NaiEvent.dll
c:\program files\Common Files\McAfee\VSCore\scriptsn.dll
c:\program files\Common Files\McAfee\VSCore\strings.bin
c:\program files\Common Files\McAfee\VSCore\vscore.xml
c:\program files\Common Files\McAfee\VSCore\vscore64.inf
c:\program files\Common Files\McAfee\VSCore\VSCVer.dll
c:\program files\Common Files\McAfee\VSCore\x86\DAInstall.exe
c:\program files\Common Files\McAfee\VSCore\x86\lockdown.dll
c:\program files\Common Files\McAfee\VSCore\x86\McShield.dll
c:\program files\Common Files\McAfee\VSCore\x86\mfefwctl.dll
c:\program files\Common Files\McAfee\VSCore\x86\mytilus3.dll
c:\program files\Common Files\McAfee\VSCore\x86\mytilus3_worker.dll
c:\program files\Common Files\McAfee\VSCore\x86\scriptff.dll
c:\program files\Common Files\McAfee\VSCore\x86\scriptsn.dll
c:\program files\Common Files\McAfee\VSCore\x86\strings.bin
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_0002231326592720mcinstcleanup
.
.
((((((((((((((((((((((((( Files Created from 2011-12-15 to 2012-01-15 )))))))))))))))))))))))))))))))
.
.
2012-01-15 17:45 . 2012-01-15 17:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-15 04:20 . 2012-01-15 04:20 -------- d-----w- c:\program files (x86)\ESET
2012-01-07 23:52 . 2012-01-07 23:52 -------- d-----w- c:\users\ryan stack\AppData\Roaming\Malwarebytes
2012-01-07 23:52 . 2012-01-07 23:52 -------- d-----w- c:\programdata\Malwarebytes
2012-01-07 23:52 . 2012-01-14 01:13 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-07 23:52 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 05:08 . 2011-11-29 05:08 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin
2011-11-23 08:06 . 2011-07-18 01:46 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-15_02.11.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 05:10 . 2012-01-15 17:14 27054 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-03-02 03:55 . 2012-01-15 17:14 10956 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3662471028-578440783-1738224185-1003_UserData.bin
- 2009-07-14 05:30 . 2012-01-15 01:58 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2009-07-14 05:30 . 2012-01-15 02:49 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2011-03-01 23:04 . 2012-01-15 02:15 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-03-01 23:04 . 2012-01-15 00:16 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-03-01 23:04 . 2012-01-15 00:16 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-03-01 23:04 . 2012-01-15 02:15 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-15 00:16 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-15 02:15 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-02 04:28 . 2012-01-15 17:47 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-03-02 04:28 . 2012-01-15 02:11 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-03-02 04:28 . 2012-01-15 02:11 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-03-02 04:28 . 2012-01-15 17:47 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-03-02 04:28 . 2012-01-15 02:11 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-02 04:28 . 2012-01-15 17:47 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-03-01 23:08 . 2012-01-15 02:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-03-01 23:08 . 2012-01-15 17:47 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-03-01 23:08 . 2012-01-15 02:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-01 23:08 . 2012-01-15 17:47 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-05 02:42 . 2012-01-15 17:12 3386 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2012-01-15 17:46 . 2012-01-15 17:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-15 02:11 . 2012-01-15 02:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-15 17:46 . 2012-01-15 17:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-15 02:11 . 2012-01-15 02:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2012-01-15 17:46 425984 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-01-15 02:11 425984 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-03-02 00:02 . 2012-01-15 17:03 229104 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2012-01-15 17:17 615360 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-01-15 17:17 103702 c:\windows\system32\perfc009.dat
- 2009-07-14 05:30 . 2012-01-15 01:58 239616 c:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 05:30 . 2012-01-15 02:49 239616 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 04:54 . 2012-01-15 02:11 4440064 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-15 17:46 4440064 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-15 02:11 4243456 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-15 17:46 4243456 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 02:34 . 2012-01-15 00:13 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2012-01-15 17:27 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\ryan stack\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-08-18 137536]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-23 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-23 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-23 136176]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
R3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0;PCDSRVC{67F2314B-25F2B3C0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\gencotst\pcdsrvc_x64.pkms [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-08-25 235624]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-07-01 2533400]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 qicflt;upper Device Filter Driver;c:\windows\system32\DRIVERS\qicflt.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3662471028-578440783-1738224185-1003Core.job
- c:\users\ryan stack\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-18 21:58]
.
2012-01-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3662471028-578440783-1738224185-1003UA.job
- c:\users\ryan stack\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-18 21:58]
.
2012-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-23 08:05]
.
2012-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-23 08:05]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-11-09 6539880]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-11-04 2181224]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2010-08-25 283240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-09-03 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-09-03 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-09-03 415256]
"combofix"="c:\combofix\CF21084.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\WIF0E7~1\Datamngr\x64\datamngr.dll c:\progra~2\WIF0E7~1\Datamngr\x64\IEBHO.dll c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: youtube.com\www
TCP: DhcpNameServer = 192.168.2.1
DPF: Cab1 - hxxps://registration.rr.com/RegHelper.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-10 - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{67F2314B-25F2B3C0-06020101}_0]
"ImagePath"="\??\c:\gencotst\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-01-15 12:49:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-15 17:49
ComboFix2.txt 2012-01-15 17:16
ComboFix3.txt 2012-01-15 02:15
.
Pre-Run: 688,141,324,288 bytes free
Post-Run: 688,093,585,408 bytes free
.
- - End Of File - - 94EB7293AD42A4E789E502CC459CC235

#12 clumper (Topic Starter, Members, 18 posts)

Posted 15 January 2012 - 12:56 PM

Oh, and I haven't downloaded the Adobe or Java yet, but I'll do that then as well.

#13 CatByte (Malware Response Team, 14,664 posts, Canada)

Posted 15 January 2012 - 01:14 PM

:thumbup2:

Ok, let me know how that goes, then if all is well we have an important clean-up routine to perform

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 clumper (Topic Starter, Members, 18 posts)

Posted 15 January 2012 - 07:02 PM

Downloaded Microsoft Security Essentials.
While I was installing it, it told me that my firewall was turned off and that it would turn it back on while it was installing.
But THEN it said it couldn't turn it back on, and I tried to turn it on manually and was unable to as well.
It says that I need to use the recommended settings, but when I click the button that says "use recommended settings" a window pops up that says:
Windows Firewall can't change some of your settings
Error code 0x80070424

Microsoft Security Essentials automatically ran a "quick scan" and found no threats on my computer.

#15 CatByte (Malware Response Team, 14,664 posts, Canada)

Posted 15 January 2012 - 07:05 PM

OK

let's see what's going on with the firewall

please run Farbar Service scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
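Error 0x80070424 is the HRESULT form of Win32 error 1060, ERROR_SERVICE_DOES_NOT_EXIST: the Firewall control panel is failing because the firewall service, or one it depends on, has no registration in the Service Control Manager at all, so retrying the "recommended settings" button cannot help until the missing registration is identified. The script below is an added example, not part of the thread and not Farbar Service Scanner's own code; it performs the same kind of check FSS reports for the firewall-related services. For each service it looks at the registry key, the Start type, the SCM status, the `ServiceDll` the svchost host loads, and that DLL's presence and Authenticode signature. The service names and expected DLL names are the standard Windows 7 ones; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread or from Farbar Service Scanner. Checks the
# services Windows Firewall depends on. 0x80070424 is Win32 error 1060
# (ERROR_SERVICE_DOES_NOT_EXIST): at least one of these services has no key
# under HKLM\SYSTEM\CurrentControlSet\Services. Service and DLL names are the
# standard Windows 7 ones. Written to also run on PowerShell 2.0; run elevated.

function Get-ServiceHealth {
    param(
        [string]$Name,
        [string]$ExpectedDll   # file name the ServiceDll value should end with
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $r = @{ Service = $Name; KeyPresent = (Test-Path $key); Start = $null;
            Status = $null; ServiceDll = $null; Signature = $null; Note = '' }

    if (-not $r.KeyPresent) {
        # This is the condition the firewall UI reports as 0x80070424.
        $r.Note = 'service key missing (ERROR_SERVICE_DOES_NOT_EXIST)'
    }
    else {
        $props = Get-ItemProperty -Path $key
        $r.Start = switch ($props.Start) { 2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' } default { $props.Start } }
        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        $r.Status = if ($svc) { [string]$svc.Status } else { 'not visible to SCM' }

        # svchost-hosted services load the DLL named in Parameters\ServiceDll:
        # a changed path or bad signature is a hijack, a missing file a deletion.
        $paramKey = "$key\Parameters"
        if (Test-Path $paramKey) {
            $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
            $r.ServiceDll = $dll
            if ($dll) {
                $expanded = [Environment]::ExpandEnvironmentVariables($dll)
                if (-not (Test-Path -LiteralPath $expanded)) {
                    $r.Note = 'ServiceDll file missing from disk'
                }
                else {
                    $r.Signature = [string](Get-AuthenticodeSignature -FilePath $expanded).Status
                    if ($expanded -notmatch ('\\' + [regex]::Escape($ExpectedDll) + '$')) {
                        $r.Note = "ServiceDll is not the expected $ExpectedDll"
                    }
                }
            }
        }
        if ($r.Start -eq 'Disabled') { $r.Note = "disabled; $($r.Note)".TrimEnd('; ') }
    }
    New-Object PSObject -Property $r |
        Select-Object Service, KeyPresent, Start, Status, ServiceDll, Signature, Note
}

# MpsSvc (Windows Firewall) depends on BFE (Base Filtering Engine); wscsvc is
# Security Center, which is what MSE consulted when it reported the firewall
# as off; wuauserv is included because Windows Update is one of the FSS checks
# requested above.
$checks = @(
    @{ Name = 'MpsSvc';   Dll = 'mpssvc.dll' },
    @{ Name = 'BFE';      Dll = 'bfe.dll' },
    @{ Name = 'wscsvc';   Dll = 'wscsvc.dll' },
    @{ Name = 'wuauserv'; Dll = 'wuaueng.dll' }
)
$report = foreach ($c in $checks) { Get-ServiceHealth -Name $c.Name -ExpectedDll $c.Dll }
$report | Format-Table -AutoSize
```

A row with `KeyPresent` False is the missing registration behind the 0x80070424 message; a row whose `ServiceDll` points outside `%SystemRoot%\System32` or whose `Signature` is anything but `Valid` is a hijacked host DLL rather than a deleted service, and the two are repaired differently, which is why the FSS log is requested before anything is restored.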