Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

"Windows Antivirus 2007" scam downloaded


  • This topic is locked This topic is locked
43 replies to this topic

#1 Master slacker

Master slacker

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 12 February 2012 - 09:51 PM

My mother-in-law has a Dell Inspiron Mini and in October, she had a pop-up indicate the computer was infected and she needed to download "Windows Antivirus 2007" or something of similar naming. Of course, it is a scam, she got scammed, and I'm trying to undo all the mess it has made. Long story short, she finally gave me the computer to work on yesterday. I found a few problems with MalwareBytes and Microsoft Fixit, but not everything was found / eliminated. She also cannot access the internet either wirelessly or with the cable. WinsockXPfix did nothing. Finally, I tried to install ZoneAlarm, but cannot because the following warning pops up - The ordinal 1110 could not be located in the dynamic link library WSOCK232.dll.

Below and attached are my logs. I know this will take a while, but she's been without this computer for a couple of months already. Thanks for the help. :)

****************************DDS******************************
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Heidi at 19:39:31 on 2012-02-12
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.299 [GMT -6:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\WSED\WSED.exe
C:\Program Files\CapsLKNotify\CapsLKNotify.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111217032946.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Windows 7 Starter Helper: {d381ff29-7cfb-4d4e-b92a-c4eddc696614} - c:\program files\oceanis\systemsetting\StarterHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\program files\dell\dell wireless wlan card\WLTRAY.exe
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [WSED] c:\program files\wsed\WSED.exe
mRun: [CapsLKNotify] c:\program files\capslknotify\CapsLKNotify.exe
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\heidi\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\users\heidi\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{259ED5FC-1120-4931-87AE-6407A54353D8} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\program files\cozi express\CoziProtocolHandler.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-1-25 143840]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-21 56064]
.
=============== Created Last 30 ================
.
2012-02-12 22:19:39 -------- d-----w- c:\windows\system32\Profiles
2012-02-12 20:56:52 -------- d-----w- c:\program files\Free Window Registry Repair
2012-02-12 20:44:17 -------- d-----w- c:\programdata\ErrorEND
2012-02-12 20:27:51 -------- d--h--w- c:\programdata\Common Files
2012-02-12 20:27:33 -------- d-----w- c:\programdata\MFAData
2012-02-12 19:50:34 -------- d-----w- C:\install
2012-02-12 19:39:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-02-12 19:38:33 -------- d-----w- c:\program files\Lavasoft
2012-02-10 13:17:23 -------- d-----w- c:\windows\pss
2012-02-10 02:43:23 -------- d-----w- c:\users\heidi\appdata\roaming\SUPERAntiSpyware.com
2012-02-10 02:43:23 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-10 02:01:33 -------- d-----w- c:\windows\system32\MpEngineStore
2012-02-09 22:09:41 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-04 20:22:05 -------- d-----w- c:\windows\system32\EventProviders
2012-02-04 19:53:42 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-04 19:47:43 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-02-04 19:47:41 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-02-04 19:47:41 224768 ----a-w- c:\windows\system32\schannel.dll
2012-02-04 19:47:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-02-04 19:47:40 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-02-04 19:47:38 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-02-04 19:47:38 314368 ----a-w- c:\windows\system32\webio.dll
2012-02-04 19:47:38 22528 ----a-w- c:\windows\system32\lsass.exe
2012-02-04 19:47:38 22016 ----a-w- c:\windows\system32\secur32.dll
2012-02-04 19:47:37 15360 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-14 11:43:59 1288984 ----a-w- c:\windows\system32\ntdll.dll
2012-01-14 11:43:50 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-14 11:43:40 1328640 ----a-w- c:\windows\system32\quartz.dll
2012-01-14 11:43:39 514560 ----a-w- c:\windows\system32\qdvd.dll
.
==================== Find3M ====================
.
2012-02-10 02:01:24 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2011-12-26 13:31:05 103784 ----a-w- c:\users\heidi\GoToAssistDownloadHelper.exe
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 04:23:31 2340352 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 19:43:12.44 ===============


***********************************************************************

Attached File  Attach.txt   10.76KB   1 downloads

Attached File  ark.txt   69.3KB   1 downloads

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:56 AM

Posted 15 February 2012 - 11:56 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Master slacker

Master slacker
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 16 February 2012 - 09:17 PM

Okay, so here is what has happened so far:

1) I downloaded ComboFix, ended all firewall and AV activity, and ran CF.
2) CF reported I still had firewall and AV scanning active even though they were off per the links in your post.
3) Restarted computer, confirmed firewall and AV still "off", and ran ComboFix.
4) Same problem as mentioned in #2, continued with ComboFix anyway. After an hour, the screen below never changed.

Posted Image

5) Decided to uninstall McAfee firewall and AV security suite. The computer has no network / internet access anyway.
6) Restarted computer and ran CF again.
7) After 18 minutes of scanning, and the same screen shown above never changing, the program "stopped working".

Attached File  combofix_error.jpg   76.94KB   2 downloads

8) This has repeated several times and have not yet been able to complete a scan.

At no time did I even move the cursor, much less click on any window or program. I haven't tried this, but would it be beneficial at all to run CF while in Safe Mode?

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:56 AM

Posted 16 February 2012 - 09:30 PM

Hello

Ok lets try this, I want you to run combofix in safe mode but it is very important that when combofix reboots the computer for you to direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

after combofix has finished its scan please post the report back here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Master slacker

Master slacker
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 16 February 2012 - 10:08 PM

Well, got a notification from CF that the computer is infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult blah blah blah.

Rebooted, but didn't go into safe mode. Will retry this again, if necessary, but it's still chugging along.

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:56 AM

Posted 16 February 2012 - 10:11 PM

if it is still going leave it alone and let me know if it finishes


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Master slacker

Master slacker
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 16 February 2012 - 10:38 PM

Alright, now we're getting somewhere! :)
_______________________________________________

ComboFix 12-02-15.01 - Heidi 02/16/2012 21:07:24.1.2 - x86
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.546 [GMT -6:00]
Running from: c:\users\Heidi\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Heidi\GoToAssistDownloadHelper.exe
c:\windows\$NtUninstallKB12567$\2196091890\@
c:\windows\$NtUninstallKB12567$\2196091890\cfg.ini
c:\windows\$NtUninstallKB12567$\2196091890\Desktop.ini
c:\windows\$NtUninstallKB12567$\2196091890\L\xadqgnnk
c:\windows\$NtUninstallKB12567$\62221816
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2012-01-17 to 2012-02-17 )))))))))))))))))))))))))))))))
.
.
2012-02-17 03:24 . 2012-02-17 03:28 -------- d-----w- c:\users\Heidi\AppData\Local\temp
2012-02-12 22:19 . 2012-02-12 22:19 -------- d-----w- c:\windows\system32\Profiles
2012-02-12 20:56 . 2012-02-12 22:11 -------- d-----w- c:\program files\Free Window Registry Repair
2012-02-12 20:44 . 2012-02-12 20:44 -------- d-----w- c:\programdata\ErrorEND
2012-02-12 20:27 . 2012-02-12 20:27 -------- d--h--w- c:\programdata\Common Files
2012-02-12 20:27 . 2012-02-12 20:27 -------- d-----w- c:\programdata\MFAData
2012-02-12 19:50 . 2012-02-12 19:51 -------- d-----w- C:\install
2012-02-12 19:39 . 2012-02-16 23:18 -------- dc----w- c:\windows\system32\DRVSTORE
2012-02-12 19:38 . 2012-02-12 19:38 -------- d-----w- c:\program files\Lavasoft
2012-02-12 19:38 . 2012-02-16 23:18 -------- d-----w- c:\programdata\Lavasoft
2012-02-10 02:43 . 2012-02-10 02:43 -------- d-----w- c:\users\Heidi\AppData\Roaming\SUPERAntiSpyware.com
2012-02-10 02:43 . 2012-02-10 02:43 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-10 02:01 . 2012-02-10 02:02 -------- d-----w- c:\windows\system32\MpEngineStore
2012-02-09 22:09 . 2012-02-09 22:38 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-04 20:22 . 2012-02-04 20:22 -------- d-----w- c:\windows\system32\EventProviders
2012-02-04 19:47 . 2011-11-17 05:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-02-04 19:47 . 2011-11-17 05:48 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-02-04 19:47 . 2011-11-17 05:42 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-02-04 19:47 . 2011-11-17 05:39 224768 ----a-w- c:\windows\system32\schannel.dll
2012-02-04 19:47 . 2011-11-17 05:48 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-02-04 19:47 . 2011-11-17 05:39 314368 ----a-w- c:\windows\system32\webio.dll
2012-02-04 19:47 . 2011-11-17 05:39 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-02-04 19:47 . 2011-11-17 05:39 22016 ----a-w- c:\windows\system32\secur32.dll
2012-02-04 19:47 . 2011-11-17 05:36 22528 ----a-w- c:\windows\system32\lsass.exe
2012-02-04 19:47 . 2011-11-17 05:39 15360 ----a-w- c:\windows\system32\sspisrv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-10 02:01 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2011-11-24 04:23 . 2011-12-17 09:51 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:06 . 2012-01-14 11:43 67072 ----a-w- c:\windows\system32\packager.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-02-10 02:01 . !HASH: COULD NOT OPEN FILE !!!!! . 74240 . . [------] . . c:\windows\System32\drivers\tdx.sys
[7] 2010-11-20 . B459575348C20E8121D6039DA063C704 . 74752 . . [6.1.7601.17514] . . c:\windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys
[7] 2010-11-20 . B459575348C20E8121D6039DA063C704 . 74752 . . [6.1.7601.17514] . . c:\windows\SoftwareDistribution\Download\bd60fbfcf1ac006bf26f6afa5c1dff1a\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-11-05 1594664]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-17 7866912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-05 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-05 150552]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4562944]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-09-17 632176]
"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-06-09 320880]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-09-11 1779952]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
.
c:\users\Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-12-26 13:31 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 23:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
R1 bqhmfgmi;bqhmfgmi;c:\windows\system32\drivers\bqhmfgmi.sys [x]
R1 SASDIFSV;SASDIFSV;c:\users\Heidi\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Heidi\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-22 174592]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-08-20 189440]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 13680]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-03-12 143840]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sonicatheaterinstallerservice
mail2ec
zendcoreapache
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\sppsvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-02-16 21:35:51 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-17 03:35
.
Pre-Run: 120,666,734,592 bytes free
Post-Run: 120,585,342,976 bytes free
.
- - End Of File - - 2A26E07B9B4B302A74830F46AF8CEAAB

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:56 AM

Posted 16 February 2012 - 11:45 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Master slacker

Master slacker
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 17 February 2012 - 12:36 PM

Please download aswMBR to your desktop.

  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know


Seeing how the computer still doesn't have internet / network abilities, is it possible to download the definitions file onto my computer and paste to the infected one?

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:56 AM

Posted 17 February 2012 - 10:27 PM

Hello

Lets check your internet connection

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure all the boxes are checked
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Master slacker

Master slacker
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 17 February 2012 - 10:54 PM

Farbar Service Scanner Version: 14-02-2012
Ran by Heidi (administrator) on 17-02-2012 at 21:53:37
Running from "C:\Users\Heidi\Desktop\Kevin"
Microsoft Windows 7 Starter (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Defender:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
Attention! C:\Windows\system32\Drivers\afd.sys is missing.
C:\Windows\system32\Drivers\tdx.sys
[2009-07-13 17:12] - [2012-02-09 20:01] - 0074240 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\system32\Drivers\tcpip.sys
[2011-12-17 03:55] - [2011-09-29 09:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\dnsrslvr.dll
[2011-12-17 03:43] - [2011-03-02 23:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\Windows\system32\mpssvc.dll
[2009-07-13 17:53] - [2009-07-13 19:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-13 17:54] - [2009-07-13 19:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2009-07-13 17:23] - [2009-07-13 19:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\Windows\system32\vssvc.exe
[2009-07-13 17:24] - [2009-07-13 19:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll
[2009-07-13 18:15] - [2009-07-13 19:16] - 1912832 ____A (Microsoft Corporation) A33408CC036F9C08142B11BE5E93F0A1

C:\Windows\system32\qmgr.dll
[2009-07-13 17:30] - [2009-07-13 19:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:56 AM

Posted 18 February 2012 - 12:04 AM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
afd.sys
tdx.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Master slacker

Master slacker
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 18 February 2012 - 02:23 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 13:09 on 18/02/2012 by Heidi
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"
C:\Windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --a---- 338944 bytes [11:17 21/12/2011] [08:40 20/11/2010] 1151FD4FB0216CFED887BFDE29EBD516
C:\Windows\SoftwareDistribution\Download\bd60fbfcf1ac006bf26f6afa5c1dff1a\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --a---- 338944 bytes [21:41 04/02/2012] [08:40 20/11/2010] 1151FD4FB0216CFED887BFDE29EBD516
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys --a---- 338944 bytes [23:12 13/07/2009] [23:12 13/07/2009] DDC040FDB01EF1712A6B13E52AFB104C
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_d81220b5bf827af7\afd.sys --a---- 338944 bytes [09:57 17/12/2011] [02:35 25/04/2011] 3399BA25B53DE355C41F30E5B74F11CF
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.20951_none_d864ad9ad8c98d1f\afd.sys --a---- 338944 bytes [09:57 17/12/2011] [02:27 25/04/2011] C114AB7A1550D42EA1700FFD4179CF5A
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys --a---- 338944 bytes [09:57 17/12/2011] [02:18 25/04/2011] 9EBBBA55060F786F0FCAA3893BFA2806
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys --a---- 338944 bytes [09:57 17/12/2011] [03:24 25/04/2011] C427F91A748CD342A2B3F9278D9FD6A5

Searching for "tdx.sys"
C:\Windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys --a---- 74752 bytes [11:16 21/12/2011] [08:39 20/11/2010] B459575348C20E8121D6039DA063C704
C:\Windows\SoftwareDistribution\Download\bd60fbfcf1ac006bf26f6afa5c1dff1a\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys --a---- 74752 bytes [21:38 04/02/2012] [08:39 20/11/2010] B459575348C20E8121D6039DA063C704
C:\Windows\System32\drivers\tdx.sys --a---- 74240 bytes [23:12 13/07/2009] [02:01 10/02/2012] (Unable to calculate MD5)

-= EOF =-

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:56 AM

Posted 18 February 2012 - 10:11 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

FCopy::
C:\Windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys | C:\Windows\system32\Drivers\afd.sys
C:\Windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys | C:\Windows\System32\drivers\tdx.sys


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

[b]"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 Master slacker

Master slacker
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 19 February 2012 - 02:14 PM

Ran CF and the log is below. Once completed, I had what appeared to be a connection to the network. Tried to install AVG, but there was a pop-up stating it couldn't install because of a file in the registry to be deleted. Ok, so I restarted the computer. After restarting, there was no more network connection and couldn't install either AVG (no internet connection) or ZoneAlarm (ordinal 1110) just like from the first post of this thread. Anywho, the log is below.

***************************************

ComboFix 12-02-15.01 - Heidi 02/19/2012 12:43:01.2.2 - x86 MINIMAL
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.1013.626 [GMT -6:00]
Running from: c:\users\Heidi\Desktop\ComboFix.exe
Command switches used :: c:\users\Heidi\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB12567$
c:\windows\$NtUninstallKB12567$\2196091890\@
c:\windows\$NtUninstallKB12567$\2196091890\cfg.ini
c:\windows\$NtUninstallKB12567$\2196091890\Desktop.ini
c:\windows\$NtUninstallKB12567$\2196091890\L\xadqgnnk
c:\windows\$NtUninstallKB12567$\4209018068
.
Infected copy of c:\windows\system32\drivers\dfsc.sys was found and disinfected
Restored copy from - The cat found it :)
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_626c324d55864070\netbt.sys
.
.
--------------- FCopy ---------------
.
c:\windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --> c:\windows\system32\Drivers\afd.sys
c:\windows\SoftwareDistribution\Download\18e2c83e42cc8f0cc17b5dbfaf982690\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys --> c:\windows\System32\drivers\tdx.sys
.
((((((((((((((((((((((((( Files Created from 2012-01-19 to 2012-02-19 )))))))))))))))))))))))))))))))
.
.
2012-02-19 18:56 . 2012-02-19 18:58 -------- d-----w- c:\users\Heidi\AppData\Local\temp
2012-02-19 18:56 . 2012-02-19 18:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-19 18:56 . 2010-11-20 08:39 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-19 18:43 . 2010-11-20 08:40 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-19 18:39 . 2011-04-27 02:33 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2012-02-12 22:19 . 2012-02-12 22:19 -------- d-----w- c:\windows\system32\Profiles
2012-02-12 20:56 . 2012-02-12 22:11 -------- d-----w- c:\program files\Free Window Registry Repair
2012-02-12 20:44 . 2012-02-12 20:44 -------- d-----w- c:\programdata\ErrorEND
2012-02-12 20:27 . 2012-02-12 20:27 -------- d--h--w- c:\programdata\Common Files
2012-02-12 20:27 . 2012-02-12 20:27 -------- d-----w- c:\programdata\MFAData
2012-02-12 19:50 . 2012-02-12 19:51 -------- d-----w- C:\install
2012-02-12 19:39 . 2012-02-16 23:18 -------- dc----w- c:\windows\system32\DRVSTORE
2012-02-12 19:38 . 2012-02-12 19:38 -------- d-----w- c:\program files\Lavasoft
2012-02-12 19:38 . 2012-02-16 23:18 -------- d-----w- c:\programdata\Lavasoft
2012-02-10 02:43 . 2012-02-10 02:43 -------- d-----w- c:\users\Heidi\AppData\Roaming\SUPERAntiSpyware.com
2012-02-10 02:43 . 2012-02-10 02:43 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-10 02:01 . 2012-02-10 02:02 -------- d-----w- c:\windows\system32\MpEngineStore
2012-02-09 22:09 . 2012-02-19 18:57 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-04 20:22 . 2012-02-04 20:22 -------- d-----w- c:\windows\system32\EventProviders
2012-02-04 19:47 . 2011-11-17 05:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-02-04 19:47 . 2011-11-17 05:48 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-02-04 19:47 . 2011-11-17 05:42 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-02-04 19:47 . 2011-11-17 05:39 224768 ----a-w- c:\windows\system32\schannel.dll
2012-02-04 19:47 . 2011-11-17 05:48 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-02-04 19:47 . 2011-11-17 05:39 314368 ----a-w- c:\windows\system32\webio.dll
2012-02-04 19:47 . 2011-11-17 05:39 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-02-04 19:47 . 2011-11-17 05:39 22016 ----a-w- c:\windows\system32\secur32.dll
2012-02-04 19:47 . 2011-11-17 05:36 22528 ----a-w- c:\windows\system32\lsass.exe
2012-02-04 19:47 . 2011-11-17 05:39 15360 ----a-w- c:\windows\system32\sspisrv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-24 04:23 . 2011-12-17 09:51 2340352 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-11-05 1594664]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-17 7866912]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-05 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-05 150552]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4562944]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-09-17 632176]
"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-06-09 320880]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-09-11 1779952]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
.
c:\users\Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-12-26 13:31 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 23:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
R1 bqhmfgmi;bqhmfgmi;c:\windows\system32\drivers\bqhmfgmi.sys [x]
R1 SASDIFSV;SASDIFSV;c:\users\Heidi\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Heidi\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-22 174592]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-08-20 189440]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 13680]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-03-12 143840]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sonicatheaterinstallerservice
mail2ec
zendcoreapache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
c:\program files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\sppsvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2012-02-19 13:06:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-19 19:06
ComboFix2.txt 2012-02-17 03:35
.
Pre-Run: 120,615,055,360 bytes free
Post-Run: 120,547,823,616 bytes free
.
- - End Of File - - 039BD47357C8001F507EF2BD435CF0D4




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users