Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

No windows services or basic features


  • This topic is locked This topic is locked
16 replies to this topic

#1 goetze

goetze

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 07 March 2012 - 11:54 PM

I am unable to access much of anything on my computer. It seems all of the local saved files that I have are working fine. However I am unable to start aero, most windows services, power control options, or any network options. I thought it was a maleware/spyware issue and ran Malewarebytes but it was unable to locate anything.

When I ran gmer it did not allow me to select/deselect any options from System to Libraries, or Show all. So the scan was run with just Services, registry, files, c:, and ADS checked.

DDS.log


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Candy at 20:39:01 on 2012-03-07
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3838.2738 [GMT -6:00]
.
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv53&r=27360410n6b6l0410z185a44m1x55p
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
Trusted Zone: bing.com
Trusted Zone: doccentral.com
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: live.com
Trusted Zone: rdesk.com
Trusted Zone: realtytools.com
Trusted Zone: rexplorer.net
Trusted Zone: safemls.net
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: toolkitcma.com
Trusted Zone: toolkitcma2.com
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: xmlsweb.com
DPF: {0854D220-A90A-466D-BC02-6683183802B7} - hxxp://daar.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://firstphoto.lifepics.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{9195186F-2D67-41E1-A485-B0F15165F3D5} : DhcpNameServer = 199.21.240.66 8.8.8.8
TCP: Interfaces\{FBC514C3-BAD6-4AC8-90B1-E8F17D81FF26} : DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{FBC514C3-BAD6-4AC8-90B1-E8F17D81FF26}\44141425 : DhcpNameServer = 68.115.71.53 24.156.64.53
TCP: Interfaces\{FBC514C3-BAD6-4AC8-90B1-E8F17D81FF26}\64F63747562737F57457563747 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{FBC514C3-BAD6-4AC8-90B1-E8F17D81FF26}\762796A7A7C69737261627 : DhcpNameServer = 192.168.0.1 205.171.3.65
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\CoIEPlg.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\coIEPlg.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1008030.006\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1008030.006\SYMEFA64.SYS [?]
R1 BHDrvx64;Symantec Heuristics Driver;C:\Windows\system32\Drivers\NISx64\1008030.006\BHDrvx64.sys --> C:\Windows\system32\Drivers\NISx64\1008030.006\BHDrvx64.sys [?]
R1 ccHP;Symantec Hash Provider;C:\Windows\system32\Drivers\NISx64\1008030.006\ccHPx64.sys --> C:\Windows\system32\Drivers\NISx64\1008030.006\ccHPx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20120305.001\IDSviA64.sys [2012-3-6 488568]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-3-6 652360]
R3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 SYMNDISV;Symantec Network Filter Driver;C:\Windows\system32\Drivers\NISx64\1008030.006\SYMNDISV.SYS --> C:\Windows\system32\Drivers\NISx64\1008030.006\SYMNDISV.SYS [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-6-3 136176]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-6-3 136176]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2009-10-29 225280]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S4 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S4 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S4 ePowerSvc;Acer ePower Service;C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe [2010-1-19 844320]
S4 Greg_Service;GRegService;C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [2009-8-28 1150496]
S4 HsfXAudioService;HsfXAudioService;C:\Windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
S4 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S4 Norton Internet Security;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [2011-10-11 117648]
S4 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-9-24 62720]
S4 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2009-10-29 240160]
S4 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-03-08 02:25:42 -------- d-----w- C:\6eff88d9ec083d062f6da870209e53
2012-03-07 04:57:28 -------- d-----w- C:\Users\Candy\AppData\Roaming\Malwarebytes
2012-03-07 04:57:17 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-07 04:57:17 -------- d-----w- C:\ProgramData\Malwarebytes
2012-03-07 04:57:16 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-07 04:44:57 -------- d-----w- C:\$RECYCLE.BIN
2012-03-07 04:34:47 -------- d-----w- C:\ComboFix
2012-03-07 04:14:20 -------- d-----w- C:\39e885d28ea2024400e2
2012-03-07 04:11:42 -------- d-----w- C:\e6ee3f33985797e462c12fcda793bb
2012-03-07 03:42:43 -------- d-----w- C:\a417c97734e0311c70e2986c6a
2012-03-07 03:29:30 -------- d-----w- C:\644e1d8db288828ae3c55c167d
2012-03-07 02:59:37 98816 ----a-w- C:\Windows\sed.exe
2012-03-07 02:59:37 518144 ----a-w- C:\Windows\SWREG.exe
2012-03-07 02:59:37 256000 ----a-w- C:\Windows\PEV.exe
2012-03-07 02:59:37 208896 ----a-w- C:\Windows\MBR.exe
2012-03-06 16:14:05 -------- d-----w- C:\Users\Candy\AppData\Local\ElevatedDiagnostics
2012-03-06 14:56:28 -------- d-----w- C:\Users\Candy\AppData\Local\Symantec
.
==================== Find3M ====================
.
.
============= FINISH: 20:42:17.89 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:44 PM

Posted 12 March 2012 - 07:24 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 goetze

goetze
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 12 March 2012 - 07:56 PM

I am here and ready to go. Thank you in advance for your help.



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:44 PM

Posted 12 March 2012 - 07:58 PM

It sounds like you still have some accessibility to tools being run so please run aswMBR so we can look for, what I suspect you have been hit by, ZeroAccess.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Posted Image
m0le is a proud member of UNITE

#5 goetze

goetze
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 12 March 2012 - 09:54 PM

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-12 21:52:26
-----------------------------
21:52:26.020 OS Version: Windows x64 6.1.7600
21:52:26.020 Number of processors: 2 586 0x602
21:52:26.020 ComputerName: CANDY-PC UserName: Candy
21:52:27.362 Initialize success
21:52:48.874 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000060
21:52:48.874 Disk 0 Vendor: ST950032 0001 Size: 476940MB BusType: 11
21:52:48.890 Disk 0 MBR read successfully
21:52:48.890 Disk 0 MBR scan
21:52:48.890 Disk 0 Windows VISTA default MBR code
21:52:48.905 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12000 MB offset 2048
21:52:48.921 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 24578048
21:52:48.937 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 464838 MB offset 24782848
21:52:48.952 Disk 0 scanning C:\Windows\system32\drivers
21:52:57.704 Service scanning
21:53:22.508 Modules scanning
21:53:22.508 Disk 0 trace - called modules:
21:53:22.570 ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys ACPI.sys storport.sys hal.dll amdsata.sys
21:53:22.570 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80045ed060]
21:53:22.586 3 CLASSPNP.SYS[fffff8800199643f] -> nt!IofCallDriver -> [0xfffffa80045da770]
21:53:22.586 5 amdxata.sys[fffff880010bd8b9] -> nt!IofCallDriver -> [0xfffffa80045dae40]
21:53:22.586 7 ACPI.sys[fffff88000f93781] -> nt!IofCallDriver -> \Device\00000060[0xfffffa80045d65d0]
21:53:22.601 Scan finished successfully
21:53:57.858 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
21:53:57.889 The log file has been saved successfully to "E:\aswMBR.txt"

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:44 PM

Posted 13 March 2012 - 05:15 PM

That looks fine. Please now run FSS

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Posted Image
m0le is a proud member of UNITE

#7 goetze

goetze
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 14 March 2012 - 12:36 PM

Farbar Service Scanner Version: 01-03-2012
Ran by Candy (administrator) on 14-03-2012 at 12:35:16
Running from "E:\"
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is set to Disabled. The default start type is Auto.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Nsi Service is not running. Checking service configuration:
The start type of Nsi service is set to Disabled. The default start type is Auto.
The ImagePath of Nsi service is OK.
The ServiceDll of Nsi service is OK.


Connection Status:
==============
Localhost is blocked.
LAN connected.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:44 PM

Posted 14 March 2012 - 06:15 PM

We need to take a look into the system through the recovery environment

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Scan your computer's memory for errors.
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your next reply.[/list]
Posted Image
m0le is a proud member of UNITE

#9 goetze

goetze
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 15 March 2012 - 01:20 PM

Scan result of Farbar Recovery Scan Tool Version: 14-03-2012 02
Ran by SYSTEM at 15-03-2012 13:16:17
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [460872 2012-01-13] (Malwarebytes Corporation)
HKU\Candy\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-10-29] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.25

==================== Services (Whitelisted) ======

4 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [462184 2011-08-30] (Apple Inc.)
4 IntuitUpdateService; "C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe" [13672 2010-08-23] (Intuit Inc.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [652360 2012-01-13] (Malwarebytes Corporation)
4 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
4 Norton Internet Security; "C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\diMaster.dll" /prefetch:1 [135024 2011-10-11] (Symantec Corporation)
4 NTI IScheduleSvc; C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [62720 2009-09-24] (NewTech Infosystems, Inc.)
3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]

========================== Drivers (Whitelisted) =============

1 BHDrvx64; C:\Windows\System32\Drivers\NISx64\1008030.006\BHDrvx64.sys [334384 2010-01-20] (Symantec Corporation)
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [95232 2009-07-13] (Microsoft Corporation)
1 ccHP; C:\Windows\System32\Drivers\NISx64\1008030.006\ccHPx64.sys [561800 2011-10-11] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [482936 2012-02-03] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20120305.001\IDSvia64.sys [488568 2011-12-15] (Symantec Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [23152 2011-12-10] (Malwarebytes Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20120305.032\ENG64.SYS [117880 2011-08-04] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20120305.032\EX64.SYS [2048632 2011-08-04] (Symantec Corporation)
3 NTIDrvr; C:\Windows\System32\Drivers\NTIDrvr.sys [18432 2009-05-05] (NewTech Infosystems, Inc.)
3 SRTSP; C:\Windows\System32\Drivers\NISx64\1008030.006\SRTSP64.SYS [476720 2009-10-29] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\drivers\NISx64\1008030.006\SRTSPX64.SYS [32304 2009-10-29] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NISx64\1008030.006\SYMEFA64.SYS [402992 2009-10-29] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [172592 2010-04-12] (Symantec Corporation)
3 SYMFW; C:\Windows\System32\Drivers\NISx64\1008030.006\SYMFW.SYS [120952 2011-09-21] (Symantec Corporation)
1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [31280 2009-10-29] (Symantec Corporation)
3 SYMNDISV; C:\Windows\System32\Drivers\NISx64\1008030.006\SYMNDISV.SYS [56952 2011-09-21] (Symantec Corporation)
1 SYMTDI; C:\Windows\System32\Drivers\NISx64\1008030.006\SYMTDI.SYS [279160 2011-09-21] (Symantec Corporation)
3 UBHelper; C:\Windows\System32\Drivers\UBHelper.sys [16896 2009-05-05] (NewTech Infosystems Corporation)
3 catchme; \??\C:\ComboFix\catchme.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-03-15 13:16 - 2012-03-15 13:16 - 0000000 ____D C:\FRST
2012-03-12 18:52 - 2012-03-12 17:44 - 4730880 ____A (AVAST Software) C:\Users\Candy\Desktop\aswMBR.exe
2012-03-08 19:50 - 2012-03-08 19:50 - 0000000 ____D C:\a0fd52d02cc681c904
2012-03-08 19:47 - 2012-03-08 19:47 - 0000000 ____D C:\Users\Public\OEM
2012-03-07 20:48 - 2012-03-07 20:48 - 0000000 ____A C:\Users\Candy\Desktop\ark.txt
2012-03-07 19:38 - 2012-03-07 19:38 - 0000000 ____D C:\Users\Candy\Desktop\gmer
2012-03-07 19:38 - 2012-03-07 19:37 - 0294216 ____A C:\Users\Candy\Desktop\gmer.zip
2012-03-07 19:36 - 2012-03-07 19:32 - 0302592 ____A C:\Users\Candy\Desktop\p5ef73v4 (1).exe
2012-03-07 18:38 - 2012-03-07 18:37 - 0607260 ____R (Swearware) C:\Users\Candy\Desktop\dds.scr
2012-03-06 20:57 - 2012-03-06 20:57 - 0001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-03-06 20:57 - 2012-03-06 20:57 - 0000000 ____D C:\Users\Candy\AppData\Roaming\Malwarebytes
2012-03-06 20:57 - 2012-03-06 20:57 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-03-06 20:57 - 2012-03-06 20:57 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-03-06 20:57 - 2012-03-06 20:57 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-06 20:57 - 2011-12-10 13:24 - 0023152 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-03-06 20:49 - 2012-03-06 20:49 - 0015182 ____A C:\ComboFix.txt
2012-03-06 20:44 - 2012-03-06 20:44 - 0000000 ____D C:\$RECYCLE.BIN
2012-03-06 20:34 - 2012-03-06 20:50 - 0000000 ____D C:\ComboFix
2012-03-06 20:14 - 2012-03-06 20:14 - 0000000 ____D C:\39e885d28ea2024400e2
2012-03-06 20:11 - 2012-03-06 20:11 - 0000000 ____D C:\e6ee3f33985797e462c12fcda793bb
2012-03-06 19:42 - 2012-03-06 19:42 - 0000000 ____D C:\a417c97734e0311c70e2986c6a
2012-03-06 19:29 - 2012-03-06 19:29 - 0000000 ____D C:\644e1d8db288828ae3c55c167d
2012-03-06 18:59 - 2012-03-06 20:50 - 0000000 ____D C:\Qoobox
2012-03-06 18:59 - 2012-03-06 19:16 - 0000000 ____D C:\Windows\ERDNT
2012-03-06 18:59 - 2011-06-25 22:45 - 0256000 ____A C:\Windows\PEV.exe
2012-03-06 18:59 - 2010-11-07 09:20 - 0208896 ____A C:\Windows\MBR.exe
2012-03-06 18:59 - 2009-04-19 20:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-03-06 18:59 - 2000-08-30 16:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-03-06 18:59 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-03-06 18:59 - 2000-08-30 16:00 - 0098816 ____A C:\Windows\sed.exe
2012-03-06 18:59 - 2000-08-30 16:00 - 0080412 ____A C:\Windows\grep.exe
2012-03-06 18:59 - 2000-08-30 16:00 - 0068096 ____A C:\Windows\zip.exe
2012-03-06 08:16 - 2012-03-06 08:17 - 0000000 ____D C:\Users\Candy\Desktop\candys pictures
2012-03-06 08:14 - 2012-03-06 19:21 - 0000000 ____D C:\Users\Candy\AppData\Local\ElevatedDiagnostics
2012-03-06 08:12 - 2012-03-06 19:57 - 0487478 ____A C:\Windows\ntbtlog.txt
2012-03-06 06:56 - 2012-03-06 06:56 - 0000000 ____D C:\Users\Candy\AppData\Local\Symantec
2012-03-06 06:38 - 2012-03-06 06:38 - 0009216 ____A C:\Users\Candy\Documents\Untitled Document.wps

============ 3 Months Modified Files and Folders =============

2012-03-15 10:11 - 2010-01-19 04:55 - 1341080 ____A C:\Windows\WindowsUpdate.log
2012-03-15 10:11 - 2009-07-13 20:45 - 0017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-03-15 10:11 - 2009-07-13 20:45 - 0017600 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-03-15 10:04 - 2010-06-03 16:31 - 0000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-03-15 10:04 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-03-15 10:03 - 2010-01-19 04:50 - 3018608640 __ASH C:\hiberfil.sys
2012-03-15 10:00 - 2011-10-04 07:44 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2075825655-4226795555-3135508559-1000UA.job
2012-03-15 09:18 - 2010-06-03 16:31 - 0000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-03-14 09:33 - 2009-07-13 21:13 - 0739790 ____A C:\Windows\System32\PerfStringBackup.INI
2012-03-12 17:44 - 2012-03-12 18:52 - 4730880 ____A (AVAST Software) C:\Users\Candy\Desktop\aswMBR.exe
2012-03-12 08:10 - 2009-10-29 12:25 - 0010716 ____A C:\Windows\PFRO.log
2012-03-08 19:50 - 2012-03-08 19:50 - 0000000 ____D C:\a0fd52d02cc681c904
2012-03-08 19:47 - 2012-03-08 19:47 - 0000000 ____D C:\Users\Public\OEM
2012-03-08 19:47 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2012-03-08 12:00 - 2011-10-04 07:44 - 0000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2075825655-4226795555-3135508559-1000Core.job
2012-03-07 21:00 - 2010-04-24 08:36 - 0002452 ____A C:\Users\Candy\AppData\Roaming\wklnhst.dat
2012-03-07 21:00 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\System32\FxsTmp
2012-03-07 20:48 - 2012-03-07 20:48 - 0000000 ____A C:\Users\Candy\Desktop\ark.txt
2012-03-07 19:38 - 2012-03-07 19:38 - 0000000 ____D C:\Users\Candy\Desktop\gmer
2012-03-07 19:37 - 2012-03-07 19:38 - 0294216 ____A C:\Users\Candy\Desktop\gmer.zip
2012-03-07 19:32 - 2012-03-07 19:36 - 0302592 ____A C:\Users\Candy\Desktop\p5ef73v4 (1).exe
2012-03-07 18:37 - 2012-03-07 18:38 - 0607260 ____R (Swearware) C:\Users\Candy\Desktop\dds.scr
2012-03-06 20:57 - 2012-03-06 20:57 - 0001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-03-06 20:57 - 2012-03-06 20:57 - 0000000 ____D C:\Users\Candy\AppData\Roaming\Malwarebytes
2012-03-06 20:57 - 2012-03-06 20:57 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-03-06 20:57 - 2012-03-06 20:57 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-03-06 20:57 - 2012-03-06 20:57 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-06 20:50 - 2012-03-06 20:34 - 0000000 ____D C:\ComboFix
2012-03-06 20:50 - 2012-03-06 18:59 - 0000000 ____D C:\Qoobox
2012-03-06 20:49 - 2012-03-06 20:49 - 0015182 ____A C:\ComboFix.txt
2012-03-06 20:44 - 2012-03-06 20:44 - 0000000 ____D C:\$RECYCLE.BIN
2012-03-06 20:44 - 2009-07-13 18:34 - 0000215 ____A C:\Windows\system.ini
2012-03-06 20:44 - 2009-07-13 18:34 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-03-06 20:14 - 2012-03-06 20:14 - 0000000 ____D C:\39e885d28ea2024400e2
2012-03-06 20:11 - 2012-03-06 20:11 - 0000000 ____D C:\e6ee3f33985797e462c12fcda793bb
2012-03-06 19:57 - 2012-03-06 08:12 - 0487478 ____A C:\Windows\ntbtlog.txt
2012-03-06 19:42 - 2012-03-06 19:42 - 0000000 ____D C:\a417c97734e0311c70e2986c6a
2012-03-06 19:29 - 2012-03-06 19:29 - 0000000 ____D C:\644e1d8db288828ae3c55c167d
2012-03-06 19:21 - 2012-03-06 08:14 - 0000000 ____D C:\Users\Candy\AppData\Local\ElevatedDiagnostics
2012-03-06 19:16 - 2012-03-06 18:59 - 0000000 ____D C:\Windows\ERDNT
2012-03-06 09:56 - 2010-04-12 11:16 - 0000000 ____D C:\Users\Candy\Tracing
2012-03-06 08:17 - 2012-03-06 08:16 - 0000000 ____D C:\Users\Candy\Desktop\candys pictures
2012-03-06 08:17 - 2010-09-07 07:25 - 0000000 ____D C:\Users\Candy\Desktop\mis. real estate pics
2012-03-06 06:56 - 2012-03-06 06:56 - 0000000 ____D C:\Users\Candy\AppData\Local\Symantec
2012-03-06 06:44 - 2011-10-18 11:32 - 0187904 __ASH C:\Users\Candy\Desktop\Thumbs.db
2012-03-06 06:38 - 2012-03-06 06:38 - 0009216 ____A C:\Users\Candy\Documents\Untitled Document.wps
2012-03-06 06:02 - 2010-04-12 13:00 - 0000000 ____D C:\Users\Candy\Desktop\Scans
2012-03-06 05:57 - 2009-07-13 20:51 - 0203857 ____A C:\Windows\setupact.log
2012-03-02 06:41 - 2011-10-13 14:02 - 0000000 ____D C:\Users\Candy\AppData\Roaming\Dropbox
2012-02-17 05:32 - 2011-08-04 08:57 - 54585368 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-02-16 13:20 - 2011-10-04 07:46 - 0002409 ____A C:\Users\Candy\Desktop\Google Chrome.lnk
2012-02-07 14:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NDF
2012-02-07 12:52 - 2011-12-30 07:01 - 0000000 ____A C:\Users\Candy\Documents\NULL
2012-01-25 10:21 - 2012-01-25 10:21 - 8914866 ____A C:\Users\Candy\Documents\cherra 2.pdf
2012-01-24 13:15 - 2012-01-24 13:15 - 3391152 ____A C:\Users\Candy\Desktop\cherra ma.pdf
2012-01-24 12:25 - 2012-01-24 12:25 - 0000000 ____D C:\Users\Candy\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2012-01-24 12:25 - 2010-04-12 11:10 - 0000000 ____D C:\Users\Candy\AppData\Roaming\Adobe
2012-01-11 13:08 - 2012-01-11 13:08 - 1656330 ____A C:\Users\Candy\Desktop\271-880297Appraisal.pdf
2012-01-03 12:02 - 2012-01-03 12:02 - 0000210 ____A C:\Users\Candy\Desktop\SafeMLS Scout Login.url
2011-12-30 07:12 - 2011-12-30 07:12 - 0000000 ___RD C:\Users\Candy\Documents\Scanned Documents
2011-12-30 07:12 - 2011-12-30 07:12 - 0000000 ____D C:\Users\Candy\Documents\Fax
2011-12-21 09:14 - 2011-12-21 09:14 - 0279031 ____A C:\Users\Candy\Desktop\271-880297_HUDSalesContract.pdf
2011-12-20 07:38 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\rescache


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 3838.36 MB
Available physical RAM: 3155.84 MB
Total Pagefile: 3836.51 MB
Available Pagefile: 3137.11 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (Gateway) (Fixed) (Total:453.94 GB) (Free:405.46 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:11.72 GB) (Free:4.18 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive g: (USB DISK) (Removable) (Total:0.12 GB) (Free:0.12 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 125 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 11 GB 1024 KB
Partition 2 Primary 100 MB 11 GB
Partition 3 Primary 453 GB 11 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 11 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Gateway NTFS Partition 453 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 125 MB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G USB DISK FAT Removable 125 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-03-12 19:23

======================= End Of Log ==========================

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:44 PM

Posted 15 March 2012 - 07:31 PM

Please run Combofix, there seems to be no rootkit on board

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#11 goetze

goetze
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 16 March 2012 - 12:25 PM

I did not get any option regarding Windows Recovery Console.


------



ComboFix 12-03-16.03 - Candy 03/16/2012 11:57:13.4.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3838.2940 [GMT -5:00]
Running from: c:\users\Candy\Desktop\CombFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-02-16 to 2012-03-16 )))))))))))))))))))))))))))))))
.
.
2012-03-16 17:07 . 2012-03-16 17:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-15 21:16 . 2012-03-15 21:17 -------- d-----w- C:\FRST
2012-03-09 03:50 . 2012-03-09 03:50 -------- d-----w- C:\a0fd52d02cc681c904
2012-03-09 03:47 . 2012-03-09 03:47 -------- d-----w- c:\users\Public\OEM
2012-03-07 04:57 . 2012-03-07 04:57 -------- d-----w- c:\users\Candy\AppData\Roaming\Malwarebytes
2012-03-07 04:57 . 2012-03-07 04:57 -------- d-----w- c:\programdata\Malwarebytes
2012-03-07 04:57 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-07 04:57 . 2012-03-07 04:57 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-07 04:34 . 2012-03-16 16:55 -------- d-----w- C:\ComboFix
2012-03-07 04:14 . 2012-03-07 04:14 -------- d-----w- C:\39e885d28ea2024400e2
2012-03-07 04:11 . 2012-03-07 04:11 -------- d-----w- C:\e6ee3f33985797e462c12fcda793bb
2012-03-07 03:42 . 2012-03-07 03:42 -------- d-----w- C:\a417c97734e0311c70e2986c6a
2012-03-07 03:29 . 2012-03-07 03:29 -------- d-----w- C:\644e1d8db288828ae3c55c167d
2012-03-06 16:14 . 2012-03-07 03:21 -------- d-----w- c:\users\Candy\AppData\Local\ElevatedDiagnostics
2012-03-06 14:56 . 2012-03-06 14:56 -------- d-----w- c:\users\Candy\AppData\Local\Symantec
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-07_03.13.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-19 13:05 . 2012-03-13 03:26 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-19 13:05 . 2012-01-18 14:30 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-19 13:05 . 2012-01-18 14:30 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-19 13:05 . 2012-03-13 03:26 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-18 14:30 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-13 03:26 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-03-07 03:12 . 2012-03-07 03:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-16 17:09 . 2012-03-16 17:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-16 17:09 . 2012-03-16 17:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-03-07 03:12 . 2012-03-07 03:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2011-11-14 13:50 632946 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-14 17:33 632946 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-14 17:33 110548 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-11-14 13:50 110548 c:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Candy\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Candy\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Candy\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-29 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy Software Installer.lnk - c:\program files\Best Buy Software Installer\Best Buy Software Installer.exe [2009-10-28 1132984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-04 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-04 136176]
R3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-02 225280]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R4 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R4 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2009-09-30 844320]
R4 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-08-28 1150496]
R4 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R4 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [2011-09-22 117648]
R4 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-09-24 62720]
R4 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
R4 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1008030.006\SYMEFA64.SYS [x]
S1 BHDrvx64;Symantec Heuristics Driver;c:\windows\System32\Drivers\NISx64\1008030.006\BHDrvx64.sys [x]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NISx64\1008030.006\ccHPx64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20120305.001\IDSvia64.sys [2011-12-15 488568]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NISx64\1008030.006\SYMNDISV.SYS [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-04 00:31]
.
2012-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-04 00:31]
.
2012-03-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2075825655-4226795555-3135508559-1000Core.job
- c:\users\Candy\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-04 15:11]
.
2012-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2075825655-4226795555-3135508559-1000UA.job
- c:\users\Candy\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-04 15:11]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Candy\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Candy\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Candy\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Candy\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv53&r=27360410n6b6l0410z185a44m1x55p
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: bing.com
Trusted Zone: doccentral.com
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: live.com
Trusted Zone: rdesk.com
Trusted Zone: realtytools.com
Trusted Zone: rexplorer.net
Trusted Zone: safemls.net
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: toolkitcma.com
Trusted Zone: toolkitcma2.com
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: xmlsweb.com
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-16 12:21:22 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-16 17:21
ComboFix2.txt 2012-03-07 04:49
ComboFix3.txt 2012-03-07 04:04
ComboFix4.txt 2012-03-07 03:18
.
Pre-Run: 435,320,832,000 bytes free
Post-Run: 435,176,005,632 bytes free
.
- - End Of File - - A4667EAE84D00299B9E1FFCF513ED822


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:44 PM

Posted 16 March 2012 - 08:22 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please click here and run the file which should set some defaults on the Start Menu

Please let me know which symptoms remain now.
Posted Image
m0le is a proud member of UNITE

#13 goetze

goetze
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 16 March 2012 - 11:32 PM

Still don't have:

Aero/transparency abilities
Network access (wireless/cat5)
It appears numerous services still are not running


-----





ComboFix 12-03-16.03 - Candy 03/16/2012 23:04:04.5.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3838.3068 [GMT -5:00]
Running from: c:\users\Candy\Desktop\CombFix.exe
Command switches used :: E:\CFScript.txt
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-02-17 to 2012-03-17 )))))))))))))))))))))))))))))))
.
.
2012-03-17 04:13 . 2012-03-17 04:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-16 16:55 . 2012-03-16 17:21 -------- d-----w- C:\CombFix
2012-03-15 21:16 . 2012-03-15 21:17 -------- d-----w- C:\FRST
2012-03-09 03:50 . 2012-03-09 03:50 -------- d-----w- C:\a0fd52d02cc681c904
2012-03-09 03:47 . 2012-03-09 03:47 -------- d-----w- c:\users\Public\OEM
2012-03-07 04:57 . 2012-03-07 04:57 -------- d-----w- c:\users\Candy\AppData\Roaming\Malwarebytes
2012-03-07 04:57 . 2012-03-07 04:57 -------- d-----w- c:\programdata\Malwarebytes
2012-03-07 04:57 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-07 04:57 . 2012-03-07 04:57 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-07 04:34 . 2012-03-16 16:55 -------- d-----w- C:\ComboFix
2012-03-07 04:14 . 2012-03-07 04:14 -------- d-----w- C:\39e885d28ea2024400e2
2012-03-07 04:11 . 2012-03-07 04:11 -------- d-----w- C:\e6ee3f33985797e462c12fcda793bb
2012-03-07 03:42 . 2012-03-07 03:42 -------- d-----w- C:\a417c97734e0311c70e2986c6a
2012-03-07 03:29 . 2012-03-07 03:29 -------- d-----w- C:\644e1d8db288828ae3c55c167d
2012-03-06 16:14 . 2012-03-07 03:21 -------- d-----w- c:\users\Candy\AppData\Local\ElevatedDiagnostics
2012-03-06 14:56 . 2012-03-06 14:56 -------- d-----w- c:\users\Candy\AppData\Local\Symantec
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-07_03.13.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-19 13:05 . 2012-03-13 03:26 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-19 13:05 . 2012-01-18 14:30 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-01-19 13:05 . 2012-01-18 14:30 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-19 13:05 . 2012-03-13 03:26 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-18 14:30 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-13 03:26 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-03-07 03:12 . 2012-03-07 03:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-17 04:14 . 2012-03-17 04:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-17 04:14 . 2012-03-17 04:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-03-07 03:12 . 2012-03-07 03:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2011-11-14 13:50 632946 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-14 17:33 632946 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-14 17:33 110548 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-11-14 13:50 110548 c:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Candy\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Candy\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Candy\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-29 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy Software Installer.lnk - c:\program files\Best Buy Software Installer\Best Buy Software Installer.exe [2009-10-28 1132984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-04 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-04 136176]
R3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-02 225280]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R4 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R4 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2009-09-30 844320]
R4 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-08-28 1150496]
R4 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R4 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [2011-09-22 117648]
R4 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-09-24 62720]
R4 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
R4 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1008030.006\SYMEFA64.SYS [x]
S1 BHDrvx64;Symantec Heuristics Driver;c:\windows\System32\Drivers\NISx64\1008030.006\BHDrvx64.sys [x]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NISx64\1008030.006\ccHPx64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20120305.001\IDSvia64.sys [2011-12-15 488568]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NISx64\1008030.006\SYMNDISV.SYS [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-04 00:31]
.
2012-03-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-04 00:31]
.
2012-03-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2075825655-4226795555-3135508559-1000Core.job
- c:\users\Candy\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-04 15:11]
.
2012-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2075825655-4226795555-3135508559-1000UA.job
- c:\users\Candy\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-04 15:11]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Candy\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Candy\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Candy\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Candy\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv53&r=27360410n6b6l0410z185a44m1x55p
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: bing.com
Trusted Zone: doccentral.com
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: live.com
Trusted Zone: rdesk.com
Trusted Zone: realtytools.com
Trusted Zone: rexplorer.net
Trusted Zone: safemls.net
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: toolkitcma.com
Trusted Zone: toolkitcma2.com
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: xmlsweb.com
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
Completion time: 2012-03-16 23:27:19 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-17 04:27
ComboFix2.txt 2012-03-16 17:21
ComboFix3.txt 2012-03-07 04:49
ComboFix4.txt 2012-03-07 04:04
ComboFix5.txt 2012-03-17 04:02
.
Pre-Run: 435,312,549,888 bytes free
Post-Run: 435,175,555,072 bytes free
.
- - End Of File - - 73AA7DFC2F7703B854FDC7074B428E63

#14 goetze

goetze
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 16 March 2012 - 11:43 PM

/sigh

I guess I was channeling idiocracy.

I forgot to check msconfig and it had been set to selective start up. Selected normal and things seem to be working well. Will run it through the paces tonight.

Thanks for the help m0le

#15 goetze

goetze
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 16 March 2012 - 11:48 PM

I guess 1 more question. I've been using Microsoft Security Essentials on it's own.

Would you recommend a different antivirus?

Would you recommend running that with Maleware Bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users