Win7 fails to boot after running McAfee for first time


  • This topic is locked
9 replies to this topic

#1 maximal

  • Members
  • 5 posts

Posted 04 April 2012 - 04:20 PM

Hi guys, first post here after discovering this site via Google trying to sort the problem. Seems to be a bloody good resource, going to bookmark it for future reference when I get going again (talking to you via the miracle of Linux ;) and thanks in advance.

Anyway, I installed McAfee and ran a scan. 7 files were found to be infected and were removed, another 5 could not be, and I was prompted to reboot. Win7 failed to boot. Startup Repair could not fix the problem, and the recovery console could not find any restore points (maybe my fault). I ran the FRST64 scan and posted the results below; any help greatly appreciated. My files are safe so it's not a big deal to do a vanilla install, but having said that I'd really love to be able to fix it without having to resort to that, and obviously in the process find out what went wrong.

Scan result of Farbar Recovery Scan Tool Version: 15-03-2012
Ran by SYSTEM at 04-04-2012 21:30:42
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [703088 2010-12-17] ()
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-03-21] (IDT, Inc.)
HKLM\...\Run: [] [x]
HKLM\...\Run: [Command Center Controllers] "C:\Program Files\Alienware\Command Center\AWCCStartupOrchestrator.exe" [13256 2011-02-04] (Microsoft)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167256 2011-04-10] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391512 2011-04-10] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [415064 2011-04-10] (Intel Corporation)
HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1744152 2011-06-23] (Logitech, Inc.)
HKLM\...\Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray [1935120 2011-05-02] (Intel® Corporation)
HKLM\...\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start [539456 2011-10-15] (NVIDIA Corporation)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2735400 2011-03-31] (Synaptics Incorporated)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2011-03-03] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [AlienwareOn-ScreenDisplay] C:\Program Files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe [1636208 2011-09-02] ()
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [FileServe Manager Task] "C:\Program Files (x86)\FileServe Manager\FSStarter.exe" [954648 2011-09-02] (FileServe Limited)
HKLM-x32\...\Run: [Jomantha] E:\programs\n52teHid.exe [x]
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-05-20] (Intel Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM-x32\...\Run: [facemoods] "C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I [362200 2011-09-05] (facemoods.com)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1675160 2011-11-22] (McAfee, Inc.)
HKU\alien\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1242448 2011-08-04] (Valve Corporation)
HKU\alien\...\Run: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe" [495616 2007-09-02] ()
HKU\alien\...\Run: [] [x]
HKU\alien\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3478336 2012-01-24] (DT Soft Ltd)
HKU\alien\...\Run: [SanDiskSecureAccess_Manager.exe] C:\Users\alien\AppData\Roaming\SanDisk\SanDiskSecureAccess_Manager.exe [30705792 2012-04-02] (Gemalto N.V.)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\UpdatusUser\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [x]
HKU\UpdatusUser\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1242448 2011-08-04] (Valve Corporation)
HKU\UpdatusUser\...\Run: [] [x]
HKU\UpdatusUser\...\Run: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe" [495616 2007-09-02] ()
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
Tcpip\Parameters: [DhcpNameServer] 89.101.160.4 89.101.160.5
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 0251711333473897mcinstcleanup; C:\Users\alien\AppData\Local\Temp\025171~1.EXE C:\PROGRA~2\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [1494 2012-04-03] ()
3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [253600 2012-04-02] (Adobe Systems Incorporated)
2 AlienFusionService; "C:\Program Files\Alienware\Command Center\AlienFusionService.exe" [15296 2011-02-04] (Alienware)
2 AMService; C:\Windows\TEMP\ilhegn\setup.exe run [54784 2012-04-03] ()
2 IAStorDataMgrSvc; "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe" [13592 2011-05-20] (Intel Corporation)
2 IconMan_R; "C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe" [2372096 2011-03-03] (Realsil Microelectronics Inc.)
3 LBTServ; C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe [359192 2011-06-16] (Logitech, Inc.)
2 lvmvdrv; C:\Windows\System32\mcusrmgr.dll [6656 2009-07-13] (Oak Technology Inc.)
2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [502032 2011-10-18] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [199272 2011-12-06] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [208536 2011-12-06] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [161168 2011-11-18] (McAfee, Inc.)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-05-02] ()
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [75064 2011-10-24] ()
2 ScrybeUpdater; "C:\Program Files (x86)\Synaptics\Scrybe\Service\ScrybeUpdater.exe" [1300264 2011-05-27] (Synaptics, Inc.)
3 ServiceLayer; "C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe" [718384 2011-10-27] (Nokia)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2011-03-03] (Intel Corporation)

========================== Drivers (Whitelisted) =============

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [65264 2011-10-15] (McAfee, Inc.)
1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-01-27] (DT Soft Ltd)
0 EMSC; C:\Windows\System32\Drivers\EMSC.sys [16752 2009-06-26] (Windows ® Win 7 DDK provider)
0 EMSC; C:\Windows\SysWow64\Drivers\EMSC.sys [13680 2009-06-26] (Windows ® Win 7 DDK provider)
3 JmtFltr; C:\Windows\System32\Drivers\JmtFltr.sys [46464 2007-09-28] ()
3 LHidFilt; C:\Windows\System32\Drivers\LHidFilt.sys [66840 2011-04-30] (Logitech, Inc.)
3 LMouFilt; C:\Windows\System32\Drivers\LMouFilt.sys [60184 2011-04-30] (Logitech, Inc.)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [160280 2011-10-15] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [229528 2011-10-15] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [481768 2011-10-15] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [647080 2011-10-15] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\Drivers\mfenlfk.sys [75808 2011-10-15] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [100912 2011-10-15] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [284648 2011-10-15] (McAfee, Inc.)
2 MsiPcap; C:\Windows\System32\Drivers\MsiPcap.sys [28400 2011-11-14] (Migration Specialties International, Inc.)
3 NETwNs64; C:\Windows\System32\Drivers\NETwNs64.sys [8507392 2011-01-04] (Intel Corporation)
3 nmwcd; C:\Windows\System32\drivers\ccdcmbx64.sys [19968 2011-08-17] (Nokia)
3 nmwcdc; C:\Windows\System32\drivers\ccdcmbox64.sys [27136 2011-08-17] (Nokia)
3 pccsmcfd; C:\Windows\System32\DRIVERS\pccsmcfdx64.sys [25600 2008-08-28] (Nokia)
3 RSPCIESTOR; C:\Windows\System32\DRIVERS\RtsPStor.sys [335464 2011-03-03] (Realtek Semiconductor Corp.)
3 RTCore64; \??\C:\Program Files (x86)\EVGA Precision\RTCore64.sys [14440 2011-08-31] ()
3 upperdev; C:\Windows\System32\DRIVERS\usbser_lowerfltx64.sys [9216 2011-08-17] (Nokia)
3 USBMULCD; C:\Windows\System32\drivers\CM10664.sys [1307648 2009-09-29] (C-Media Electronics Inc)
3 usbser; C:\Windows\System32\Drivers\usbser.sys [32768 2010-11-20] (Microsoft Corporation)
3 vhidmini; C:\Windows\System32\Drivers\vhidmini.sys [13952 2007-09-28] (Windows ® Codename Longhorn DDK provider)
3 mfeapfk01; [x]
3 mfeavfk01; [x]
2 MsiNdis; [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: lvmvdrv

============ One Month Created Files and Folders ==============

2012-04-04 21:30 - 2012-04-04 21:30 - 0000000 ____D C:\FRST
2012-04-03 09:25 - 2012-04-03 09:31 - 0001828 ____A C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
2012-04-03 09:24 - 2012-04-03 09:25 - 0000000 ____D C:\Program Files\McAfee
2012-04-03 09:24 - 2012-04-03 09:25 - 0000000 ____D C:\Program Files (x86)\McAfee
2012-04-03 09:24 - 2012-04-03 09:24 - 0000000 ____D C:\Program Files\McAfee.com
2012-04-03 09:24 - 2012-04-03 09:24 - 0000000 ____D C:\Program Files\Common Files\McAfee
2012-04-03 09:24 - 2012-04-03 09:24 - 0000000 ____D C:\Program Files (x86)\McAfee.com
2012-04-03 09:24 - 2011-10-15 03:16 - 0481768 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfefirek.sys
2012-04-03 09:24 - 2011-10-15 03:16 - 0284648 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfewfpk.sys
2012-04-03 09:24 - 2011-10-15 03:16 - 0229528 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeavfk.sys
2012-04-03 09:24 - 2011-10-15 03:16 - 0100912 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mferkdet.sys
2012-04-03 09:24 - 2011-10-15 03:16 - 0075808 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfenlfk.sys
2012-04-03 09:24 - 2011-10-15 03:16 - 0065264 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\cfwids.sys
2012-04-03 09:24 - 2011-10-15 03:16 - 0010248 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeclnk.sys
2012-04-03 09:15 - 2012-04-03 09:26 - 0000000 ____D C:\Users\All Users\McAfee
2012-04-03 09:15 - 2012-04-03 09:26 - 0000000 ____D C:\ProgramData\McAfee
2012-04-03 09:15 - 2011-11-18 07:36 - 0161168 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe
2012-04-02 12:33 - 2012-04-02 12:33 - 8738464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-04-02 12:22 - 2012-04-02 14:11 - 0000344 ____A C:\Windows\Tasks\At47.job
2012-04-02 12:22 - 2012-04-02 13:11 - 0000344 ____A C:\Windows\Tasks\At45.job
2012-04-02 12:22 - 2012-04-02 13:07 - 0000344 ____A C:\Windows\Tasks\At9.job
2012-04-02 12:22 - 2012-04-02 13:07 - 0000344 ____A C:\Windows\Tasks\At7.job
2012-04-02 12:22 - 2012-04-02 13:07 - 0000344 ____A C:\Windows\Tasks\At5.job
2012-04-02 12:22 - 2012-04-02 13:07 - 0000344 ____A C:\Windows\Tasks\At43.job
2012-04-02 12:22 - 2012-04-02 13:07 - 0000344 ____A C:\Windows\Tasks\At41.job
2012-04-02 12:22 - 2012-04-02 13:07 - 0000344 ____A C:\Windows\Tasks\At39.job
2012-04-02 12:22 - 2012-04-02 13:04 - 0000112 ____A C:\Users\All Users\8U4Lu8QMU.dat
2012-04-02 12:22 - 2012-04-02 13:04 - 0000112 ____A C:\ProgramData\8U4Lu8QMU.dat
2012-04-02 12:12 - 2012-04-03 09:21 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-04-02 12:11 - 2012-04-03 09:33 - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-04-02 12:11 - 2012-04-02 12:33 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-02 12:11 - 2012-04-02 12:11 - 0000000 ____D C:\Windows\system64
2012-04-02 10:36 - 2012-04-02 10:36 - 0000000 ____D C:\Users\alien\AppData\Roaming\SanDisk SecureAccess
2012-04-01 09:09 - 2012-04-01 09:09 - 0000000 ____D C:\share
2012-03-31 20:30 - 2012-03-31 20:36 - 0000000 ____D C:\Users\alien\.yawcam
2012-03-31 20:30 - 2012-03-31 20:30 - 0000000 ____D C:\Program Files (x86)\Yawcam
2012-03-31 20:26 - 2012-03-31 20:26 - 0000000 ____D C:\Users\alien\AppData\Local\WMTools Downloaded Files
2012-03-31 20:25 - 2012-03-31 20:25 - 0000000 ____D C:\Program Files (x86)\Movie Maker 2.6
2012-03-23 09:31 - 2012-04-02 13:08 - 0000000 ____D C:\Users\alien\AppData\Roaming\SanDisk
2012-03-23 09:29 - 2012-03-23 09:29 - 0000288 ____A C:\Users\alien\AppData\Roaming\.backup.dm
2012-03-21 11:52 - 2012-03-21 11:52 - 0001445 ____A C:\Users\alien\.recently-used.xbel
2012-03-14 12:13 - 2011-11-19 07:20 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-14 12:13 - 2011-11-19 06:50 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-14 12:13 - 2011-11-19 06:50 - 3913584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-13 13:44 - 2012-02-09 22:36 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-03-13 13:44 - 2012-02-09 21:38 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-03-13 13:44 - 2012-02-02 20:34 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-13 11:16 - 2012-02-16 22:38 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-03-13 11:16 - 2012-02-16 21:34 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-03-13 11:16 - 2012-02-16 20:58 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-03-13 11:16 - 2012-02-16 20:57 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-03-13 11:16 - 2012-01-24 22:38 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-03-13 11:16 - 2012-01-24 22:38 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-03-13 11:16 - 2012-01-24 22:33 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

============ 3 Months Modified Files and Folders =============

2012-04-03 22:23 - 2012-01-25 12:54 - 0306632 ____A C:\Windows\ntbtlog.txt
2012-04-03 22:23 - 2011-06-24 13:43 - 3180220416 __ASH C:\hiberfil.sys
2012-04-03 09:58 - 2011-07-01 11:10 - 0000000 ____D C:\Users\alien\AppData\Local\FileServe Manager
2012-04-03 09:58 - 2011-06-24 14:24 - 0008412 ____A C:\Windows\PFRO.log
2012-04-03 09:58 - 2011-06-24 13:49 - 1860174 ____A C:\Windows\WindowsUpdate.log
2012-04-03 09:33 - 2012-04-02 12:11 - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-04-03 09:31 - 2012-04-03 09:25 - 0001828 ____A C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
2012-04-03 09:27 - 2009-07-13 20:45 - 0014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-03 09:27 - 2009-07-13 20:45 - 0014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-03 09:26 - 2012-04-03 09:15 - 0000000 ____D C:\Users\All Users\McAfee
2012-04-03 09:26 - 2012-04-03 09:15 - 0000000 ____D C:\ProgramData\McAfee
2012-04-03 09:25 - 2012-04-03 09:24 - 0000000 ____D C:\Program Files\McAfee
2012-04-03 09:25 - 2012-04-03 09:24 - 0000000 ____D C:\Program Files (x86)\McAfee
2012-04-03 09:24 - 2012-04-03 09:24 - 0000000 ____D C:\Program Files\McAfee.com
2012-04-03 09:24 - 2012-04-03 09:24 - 0000000 ____D C:\Program Files\Common Files\McAfee
2012-04-03 09:24 - 2012-04-03 09:24 - 0000000 ____D C:\Program Files (x86)\McAfee.com
2012-04-03 09:24 - 2011-06-25 05:17 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-04-03 09:21 - 2012-04-02 12:12 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-04-03 09:20 - 2012-02-21 13:58 - 0008763 ____A C:\Windows\setupact.log
2012-04-03 09:20 - 2011-06-24 14:56 - 0000000 ____D C:\Users\All Users\NVIDIA
2012-04-03 09:20 - 2011-06-24 14:56 - 0000000 ____D C:\ProgramData\NVIDIA
2012-04-03 09:20 - 2011-06-24 14:47 - 0000000 ____D C:\Program Files (x86)\Steam
2012-04-03 09:20 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-03 09:18 - 2011-09-06 07:00 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-02 14:11 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At47.job
2012-04-02 13:11 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At45.job
2012-04-02 13:08 - 2012-03-23 09:31 - 0000000 ____D C:\Users\alien\AppData\Roaming\SanDisk
2012-04-02 13:07 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At9.job
2012-04-02 13:07 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At7.job
2012-04-02 13:07 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At5.job
2012-04-02 13:07 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At43.job
2012-04-02 13:07 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At41.job
2012-04-02 13:07 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At39.job
2012-04-02 13:04 - 2012-04-02 12:22 - 0000112 ____A C:\Users\All Users\8U4Lu8QMU.dat
2012-04-02 13:04 - 2012-04-02 12:22 - 0000112 ____A C:\ProgramData\8U4Lu8QMU.dat
2012-04-02 12:33 - 2012-04-02 12:33 - 8738464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-04-02 12:33 - 2012-04-02 12:11 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-02 12:33 - 2011-06-25 01:34 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-04-02 12:27 - 2011-06-27 11:15 - 0000000 ____D C:\Users\alien\AppData\Roaming\Skype
2012-04-02 12:11 - 2012-04-02 12:11 - 0000000 ____D C:\Windows\system64
2012-04-02 10:36 - 2012-04-02 10:36 - 0000000 ____D C:\Users\alien\AppData\Roaming\SanDisk SecureAccess
2012-04-01 09:09 - 2012-04-01 09:09 - 0000000 ____D C:\share
2012-03-31 20:36 - 2012-03-31 20:30 - 0000000 ____D C:\Users\alien\.yawcam
2012-03-31 20:30 - 2012-03-31 20:30 - 0000000 ____D C:\Program Files (x86)\Yawcam
2012-03-31 20:30 - 2011-06-24 13:49 - 0000000 ____D C:\users\alien
2012-03-31 20:26 - 2012-03-31 20:26 - 0000000 ____D C:\Users\alien\AppData\Local\WMTools Downloaded Files
2012-03-31 20:25 - 2012-03-31 20:25 - 0000000 ____D C:\Program Files (x86)\Movie Maker 2.6
2012-03-31 20:24 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2012-03-31 20:14 - 2011-06-24 14:18 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-03-25 11:31 - 2011-06-28 11:37 - 0000000 ____D C:\Program Files (x86)\RapidShareManager
2012-03-23 09:29 - 2012-03-23 09:29 - 0000288 ____A C:\Users\alien\AppData\Roaming\.backup.dm
2012-03-21 13:18 - 2011-06-25 04:59 - 0000000 ____D C:\Users\alien\.gimp-2.6
2012-03-21 11:52 - 2012-03-21 11:52 - 0001445 ____A C:\Users\alien\.recently-used.xbel
2012-03-21 11:43 - 2011-06-25 05:05 - 0000000 ____D C:\Users\alien\AppData\Roaming\gtk-2.0
2012-03-14 12:29 - 2009-07-13 20:45 - 0289216 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-13 19:55 - 2011-06-30 04:01 - 56297240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-03-05 11:33 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NDF
2012-02-28 12:21 - 2012-01-25 13:29 - 0000000 ____D C:\Program Files (x86)\JDownloader
2012-02-27 13:32 - 2011-06-30 08:53 - 0000000 ____D C:\users\UpdatusUser
2012-02-23 01:18 - 2011-06-24 14:42 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-02-21 13:58 - 2012-02-21 13:58 - 0000000 ____A C:\Windows\setuperr.log
2012-02-20 14:06 - 2012-02-20 14:06 - 0001035 ____A C:\Users\UpdatusUser\Desktop\WinDirStat.lnk
2012-02-20 14:06 - 2012-02-20 14:06 - 0000000 ____D C:\Program Files (x86)\WinDirStat
2012-02-16 22:38 - 2012-03-13 11:16 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-02-16 21:34 - 2012-03-13 11:16 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-02-16 20:58 - 2012-03-13 11:16 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-02-16 20:57 - 2012-03-13 11:16 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-02-16 03:43 - 2011-06-24 13:50 - 0000174 ___SH C:\Users\alien\Start Menu\Programs\Startup\desktop.ini
2012-02-16 03:43 - 2011-06-24 13:50 - 0000174 ___SH C:\Users\alien\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-02-11 11:02 - 2011-06-26 04:45 - 0006656 ____A C:\Users\alien\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-02-11 11:00 - 2011-11-15 16:51 - 0000000 ____D C:\Users\alien\AppData\Roaming\DivX
2012-02-09 22:36 - 2012-03-13 13:44 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-02-09 21:38 - 2012-03-13 13:44 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-02-08 06:47 - 2011-06-25 16:49 - 0000000 ____D C:\Users\alien\AppData\Roaming\vlc
2012-02-02 20:34 - 2012-03-13 13:44 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-01-30 12:56 - 2012-01-30 12:56 - 0000000 ____D C:\Users\alien\AppData\Roaming\XBMC
2012-01-30 12:56 - 2012-01-30 12:56 - 0000000 ____D C:\Program Files (x86)\XBMC
2012-01-30 12:25 - 2011-06-24 13:49 - 0000000 ____D C:\Users\alien\AppData\LocalLow
2012-01-27 11:21 - 2012-01-27 11:19 - 0000000 ____D C:\Users\alien\AppData\Roaming\DAEMON Tools Lite
2012-01-27 11:20 - 2012-01-27 11:20 - 0283200 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys
2012-01-27 11:20 - 2012-01-27 11:20 - 0000000 ____D C:\Program Files (x86)\DAEMON Tools Lite
2012-01-27 11:20 - 2012-01-27 11:19 - 0000000 ____D C:\Users\All Users\DAEMON Tools Lite
2012-01-27 11:20 - 2012-01-27 11:19 - 0000000 ____D C:\ProgramData\DAEMON Tools Lite
2012-01-25 13:29 - 2012-01-25 13:29 - 0000000 ____D C:\Program Files (x86)\facemoods.com
2012-01-25 12:54 - 2012-01-25 12:54 - 0000000 ____D C:\Windows\pss
2012-01-24 22:38 - 2012-03-13 11:16 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-01-24 22:38 - 2012-03-13 11:16 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-01-24 22:33 - 2012-03-13 11:16 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-01-20 14:43 - 2011-06-24 14:57 - 0066104 ____A C:\Users\alien\AppData\Local\GDIPFONTCACHEV1.DAT
2012-01-19 00:48 - 2011-06-27 11:15 - 0000000 ___RD C:\Program Files (x86)\Skype
2012-01-19 00:48 - 2011-06-27 11:15 - 0000000 ____D C:\Users\All Users\Skype
2012-01-19 00:48 - 2011-06-27 11:15 - 0000000 ____D C:\ProgramData\Skype
2012-01-18 07:11 - 2012-01-18 07:11 - 0001239 ____A C:\Users\alien\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
2012-01-18 07:11 - 2012-01-18 07:11 - 0001239 ____A C:\Users\alien\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
2012-01-18 07:11 - 2012-01-18 07:11 - 0000000 ____D C:\Users\alien\AppData\Roaming\OpenOffice.org
2012-01-18 07:09 - 2012-01-18 07:09 - 0000000 ____D C:\Program Files (x86)\OpenOffice.org 3
2012-01-18 07:09 - 2011-06-25 07:19 - 0000000 ____D C:\Program Files (x86)\Java


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 4043.86 MB
Available physical RAM: 3388.13 MB
Total Pagefile: 4042.01 MB
Available Pagefile: 3375.84 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:37.17 GB) (Free:7.41 GB) NTFS
2 Drive d: (New Volume) (Fixed) (Total:298.05 GB) (Free:190.7 GB) NTFS
4 Drive g: () (Removable) (Total:29.8 GB) (Free:24.93 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 37 GB 0 B
Disk 2 Online 29 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 298 GB 40 MB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 NTFS Partition 39 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D New Volume NTFS Partition 298 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 37 GB 101 MB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Y System Rese NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 1
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 37 GB Healthy

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 16 KB

======================================================================================================

Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 29 GB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-03-31 01:06

======================= End Of Log ==========================

Edit: Moved topic from Am I infected? What do I do? to the more appropriate forum. ~ Animal



#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 04 April 2012 - 06:01 PM

Hi

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt

start
HKLM\...\Run: [] [x]
HKU\alien\...\Run: [] [x]
HKU\UpdatusUser\...\Run: [] [x]
SubSystems: [Windows] ==> ZeroAccess
2012-04-02 12:22 - 2012-04-02 14:11 - 0000344 ____A C:\Windows\Tasks\At47.job
2012-04-02 12:22 - 2012-04-02 13:11 - 0000344 ____A C:\Windows\Tasks\At45.job
2012-04-02 12:22 - 2012-04-02 13:07 - 0000344 ____A C:\Windows\Tasks\At9.job
2012-04-02 12:22 - 2012-04-02 13:07 - 0000344 ____A C:\Windows\Tasks\At7.job
2012-04-02 12:22 - 2012-04-02 13:07 - 0000344 ____A C:\Windows\Tasks\At5.job
2012-04-02 12:22 - 2012-04-02 13:07 - 0000344 ____A C:\Windows\Tasks\At43.job
2012-04-02 12:22 - 2012-04-02 13:07 - 0000344 ____A C:\Windows\Tasks\At41.job
2012-04-02 12:22 - 2012-04-02 13:07 - 0000344 ____A C:\Windows\Tasks\At39.job
2012-04-02 12:22 - 2012-04-02 13:04 - 0000112 ____A C:\Users\All Users\8U4Lu8QMU.dat
2012-04-02 12:22 - 2012-04-02 13:04 - 0000112 ____A C:\ProgramData\8U4Lu8QMU.dat
2012-04-02 14:11 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At47.job
2012-04-02 13:11 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At45.job
2012-04-02 13:07 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At9.job
2012-04-02 13:07 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At7.job
2012-04-02 13:07 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At5.job
2012-04-02 13:07 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At43.job
2012-04-02 13:07 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At41.job
2012-04-02 13:07 - 2012-04-02 12:22 - 0000344 ____A C:\Windows\Tasks\At39.job
2012-04-02 13:04 - 2012-04-02 12:22 - 0000112 ____A C:\Users\All Users\8U4Lu8QMU.dat
2012-04-02 13:04 - 2012-04-02 12:22 - 0000112 ____A C:\ProgramData\8U4Lu8QMU.dat
cmd: bootrec /fixmbr
cmd: bootrec /fixboot
End

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


Now restart, let it boot normally and tell me how it went.


NEXT


If you are now able to boot normally, please run ComboFix:


Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 maximal

  • Topic Starter

  • Members
  • 5 posts

Posted 05 April 2012 - 01:34 AM

Thanks BC, I'll do this when I get off work tonight...

#4 maximal

  • Topic Starter

  • Members
  • 5 posts

Posted 05 April 2012 - 02:10 PM

OK, good(ish) stuff. Ran FRST64 fixlist as above, rebooted and logged in to win7. Ran combofix fine, the log is below. I did receive the "marked for deletion" message when trying to open any programs, so rebooted. Now I'm back to a reboot loop whilst trying to start windows... going to fight the urge to tinker myself whilst in the presence of proper wisdom!! Booted back into Ubuntu and copied the log you see below..

[Thanks for the help so far guys, I am very appreciative]

ComboFix 12-04-05.06 - alien 05/04/2012 19:43:01.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.353.1033.18.4044.1910 [GMT 1:00]
Running from: c:\users\alien\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\facemoods.com
c:\program files (x86)\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll
c:\program files (x86)\facemoods.com\facemoods\1.4.17.11\facemoods.crx
c:\program files (x86)\facemoods.com\facemoods\1.4.17.11\facemoods.png
c:\program files (x86)\facemoods.com\facemoods\1.4.17.11\facemoodsApp.dll
c:\program files (x86)\facemoods.com\facemoods\1.4.17.11\facemoodsEng.dll
c:\program files (x86)\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe
c:\program files (x86)\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll
c:\program files (x86)\facemoods.com\facemoods\1.4.17.11\uninstall.exe
c:\programdata\Roaming
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\iun6002.exe
c:\windows\system\fltr106.dll
c:\windows\system32\consrv.dll
c:\windows\system32\dds_trash_log.cmd
c:\windows\System64
c:\windows\SysWow64\SET7DE4.tmp
c:\windows\SysWow64\SET8D35.tmp
c:\windows\SysWow64\SET98E0.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_AMService
.
.
((((((((((((((((((((((((( Files Created from 2012-03-05 to 2012-04-05 )))))))))))))))))))))))))))))))
.
.
2012-04-05 05:30 . 2012-04-05 05:31 -------- d-----w- C:\FRST
2012-04-03 17:24 . 2011-12-06 16:22 28760 ----a-w- c:\program files (x86)\Mozilla Firefox\ScriptFF.dll
2012-04-03 17:24 . 2012-04-03 17:24 -------- d-----w- c:\program files (x86)\Common Files\McAfee
2012-04-03 17:24 . 2011-10-15 11:16 10248 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-04-03 17:24 . 2011-10-15 11:16 75808 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2012-04-03 17:24 . 2011-10-15 11:16 65264 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-04-03 17:24 . 2011-10-15 11:16 481768 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-04-03 17:24 . 2011-10-15 11:16 284648 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2012-04-03 17:24 . 2011-10-15 11:16 229528 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-04-03 17:24 . 2011-10-15 11:16 100912 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-04-03 17:24 . 2012-04-03 17:24 -------- d-----w- c:\program files\Common Files\McAfee
2012-04-03 17:24 . 2012-04-03 17:25 -------- d-----w- c:\program files\McAfee
2012-04-03 17:24 . 2012-04-05 18:38 -------- d-----w- c:\program files (x86)\McAfee
2012-04-03 17:15 . 2011-11-18 15:36 161168 ----a-w- c:\windows\system32\mfevtps.exe
2012-04-03 17:15 . 2012-04-03 17:26 -------- d-----w- c:\programdata\McAfee
2012-04-02 21:09 . 2012-04-02 21:09 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-04-02 21:09 . 2012-04-02 21:09 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-04-02 20:33 . 2012-04-02 20:33 8738464 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-02 20:11 . 2012-04-02 20:33 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-02 18:36 . 2012-04-02 18:36 -------- d-----w- c:\users\alien\AppData\Roaming\SanDisk SecureAccess
2012-04-01 17:09 . 2012-04-01 17:09 -------- d-----w- C:\share
2012-04-01 04:30 . 2012-04-01 04:36 -------- d-----w- c:\users\alien\.yawcam
2012-04-01 04:30 . 2012-04-01 04:30 -------- d-----w- c:\program files (x86)\Yawcam
2012-04-01 04:26 . 2012-04-01 04:26 -------- d-----w- c:\users\alien\AppData\Local\WMTools Downloaded Files
2012-04-01 04:25 . 2012-04-01 04:25 -------- d-----w- c:\program files (x86)\Movie Maker 2.6
2012-04-01 04:14 . 2003-11-10 17:14 729088 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2012-04-01 04:14 . 2003-11-10 17:13 69715 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2012-04-01 04:14 . 2003-11-10 17:12 266240 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2012-04-01 04:14 . 2003-11-10 17:12 192512 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2012-04-01 04:14 . 2003-11-10 17:11 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2012-04-01 04:14 . 2012-04-01 04:14 311428 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2012-04-01 04:14 . 2012-04-01 04:14 188548 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2012-03-31 08:56 . 2012-03-14 03:27 8669240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0B83D3B7-B3A9-488D-ACCE-03A0D3325652}\mpengine.dll
2012-03-23 17:31 . 2012-04-02 21:08 -------- d-----w- c:\users\alien\AppData\Roaming\SanDisk
2012-03-14 20:13 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-14 20:13 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-14 20:13 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-13 21:44 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 21:44 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-13 21:44 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:16 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-13 19:16 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-13 19:16 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-13 19:16 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-13 19:16 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-13 19:16 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-13 19:16 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-02 20:33 . 2011-06-25 09:34 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-24 13:34 . 2012-02-24 13:34 162664 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
2012-02-23 09:18 . 2011-06-24 22:42 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-27 19:20 . 2012-01-27 19:20 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-08-04 1242448]
"RocketDock"="c:\program files (x86)\RocketDock\RocketDock.exe" [2007-09-02 495616]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-01-24 3478336]
"SanDiskSecureAccess_Manager.exe"="c:\users\alien\AppData\Roaming\SanDisk\SanDiskSecureAccess_Manager.exe" [2012-04-02 30705792]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-03-03 113288]
"AlienwareOn-ScreenDisplay"="c:\program files (x86)\Alienware On-Screen Display\AlienwareOn-ScreenDisplay.exe" [2011-09-02 1636208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"FileServe Manager Task"="c:\program files (x86)\FileServe Manager\FSStarter.exe" [2011-09-02 954648]
"Jomantha"="e:\programs\n52teHid.exe" [2008-06-13 159744]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1675160]
.
c:\users\alien\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-29 1132320]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2011-9-18 102912]
Scrybe.lnk - c:\windows\Installer\{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}\NewShortcut11_8ACB210B42E44145A8C31F8E3DD765A3.exe [2011-11-29 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer6"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 AlienFusionService;Alienware Fusion Service;c:\program files\Alienware\Command Center\AlienFusionService.exe [2011-02-04 15296]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-03-03 2656280]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 253600]
R3 JmtFltr;n52te;c:\windows\system32\drivers\JmtFltr.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-05-02 340240]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
R3 RTCore64;RTCore64;c:\program files (x86)\EVGA Precision\RTCore64.sys [2011-08-31 14440]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBMULCD;USB Multi-Channel Audio Device Interface;c:\windows\system32\drivers\CM10664.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 16752]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-03-21 89600]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-03-03 2372096]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-12-06 208536]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
S2 MsiPcap;Migration Specialties Network driver (PCAP NDIS 5.0);c:\windows\system32\drivers\msipcap.sys [x]
S2 ScrybeUpdater;Scrybe Updater;c:\program files (x86)\Synaptics\Scrybe\Service\ScrybeUpdater.exe [2011-05-27 1300264]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
S3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - CFWIDS
*NewlyCreated* - WS2IFSL
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 20:33]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeFallProtection"="c:\program files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-12-17 703088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-03-21 525312]
"Command Center Controllers"="c:\program files\Alienware\Command Center\AWCCStartupOrchestrator.exe" [2011-02-04 13256]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-10 167256]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-10 391512]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-10 415064]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-06-23 1744152]
"IntelPAN"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-05-02 1935120]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-10-15 539456]
"combofix"="c:\combofix\CF14681.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
lvmvdrv
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://start.facemoods.com/?a=ddrnw
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Download with FileServe Manager - c:\program files (x86)\FileServe Manager\GetUrl.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 89.101.160.4 89.101.160.5
FF - ProfilePath - c:\users\alien\AppData\Roaming\Mozilla\Firefox\Profiles\xqglazs5.default\
FF - prefs.js: browser.startup.homepage - chrome://foxtab/content/homepage.html
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-facemoods - c:\program files (x86)\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe
HKLM-Run-(Default) - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Cool's_Codec_pack_4.12 - c:\windows\iun6002.exe
AddRemove-facemoods - c:\program files (x86)\facemoods.com\facemoods\1.4.17.11\uninstall.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_bc2.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{DB4E9724-F518-4DFD-9C7C-78B52103CAB9}"=hex:51,66,7a,6c,4c,1d,38,12,4a,94,5d,
df,2a,bb,93,08,e3,6a,3b,f5,24,5d,8e,ad
"{00000001-AB3B-4334-9DA2-EC6B2A02AFC6}"=hex:51,66,7a,6c,4c,1d,38,12,6f,03,13,
04,09,e5,5a,06,e2,b4,af,2b,2f,5c,eb,d2
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{326E768D-4182-46FD-9C16-1449A49795F4}"=hex:51,66,7a,6c,4c,1d,38,12,e3,75,7d,
36,b0,0f,93,03,e3,00,57,09,a1,c9,d1,e0
"{64182481-4F71-486B-A045-B233BD0DA8FC}"=hex:51,66,7a,6c,4c,1d,38,12,ef,27,0b,
60,43,01,05,0d,df,53,f1,73,b8,53,ec,e8
"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,
aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:fa,8f,ef,29,0f,11,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,79,43,f0,3c,95,c8,43,ae,06,a5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,79,43,f0,3c,95,c8,43,ae,06,a5,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\PnkBstrA.exe
c:\windows\SysWOW64\rundll32.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-04-05 19:50:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-05 18:50
.
Pre-Run: 7,343,120,384 bytes free
Post-Run: 7,317,393,408 bytes free
.
- - End Of File - - A38E3D2B9C29262F2B4987EA9E441442

#5 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 05 April 2012 - 04:14 PM

Hi

let's see if we can get it booting again before we do anything else.

Please run FRST64.exe with the following script as you did before


start
SubSystems: [Windows] ==> ZeroAccess
cmd: bootrec /fixmbr
cmd: bootrec /fixboot
End

let me know if you can now boot properly

If that does not resolve the boot issue, then please run a fresh scan with FRST as you did initially and post the new log

thanks



#6 maximal

  • Topic Starter

  • Members
  • 5 posts

Posted 06 April 2012 - 12:51 AM

Bleeping curls, thank you, you're a genius! I now have windows back:-)

I'm just running out the door, but McAfee has just reported quarantining 'generic backdoor!xx' in C:\windows\assembly\GAC_32\desktop.ini, and is requesting a reboot.
I'll let it do its stuff when I get back this evening and let you know how I get on (fingers crossed)...

#7 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 April 2012 - 08:08 AM

Hi

Please run the following script with FRST again (my apologies, I missed a bad entry)

or your system will become unbootable again


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
2 lvmvdrv; C:\Windows\System32\mcusrmgr.dll [6656 2009-07-13] (Oak Technology Inc.)
C:\Windows\System32\mcusrmgr.dll
NETSVC: lvmvdrv
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


Now restart, let it boot normally and tell me how it went.

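
The two FRST fix scripts in this thread (the earlier one ending in bootrec /fixmbr and /fixboot, and the one just above that removes the lvmvdrv service) were written by hand from entries in the scan logs. The Python below is an added example, not part of the thread and not code from FRST or ComboFix, that flags the same ZeroAccess-style entries in an FRST or ComboFix text log: FRST's SubSystems [Windows] verdict line, the burst of numbered At*.job tasks, Desktop.ini dropped into the GAC_32/GAC_64 folders, the '@' and cfg.ini files under assembly\temp, consrv.dll in system32, and a page-specific list of bad netsvcs service names (here only lvmvdrv). The sample log is constructed from lines copied from this thread plus two benign entries; the rule labels, the KNOWN_BAD_NETSVCS list and the verdict threshold are my own assumptions, not anything the tools themselves use.

```python
"""Flag ZeroAccess-style entries in FRST / ComboFix text logs.

Added, illustrative code for this thread; the rules below are derived from
the entries FRST and ComboFix reported here, not from either tool's own logic.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# (label, regex) pairs applied to each stripped log line. Matching is
# case-insensitive because FRST prints C:\Windows and ComboFix c:\windows.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    # FRST's verdict that Session Manager\SubSystems\Windows was altered.
    ("subsystems-windows-hijack",
     re.compile(r"^SubSystems:\s*\[Windows\]\s*==>\s*ZeroAccess", re.I)),
    # Burst of numbered At*.job tasks, all the same size, created in one minute.
    ("at-job-task", re.compile(r"\\Windows\\Tasks\\At\d+\.job$", re.I)),
    # Desktop.ini dropped into the .NET GAC folders.
    ("gac-desktop-ini",
     re.compile(r"\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.I)),
    # The '@' payload and cfg.ini under assembly\temp.
    ("assembly-temp-drop",
     re.compile(r"\\assembly\\temp\\(?:@|cfg\.ini)$", re.I)),
    # The rogue subsystem DLL that the hijacked value loads.
    ("consrv-dll", re.compile(r"\\system32\\consrv\.dll$", re.I)),
]

# Service names this thread identified as malicious (page-specific, constructed list).
KNOWN_BAD_NETSVCS = {"lvmvdrv"}
# FRST service line "<start> <name>; <path> [size date] (Company)" and the
# fixlist directive "NETSVC: <name>".
SERVICE_LINE = re.compile(r"^\d\s+(?P<name>[^;\s]+);")
NETSVC_LINE = re.compile(r"^NETSVC:\s*(?P<name>\S+)", re.I)

# Constructed sample: lines copied from the logs in this thread, trimmed, plus
# two benign entries to show that ordinary .job and Run lines are not flagged.
SAMPLE_LOG = r"""
SubSystems: [Windows] ==> ZeroAccess
2012-04-02 12:22 - 2012-04-02 14:11 - 0000344 ____A C:\Windows\Tasks\At47.job
2012-04-02 12:22 - 2012-04-02 13:11 - 0000344 ____A C:\Windows\Tasks\At45.job
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\system32\consrv.dll
2 lvmvdrv; C:\Windows\System32\mcusrmgr.dll [6656 2009-07-13] (Oak Technology Inc.)
NETSVC: lvmvdrv
2012-04-05 c:\windows\Tasks\Adobe Flash Player Updater.job
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-08-04 1242448]
"""


def find_indicators(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, line) for every log line matching a rule."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        for label, rx in INDICATORS:
            if rx.search(line):
                hits.append((lineno, label, line))
        # Service entries are judged by name only, against the page-specific list.
        for rx in (SERVICE_LINE, NETSVC_LINE):
            m = rx.match(line)
            if m and m.group("name").lower() in KNOWN_BAD_NETSVCS:
                hits.append((lineno, "known-bad-netsvc", line))
                break
    return hits


def summarize(hits: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Count hits per indicator label."""
    return dict(Counter(label for _, label, _ in hits))


def looks_like_zeroaccess(hits: List[Tuple[int, str, str]]) -> bool:
    """Verdict (assumed threshold): FRST's SubSystems flag alone is decisive;
    otherwise require two independent indicator families so that a single
    stray At1.job does not trip the rule."""
    labels = {label for _, label, _ in hits}
    return "subsystems-windows-hijack" in labels or len(labels) >= 2


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG)
    for number, label, text in found:
        print(f"{number:3d} {label:26s} {text}")
    print("verdict:", "ZeroAccess-like" if looks_like_zeroaccess(found) else "no strong signal")
```

Run against a real FRST.txt or ComboFix log by reading the file into find_indicators; the point of the two-family threshold is that the SubSystems entry is the one indicator FRST itself attributes, while the others (the tasks, the GAC Desktop.ini, consrv.dll) corroborate it and show which fixlist lines are needed.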


#8 maximal

  • Topic Starter

  • Members
  • 5 posts

Posted 06 April 2012 - 03:03 PM

Can't thank you guys enough, next time you're in Ireland, I shall buy you a pint (seriously), in the meantime I'll just make use of the donate button;)

Everything is working great now, rebooted about 5 times without issue. Going to have a look at the tutorials so in future I may not have to impose on your time, don't know why I haven't come across this place before, thanks again... log below as requested..

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 15-03-2012 
Ran by SYSTEM at 2012-04-06 17:14:14 R:3
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
lvmvdrv service deleted successfully.
C:\Windows\System32\mcusrmgr.dll moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs lvmvdrv Deleted successfully.

==== End of Fixlog ====


#9 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 06 April 2012 - 04:12 PM

Hi, there are just a couple more scans I'd like you to do, just to make sure you are completely clean before I let you go (plus we have a special clean up routine for the tools)

so stay with me, till I give the all clear.

Please re-run comboFix, allow it to update if it asks to do so, (please make sure you disable your security programs), post the resulting logs.

then run the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 13 April 2012 - 07:29 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.





