Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan horse Dropper.Generic_C.MMI and Found Luhe.Sirefef.A


  • This topic is locked This topic is locked
19 replies to this topic

#1 ddibowski

ddibowski

  • Members
  • 162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:02 PM

Posted 23 July 2012 - 08:39 AM

My PC has been infected by a virus. I use AVG software and it is showing Trojan horse Dropper.Generic_C.MMI and Found Luhe.Sirefef.A on recent scans.
It is keeping me from accessing the internet. In order for me to do my work I will have to download your tools to a thumb drive. I hope it will work this way.
I see DDS does its work over the internet. Is there another way I can get you this information?
Thanks in advance
Don

BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:02 PM

Posted 23 July 2012 - 08:56 AM

Hello ddibowski,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will get back to you with instructions.



Can you tell me which operating system you are using. Windows Xp,Vista ,or Windows7? is it a 32 bit or 64bit system?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 ddibowski

ddibowski
  • Topic Starter

  • Members
  • 162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:02 PM

Posted 23 July 2012 - 10:20 AM

Thanks for your quick response.

It is Win 7 64 bit

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:02 PM

Posted 23 July 2012 - 11:52 AM

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The notepad opens. Under File menu select Open.[*]Select "Computer" and find your flash drive letter and close the notepad.[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.[*]The tool will start to run.[*]When the tool opens click Yes to disclaimer.[*]Press Scan button.[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list][/quote]

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 ddibowski

ddibowski
  • Topic Starter

  • Members
  • 162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:02 PM

Posted 23 July 2012 - 01:28 PM

Here is the log from frst64

Scan result of Farbar Recovery Scan Tool Version: 20-07-2012 01
Ran by SYSTEM at 23-07-2012 14:19:17
Running from I:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10060832 2010-02-08] (Realtek Semiconductor)
HKLM\...\Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup [207350 2011-01-25] ()
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [415256 2010-08-25] (Intel Corporation)
HKLM\...\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden" [1125504 2011-11-03] (Check Point Software Technologies)
HKLM-x32\...\Run: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe [237568 2010-01-27] (Alcor Micro Corp.)
HKLM-x32\...\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM-x32\...\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe [2339168 2012-01-17] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe" [73360 2011-11-09] (Check Point Software Technologies LTD)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKU\Jim\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe [163040 2010-08-11] (Softthinks)
HKLM-x32\...\RunOnce: [DSUpdateLauncher] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" /NOCONSOLE /D="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate" /RUNAS "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe" [161088 2010-07-21] ()
HKLM-x32\...\RunOnce: [STToasterLauncher] C:\Program Files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe [120032 2010-08-11] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.200.1

==================== Services (Whitelisted) ======

2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" [7391072 2012-01-31] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe" [269520 2011-02-08] (AVG Technologies CZ, s.r.o.)
2 IswSvc; "C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe" [827520 2011-11-03] (Check Point Software Technologies)
3 nosGetPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll [53248 2011-03-29] (NOS Microsystems Ltd.)
2 RoxWatch12; "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe" [219632 2010-11-25] (Sonic Solutions)
3 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74392 2010-11-08] (MicroVision Development, Inc.)
2 vsmon; C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe -service [2420616 2011-11-09] (Check Point Software Technologies LTD)

========================== Drivers (Whitelisted) =============

3 AVGIDSDriver; C:\Windows\System32\Drivers\AVGIDSDriver.sys [118864 2011-05-27] (AVG Technologies CZ, s.r.o. )
0 AVGIDSEH; C:\Windows\System32\Drivers\AVGIDSEH.sys [26704 2011-02-22] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\Drivers\AVGIDSFilter.sys [29264 2011-02-10] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [304720 2011-01-07] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [41552 2011-03-01] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [37456 2011-03-16] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [377936 2011-04-04] (AVG Technologies CZ, s.r.o.)
2 ISWKL; \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys [33672 2011-11-03] (Check Point Software Technologies)
1 Vsdatant; C:\Windows\System32\Drivers\Vsdatant.sys [454232 2011-05-07] (Check Point Software Technologies LTD)
3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [x]
3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-23 12:33 - 2012-07-23 13:07 - 00000000 ____D C:\FRST
2012-07-20 14:39 - 2012-07-20 14:39 - 00000781 ____A C:\Users\Jim\My Documents\command_line.txt
2012-07-20 14:39 - 2012-07-20 14:39 - 00000781 ____A C:\Users\Jim\Documents\command_line.txt
2012-07-19 08:19 - 2012-07-19 08:19 - 00002016 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-07-19 08:19 - 2012-07-19 08:19 - 00002016 ____A C:\Users\All Users\Desktop\Adobe Reader 9.lnk
2012-07-19 08:16 - 2012-07-19 08:16 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-19 08:16 - 2012-07-19 08:16 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-19 08:16 - 2012-07-19 08:16 - 00000000 ____D C:\Windows\System32\Macromed
2012-07-12 02:02 - 2012-06-11 22:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 03:19 - 2012-06-09 00:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 03:19 - 2012-06-08 23:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-11 03:19 - 2012-06-06 01:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 03:19 - 2012-06-06 01:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 03:19 - 2012-06-06 00:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-11 03:19 - 2012-06-06 00:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-11 03:19 - 2012-06-02 00:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-11 03:19 - 2012-06-02 00:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-11 03:19 - 2012-06-02 00:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 03:19 - 2012-06-02 00:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 03:19 - 2012-06-02 00:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 03:19 - 2012-06-01 23:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-11 03:19 - 2012-06-01 23:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-11 03:19 - 2012-06-01 23:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-11 03:19 - 2012-06-01 23:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-11 03:19 - 2010-06-25 22:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-11 03:19 - 2010-06-25 22:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-07-11 03:18 - 2012-06-06 01:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-11 03:18 - 2012-06-06 00:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-25 13:49 - 2012-06-25 13:50 - 00000000 ____D C:\Users\Jim\Local Settings\Microsoft Games
2012-06-25 13:49 - 2012-06-25 13:50 - 00000000 ____D C:\Users\Jim\Local Settings\Application Data\Microsoft Games
2012-06-25 13:49 - 2012-06-25 13:50 - 00000000 ____D C:\Users\Jim\AppData\Local\Microsoft Games

============ 3 Months Modified Files ========================

2012-07-23 13:13 - 2011-04-27 10:10 - 00000072 ____A C:\Windows\SysWOW64\ToasterLauncherLog.log
2012-07-23 13:13 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-23 13:13 - 2009-07-13 23:51 - 00025229 ____A C:\Windows\setupact.log
2012-07-23 13:13 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-23 13:13 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-23 13:12 - 2009-07-14 00:10 - 01185236 ____A C:\Windows\WindowsUpdate.log
2012-07-23 12:34 - 2009-07-14 00:13 - 00727374 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-23 06:35 - 2011-04-27 10:10 - 00000422 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2012-07-20 14:46 - 2009-07-14 00:08 - 00019892 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-20 14:39 - 2012-07-20 14:39 - 00000781 ____A C:\Users\Jim\My Documents\command_line.txt
2012-07-20 14:39 - 2012-07-20 14:39 - 00000781 ____A C:\Users\Jim\Documents\command_line.txt
2012-07-19 08:27 - 2011-04-20 00:17 - 00043328 ____A C:\Windows\PFRO.log
2012-07-19 08:19 - 2012-07-19 08:19 - 00002016 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-07-19 08:19 - 2012-07-19 08:19 - 00002016 ____A C:\Users\All Users\Desktop\Adobe Reader 9.lnk
2012-07-19 08:16 - 2012-07-19 08:16 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-19 08:16 - 2012-07-19 08:16 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-12 02:19 - 2009-07-13 23:45 - 00333632 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-12 02:00 - 2011-05-18 11:25 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-25 13:48 - 2011-04-27 10:10 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2012-06-11 22:08 - 2012-07-12 02:02 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-09 00:43 - 2012-07-11 03:19 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 23:41 - 2012-07-11 03:19 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-06 01:06 - 2012-07-11 03:19 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-06 01:06 - 2012-07-11 03:19 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-06 01:02 - 2012-07-11 03:18 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-06 00:05 - 2012-07-11 03:19 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-06 00:05 - 2012-07-11 03:19 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-06 00:03 - 2012-07-11 03:18 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 17:19 - 2012-06-22 01:53 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 17:19 - 2012-06-22 01:53 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 17:19 - 2012-06-22 01:53 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 17:19 - 2012-06-22 01:53 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 17:19 - 2012-06-22 01:53 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 17:15 - 2012-06-22 01:53 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 17:15 - 2012-06-22 01:53 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:19 - 2012-06-22 01:53 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:15 - 2012-06-22 01:53 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 00:50 - 2012-07-11 03:19 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-02 00:48 - 2012-07-11 03:19 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-02 00:48 - 2012-07-11 03:19 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 00:45 - 2012-07-11 03:19 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-02 00:44 - 2012-07-11 03:19 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 23:40 - 2012-07-11 03:19 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 23:40 - 2012-07-11 03:19 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 23:39 - 2012-07-11 03:19 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 23:34 - 2012-07-11 03:19 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-14 23:01 - 2012-06-13 06:06 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-14 22:59 - 2012-06-13 06:05 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-14 22:03 - 2012-06-13 06:06 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-14 22:00 - 2012-06-13 06:05 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-04 06:06 - 2012-06-13 06:05 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 05:03 - 2012-06-13 06:05 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 05:03 - 2012-06-13 06:05 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-05-01 00:40 - 2012-06-13 06:05 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 22:55 - 2012-06-13 06:05 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-26 00:41 - 2012-06-13 06:05 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-04-26 00:41 - 2012-06-13 06:05 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-04-26 00:34 - 2012-06-13 06:05 - 00009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

ZeroAccess:
C:\Windows\Installer\{60a98e2c-6f26-9e0e-358d-f36eadfb405d}
C:\Windows\Installer\{60a98e2c-6f26-9e0e-358d-f36eadfb405d}\@
C:\Windows\Installer\{60a98e2c-6f26-9e0e-358d-f36eadfb405d}\L
C:\Windows\Installer\{60a98e2c-6f26-9e0e-358d-f36eadfb405d}\U
C:\Windows\Installer\{60a98e2c-6f26-9e0e-358d-f36eadfb405d}\L\00000004.@
C:\Windows\Installer\{60a98e2c-6f26-9e0e-358d-f36eadfb405d}\L\1afb2d56
C:\Windows\Installer\{60a98e2c-6f26-9e0e-358d-f36eadfb405d}\L\201d3dde

ZeroAccess:
C:\Users\Jim\AppData\Local\{60a98e2c-6f26-9e0e-358d-f36eadfb405d}
C:\Users\Jim\AppData\Local\{60a98e2c-6f26-9e0e-358d-f36eadfb405d}\@
C:\Users\Jim\AppData\Local\{60a98e2c-6f26-9e0e-358d-f36eadfb405d}\L
C:\Users\Jim\AppData\Local\{60a98e2c-6f26-9e0e-358d-f36eadfb405d}\U

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 5943.12 MB
Available physical RAM: 5267.16 MB
Total Pagefile: 5941.27 MB
Available Pagefile: 5258.06 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:917.66 GB) (Free:866.86 GB) NTFS
7 Drive i: (HP v125w) (Removable) (Total:7.45 GB) (Free:1.99 GB) FAT32
8 Drive j: (RECOVERY) (Fixed) (Total:13.81 GB) (Free:5.61 GB) NTFS ==>[System with boot components (obtained from reading drive)]
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 Online 7648 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 13 GB 40 MB
Partition 3 Primary 917 GB 13 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 8 FAT Partition 39 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 J RECOVERY NTFS Partition 13 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 917 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7647 MB 40 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 I HP v125w FAT32 Removable 7647 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-18 02:36

======================= End Of Log ==========================

Thanks for the help
Don

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:02 PM

Posted 23 July 2012 - 04:12 PM

Hello,

We will now start cleaning your machine.

1.
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

C:\Windows\Installer\{60a98e2c-6f26-9e0e-358d-f36eadfb405d}
C:\Users\Jim\AppData\Local\{60a98e2c-6f26-9e0e-358d-f36eadfb405d}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


2.
Please do the following in Normal mode.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


Things to include in your next reply::
Fixlog.txt
TdssKiller log
Combofix.txt
How is your machine running now?

Edited by fireman4it, 23 July 2012 - 04:12 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 ddibowski

ddibowski
  • Topic Starter

  • Members
  • 162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:02 PM

Posted 23 July 2012 - 07:04 PM

I hope I didn't mess things up here but this is what I did. I ran frst64 using the fix option and the supplied lines of code. I got a fixlog which I will copy at the end of this. I then did a restart after frst64.

Steps 2 and 3 make a point of saving it to the desktop. So I assumed the frst64 fixed the PC enough that I should be able to get to the internet. I was not able to open IE successflly. I decided to shut it down the PC and reboot my modem thinking this might help. (I know I am not supposed to think.) When I unplugged my modem I got a message on my laptop the network was not available. The laptop still had the ethernet cable plugged into it not the desktop we are fixing.

So should I be doing steps 2 and/or 3 to the flash drive? Or did I somehow reinfect the computer?

Here is the fixlog.
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by SYSTEM at 2012-07-23 19:37:38 Run:1
Running from I:\

==============================================

C:\Windows\Installer\{60a98e2c-6f26-9e0e-358d-f36eadfb405d} moved successfully.
C:\Users\Jim\AppData\Local\{60a98e2c-6f26-9e0e-358d-f36eadfb405d} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

==== End of Fixlog ====

Thanks
Don

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:02 PM

Posted 23 July 2012 - 09:11 PM

Hello,
Please download steps 2 and 3 to your flash drive then transfer them to your computer and run them and post there logs.

Make sure you transfer Combofix to your desktop before running it.

Edited by fireman4it, 23 July 2012 - 09:12 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 ddibowski

ddibowski
  • Topic Starter

  • Members
  • 162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:02 PM

Posted 24 July 2012 - 09:47 AM

Here is what I did. Copied TDSKiller and ComboFix to the flash drive. Copied them to the desktop of the infected PC. I thought I double clicked TDSKiller. I saw a warning about the anti virus program and so I turned the statuses inactive while that window was open. I could see a window behind this one so I moved it and saw it was TDSKiller with a big scan button on it. I was starting to wonder if I clicked the wrong one. I did not see a way to stop it. I thought maybe TDSKiller somehow uses the ComboFix software so I continued with that. Several times it warned me that AVG was active but when I looked at the status it still showed inactive. I assumed since it was not inactive when it started it still thought it was active. There was one last warning, an option to run it with AVG active. I went with it. It went through a number of stages. It gave me a combofix log.txt which I have below.

Prior to the log appearing, I got a small windows box with the message
C:\Program Files (x86)\Dell DataSafe Local Backup\ComponetnDSUpdatDSUpd.exe
A device attached to the system is not functioning

I think this message appeared as part of the restart because after I clicked OK a Windows startup notes played and the desktop Icons appeared.

I had moved the ethernet cord to the bad PC because I expected to try it out when I finished. While it was there I decided to try the internet. I clicked on IE and got this small windows box with this message:
C:\Program Files (x86)\INternet Explorer\iexplorer.exe
Illegal operation attempted on a registry key that is marked for deletion

When I click OK on that window I get a small windows box with the message:
Can't open this item
It might have been moved, renamed, or deleted. Do you want to remove this item?
Yes or No buttons

I clicked NO

I tried to open Windows Explorer to see if there is a tdskiller log on the c drive but it gives me the message:
C:\Windows\explorer.exe
Illegal operation attempted on a registry key that is marked for deletion

To see if it was all programs that gave me this message I tried notepad and calculator and got similar meassages.

I really don't think I ran Combofix first but it sure looks like it and I really am sorry if I did. Hopefully you can dig me out of this mess. I am not sure the log is going to help but it is below.

Thanks
Don

log.txt follows....
ComboFix 12-07-25.04 - Jim 07/24/2012 9:52.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5943.4794 [GMT -4:00]
Running from: c:\users\Jim\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
FW: ZoneAlarm Free Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-06-24 to 2012-07-24 )))))))))))))))))))))))))))))))
.
.
2012-07-24 13:55 . 2012-07-24 13:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-23 17:33 . 2012-07-23 18:07 -------- d-----w- C:\FRST
2012-07-19 13:16 . 2012-07-19 13:16 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-19 13:16 . 2012-07-19 13:16 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-19 13:16 . 2012-07-19 13:16 -------- d-----w- c:\windows\system32\Macromed
2012-07-12 07:02 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 08:18 . 2012-06-06 06:05 1499136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 08:18 . 2012-06-06 05:05 1019904 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2012-07-11 08:18 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-07-11 08:18 . 2012-06-06 06:05 61440 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
2012-07-11 08:18 . 2012-06-06 06:05 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2012-07-11 08:18 . 2012-06-06 06:05 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2012-07-11 08:18 . 2012-06-06 06:02 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-07-11 08:18 . 2012-06-06 05:05 143360 ----a-w- c:\program files (x86)\Common Files\System\ado\msjro.dll
2012-07-11 08:18 . 2012-06-06 05:05 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll
2012-07-11 08:18 . 2012-06-06 05:05 57344 ----a-w- c:\program files (x86)\Common Files\System\ado\msador15.dll
2012-07-11 08:18 . 2012-06-06 05:05 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
2012-07-11 08:18 . 2012-06-06 05:05 212992 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll
2012-07-11 08:18 . 2012-06-06 05:03 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-06-25 18:49 . 2012-06-25 18:50 -------- d-----w- c:\users\Jim\AppData\Local\Microsoft Games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 07:00 . 2011-05-18 16:25 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-02 22:19 . 2012-06-22 06:53 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 06:53 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 06:53 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 06:53 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 06:53 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 06:53 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 06:53 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-22 06:53 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-22 06:53 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-15 04:01 . 2012-06-13 11:06 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 03:59 . 2012-06-13 11:05 64512 ----a-w- c:\windows\system32\jsproxy.dll
2012-05-15 03:03 . 2012-06-13 11:06 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-05-04 11:06 . 2012-06-13 11:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-13 11:05 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-13 11:05 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40 . 2012-06-13 11:05 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:55 . 2012-06-13 11:05 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 05:41 . 2012-06-13 11:05 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 05:41 . 2012-06-13 11:05 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 05:34 . 2012-06-13 11:05 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ShwiconXP9106"="c:\program files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe" [2010-01-27 237568]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
"ZoneAlarm"="c:\program files (x86)\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"STToasterLauncher"="c:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe" [2010-08-11 120032]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe" [2010-08-11 163040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2010-07-30 25072]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-30 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 26704]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2011-03-16 37456]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2011-01-07 304720]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-03-01 41552]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2011-04-05 377936]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2012-01-31 7391072]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-08-25 13672]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2011-11-03 33672]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2011-11-03 827520]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-08-20 689472]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-04-15 2280312]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-05-27 118864]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 29264]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 271872]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-10-16 321064]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-25 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-08-05 23:47]
.
2012-07-23 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-08-05 23:47]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-09 10060832]
"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2011-01-25 1802472]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 415256]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 1125504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: cnet.com\download
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.200.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\runonce.exe
c:\program files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files (x86)\AVG\AVG10\avgmfapx.exe
.
**************************************************************************
.
Completion time: 2012-07-24 10:00:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-24 14:00
.
Pre-Run: 932,115,595,264 bytes free
Post-Run: 932,584,464,384 bytes free
.
- - End Of File - - B77F74BA3C185EE427FC2458C0BDFEDF

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:02 PM

Posted 24 July 2012 - 04:13 PM

Illegal operation attempted on a registry key that is marked for deletion


This sometime happens. You just need to reboot once or twice and everything should be ok. Please go ahead and try and open Internet Explorer again after you have rebooted. If it opens go ahead and see if it is working ok.

Edited by fireman4it, 24 July 2012 - 04:13 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 ddibowski

ddibowski
  • Topic Starter

  • Members
  • 162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:02 PM

Posted 24 July 2012 - 09:26 PM

Earlier this evening I was able to do a reboot. I was able to access the internet. I only had a few minutes to try it out and want to try it some more tomorrow. (It is my brotherís PC and I am not there right now.)

I did get several messages after the reboot. One was to install AVG 2012 which I will do after we are finished with this case. One wanted to install a new version of java which I let it do.

There was one message right after I booted. The PC was sitting on the Google screen. A message came up, I think it was ďIllegal Operation in stack at line 4Ē. I clicked Ok. I have the exact wording at my brotherís. I am not sure if it was from the Google screen or something that was still starting up.

But I was able to find the two logs TDSSKiller and Combofix which I think is going to be the same as my previous post.

My brother used the internet a little after I left this afternoon and did not have any problems. But like I said I want to run over there in the morning and try it a little more but I donít expect any more problems. Is there anything in particular I should look at?

I really appreciate your help on this. Iíll stop short of saying I look forward to the next time I have a problem.

Thanks for all you did.
Don

TDSSKiller....
09:42:19.0479 4896 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
09:42:21.0607 4896 ============================================================
09:42:21.0607 4896 Current date / time: 2012/07/24 09:42:21.0607
09:42:21.0607 4896 SystemInfo:
09:42:21.0607 4896
09:42:21.0607 4896 OS Version: 6.1.7601 ServicePack: 1.0
09:42:21.0607 4896 Product type: Workstation
09:42:21.0607 4896 ComputerName: JIM-PC
09:42:21.0607 4896 UserName: Jim
09:42:21.0607 4896 Windows directory: C:\Windows
09:42:21.0607 4896 System windows directory: C:\Windows
09:42:21.0607 4896 Running under WOW64
09:42:21.0607 4896 Processor architecture: Intel x64
09:42:21.0607 4896 Number of processors: 4
09:42:21.0607 4896 Page size: 0x1000
09:42:21.0607 4896 Boot type: Normal boot
09:42:21.0607 4896 ============================================================
09:42:22.0434 4896 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
09:42:22.0449 4896 Drive \Device\Harddisk5\DR5 - Size: 0x1DE000000 (7.47 Gb), SectorSize: 0x200, Cylinders: 0x3CE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
09:42:22.0449 4896 ============================================================
09:42:22.0449 4896 \Device\Harddisk0\DR0:
09:42:22.0449 4896 MBR partitions:
09:42:22.0449 4896 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x1B9F000
09:42:22.0449 4896 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1BB3000, BlocksNum 0x72B53000
09:42:22.0449 4896 \Device\Harddisk5\DR5:
09:42:22.0449 4896 MBR partitions:
09:42:22.0449 4896 \Device\Harddisk5\DR5\Partition0: MBR, Type 0xC, StartLBA 0x50, BlocksNum 0xEEFFB0
09:42:22.0449 4896 ============================================================
09:42:22.0481 4896 C: <-> \Device\Harddisk0\DR0\Partition1
09:42:22.0481 4896 ============================================================
09:42:22.0481 4896 Initialize success
09:42:22.0481 4896 ============================================================

ComboFix.....
ComboFix 12-07-25.04 - Jim 07/24/2012 9:52.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5943.4794 [GMT -4:00]
Running from: c:\users\Jim\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
FW: ZoneAlarm Free Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-06-24 to 2012-07-24 )))))))))))))))))))))))))))))))
.
.
2012-07-24 13:55 . 2012-07-24 13:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-23 17:33 . 2012-07-23 18:07 -------- d-----w- C:\FRST
2012-07-19 13:16 . 2012-07-19 13:16 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-19 13:16 . 2012-07-19 13:16 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-19 13:16 . 2012-07-19 13:16 -------- d-----w- c:\windows\system32\Macromed
2012-07-12 07:02 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 08:18 . 2012-06-06 06:05 1499136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 08:18 . 2012-06-06 05:05 1019904 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2012-07-11 08:18 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-07-11 08:18 . 2012-06-06 06:05 61440 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
2012-07-11 08:18 . 2012-06-06 06:05 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2012-07-11 08:18 . 2012-06-06 06:05 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2012-07-11 08:18 . 2012-06-06 06:02 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-07-11 08:18 . 2012-06-06 05:05 143360 ----a-w- c:\program files (x86)\Common Files\System\ado\msjro.dll
2012-07-11 08:18 . 2012-06-06 05:05 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll
2012-07-11 08:18 . 2012-06-06 05:05 57344 ----a-w- c:\program files (x86)\Common Files\System\ado\msador15.dll
2012-07-11 08:18 . 2012-06-06 05:05 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
2012-07-11 08:18 . 2012-06-06 05:05 212992 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll
2012-07-11 08:18 . 2012-06-06 05:03 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-06-25 18:49 . 2012-06-25 18:50 -------- d-----w- c:\users\Jim\AppData\Local\Microsoft Games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 07:00 . 2011-05-18 16:25 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-02 22:19 . 2012-06-22 06:53 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 06:53 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 06:53 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 06:53 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 06:53 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 06:53 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 06:53 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-22 06:53 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-22 06:53 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-15 04:01 . 2012-06-13 11:06 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 03:59 . 2012-06-13 11:05 64512 ----a-w- c:\windows\system32\jsproxy.dll
2012-05-15 03:03 . 2012-06-13 11:06 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-05-04 11:06 . 2012-06-13 11:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-13 11:05 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-13 11:05 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40 . 2012-06-13 11:05 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:55 . 2012-06-13 11:05 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 05:41 . 2012-06-13 11:05 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 05:41 . 2012-06-13 11:05 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 05:34 . 2012-06-13 11:05 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ShwiconXP9106"="c:\program files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe" [2010-01-27 237568]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
"ZoneAlarm"="c:\program files (x86)\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"STToasterLauncher"="c:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe" [2010-08-11 120032]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe" [2010-08-11 163040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2010-07-30 25072]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-30 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 26704]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2011-03-16 37456]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2011-01-07 304720]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-03-01 41552]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2011-04-05 377936]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2012-01-31 7391072]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-08-25 13672]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2011-11-03 33672]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2011-11-03 827520]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-08-20 689472]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-04-15 2280312]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-05-27 118864]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 29264]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 271872]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-10-16 321064]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-25 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-08-05 23:47]
.
2012-07-23 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-08-05 23:47]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-09 10060832]
"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2011-01-25 1802472]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 415256]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 1125504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: cnet.com\download
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.200.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\runonce.exe
c:\program files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files (x86)\AVG\AVG10\avgmfapx.exe
.
**************************************************************************
.
Completion time: 2012-07-24 10:00:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-24 14:00
.
Pre-Run: 932,115,595,264 bytes free
Post-Run: 932,584,464,384 bytes free
.
- - End Of File - - B77F74BA3C185EE427FC2458C0BDFEDF

#12 ddibowski

ddibowski
  • Topic Starter

  • Members
  • 162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:02 PM

Posted 25 July 2012 - 10:58 AM

I just wanted to let you know the PC seems to be working okay. This morning I shutdown the computer and powered it on. It is working without any problems. I think we are okay.

The message I got before was Stack overflow at line 4. But I haven't seen it again so I guess it was just something that needed to work itself out.

Thanks for you help on this case. I really do appreciate it and will be making a donation to the site. I want you here next time I have a problem.

Don

#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:02 PM

Posted 25 July 2012 - 12:23 PM

Hello Don,


Glad to hear things are better. Those error messages are very common after running Combofix. You just need to reboot to get rid of them. In which you did. Let's run a couple more scanners to make sure no leftovers are hiding. Then we will send you on your internet surfing way!

1.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

2.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


Things to include in your next reply::
MBAM log
Eset log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#14 ddibowski

ddibowski
  • Topic Starter

  • Members
  • 162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:02 PM

Posted 26 July 2012 - 01:41 PM

Yesterday since I thought we were about done I updated the AVG and ZoneAlarm software. As the Eset was running I got a Threat Detected message from AVG. I had inactivated the AVG software for 15 minutes before Anti_malware ran but maybe it started on its own after the 15 minutes.

It gave me the threat detected message on
File Name c:\FRST\Quarantine\Desktop.ini

In Show Details it showed
C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineCmd\Line\Scanner.exe
Process ID 1336

I left eset finish and then clicked on Move to Vault. It successfully moved it. I don't think this is a problem but thought I would mention it.

There is a file called desktop.ini on the desktop. I am not sure when it got there. When I look at the properties it says it was created 4/27/11 and modified 7/11/12 3:21 am. Do you think it is a problem? I am tempted to open it with notepad but thought you might have some other idea.

Anti-Malware did not find any problems. Eset found and fixed three infections. I have posted the logs below.

Everything seeems to be working okay. Let me know if there is anything more I need to do.

Thanks for all your help

Don

Anti_Malware log....
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.26.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Jim :: JIM-PC [administrator]

Protection: Enabled

7/26/2012 10:09:36 AM
mbam-log-2012-07-26 (10-09-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196258
Time elapsed: 2 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Eset log....
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application cleaned by deleting - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application cleaned by deleting - quarantined
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.services.exe.01cd66af7e97fe6a.0000 Win64/Patched.B.Gen trojan deleted - quarantined

#15 ddibowski

ddibowski
  • Topic Starter

  • Members
  • 162 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:02 PM

Posted 26 July 2012 - 01:46 PM

One more thing - I just noticed a second desktop.ini file on the desktop. the created and modify dates are 7/14/09. I am not sure what these files are or when they got there.

Thanks
Don




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users