
Unknown Aflictment


  • This topic is locked
30 replies to this topic

#1 12339623

12339623

  • Members
  • 64 posts

Posted 04 August 2012 - 05:06 PM

( From Previous log 3 Times Relapse )

Starting around two months ago, my computer would randomly not open .exe files like Firefox. Since then, my computer has had to reboot Windows 7 to open correctly. Today, this computer suddenly stopped opening files, music would not work, and the desktop went blank to a white screen (the toolbar and icons were still there). The strange thing is that Rkill (as explorer.exe and iexplorer.exe), SUPERAntiSpyware, and Malwarebytes cannot find anything. In the two months since, I have only installed one computer game (Warcraft III and its expansion), legally.

I notice it is starting to take my laptop longer to turn on. After the Windows loading screen, the screen is black with just the mouse until the log-in account page appears. My computer is overall slower as well. I noticed I have multiple explorer.exe programs open, taking up 200,000+ memory in total.



GMER's options required for the log do not work on my 64-bit Windows 7 Professional, so I did not scan my laptop.


DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_33
Run by Andrew at 14:53:06 on 2012-08-04
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4007.2098 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Outdated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\CxAudMsg64.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Windows\SysWOW64\SAsrv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe
C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Lenovo\Screen Reading Optimizer\SRORest.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Lenovo\Screen Reading Optimizer\SROSVC.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Lenovo\System Update\SUService.exe
C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\msiexec.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.amazon.com/Rechargeable-Controller-Battery-XBOX-360/dp/B003WIGKZQ
uDefault_Page_URL = hxxp://lenovo.msn.com
uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.1\youtubedownloaderToolbarIE.dll
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Symantec VIP Access Add-On: {c63cd127-a1cb-4d49-a4f7-d6f88a917be6} - C:\Program Files (x86)\Symantec\VIP Access Client\VIPAddOnForIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.1\youtubedownloaderToolbarIE.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.1\youtubedownloaderToolbarIE.dll
uRun: [Facebook Update] "C:\Users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Google Update] "C:\Users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [<NO NAME>]
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~4\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
TCP: DhcpNameServer = 71.9.127.107 68.190.192.35 24.205.224.36
TCP: Interfaces\{4EA49459-11F8-4592-B3E6-CD5666643BB6} : DhcpNameServer = 71.9.127.107 68.190.192.35 24.205.224.36
TCP: Interfaces\{4EA49459-11F8-4592-B3E6-CD5666643BB6}\16474777966696 : DhcpNameServer = 192.168.6.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{4EA49459-11F8-4592-B3E6-CD5666643BB6}\34F657E64797C496262716279775966496 : DhcpNameServer = 10.48.146.16 10.48.146.81
TCP: Interfaces\{4EA49459-11F8-4592-B3E6-CD5666643BB6}\3747162766C6565647 : DhcpNameServer = 192.168.10.1
TCP: Interfaces\{4EA49459-11F8-4592-B3E6-CD5666643BB6}\4656E6E697377534 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8B72DEBC-1BE6-4484-8C99-4CF393D1B3EA} : DhcpNameServer = 10.20.0.20 10.20.0.22
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli ACGina
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Symantec VIP Access Add-On: {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} - C:\Program Files (x86)\Symantec\VIP Access Client\VIPAddOnForIE.dll
BHO-X64: IEPlugin - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: YouTube Downloader Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.1\youtubedownloaderToolbarIE.dll
TB-X64: YouTube Downloader Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.1\youtubedownloaderToolbarIE.dll
mRun-x64: [(Default)]
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\jszjjphe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - component: C:\Program Files (x86)\Symantec\VIP Access Client\components\VeriSign Identity Protection.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Andrew\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\Andrew\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Users\Andrew\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R0 TPDIGIMN;TPDIGIMN;C:\Windows\system32\DRIVERS\ApsHM64.sys --> C:\Windows\system32\DRIVERS\ApsHM64.sys [?]
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiifx64.sys --> C:\Windows\system32\DRIVERS\smiifx64.sys [?]
R1 PHCORE;PHCORE;C:\Program Files\Lenovo\RapidBoot\PHCORE64.sys [2010-12-3 31592]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [2011-7-18 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 CxAudMsg;Conexant Audio Message Service;C:\Windows\system32\CxAudMsg64.exe --> C:\Windows\system32\CxAudMsg64.exe [?]
R2 risdxc;risdxc;C:\Windows\system32\DRIVERS\risdxc64.sys --> C:\Windows\system32\DRIVERS\risdxc64.sys [?]
R3 5U877;USB Video Device;C:\Windows\system32\DRIVERS\5U877.sys --> C:\Windows\system32\DRIVERS\5U877.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\system32\DRIVERS\rtl8192Ce.sys --> C:\Windows\system32\DRIVERS\rtl8192Ce.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-4 250056]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S4 RsFx0105;RsFx0105 Driver;C:\Windows\system32\DRIVERS\RsFx0105.sys --> C:\Windows\system32\DRIVERS\RsFx0105.sys [?]
.
=============== Created Last 30 ================
.
2012-07-28 01:46:40 -------- d-----w- C:\ProgramData\PreEmptive Solutions
2012-07-25 08:28:33 -------- d-----w- C:\Windows\CheckSur
2012-07-22 23:23:20 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-21 03:04:10 2829 ----a-w- C:\Windows\War3Unin.pif
2012-07-21 03:04:10 139264 ----a-w- C:\Windows\War3Unin.exe
2012-07-20 23:35:02 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-07-20 23:35:02 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-07-20 23:35:02 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-07-20 23:35:02 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-07-20 23:35:01 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2012-07-20 23:35:01 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2012-07-20 23:10:16 9013136 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0CE3B697-5770-4D45-9610-D4C080AF08EB}\mpengine.dll
2012-07-16 22:56:58 9013136 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-14 03:39:29 -------- d-----w- C:\Program Files\SAMSUNG
2012-07-14 03:38:58 -------- d-----w- C:\ProgramData\Samsung
2012-07-10 06:08:28 -------- d-----w- C:\ProgramData\VS
2012-07-10 05:57:33 73064 ----a-w- C:\Windows\SysWow64\perf-MSSQL$SQLEXPRESS-sqlctr10.3.5500.0.dll
2012-07-10 05:57:33 109416 ----a-w- C:\Windows\System32\perf-MSSQL$SQLEXPRESS-sqlctr10.3.5500.0.dll
2012-07-10 05:57:33 105832 ----a-w- C:\Windows\System32\SQSRVRES.DLL
2012-07-10 05:33:40 -------- d-----w- C:\Users\Andrew\AppData\Roaming\Free Download Manager
2012-07-10 05:33:37 -------- d-----w- C:\Program Files (x86)\Free Download Manager
2012-07-10 05:33:12 -------- d-----w- C:\Program Files (x86)\PC Speed Maximizer
2012-07-10 05:33:05 -------- d-----w- C:\Users\Andrew\AppData\Local\antiphishing-vmninternethelper1_1dn
2012-07-10 05:33:04 -------- d-----w- C:\ProgramData\Anti-phishing Domain Advisor
.
==================== Find3M ====================
.
2012-08-03 17:27:36 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-03 17:27:36 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-21 07:02:29 476936 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-06-21 07:02:29 472840 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 14:54:39.91 ===============

Edited by 12339623, 05 August 2012 - 02:54 AM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,259 posts

Posted 09 August 2012 - 09:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of an infection's infiltration.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs for my review.

#3 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts

Posted 11 August 2012 - 04:12 AM

I read the instructions, disabled my firewalls, ran ComboFix, had to restart my computer because of the "illegal restart" problem, and afterwards re-enabled the firewalls before activating Security Check. Windows Defender was already off, but Microsoft Security Essentials still cannot update. Here are the logs:

ComboFix.txt Log:

ComboFix 12-08-09.01 - Andrew 08/11/2012 1:30.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4007.2377 [GMT -7:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Outdated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Outdated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Andrew\Documents\~WRL0005.tmp
c:\users\Andrew\Documents\~WRL0405.tmp
c:\users\Andrew\Documents\~WRL1577.tmp
c:\users\Andrew\Documents\~WRL2403.tmp
Q:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-07-11 to 2012-08-11 )))))))))))))))))))))))))))))))
.
.
2012-08-11 08:44 . 2012-08-11 08:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-04 21:50 . 2012-08-04 21:50 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-07-28 01:46 . 2012-07-28 01:46 -------- d-----w- c:\programdata\PreEmptive Solutions
2012-07-25 08:28 . 2012-07-25 08:28 -------- d-----w- c:\windows\CheckSur
2012-07-22 23:23 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-21 03:04 . 2012-07-21 03:12 2829 ----a-w- c:\windows\War3Unin.pif
2012-07-21 03:04 . 2012-07-21 03:12 139264 ----a-w- c:\windows\War3Unin.exe
2012-07-21 02:54 . 2012-08-10 02:39 -------- d-----w- c:\program files (x86)\Warcraft III
2012-07-20 23:35 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-07-20 23:35 . 2012-06-06 06:06 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-07-20 23:35 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-07-20 23:35 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-07-20 23:35 . 2010-06-26 03:55 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-20 23:35 . 2010-06-26 03:24 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2012-07-20 23:35 . 2012-06-09 05:43 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-07-20 23:10 . 2012-05-31 04:04 9013136 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0CE3B697-5770-4D45-9610-D4C080AF08EB}\mpengine.dll
2012-07-16 22:56 . 2012-05-31 04:04 9013136 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-14 03:39 . 2012-07-14 03:39 -------- d-----w- c:\program files\SAMSUNG
2012-07-14 03:38 . 2012-07-14 03:38 -------- d-----w- c:\programdata\Samsung
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-03 17:27 . 2012-04-05 05:19 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-03 17:27 . 2011-08-20 04:27 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-29 20:39 . 2012-06-28 03:28 2379552 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2012-07-22 23:19 . 2011-09-03 21:19 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-21 07:02 . 2012-06-21 07:02 476936 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-06-21 07:02 . 2011-11-12 20:01 472840 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-06-02 22:19 . 2012-06-21 20:22 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 20:22 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 20:22 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 20:22 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 20:22 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-21 20:22 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-21 20:22 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 20:22 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:15 . 2012-06-21 20:22 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-05-18 02:47 . 2012-06-15 02:13 17807360 ----a-w- c:\windows\system32\mshtml.dll
2012-05-18 02:16 . 2012-06-15 02:13 10924032 ----a-w- c:\windows\system32\ieframe.dll
2012-05-18 02:06 . 2012-06-15 02:14 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-05-18 01:59 . 2012-06-15 02:14 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-05-18 01:59 . 2012-06-15 02:14 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-05-18 01:58 . 2012-06-15 02:14 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-18 01:58 . 2012-06-15 02:14 237056 ----a-w- c:\windows\system32\url.dll
2012-05-18 01:56 . 2012-06-15 02:14 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-05-18 01:55 . 2012-06-15 02:14 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-18 01:55 . 2012-06-15 02:14 818688 ----a-w- c:\windows\system32\jscript.dll
2012-05-18 01:54 . 2012-06-15 02:14 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-05-18 01:51 . 2012-06-15 02:14 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-05-18 01:51 . 2012-06-15 02:14 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-18 01:47 . 2012-06-15 02:14 248320 ----a-w- c:\windows\system32\ieui.dll
2012-05-17 22:45 . 2012-06-15 02:14 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-05-17 22:35 . 2012-06-15 02:14 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-05-17 22:35 . 2012-06-15 02:14 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-05-17 22:29 . 2012-06-15 02:14 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-05-17 22:24 . 2012-06-15 02:14 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-13 138096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2010-12-03 116072]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 250056]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 FoxAwdWINFLASH64;FoxAwdWINFLASH64;c:\users\Andrew\AppData\Local\Temp\_AAC9.tmp\FoxAwdWINFLASH64.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-22 113120]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2011-07-04 83304]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-13 1255736]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
R4 RsFx0105;RsFx0105 Driver;c:\windows\system32\DRIVERS\RsFx0105.sys [2011-09-23 311144]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-09-23 431464]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2011-03-30 23664]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [2010-09-07 15472]
S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS [2010-12-03 31592]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-11-13 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe [2010-12-16 198784]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2011-04-05 40808]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-04-04 45496]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2011-04-05 59240]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2010-04-07 93032]
S2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2011-07-04 148840]
S2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys [2011-03-23 101376]
S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [x]
S2 SROSVC;Screen Reading Optimizer Service Program;c:\program files (x86)\Lenovo\Screen Reading Optimizer\SROSVC.exe [2011-03-02 443240]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-04-20 144232]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-03-29 64952]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-22 2656280]
S2 VIPAppService;VIPAppService;c:\program files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2011-07-13 82544]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2011-03-05 166016]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-29 52584]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-04-27 317440]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-19 56344]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2011-04-13 1143912]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 17:27]
.
2012-08-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3450173754-1997913292-391584751-1000Core.job
- c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-20 17:33]
.
2012-08-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3450173754-1997913292-391584751-1000UA.job
- c:\users\Andrew\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-20 17:33]
.
2012-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3450173754-1997913292-391584751-1000Core.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-14 03:52]
.
2012-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3450173754-1997913292-391584751-1000UA.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-14 03:52]
.
2012-07-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 15:06]
.
2012-08-11 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 15:06]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]
"combofix"="c:\combofix\CF30016.3XE" [2010-11-21 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.amazon.com/Rechargeable-Controller-Battery-XBOX-360/dp/B003WIGKZQ
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 71.9.127.107 68.190.192.35 24.205.224.36
TCP: Interfaces\{4EA49459-11F8-4592-B3E6-CD5666643BB6}: DhcpNameServer = 71.9.127.107 68.190.192.35 24.205.224.36
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\jszjjphe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Natural Selection - c:\windows\system32\javaws.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\SysWOW64\SAsrv.exe
c:\program files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files (x86)\Lenovo\Access Connections\AcSvc.exe
c:\progra~1\LENOVO\VIRTSCRL\virtscrl.exe
c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Lenovo\System Update\SUService.exe
c:\program files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe
.
**************************************************************************
.
Completion time: 2012-08-11 02:00:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-11 09:00
.
Pre-Run: 127,152,984,064 bytes free
Post-Run: 129,697,173,504 bytes free
.
- - End Of File - - D322609E0C53B03DEEA399B72CD0C140

Security Check Log checkup.txt:

Results of screen317's Security Check version 0.99.43
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 33
Java version out of Date!
Adobe Reader X (10.1.3)
Mozilla Firefox 13.0.1 Firefox out of Date!
Google Chrome 21.0.1180.60
Google Chrome 21.0.1180.75
Google Chrome VisualElementsManifest.xml..
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````
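The service and driver listing in the ComboFix log above (the R*/S* lines) is where a first triage pass usually starts. The following Python is an added example, not part of this thread and not something ComboFix ships: it parses that listing and flags entries whose binary is missing on disk (ComboFix prints [x] instead of a date and size) or whose image path sits under a directory an ordinary user can write to. The sample lines are copied from the log above, plus one clearly labelled constructed line so the auto-start branch is exercised. The reading of the leading letter (R running, S stopped) and digit (Windows start type) is the commonly documented one and is an assumption of this code, not something the thread states.

```python
import re
from dataclasses import dataclass, field

# ComboFix service/driver line: state letter (R running / S stopped), start type
# digit (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), then
#   name;display name;image path [date size]   or   [x] when the file is not on disk.
# (Assumed meaning of the letter and digit; see lead-in.)
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<stamp>x|\d{4}-\d{2}-\d{2} \d+)\]$"
)

# Directories an unprivileged user (or a dropper running as that user) can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class ServiceEntry:
    state: str
    start: int
    name: str
    display: str
    path: str
    missing: bool
    reasons: list = field(default_factory=list)


def parse_services(log_text: str) -> list:
    """Extract every service/driver line; separators and headers are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(ServiceEntry(
            state=m["state"], start=int(m["start"]), name=m["name"],
            display=m["display"], path=m["path"], missing=(m["stamp"] == "x")))
    return entries


def triage(log_text: str) -> dict:
    """Return {service name: [reasons]} for entries that deserve a second look."""
    flagged = {}
    for e in parse_services(log_text):
        p = e.path.lower()
        if e.missing:
            e.reasons.append("binary missing on disk ([x])")
        if any(marker in p for marker in USER_WRITABLE):
            kind = "kernel driver" if p.endswith(".sys") else "service binary"
            e.reasons.append(f"{kind} under user-writable path")
            if e.start <= 2:  # boot/system/auto start: runs without user action
                e.reasons.append(f"starts automatically (start type {e.start})")
        if e.reasons:
            flagged[e.name] = e.reasons
    return flagged


# Sample input: four lines copied from the ComboFix log in this thread, one
# separator line, and one CONSTRUCTED line (HypotheticalSvc) that is not from the log.
SAMPLE_LOG = r"""
R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2010-12-03 116072]
R3 FoxAwdWINFLASH64;FoxAwdWINFLASH64;c:\users\Andrew\AppData\Local\Temp\_AAC9.tmp\FoxAwdWINFLASH64.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
.
S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [x]
S2 HypotheticalSvc;Constructed example;c:\users\Andrew\AppData\Roaming\example\svc.exe [2012-08-01 12345]
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run against the log above it flags two real entries: FoxAwdWINFLASH64, a .sys registered from a Temp folder whose file no longer exists (whatever registered it is worth identifying, but there is nothing on disk to load), and SAService, whose path points at system32 while the "Other Running Processes" section shows SAsrv.exe actually running from SysWOW64. Both have plausible explanations, which is the point of the tool: a flag is a prompt to go and check, not a verdict.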

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,259 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:29 AM

Posted 11 August 2012 - 09:33 AM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present, remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 33


===

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Security Center/Action center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#5 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:04:29 AM

Posted 11 August 2012 - 04:02 PM

My java version is up-to-date and I have no old versions even though the security check said it was out of date. When I started Farbar first, all my programs stopped working, my mouse was stuck on loading, and eventually my desktop turned white. At the time I turned it off and turned it back on. This time all my programs had trouble opening. After I ran Rkill, it closed familiar programs but had one unfamiliar closed process. Windows Defender was automatically on this time, but I still cannot update Windows Security Essentials.

FSS.txt

Farbar Service Scanner Version: 06-08-2012
Ran by Andrew (administrator) on 11-08-2012 at 13:54:34
Running from "C:\Users\Andrew\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************



Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,259 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:29 AM

Posted 12 August 2012 - 07:31 AM

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#7 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:04:29 AM

Posted 13 August 2012 - 03:30 AM

The first program, TDSS Killer, did not catch anything. aswMBR had to download from the AVAST database before scan. I did run all the virus programs on the desktop. After, I put them in the folder "Virus Management." I accidentally opened two aswMBR, where the first one canceled itself before scanning.

aswMBR.txt:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-13 01:02:56
-----------------------------
01:02:56.885 OS Version: Windows x64 6.1.7601 Service Pack 1
01:02:56.885 Number of processors: 4 586 0x2A07
01:02:56.885 ComputerName: ANDREW-THINK UserName: Andrew
01:02:57.649 Initialize success
01:04:01.506 AVAST engine defs: 12081300
01:04:15.157 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
01:04:15.157 Disk 0 Vendor: WDC_WD32 02.0 Size: 305245MB BusType: 3
01:04:15.173 Disk 0 MBR read successfully
01:04:15.173 Disk 0 MBR scan
01:04:15.173 Disk 0 unknown MBR code
01:04:15.173 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1200 MB offset 2048
01:04:15.220 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 294043 MB offset 2459648
01:04:15.282 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 10000 MB offset 604659712
01:04:15.376 Disk 0 scanning C:\Windows\system32\drivers
01:04:43.596 Service scanning
01:05:15.295 Modules scanning
01:05:15.311 Disk 0 trace - called modules:
01:05:15.342 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
01:05:15.342 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800669f060]
01:05:15.358 3 CLASSPNP.SYS[fffff8800186c43f] -> nt!IofCallDriver -> [0xfffffa80047de280]
01:05:15.358 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80047ec050]
01:05:16.528 AVAST engine scan C:\Windows
01:05:22.549 AVAST engine scan C:\Windows\system32
01:12:36.096 AVAST engine scan C:\Windows\system32\drivers
01:12:47.859 AVAST engine scan C:\Users\Andrew
01:23:09.364 AVAST engine scan C:\ProgramData
01:28:13.003 Scan finished successfully
01:29:44.903 Disk 0 MBR has been saved successfully to "C:\Users\Andrew\Desktop\MBR.dat"
01:29:44.918 The log file has been saved successfully to "C:\Users\Andrew\Desktop\aswMBR.txt"
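aswMBR reports "Disk 0 unknown MBR code" and, as the instructions in the previous reply say, saves the raw sector to MBR.dat for the helper to inspect. "Unknown" only means the boot code matched none of the tool's known-good patterns; an OEM or custom boot loader produces that as readily as a bootkit, so the useful next step is comparison against a known-clean copy and a sanity check of the partition table. The Python below is an added example, not part of this thread and not part of aswMBR: it parses a 512-byte MBR, prints the partition table in the same shape as the log lines above, hashes the 440-byte boot code so it can be compared with a hash taken from a clean Windows 7 machine, and runs the checks a bootkit tends to trip (overlapping or out-of-range partitions, more than one active partition, unallocated space after the last partition where a payload can be hidden). The sample MBR is constructed to carry the three NTFS partitions listed in the log; its boot code is zeroed and its disk signature is arbitrary. It assumes MBR.dat is the raw 512-byte sector 0.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
MB = 1024 * 1024
# One 16-byte partition entry: boot flag, CHS start (3 bytes, skipped), type,
# CHS end (3 bytes, skipped), LBA of first sector, sector count; little-endian.
ENTRY_FMT = "<B3xB3xII"


@dataclass
class Partition:
    index: int
    boot_flag: int
    ptype: int
    lba_start: int
    sectors: int

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // MB

    def describe(self) -> str:
        # Same shape as aswMBR's "Partition 1 80 (A) 07 ... 1200 MB offset 2048"
        active = "(A) " if self.boot_flag == 0x80 else ""
        return (f"Partition {self.index} {self.boot_flag:02X} {active}"
                f"{self.ptype:02X} {self.size_mb} MB offset {self.lba_start}")


def parse_mbr(sector0: bytes):
    """Return (sha256 of boot code, disk signature, [Partition, ...]) for a 512-byte MBR."""
    if len(sector0) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 0x55AA missing")
    boot_code_hash = hashlib.sha256(sector0[:440]).hexdigest()
    disk_sig = struct.unpack_from("<I", sector0, 440)[0]
    parts = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector0, 446 + 16 * i)
        if ptype != 0:  # type 0 = unused slot
            parts.append(Partition(i + 1, boot, ptype, lba, count))
    return boot_code_hash, disk_sig, parts


def layout_findings(parts, disk_sectors: int) -> list:
    """Partition-table sanity checks; an empty list means nothing odd."""
    findings = []
    active = [p for p in parts if p.boot_flag == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for prev, nxt in zip(ordered, ordered[1:]):
        if prev.lba_start + prev.sectors > nxt.lba_start:
            findings.append(f"partition {prev.index} overlaps partition {nxt.index}")
    for p in parts:
        if p.lba_start + p.sectors > disk_sectors:
            findings.append(f"partition {p.index} extends past end of disk")
    return findings


def unallocated_tail(parts, disk_sectors: int) -> int:
    """Sectors after the last partition: a common place for a bootkit to store its payload."""
    end = max((p.lba_start + p.sectors for p in parts), default=0)
    return disk_sectors - end


def _entry(boot, ptype, lba, count):
    return struct.pack(ENTRY_FMT, boot, ptype, lba, count)


# CONSTRUCTED sample: zeroed boot code, arbitrary disk signature, and the three
# partitions the aswMBR log reports (offsets 2048 / 2459648 / 604659712 and
# sizes 1200 / 294043 / 10000 MB, i.e. 2457600 / 602200064 / 20480000 sectors).
SAMPLE_MBR = (
    bytes(440)
    + struct.pack("<I", 0x1234ABCD)
    + b"\x00\x00"
    + _entry(0x80, 0x07, 2048, 2457600)
    + _entry(0x00, 0x07, 2459648, 602200064)
    + _entry(0x00, 0x07, 604659712, 20480000)
    + bytes(16)
    + b"\x55\xaa"
)
# Disk size as the log states it (305245 MB), converted to sectors.
SAMPLE_DISK_SECTORS = 305245 * MB // SECTOR

if __name__ == "__main__":
    # For a real case: data = open("MBR.dat", "rb").read()
    digest, sig, parts = parse_mbr(SAMPLE_MBR)
    print(f"boot code sha256: {digest}  disk signature: {sig:08X}")
    for p in parts:
        print(p.describe())
    print("findings:", layout_findings(parts, SAMPLE_DISK_SECTORS) or "none")
    print("unallocated tail sectors:", unallocated_tail(parts, SAMPLE_DISK_SECTORS))
```

For the layout in the log the table is self-consistent: each partition starts exactly where the previous one ends, only the 1200 MB system partition is active, and 2048 sectors remain after the last partition, which is an ordinary alignment remainder rather than room for a payload. That leaves the boot code itself as the open question, which is exactly why the helper asks for MBR.dat rather than relying on the "unknown" verdict.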

#8 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:04:29 AM

Posted 13 August 2012 - 03:30 AM

The first program, TDSS Killer, did not catch anything. aswMBR had to download from the AVAST databse before scan. I did run all the virus programs on the desktop.After, I put them in the folder "Virus Management." I accidently opened two aswMBR, where the first one canceled itself before scanning.

aswMBR.txt:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-13 01:02:56
-----------------------------
01:02:56.885 OS Version: Windows x64 6.1.7601 Service Pack 1
01:02:56.885 Number of processors: 4 586 0x2A07
01:02:56.885 ComputerName: ANDREW-THINK UserName: Andrew
01:02:57.649 Initialize success
01:04:01.506 AVAST engine defs: 12081300
01:04:15.157 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
01:04:15.157 Disk 0 Vendor: WDC_WD32 02.0 Size: 305245MB BusType: 3
01:04:15.173 Disk 0 MBR read successfully
01:04:15.173 Disk 0 MBR scan
01:04:15.173 Disk 0 unknown MBR code
01:04:15.173 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1200 MB offset 2048
01:04:15.220 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 294043 MB offset 2459648
01:04:15.282 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 10000 MB offset 604659712
01:04:15.376 Disk 0 scanning C:\Windows\system32\drivers
01:04:43.596 Service scanning
01:05:15.295 Modules scanning
01:05:15.311 Disk 0 trace - called modules:
01:05:15.342 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
01:05:15.342 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800669f060]
01:05:15.358 3 CLASSPNP.SYS[fffff8800186c43f] -> nt!IofCallDriver -> [0xfffffa80047de280]
01:05:15.358 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80047ec050]
01:05:16.528 AVAST engine scan C:\Windows
01:05:22.549 AVAST engine scan C:\Windows\system32
01:12:36.096 AVAST engine scan C:\Windows\system32\drivers
01:12:47.859 AVAST engine scan C:\Users\Andrew
01:23:09.364 AVAST engine scan C:\ProgramData
01:28:13.003 Scan finished successfully
01:29:44.903 Disk 0 MBR has been saved successfully to "C:\Users\Andrew\Desktop\MBR.dat"
01:29:44.918 The log file has been saved successfully to "C:\Users\Andrew\Desktop\aswMBR.txt"

#9 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:04:29 AM

Posted 13 August 2012 - 03:30 AM

The first program, TDSS Killer, did not catch anything. aswMBR had to download from the AVAST databse before scan. I did run all the virus programs on the desktop.After, I put them in the folder "Virus Management." I accidently opened two aswMBR, where the first one canceled itself before scanning.

aswMBR.txt:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-13 01:02:56
-----------------------------
01:02:56.885 OS Version: Windows x64 6.1.7601 Service Pack 1
01:02:56.885 Number of processors: 4 586 0x2A07
01:02:56.885 ComputerName: ANDREW-THINK UserName: Andrew
01:02:57.649 Initialize success
01:04:01.506 AVAST engine defs: 12081300
01:04:15.157 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
01:04:15.157 Disk 0 Vendor: WDC_WD32 02.0 Size: 305245MB BusType: 3
01:04:15.173 Disk 0 MBR read successfully
01:04:15.173 Disk 0 MBR scan
01:04:15.173 Disk 0 unknown MBR code
01:04:15.173 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1200 MB offset 2048
01:04:15.220 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 294043 MB offset 2459648
01:04:15.282 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 10000 MB offset 604659712
01:04:15.376 Disk 0 scanning C:\Windows\system32\drivers
01:04:43.596 Service scanning
01:05:15.295 Modules scanning
01:05:15.311 Disk 0 trace - called modules:
01:05:15.342 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
01:05:15.342 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800669f060]
01:05:15.358 3 CLASSPNP.SYS[fffff8800186c43f] -> nt!IofCallDriver -> [0xfffffa80047de280]
01:05:15.358 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80047ec050]
01:05:16.528 AVAST engine scan C:\Windows
01:05:22.549 AVAST engine scan C:\Windows\system32
01:12:36.096 AVAST engine scan C:\Windows\system32\drivers
01:12:47.859 AVAST engine scan C:\Users\Andrew
01:23:09.364 AVAST engine scan C:\ProgramData
01:28:13.003 Scan finished successfully
01:29:44.903 Disk 0 MBR has been saved successfully to "C:\Users\Andrew\Desktop\MBR.dat"
01:29:44.918 The log file has been saved successfully to "C:\Users\Andrew\Desktop\aswMBR.txt"

#10 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:04:29 AM

Posted 13 August 2012 - 03:30 AM

The first program, TDSS Killer, did not catch anything. aswMBR had to download from the AVAST databse before scan. I did run all the virus programs on the desktop.After, I put them in the folder "Virus Management." I accidently opened two aswMBR, where the first one canceled itself before scanning.

aswMBR.txt:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-13 01:02:56
-----------------------------
01:02:56.885 OS Version: Windows x64 6.1.7601 Service Pack 1
01:02:56.885 Number of processors: 4 586 0x2A07
01:02:56.885 ComputerName: ANDREW-THINK UserName: Andrew
01:02:57.649 Initialize success
01:04:01.506 AVAST engine defs: 12081300
01:04:15.157 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
01:04:15.157 Disk 0 Vendor: WDC_WD32 02.0 Size: 305245MB BusType: 3
01:04:15.173 Disk 0 MBR read successfully
01:04:15.173 Disk 0 MBR scan
01:04:15.173 Disk 0 unknown MBR code
01:04:15.173 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1200 MB offset 2048
01:04:15.220 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 294043 MB offset 2459648
01:04:15.282 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 10000 MB offset 604659712
01:04:15.376 Disk 0 scanning C:\Windows\system32\drivers
01:04:43.596 Service scanning
01:05:15.295 Modules scanning
01:05:15.311 Disk 0 trace - called modules:
01:05:15.342 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
01:05:15.342 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800669f060]
01:05:15.358 3 CLASSPNP.SYS[fffff8800186c43f] -> nt!IofCallDriver -> [0xfffffa80047de280]
01:05:15.358 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80047ec050]
01:05:16.528 AVAST engine scan C:\Windows
01:05:22.549 AVAST engine scan C:\Windows\system32
01:12:36.096 AVAST engine scan C:\Windows\system32\drivers
01:12:47.859 AVAST engine scan C:\Users\Andrew
01:23:09.364 AVAST engine scan C:\ProgramData
01:28:13.003 Scan finished successfully
01:29:44.903 Disk 0 MBR has been saved successfully to "C:\Users\Andrew\Desktop\MBR.dat"
01:29:44.918 The log file has been saved successfully to "C:\Users\Andrew\Desktop\aswMBR.txt"

#11 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:04:29 AM

Posted 13 August 2012 - 03:30 AM

The first program, TDSS Killer, did not catch anything. aswMBR had to download from the AVAST databse before scan. I did run all the virus programs on the desktop.After, I put them in the folder "Virus Management." I accidently opened two aswMBR, where the first one canceled itself before scanning.

aswMBR.txt:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-13 01:02:56
-----------------------------
01:02:56.885 OS Version: Windows x64 6.1.7601 Service Pack 1
01:02:56.885 Number of processors: 4 586 0x2A07
01:02:56.885 ComputerName: ANDREW-THINK UserName: Andrew
01:02:57.649 Initialize success
01:04:01.506 AVAST engine defs: 12081300
01:04:15.157 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
01:04:15.157 Disk 0 Vendor: WDC_WD32 02.0 Size: 305245MB BusType: 3
01:04:15.173 Disk 0 MBR read successfully
01:04:15.173 Disk 0 MBR scan
01:04:15.173 Disk 0 unknown MBR code
01:04:15.173 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1200 MB offset 2048
01:04:15.220 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 294043 MB offset 2459648
01:04:15.282 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 10000 MB offset 604659712
01:04:15.376 Disk 0 scanning C:\Windows\system32\drivers
01:04:43.596 Service scanning
01:05:15.295 Modules scanning
01:05:15.311 Disk 0 trace - called modules:
01:05:15.342 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
01:05:15.342 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800669f060]
01:05:15.358 3 CLASSPNP.SYS[fffff8800186c43f] -> nt!IofCallDriver -> [0xfffffa80047de280]
01:05:15.358 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80047ec050]
01:05:16.528 AVAST engine scan C:\Windows
01:05:22.549 AVAST engine scan C:\Windows\system32
01:12:36.096 AVAST engine scan C:\Windows\system32\drivers
01:12:47.859 AVAST engine scan C:\Users\Andrew
01:23:09.364 AVAST engine scan C:\ProgramData
01:28:13.003 Scan finished successfully
01:29:44.903 Disk 0 MBR has been saved successfully to "C:\Users\Andrew\Desktop\MBR.dat"
01:29:44.918 The log file has been saved successfully to "C:\Users\Andrew\Desktop\aswMBR.txt"

#12 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:04:29 AM

Posted 13 August 2012 - 03:31 AM

The first program, TDSS Killer, did not catch anything. aswMBR had to download from the AVAST databse before scan. I did run all the virus programs on the desktop.After, I put them in the folder "Virus Management." I accidently opened two aswMBR, where the first one canceled itself before scanning.

aswMBR.txt:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-13 01:02:56
-----------------------------
01:02:56.885 OS Version: Windows x64 6.1.7601 Service Pack 1
01:02:56.885 Number of processors: 4 586 0x2A07
01:02:56.885 ComputerName: ANDREW-THINK UserName: Andrew
01:02:57.649 Initialize success
01:04:01.506 AVAST engine defs: 12081300
01:04:15.157 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
01:04:15.157 Disk 0 Vendor: WDC_WD32 02.0 Size: 305245MB BusType: 3
01:04:15.173 Disk 0 MBR read successfully
01:04:15.173 Disk 0 MBR scan
01:04:15.173 Disk 0 unknown MBR code
01:04:15.173 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1200 MB offset 2048
01:04:15.220 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 294043 MB offset 2459648
01:04:15.282 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 10000 MB offset 604659712
01:04:15.376 Disk 0 scanning C:\Windows\system32\drivers
01:04:43.596 Service scanning
01:05:15.295 Modules scanning
01:05:15.311 Disk 0 trace - called modules:
01:05:15.342 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
01:05:15.342 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800669f060]
01:05:15.358 3 CLASSPNP.SYS[fffff8800186c43f] -> nt!IofCallDriver -> [0xfffffa80047de280]
01:05:15.358 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80047ec050]
01:05:16.528 AVAST engine scan C:\Windows
01:05:22.549 AVAST engine scan C:\Windows\system32
01:12:36.096 AVAST engine scan C:\Windows\system32\drivers
01:12:47.859 AVAST engine scan C:\Users\Andrew
01:23:09.364 AVAST engine scan C:\ProgramData
01:28:13.003 Scan finished successfully
01:29:44.903 Disk 0 MBR has been saved successfully to "C:\Users\Andrew\Desktop\MBR.dat"
01:29:44.918 The log file has been saved successfully to "C:\Users\Andrew\Desktop\aswMBR.txt"

#13 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Local time:04:29 AM

Posted 13 August 2012 - 03:48 AM

The first program, TDSS Killer, did not catch anything. aswMBR had to download from the AVAST databse before scan. I did run all the virus programs on the desktop.After, I put them in the folder "Virus Management." I accidently opened two aswMBR, where the first one canceled itself before scanning.

aswMBR.txt:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-13 01:02:56
-----------------------------
01:02:56.885 OS Version: Windows x64 6.1.7601 Service Pack 1
01:02:56.885 Number of processors: 4 586 0x2A07
01:02:56.885 ComputerName: ANDREW-THINK UserName: Andrew
01:02:57.649 Initialize success
01:04:01.506 AVAST engine defs: 12081300
01:04:15.157 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
01:04:15.157 Disk 0 Vendor: WDC_WD32 02.0 Size: 305245MB BusType: 3
01:04:15.173 Disk 0 MBR read successfully
01:04:15.173 Disk 0 MBR scan
01:04:15.173 Disk 0 unknown MBR code
01:04:15.173 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1200 MB offset 2048
01:04:15.220 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 294043 MB offset 2459648
01:04:15.282 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 10000 MB offset 604659712
01:04:15.376 Disk 0 scanning C:\Windows\system32\drivers
01:04:43.596 Service scanning
01:05:15.295 Modules scanning
01:05:15.311 Disk 0 trace - called modules:
01:05:15.342 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
01:05:15.342 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800669f060]
01:05:15.358 3 CLASSPNP.SYS[fffff8800186c43f] -> nt!IofCallDriver -> [0xfffffa80047de280]
01:05:15.358 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80047ec050]
01:05:16.528 AVAST engine scan C:\Windows
01:05:22.549 AVAST engine scan C:\Windows\system32
01:12:36.096 AVAST engine scan C:\Windows\system32\drivers
01:12:47.859 AVAST engine scan C:\Users\Andrew
01:23:09.364 AVAST engine scan C:\ProgramData
01:28:13.003 Scan finished successfully
01:29:44.903 Disk 0 MBR has been saved successfully to "C:\Users\Andrew\Desktop\MBR.dat"
01:29:44.918 The log file has been saved successfully to "C:\Users\Andrew\Desktop\aswMBR.txt"
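As an added example (not part of this thread, and not aswMBR's own code), here is a small Python triage helper that parses the log lines pasted above and lists the items a helper would look at first: the MBR verdict, the partition table (boot flag, type, start offset, size) and the kernel driver call chain. The parsing rules are my own assumption about the log format, derived only from the lines in this post; the check that treats any verdict other than a "... default MBR code" line as a review item is likewise an assumption about aswMBR's wording, and a non-default MBR is a review item rather than a verdict, since OEM boot managers also replace the stock loader. Partition arithmetic assumes 512-byte sectors.

```python
"""Triage helper for aswMBR logs (added example, not aswMBR's code):
parse the disk, MBR-verdict and partition lines, then list review items."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SECTOR_BYTES = 512
SECTORS_PER_MB = (1024 * 1024) // SECTOR_BYTES  # 2048, assuming 512-byte sectors

# Constructed sample: the relevant lines copied from the aswMBR log posted above.
SAMPLE_LOG = r"""
01:04:15.157 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
01:04:15.157 Disk 0 Vendor: WDC_WD32 02.0 Size: 305245MB BusType: 3
01:04:15.173 Disk 0 MBR read successfully
01:04:15.173 Disk 0 MBR scan
01:04:15.173 Disk 0 unknown MBR code
01:04:15.173 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1200 MB offset 2048
01:04:15.220 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 294043 MB offset 2459648
01:04:15.282 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 10000 MB offset 604659712
01:05:15.342 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800669f060]
01:05:15.358 3 CLASSPNP.SYS[fffff8800186c43f] -> nt!IofCallDriver -> [0xfffffa80047de280]
01:28:13.003 Scan finished successfully
"""

# Assumed line shapes, derived from the sample above (timestamp first, then "Disk N ...").
BOOT_RE = re.compile(r"^\S+ Disk \d+ \(boot\) (?P<dev>\S+) ->")
SIZE_RE = re.compile(r"^\S+ Disk \d+ Vendor: .* Size: (?P<size>\d+)MB")
MBR_RE = re.compile(r"^\S+ Disk \d+ (?P<verdict>.*MBR code)$")
PART_RE = re.compile(
    r"^\S+ Disk \d+ Partition (?P<num>\d+) (?P<flag>[0-9A-Fa-f]{2})(?: \(A\))? "
    r"(?P<type>[0-9A-Fa-f]{2}) \S+ (?P<fs>\S+) (?P<size>\d+) MB offset (?P<offset>\d+)$")
HOP_RE = re.compile(r"^\S+ \d+ (?P<hop>.+->.+)$")  # numbered hops of the driver call chain


@dataclass
class Partition:
    number: int
    boot_flag: str   # "80" = active (bootable), "00" = inactive
    type_id: str     # MBR partition type byte, "07" = NTFS
    fs: str
    size_mb: int
    offset: int      # start LBA in sectors

    @property
    def end(self) -> int:
        """First sector after the partition."""
        return self.offset + self.size_mb * SECTORS_PER_MB


@dataclass
class DiskSummary:
    boot_device: Optional[str] = None
    size_mb: Optional[int] = None
    mbr_verdict: Optional[str] = None
    partitions: List[Partition] = field(default_factory=list)
    call_chain: List[str] = field(default_factory=list)


def parse_aswmbr(text: str) -> DiskSummary:
    """Extract the disk, MBR verdict, partition table and call chain from log text."""
    summary = DiskSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BOOT_RE.match(line):
            summary.boot_device = m.group("dev")
        elif m := SIZE_RE.match(line):
            summary.size_mb = int(m.group("size"))
        elif m := MBR_RE.match(line):
            summary.mbr_verdict = m.group("verdict")
        elif m := PART_RE.match(line):
            summary.partitions.append(Partition(
                number=int(m.group("num")), boot_flag=m.group("flag"),
                type_id=m.group("type"), fs=m.group("fs"),
                size_mb=int(m.group("size")), offset=int(m.group("offset"))))
        elif m := HOP_RE.match(line):
            summary.call_chain.append(m.group("hop"))
    return summary


def review_findings(s: DiskSummary) -> List[str]:
    """Items worth a closer look; none of them is a verdict on its own."""
    out: List[str] = []
    if s.mbr_verdict is None:
        out.append("no MBR verdict line found; the scan may not have completed")
    elif "default MBR code" not in s.mbr_verdict:  # assumed aswMBR wording for a stock loader
        out.append(f"MBR code is not a recognised stock loader ({s.mbr_verdict}); "
                   "compare the saved MBR.dat with a known-good copy")
    active = [p for p in s.partitions if p.boot_flag.upper() == "80"]
    if len(active) != 1:
        out.append(f"{len(active)} active partitions (expected exactly one)")
    parts = sorted(s.partitions, key=lambda p: p.offset)
    for prev, cur in zip(parts, parts[1:]):
        if cur.offset < prev.end:
            out.append(f"partition {cur.number} overlaps partition {prev.number}")
        elif cur.offset - prev.end > SECTORS_PER_MB:  # gaps under 1 MB are size rounding
            out.append(f"{cur.offset - prev.end} unallocated sectors between "
                       f"partitions {prev.number} and {cur.number}")
    if s.size_mb is not None and parts:
        tail = s.size_mb * SECTORS_PER_MB - parts[-1].end
        if tail > SECTORS_PER_MB:
            out.append(f"{tail} unallocated sectors after the last partition")
    return out


if __name__ == "__main__":
    summary = parse_aswmbr(SAMPLE_LOG)
    print("boot device:", summary.boot_device, "| MBR:", summary.mbr_verdict)
    for p in summary.partitions:
        print(f"  partition {p.number}: flag {p.boot_flag} type {p.type_id} {p.fs} "
              f"{p.size_mb} MB at sector {p.offset}")
    for item in review_findings(summary):
        print("REVIEW:", item)
```

On the log above the helper finds the three partitions laid out back to back with no unexplained gap, a single active partition, and one review item: the "unknown MBR code" verdict, which is what the saved MBR.dat is for.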

#14 12339623

12339623
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 13 August 2012 - 05:05 AM

I was posting while bleepingcomputer had an error, so posts 7-12 are the same.

#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,259 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:29 AM

Posted 13 August 2012 - 07:50 AM

Download this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a flash drive.

Plug the flash drive into the infected PC.

Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter. Or FRST.exe if it is a 32 bit system.

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
