Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vista problems booting normally/spxh.sys malware?


  • This topic is locked This topic is locked
22 replies to this topic

#1 Prefiks

Prefiks

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:49 AM

Posted 31 August 2012 - 03:28 PM

Hello,

For about the past week, my CPU has been having problems booting normally. If I try to boot Vista normally, it'll get all the way to the log in screen and either give me a Blue Screen or will just stop responding (sometimes up to even 45 mins). When I boot it in Safe Mode, it boots fine and I've noticed if I boot in Safe Mode first and restart it normally, it usually works but its still a delay after log in anywhere up to 10 mins. I noticed when I ran DDS a system driver known as spxh.sys was found. I tried to do a quick search to see what type of driver it is and seems most people have identified it as some type of malware. So I don't know if thats causing the problem or not.




DDS Log

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1
Run by Kevin at 14:18:48 on 2012-08-31
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1013.211 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Outdated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Disabled/Outdated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\dldtcoms.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\lxdvcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Western Digital\WD SmartWare\WDRulesEngine.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Users\Kevin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Western Digital\WD SmartWare\WDFME.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
uRun: [Spotify Web Helper] "c:\users\kevin\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
TCP: DhcpNameServer = 206.166.17.20 206.166.83.20
TCP: Interfaces\{07908680-49DD-4AB7-B697-FBDA3E9A5C11} : DhcpNameServer = 206.166.17.20 206.166.83.20
TCP: Interfaces\{5AD8A2FB-5E90-42C5-8221-09CF98B92EEB} : DhcpNameServer = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kevin\appdata\roaming\mozilla\firefox\profiles\2mfhwwti.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-2-9 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-2-9 353688]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-2-9 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-2-9 57656]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-2-9 44808]
R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-4 253088]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-7-29 25112]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-6-1 34064]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
SUnknown rootrepeal;rootrepeal; [x]
.
=============== Created Last 30 ================
.
2012-08-31 07:20:34 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{dfe9772b-215e-4223-b0cf-86d437ed52b5}\offreg.dll
2012-08-31 07:09:10 7022536 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{dfe9772b-215e-4223-b0cf-86d437ed52b5}\mpengine.dll
2012-08-16 22:34:42 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-16 22:34:26 -------- d-----w- c:\users\kevin\appdata\local\temp
2012-08-16 21:59:45 98816 ----a-w- c:\windows\sed.exe
2012-08-16 21:59:45 518144 ----a-w- c:\windows\SWREG.exe
2012-08-16 21:58:03 -------- d-----w- C:\ComboFix
.
==================== Find3M ====================
.
2012-07-13 22:53:14 463080 ----a-w- c:\program files\cnet2_Install-Chess-Free_exe.exe
2012-07-03 18:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 16:21:53 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21:53 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-03 16:21:32 41224 ----a-w- c:\windows\avastSS.scr
2012-06-13 13:40:21 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 16:47:28 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:47:27 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:26:04 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-16 16:17:52 92242888 ----a-w- c:\program files\jdk-7u4-windows-i586.exe
.
============= FINISH: 14:22:02.62 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:49 PM

Posted 01 September 2012 - 06:16 PM

Please do the following:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to the disclaimer.
[*]Place a check next to List Drivers MD5 as well as the default check marks that are already there
[*]Press Scan button.
[*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
services.exe
[*]now press the search button
[*]when the search is complete, search.txt will also be written to your USB
[*]type exit and reboot the computer normally
[*]please copy and paste both logs in your reply.(FRST.txt and Search.txt)[/list]

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Prefiks

Prefiks
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:49 AM

Posted 03 September 2012 - 05:33 PM

Thanks for the response CatByte


Here is the FRST.txt log

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 02-09-2012 03
Ran by SYSTEM at 03-09-2012 16:51:16
Running from F:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1451304 2009-03-20] (Synaptics Incorporated)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6965792 1999-12-31] (Realtek Semiconductor)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [411768 2006-12-19] (TOSHIBA Corporation)
HKLM\...\Run: [NDSTray.exe] NDSTray.exe [x]
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [530552 2006-12-15] (TOSHIBA Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4273976 2012-07-03] (AVAST Software)
HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [417792 2006-11-10] (TOSHIBA)
HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [417792 2006-11-10] (TOSHIBA)
HKU\Kevin\...\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe [191552 1999-12-31] (Agere Systems)
HKU\Kevin\...\Run: [Spotify Web Helper] "C:\Users\Kevin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1193176 2012-08-21] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

========================== Services (Whitelisted) ========================

2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-07-03] (AVAST Software)
2 dldt_device; C:\Windows\system32\dldtcoms.exe -service [595184 2008-02-25] ( )
2 lxdvCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdvserv.exe [98984 2007-10-18] (Lexmark International, Inc.)
2 lxdv_device; C:\Windows\system32\lxdvcoms.exe -service [594600 2007-10-18] ( )
2 TosCoSrv; "C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe" [428152 2006-12-19] (TOSHIBA Corporation)
4 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
2 MsMpSvc; "c:\Program Files\Microsoft Security Essentials\MsMpEng.exe" [x]
2 RoxLiveShare9; "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe" [x]
2 Swupdtmr; c:\Toshiba\IVP\swupdate\swupdtmr.exe [x]

==================== Drivers (Whitelisted) ===================

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [21256 2012-07-03] (AVAST Software)
2 aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [57656 2012-07-03] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [35928 2012-07-03] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [721000 2012-07-03] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [353688 2012-07-03] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [54232 2012-07-03] (AVAST Software)
3 ivusb; C:\Windows\System32\DRIVERS\ivusb.sys [25112 2010-07-28] (Initio Corporation)
0 LPCFilter; C:\Windows\System32\DRIVERS\LPCFilter.sys [19456 2006-07-28] (COMPAL ELECTRONIC INC.)
1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [151216 2010-03-25] (Microsoft Corporation)
3 MpNWMon; C:\Windows\System32\DRIVERS\MpNWMon.sys [42368 2010-03-25] (Microsoft Corporation)
3 npf; C:\Windows\System32\drivers\npf.sys [34064 2008-05-31] (CACE Technologies)
3 PCASp50; C:\Windows\System32\Drivers\PCASp50.sys [27072 2007-10-12] (Printing Communications Assoc., Inc. (PCAUSA))
0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [43528 2007-05-01] (Sonic Solutions)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [716272 2008-01-22] (Duplex Secure Ltd.)
3 swmsflt; C:\Windows\System32\drivers\swmsflt.sys [24840 2008-05-22] ()
3 usbbus; C:\Windows\System32\DRIVERS\lgusbbus.sys [12416 2008-01-11] (LG Electronics Inc.)
3 USBModem; C:\Windows\System32\DRIVERS\lgusbmodem.sys [21632 2008-01-11] (LG Electronics Inc.)
2 windrvNT; \??\C:\Windows\system32\windrvNT.sys [35363 2012-01-27] ()
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 BOCDRIVE; \??\C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys [x]
3 catchme; \??\C:\Users\Kevin\AppData\Local\Temp\catchme.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [x]
3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [x]
3 Nmea; C:\Windows\System32\DRIVERS\pctnullport.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 PCTINDIS5; \??\C:\Windows\system32\PCTINDIS5.SYS [x]
3 Tosrfcom; [x]

==================== NetSvcs (Whitelisted) =================


============ One Month Created Files and Folders ==============

2012-09-03 16:50 - 2012-09-03 16:50 - 00000000 ____D C:\FRST
2012-08-31 10:36 - 2012-08-31 10:36 - 00004740 ____A C:\RootRepeal report 08-31-12 (13-36-17).txt
2012-08-31 10:32 - 2012-08-31 10:32 - 00002330 ____A C:\RootRepeal report 08-31-12 (13-32-47).txt
2012-08-31 10:30 - 2012-08-31 10:30 - 00002536 ____A C:\RootRepeal report 08-31-12 (13-30-19).txt
2012-08-30 11:27 - 2012-08-30 11:27 - 00000877 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-16 14:34 - 2012-08-16 14:34 - 00016022 ____A C:\ComboFix.txt
2012-08-16 13:59 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-16 13:59 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-16 13:59 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-16 13:59 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-16 13:59 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-16 13:59 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-16 13:58 - 2012-08-16 14:36 - 00000000 ____D C:\ComboFix
2012-08-16 13:56 - 2012-08-16 14:34 - 00000000 ____D C:\Qoobox
2012-08-16 09:16 - 2012-08-16 09:16 - 00143131 ____A C:\Users\Kevin\Documents\gmer.log
2012-08-15 20:58 - 2012-08-15 20:58 - 00000475 ____A C:\Users\Kevin\Documents\08-15-2012.txt
2012-08-15 20:00 - 2012-08-30 21:39 - 00005336 ____A C:\Windows\PFRO.log
2012-08-07 11:47 - 2012-08-30 21:49 - 00089272 ____A C:\Users\Kevin\AppData\Local\GDIPFONTCACHEV1.DAT

============ 3 Months Modified Files ========================

2012-09-03 13:46 - 2012-07-11 11:01 - 02012514 ____A C:\Windows\WindowsUpdate.log
2012-09-03 13:46 - 2010-06-09 21:56 - 00049152 ____A C:\Windows\System32\Ikeext.etl
2012-09-03 13:46 - 2006-11-02 05:01 - 00032640 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-03 13:46 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-03 13:46 - 2006-11-02 04:47 - 00003168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-03 13:46 - 2006-11-02 04:47 - 00003168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-03 12:52 - 2012-04-03 22:47 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-03 06:55 - 2012-01-27 18:43 - 00000020 ____A C:\sccfg.sys
2012-08-31 10:36 - 2012-08-31 10:36 - 00004740 ____A C:\RootRepeal report 08-31-12 (13-36-17).txt
2012-08-31 10:32 - 2012-08-31 10:32 - 00002330 ____A C:\RootRepeal report 08-31-12 (13-32-47).txt
2012-08-31 10:30 - 2012-08-31 10:30 - 00002536 ____A C:\RootRepeal report 08-31-12 (13-30-19).txt
2012-08-30 21:49 - 2012-08-07 11:47 - 00089272 ____A C:\Users\Kevin\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-30 21:48 - 2012-08-01 11:33 - 00002251 ____A C:\Windows\setupact.log
2012-08-30 21:39 - 2012-08-15 20:00 - 00005336 ____A C:\Windows\PFRO.log
2012-08-30 11:27 - 2012-08-30 11:27 - 00000877 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-20 10:05 - 2012-07-31 15:32 - 01679488 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-16 14:34 - 2012-08-16 14:34 - 00016022 ____A C:\ComboFix.txt
2012-08-16 14:24 - 2006-11-02 02:23 - 00000215 ____A C:\Windows\system.ini
2012-08-16 09:16 - 2012-08-16 09:16 - 00143131 ____A C:\Users\Kevin\Documents\gmer.log
2012-08-15 20:58 - 2012-08-15 20:58 - 00000475 ____A C:\Users\Kevin\Documents\08-15-2012.txt
2012-08-09 14:06 - 2006-11-02 02:33 - 00759570 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-01 22:22 - 2011-01-26 12:19 - 00054156 ___AH C:\Windows\QTFont.qfn
2012-08-01 11:33 - 2012-08-01 11:33 - 00000000 ____A C:\Windows\setuperr.log
2012-07-13 14:53 - 2012-07-13 14:53 - 00463080 ____A (CNET Download.com) C:\Program Files\cnet2_Install-Chess-Free_exe.exe
2012-07-11 12:17 - 2011-07-29 08:13 - 00000817 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-07-10 13:55 - 2006-11-02 02:23 - 00002577 ____A C:\Windows\System32\config.nt
2012-07-03 10:46 - 2010-03-20 09:17 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-03 08:21 - 2012-02-09 14:54 - 00721000 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-07-03 08:21 - 2012-02-09 14:54 - 00353688 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-07-03 08:21 - 2012-02-09 14:54 - 00057656 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-07-03 08:21 - 2012-02-09 14:54 - 00054232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-07-03 08:21 - 2012-02-09 14:54 - 00035928 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2012-07-03 08:21 - 2012-02-09 14:54 - 00021256 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-07-03 08:21 - 2012-02-09 14:52 - 00227648 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-07-03 08:21 - 2012-02-09 14:52 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-07-03 00:13 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-13 05:40 - 2012-07-26 17:22 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 09:47 - 2012-07-26 14:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-13 22:11:41
Restore point made on: 2012-08-16 14:53:39
Restore point made on: 2012-08-16 23:51:22
Restore point made on: 2012-08-21 12:25:36
Restore point made on: 2012-08-21 23:24:31
Restore point made on: 2012-08-28 11:53:32
Restore point made on: 2012-08-29 16:10:12

==================== Memory info ===========================

Percentage of memory in use: 33%
Total physical RAM: 1013.5 MB
Available physical RAM: 674.55 MB
Total Pagefile: 875.06 MB
Available Pagefile: 748.93 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

==================== Partitions ============================

1 Drive c: (SQ004286V02) (Fixed) (Total:110.32 GB) (Free:4.89 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.32 GB) NTFS
4 Drive f: (Lexar) (Removable) (Total:14.67 GB) (Free:14.31 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 993 KB
Disk 1 Online 15 GB 0 B
Disk 2 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 110 GB 1501 MB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C SQ004286V02 NTFS Partition 110 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 15 GB 1360 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F Lexar FAT32 Removable 15 GB Healthy

==================================================================================

Last Boot: 2012-09-03 07:55

==================== End Of Log =============================




Here is the Search.txt log

Farbar Recovery Scan Tool Version: 02-09-2012 03
Ran by SYSTEM at 2012-09-03 16:53:20
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2010-09-23 18:30] - [2009-04-10 20:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-07-01 22:35] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe
[2010-09-23 18:30] - [2009-04-10 20:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\ERDNT\cache\services.exe
[2010-08-17 11:33] - [2009-04-10 20:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:49 PM

Posted 03 September 2012 - 06:17 PM

Please run the following

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Prefiks

Prefiks
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:49 AM

Posted 04 September 2012 - 03:28 PM

ComboFix log

ComboFix 12-08-16.01 - Kevin 09/04/2012 15:03:34.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1013.305 [GMT -5:00]
Running from: c:\users\Kevin\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Outdated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials *Disabled/Outdated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-08-04 to 2012-09-04 )))))))))))))))))))))))))))))))
.
.
2012-09-04 20:17 . 2012-09-04 20:18 -------- d-----w- c:\users\Kevin\AppData\Local\temp
2012-09-04 20:17 . 2012-09-04 20:17 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-04 20:17 . 2012-09-04 20:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-04 07:23 . 2012-09-04 07:23 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{C982E050-A18A-4841-B72F-201C869463B6}\offreg.dll ERROR(0x00000005)
2012-09-04 06:56 . 2012-08-23 07:15 7022536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{C982E050-A18A-4841-B72F-201C869463B6}\mpengine.dll ERROR(0x00000005)
2012-09-04 00:50 . 2012-09-04 00:51 -------- d-----w- C:\FRST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-23 07:15 . 2007-07-10 10:15 7022536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll ERROR(0x00000005)
2012-07-13 22:53 . 2012-07-13 22:53 463080 ----a-w- c:\program files\cnet2_Install-Chess-Free_exe.exe
2012-07-03 18:46 . 2010-03-20 17:17 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 16:21 . 2012-02-09 22:54 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2012-02-09 22:54 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2012-02-09 22:54 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2012-02-09 22:54 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-03 16:21 . 2012-02-09 22:54 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2012-02-09 22:54 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-03 16:21 . 2012-02-09 22:52 41224 ----a-w- c:\windows\avastSS.scr
2012-07-03 16:21 . 2012-02-09 22:52 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-06-13 13:40 . 2012-07-27 01:22 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-05-16 16:17 . 2012-05-16 16:09 92242888 ----a-w- c:\program files\jdk-7u4-windows-i586.exe
2012-07-12 19:51 . 2012-07-12 19:51 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2000-01-01 191552]
"Spotify Web Helper"="c:\users\Kevin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-08-22 1193176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2000-01-01 6965792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"NDSTray.exe"="NDSTray.exe" [BU]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-15 530552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WD Quick View.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WD Quick View.lnk
backup=c:\windows\pss\WD Quick View.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtamon]
2008-06-24 06:27 16624 ----a-w- c:\program files\Dell V305\dldtamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtmon.exe]
2008-06-24 06:26 668912 ----a-w- c:\program files\Dell V305\dldtmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
2006-12-08 00:49 55416 ----a-w- c:\program files\Toshiba\TBS\HSON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 14:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5400 Series Fax Server]
2007-11-02 03:38 307880 ----a-w- c:\program files\Lexmark X5400 Series\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdvamon]
2007-11-02 03:38 25256 ----a-w- c:\program files\Lexmark X5400 Series\lxdvamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdvmon.exe]
2007-11-02 03:38 455336 ----a-w- c:\program files\Lexmark X5400 Series\lxdvmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 21:39 5244216 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
2009-05-20 02:33 79872 ----a-w- c:\users\Kevin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-08-22 05:29 1193176 ----a-w- c:\users\Kevin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 16:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-09-13 23:28 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2006-06-21 17:14 35328 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2221865657-979036635-2274950644-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 00:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\2mfhwwti.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-04 15:18
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\sccfg.sys 20 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,b5,9b,67,c7,c1,73,44,ba,5b,7d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,b5,9b,67,c7,c1,73,44,ba,5b,7d,\
.
[HKEY_USERS\S-1-5-21-2221865657-979036635-2274950644-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BFBC14E1-18D2-29C9-152C-9DD32C670C97}*]
@Allowed: (Read) (RestrictedCode)
"iaofjaoomngchfblce"=hex:6b,61,66,62,64,70,6b,62,65,6b,66,6e,6f,6f,70,6f,6a,70,
63,64,66,65,00,00
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-09-04 15:24:53
ComboFix-quarantined-files.txt 2012-09-04 20:24
ComboFix2.txt 2012-08-16 22:34
.
Pre-Run: 6,013,341,696 bytes free
Post-Run: 6,593,724,416 bytes free
.
- - End Of File - - 16D36385A2C57F120C69EE5EB2273339

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:49 PM

Posted 04 September 2012 - 08:47 PM

Please run the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Prefiks

Prefiks
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:49 AM

Posted 05 September 2012 - 12:06 PM

Catbyte, I ran MBAM and followed your instructions. However at the end there wasn't an option to "Show results", a log in notepad opened up. I'm assuming thats because no threats were found.



Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org


Database version: v2012.09.04.11

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Kevin :: KEVIN-PC [administrator]

9/4/2012 9:03:02 PM
mbam-log-2012-09-04 (21-03-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202360
Time elapsed: 22 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


ESETSCAN


C:\Program Files\cnet2_Install-Chess-Free_exe.exe a variant of Win32/InstallCore.D application
C:\Program Files\~Installer programs\cnet2_SmoothDraw3Setup_exe.exe a variant of Win32/InstallCore.D application
C:\Program Files\~Installer programs\deletelines.exe a variant of Win32/InstallIQ application
C:\Program Files\~Installer programs\ophcrack-win32-installer-3.4.0.exe multiple threats
C:\Program Files\~Installer programs\SUPERsetup.exe Win32/OpenCandy application
C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Local\TempDIR\BetterInstaller.exe.vir a variant of Win32/Somoto.A application

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:49 PM

Posted 05 September 2012 - 09:30 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Program Files\cnet2_Install-Chess-Free_exe.exe 
C:\Program Files\~Installer programs\cnet2_SmoothDraw3Setup_exe.exe 
C:\Program Files\~Installer programs\deletelines.exe 
C:\Program Files\~Installer programs\ophcrack-win32-installer-3.4.0.exe 
C:\Program Files\~Installer programs\SUPERsetup.exe 
 
ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT



Please download Farbar Service Scanner and run it
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT



Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Prefiks

Prefiks
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:49 AM

Posted 06 September 2012 - 02:37 PM

ComboFix Log

ComboFix 12-09-06.02 - Kevin 09/06/2012 14:01:46.5.2 - x86
Running from: c:\users\Kevin\Desktop\ComboFix.exe
Command switches used :: c:\users\Kevin\Desktop\CFScript.txt
.
FILE ::
"c:\program files\~Installer programs\cnet2_SmoothDraw3Setup_exe.exe"
"c:\program files\~Installer programs\deletelines.exe"
"c:\program files\~Installer programs\ophcrack-win32-installer-3.4.0.exe"
"c:\program files\~Installer programs\SUPERsetup.exe"
"c:\program files\cnet2_Install-Chess-Free_exe.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\~Installer programs\cnet2_SmoothDraw3Setup_exe.exe
c:\program files\~Installer programs\deletelines.exe
c:\program files\~Installer programs\ophcrack-win32-installer-3.4.0.exe
c:\program files\~Installer programs\SUPERsetup.exe
c:\program files\cnet2_Install-Chess-Free_exe.exe
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-08-06 to 2012-09-06 )))))))))))))))))))))))))))))))
.
.
2012-09-06 19:20 . 2012-09-06 19:21 -------- d-----w- c:\users\Kevin\AppData\Local\temp
2012-09-06 19:20 . 2012-09-06 19:20 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-09-06 19:20 . 2012-09-06 19:20 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-06 19:20 . 2012-09-06 19:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-04 06:56 . 2012-08-23 07:15 7022536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{C982E050-A18A-4841-B72F-201C869463B6}\mpengine.dll ERROR(0x00000005)
2012-09-04 00:50 . 2012-09-04 00:51 -------- d-----w- C:\FRST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-23 07:15 . 2007-07-10 10:15 7022536 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll ERROR(0x00000005)
2012-07-03 18:46 . 2010-03-20 17:17 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 16:21 . 2012-02-09 22:54 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2012-02-09 22:54 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2012-02-09 22:54 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2012-02-09 22:54 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-03 16:21 . 2012-02-09 22:54 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2012-02-09 22:54 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-03 16:21 . 2012-02-09 22:52 41224 ----a-w- c:\windows\avastSS.scr
2012-07-03 16:21 . 2012-02-09 22:52 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-06-13 13:40 . 2012-07-27 01:22 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-05-16 16:17 . 2012-05-16 16:09 92242888 ----a-w- c:\program files\jdk-7u4-windows-i586.exe
2012-07-12 19:51 . 2012-07-12 19:51 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2000-01-01 191552]
"Spotify Web Helper"="c:\users\Kevin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-08-22 1193176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2000-01-01 6965792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"NDSTray.exe"="NDSTray.exe" [BU]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-15 530552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WD Quick View.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WD Quick View.lnk
backup=c:\windows\pss\WD Quick View.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtamon]
2008-06-24 06:27 16624 ----a-w- c:\program files\Dell V305\dldtamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dldtmon.exe]
2008-06-24 06:26 668912 ----a-w- c:\program files\Dell V305\dldtmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
2006-12-08 00:49 55416 ----a-w- c:\program files\Toshiba\TBS\HSON.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 14:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5400 Series Fax Server]
2007-11-02 03:38 307880 ----a-w- c:\program files\Lexmark X5400 Series\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdvamon]
2007-11-02 03:38 25256 ----a-w- c:\program files\Lexmark X5400 Series\lxdvamon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdvmon.exe]
2007-11-02 03:38 455336 ----a-w- c:\program files\Lexmark X5400 Series\lxdvmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 21:39 5244216 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
2009-05-20 02:33 79872 ----a-w- c:\users\Kevin\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2012-08-22 05:29 1193176 ----a-w- c:\users\Kevin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 16:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-09-13 23:28 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2006-06-21 17:14 35328 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2221865657-979036635-2274950644-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 00:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 206.166.17.20 206.166.83.20
FF - ProfilePath - c:\users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\2mfhwwti.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-06 14:21
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,b5,9b,67,c7,c1,73,44,ba,5b,7d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,b5,9b,67,c7,c1,73,44,ba,5b,7d,\
.
[HKEY_USERS\S-1-5-21-2221865657-979036635-2274950644-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BFBC14E1-18D2-29C9-152C-9DD32C670C97}*]
@Allowed: (Read) (RestrictedCode)
"iaofjaoomngchfblce"=hex:6b,61,66,62,64,70,6b,62,65,6b,66,6e,6f,6f,70,6f,6a,70,
63,64,66,65,00,00
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-09-06 14:28:52
ComboFix-quarantined-files.txt 2012-09-06 19:28
ComboFix2.txt 2012-09-04 20:24
ComboFix3.txt 2012-08-16 22:34
.
Pre-Run: 5,326,233,600 bytes free
Post-Run: 5,365,039,104 bytes free
.
- - End Of File - - 73120EB686F7949F841EF70061898676



FSS log

Farbar Service Scanner Version: 06-08-2012
Ran by Kevin (administrator) on 06-09-2012 at 14:34:56
Running from "C:\Users\Kevin\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
RpcSs Service is not running. Checking service configuration:
The start type of RpcSs service is OK.
The ImagePath of RpcSs service is OK.
The ServiceDll of RpcSs service is OK.


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****



Seems to be running a little bit smoother right now. ComboFix took a while though to finally finish running. But things right now seem to be running smoother.

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:49 PM

Posted 06 September 2012 - 02:44 PM

The windows back up service seems to be broken

please run the following:

Please download Windows Repair (all in one) from here

Install the program then run it

Go to step 2 and allow it to run Disk check

Posted Image

Once that is done then go to step 3 and allow it to run SFC

Posted Image

On the the Start Repairs tab => Click the Start

Posted Image

Click on the select all check box and then click on Start

DON'T use the computer while each scan is in progress.

Restart may be needed to finish the repair procedure.


please run a fresh Farbar Service Scanner log

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 Prefiks

Prefiks
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:49 AM

Posted 07 September 2012 - 11:05 AM

All task above completed. Here is the new FSS log

Farbar Service Scanner Version: 06-08-2012
Ran by Kevin (administrator) on 07-09-2012 at 11:03:35
Running from "C:\Users\Kevin\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:49 PM

Posted 07 September 2012 - 01:33 PM

good,

that looks how it should

how is the computer running now, are there any outstanding issues?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 Prefiks

Prefiks
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:49 AM

Posted 07 September 2012 - 10:39 PM

Its running pretty well right now besides two issues. Windows Security Center no longer recognizes my Anti-Virus software (Avast) and its not reading any of my plug n play devices (i.e. Blackberry, USB drive, etc). Avast is updated and says its secure and protecting my CPU but Windows doesn't see the program. I reinstalled Avast and it still doesn't recognize it.

Edited by Prefiks, 07 September 2012 - 10:42 PM.


#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:49 PM

Posted 07 September 2012 - 10:54 PM

just to see if it an issue with Avast or Windows WMI, please completely uninstall Avast, then download and install Microsoft Security Essentials, run a scan with it and see if it functions properly

Let me know if MSSE is recognized

http://www.microsoft.com/security_essentials/


The plug and play is disabled by design, windows does not support that function any longer (very insecure and easily exploited), the devices can still be manually started

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 Prefiks

Prefiks
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:11:49 AM

Posted 08 September 2012 - 02:26 AM

I uninstalled Avast however I'm unable to install Microsoft Security Essentials. I get the following error:

Cannot Complete the Security Essentials Installation

An error has prevented the Security Essentials setup wizard from completing successfully. Please restart your computer and try again.

Error code: 0x8004FF83



So I restarted it and tried again and received the same error. In addition to the CPU stopped responding for 25 minutes (the initial problem) before it finally started the installation process which ended up failing (as noted above).




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users