trojan.dropper.bcminer


This topic is locked. 19 replies to this topic.

#1 mattsbach
Posted 31 August 2012 - 04:17 PM

Looks like I am infected again. Running MBAM gives me these detections:

Files Detected: 3
C:\$RECYCLE.BIN\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\$RECYCLE.BIN\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\$RECYCLE.BIN\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

I need help again removing please - thank you for your help!!

#2 CatByte (Malware Response Team)

Posted 31 August 2012 - 04:55 PM

Please do the following:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written FRST.txt to file. Close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 mattsbach (Topic Starter)

Posted 31 August 2012 - 05:26 PM

THANK YOU THANK YOU!

Scan result of Farbar Recovery Scan Tool Version: 31-08-2012 01
Ran by SYSTEM at 31-08-2012 18:15:21
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7693344 2009-04-10] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-04-10] (Realtek Semiconductor Corp.)
HKLM-x32\...\Run: [LTCM Client] C:\Program Files (x86)\LTCM Client\ltcmClient.exe /startup [2756864 2011-04-07] (Leader Technologies Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [36800 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [823224 2012-07-27] (Adobe Systems Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ======

2 DisplayLinkService; "C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe" [8610664 2010-03-04] (DisplayLink Corp.)
2 ODDPwrSvc; C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe [158240 2009-09-04] (Acer Incorporated)
3 OpenVPNService; C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe [36352 2009-10-01] ()
2 SpyHunter 4 Service; C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [1019328 2012-06-02] (Enigma Software Group USA, LLC.)
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)

==================== Drivers (Whitelisted) ===================

3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [13088 2011-03-02] ()
3 L1C; C:\Windows\System32\DRIVERS\L1C60x64.sys [65536 2009-11-13] (Atheros Communications, Inc.)
3 lmimirr; C:\Windows\System32\Drivers\lmimirr.sys [11552 2008-07-24] (LogMeIn, Inc.)
2 LMIRfsDriver; C:\Windows\System32\Drivers\LMIRfsDriver.sys [72216 2008-07-24] (LogMeIn, Inc.)
3 tapoas; C:\Windows\System32\Drivers\tapoas.sys [30720 2011-08-18] (The OpenVPN Project)
3 efavdrv; \??\C:\Windows\system32\drivers\efavdrv.sys [x]

==================== NetSvcs (Whitelisted) =================


==================== One Month Created Files and Folders ======================

2012-08-31 18:14 - 2012-08-31 18:15 - 00000000 ____D C:\FRST
2012-08-31 04:22 - 2012-08-31 04:22 - 00000000 ____D C:\Program Files (x86)\ESET
2012-08-31 04:17 - 2012-08-31 04:17 - 00000000 ____D C:\Users\All Users\ESET
2012-08-27 15:03 - 2012-08-27 15:03 - 00000000 ____D C:\Users\Matty\AppData\Local\libimobiledevice
2012-08-15 15:36 - 2012-07-18 10:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-15 15:36 - 2012-07-04 14:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-15 15:36 - 2012-07-04 14:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-15 15:36 - 2012-07-04 14:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-15 15:36 - 2012-07-04 13:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-08-15 15:36 - 2012-07-04 13:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-08-15 15:36 - 2012-06-26 23:06 - 01494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-15 15:36 - 2012-06-26 23:06 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-15 15:36 - 2012-06-26 23:06 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-15 15:36 - 2012-06-26 23:03 - 09059840 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-15 15:36 - 2012-06-26 23:03 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-15 15:36 - 2012-06-26 23:03 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-15 15:36 - 2012-06-26 23:02 - 12297216 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-15 15:36 - 2012-06-26 23:02 - 02453504 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-15 15:36 - 2012-06-26 23:02 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-15 15:36 - 2012-06-26 23:02 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-15 15:36 - 2012-06-26 21:53 - 01231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-15 15:36 - 2012-06-26 21:53 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-15 15:36 - 2012-06-26 21:53 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-15 15:36 - 2012-06-26 21:51 - 06027776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-15 15:36 - 2012-06-26 21:51 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-08-15 15:36 - 2012-06-26 21:51 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-15 15:36 - 2012-06-26 21:50 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-15 15:36 - 2012-06-26 21:50 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-15 15:36 - 2012-06-26 21:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-15 15:36 - 2012-06-26 21:50 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-15 15:36 - 2012-06-26 20:53 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-15 15:36 - 2012-06-26 20:10 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-15 15:36 - 2012-06-15 21:16 - 00609792 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-08-15 15:36 - 2012-06-15 21:15 - 00911360 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-15 15:36 - 2012-06-15 20:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-15 15:36 - 2012-06-15 20:26 - 00428032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-08-15 15:36 - 2012-05-13 21:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll

==================== 3 Months Modified Files ================================

2012-08-31 10:28 - 2010-03-13 21:27 - 00011104 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-31 10:28 - 2010-03-13 21:27 - 00011104 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-31 10:21 - 2012-07-19 19:15 - 00032160 ____A C:\Windows\setupact.log
2012-08-31 10:21 - 2012-07-19 19:14 - 00012696 ____A C:\Windows\PFRO.log
2012-08-31 10:21 - 2010-03-13 22:10 - 01893461 ____A C:\Windows\WindowsUpdate.log
2012-08-31 10:21 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-31 04:01 - 2012-04-11 23:09 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-31 04:00 - 2012-07-19 19:14 - 05812544 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-27 22:29 - 2009-07-19 10:42 - 00000600 ____A C:\Users\Matty\AppData\Roaming\winscp.rnd
2012-08-26 09:27 - 2010-02-15 04:16 - 00217868 ___AH C:\Windows\SysWOW64\mlfcache.dat
2012-08-20 00:56 - 2012-04-11 23:09 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-20 00:56 - 2011-05-19 23:43 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-15 20:59 - 2006-11-02 04:34 - 00000248 ____A C:\Windows\win.ini
2012-08-15 20:54 - 2010-04-15 06:52 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-12 13:56 - 2012-07-20 00:34 - 00138608 ____A C:\Users\Matty\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-12 07:58 - 2009-07-13 21:13 - 00754068 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-05 09:55 - 2011-12-05 23:22 - 00001456 ____A C:\Users\Matty\AppData\Local\Adobe Save for Web 12.0 Prefs
2012-07-19 19:15 - 2012-07-19 19:15 - 00000000 ____A C:\Windows\setuperr.log
2012-07-19 15:55 - 2012-07-19 15:55 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-07-19 15:55 - 2012-07-19 15:55 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-07-19 07:41 - 2012-07-19 07:42 - 00268784 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-07-19 07:41 - 2012-06-23 21:21 - 00955888 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-07-19 07:41 - 2012-06-23 21:20 - 00189424 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-07-19 07:41 - 2012-06-23 21:20 - 00188912 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-07-19 07:41 - 2012-04-20 20:49 - 00839152 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-07-19 07:18 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-07-18 10:15 - 2012-08-15 15:36 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-16 22:51 - 2012-07-16 22:51 - 00000017 ____A C:\Users\Matty\AppData\Local\resmon.resmoncfg
2012-07-15 11:21 - 2009-07-13 21:08 - 00032564 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-15 09:56 - 2009-08-02 21:20 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-15 09:56 - 2009-08-02 21:20 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-05 18:06 - 2012-07-19 15:55 - 00227760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-07-05 18:06 - 2012-05-01 15:37 - 00772544 ____A (Oracle Corporation) C:\Windows\SysWOW64\npdeployJava1.dll
2012-07-05 18:06 - 2010-04-15 20:03 - 00687544 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-07-04 14:16 - 2012-08-15 15:36 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 14:13 - 2012-08-15 15:36 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 14:13 - 2012-08-15 15:36 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 13:16 - 2012-08-15 15:36 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 13:14 - 2012-08-15 15:36 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-07-03 09:46 - 2009-09-01 00:57 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-27 14:46 - 2010-03-11 10:03 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1729025978-3398252532-1698638177-1000UA.job
2012-06-27 14:46 - 2010-03-11 10:03 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1729025978-3398252532-1698638177-1000Core.job
2012-06-26 23:06 - 2012-08-15 15:36 - 01494016 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-26 23:06 - 2012-08-15 15:36 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-26 23:06 - 2012-08-15 15:36 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-26 23:03 - 2012-08-15 15:36 - 09059840 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-26 23:03 - 2012-08-15 15:36 - 00735744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-06-26 23:03 - 2012-08-15 15:36 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-26 23:02 - 2012-08-15 15:36 - 12297216 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-26 23:02 - 2012-08-15 15:36 - 02453504 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-26 23:02 - 2012-08-15 15:36 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-26 23:02 - 2012-08-15 15:36 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-26 21:53 - 2012-08-15 15:36 - 01231360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-26 21:53 - 2012-08-15 15:36 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-26 21:53 - 2012-08-15 15:36 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-26 21:51 - 2012-08-15 15:36 - 06027776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-26 21:51 - 2012-08-15 15:36 - 00627712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-06-26 21:51 - 2012-08-15 15:36 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-26 21:50 - 2012-08-15 15:36 - 11020800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-26 21:50 - 2012-08-15 15:36 - 02073600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-26 21:50 - 2012-08-15 15:36 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-26 21:50 - 2012-08-15 15:36 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-26 20:53 - 2012-08-15 15:36 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-26 20:10 - 2012-08-15 15:36 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-15 21:16 - 2012-08-15 15:36 - 00609792 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-06-15 21:15 - 2012-08-15 15:36 - 00911360 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-15 20:26 - 2012-08-15 15:36 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-15 20:26 - 2012-08-15 15:36 - 00428032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-06-13 20:30 - 2010-05-18 07:07 - 00000600 ____A C:\Users\Matty\AppData\Local\PUTTY.RND
2012-06-12 14:25 - 2011-04-26 13:13 - 00001697 ____A C:\_viminfo
2012-06-11 14:12 - 2012-06-11 14:06 - 00006233 ____A C:\Users\Matty\ovpntray.log
2012-06-08 21:43 - 2012-07-11 00:27 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-11 00:27 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-11 00:27 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-11 00:27 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-11 00:27 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-11 00:27 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-11 00:27 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-11 00:27 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll


ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-07-27 21:25:11
Restore point made on: 2012-07-30 21:56:01
Restore point made on: 2012-08-04 00:15:31
Restore point made on: 2012-08-07 13:35:52
Restore point made on: 2012-08-07 17:16:03
Restore point made on: 2012-08-10 20:57:51
Restore point made on: 2012-08-14 05:41:38
Restore point made on: 2012-08-15 20:54:35
Restore point made on: 2012-08-19 08:51:33
Restore point made on: 2012-08-26 07:46:43

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4027.79 MB
Available physical RAM: 3449.19 MB
Total Pagefile: 4025.94 MB
Available Pagefile: 3444.43 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions ============================

1 Drive c: (ACER) (Fixed) (Total:286.37 GB) (Free:204.01 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (PQSERVICE) (Fixed) (Total:11.71 GB) (Free:2.53 GB) FAT32
4 Drive f: (PATRIOT) (Removable) (Total:3.73 GB) (Free:3.65 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 3824 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 11 GB 1024 KB
Partition 2 Primary 286 GB 11 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D PQSERVICE FAT32 Partition 11 GB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C ACER NTFS Partition 286 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3820 MB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F PATRIOT FAT32 Removable 3820 MB Healthy

==================================================================================

Last Boot: 2012-08-27 02:19

==================== End Of Log =============================

Farbar Recovery Scan Tool Version: 31-08-2012 01
Ran by SYSTEM at 2012-08-31 18:20:08
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\erdnt\cache64\services.exe
[2012-07-18 22:01] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
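The services.exe search CatByte asked for is read one way: on Windows 7 the System32 copy is normally a hard link to the copy in the component store (WinSxS), so its MD5 must equal the WinSxS copy's, and a differing hash is the sign of a patched binary. The Python below is an added example, not code from this thread or from FRST: it parses the Search.txt layout shown in the post above (a path line followed by a "[created] - [modified] - size attrs (company) MD5" line) and reports every copy whose hash differs from the WinSxS reference. The first sample is the log posted above, copied as-is; the second is constructed for the example, with a made-up hash on the System32 entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample 1: the Search.txt output posted in this thread, copied verbatim.
SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\erdnt\cache64\services.exe
[2012-07-18 22:01] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======
"""

# Sample 2: CONSTRUCTED for this example. Same layout, but the System32 copy
# carries a made-up hash, which is what a patched services.exe looks like
# next to an untouched WinSxS copy.
PATCHED_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

====== End Of Search ======
"""

# One FRST search entry is two lines: the full path, then
# "[created] - [modified] - size attrs (company) MD5".
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class Entry:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    md5: str


def parse_search_log(text: str) -> List[Entry]:
    """Pair each path line with the detail line that follows it."""
    entries: List[Entry] = []
    pending_path: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue                      # blank line or banner
        m = DETAIL_RE.match(line)
        if m and pending_path is not None:
            entries.append(Entry(
                path=pending_path,
                created=m["created"],
                modified=m["modified"],
                size=int(m["size"]),
                attrs=m["attrs"],
                company=m["company"],
                md5=m["md5"].upper(),
            ))
            pending_path = None
        elif ":\\" in line:
            pending_path = line           # a Windows path such as C:\...
    return entries


def reference_md5(entries: List[Entry]) -> Optional[str]:
    """The component-store (WinSxS) copy is the reference the others must match."""
    for e in entries:
        if "\\winsxs\\" in e.path.lower():
            return e.md5
    return None


def check_copies(entries: List[Entry]) -> Tuple[Optional[str], List[str]]:
    """Return (reference MD5, paths whose MD5 differs from it).

    With no WinSxS copy in the log there is nothing to trust, so the
    reference is None and every path is reported.
    """
    ref = reference_md5(entries)
    if ref is None:
        return None, [e.path for e in entries]
    return ref, [e.path for e in entries if e.md5 != ref]


if __name__ == "__main__":
    for label, log in (("posted log", SEARCH_LOG), ("constructed log", PATCHED_LOG)):
        ref, bad = check_copies(parse_search_log(log))
        print(f"{label}: reference {ref}; mismatched: {bad or 'none'}")
```

Two caveats when reading a real Search.txt this way. If the log lists several WinSxS versions (after a Windows Update, for example), compare against the version the running file should be rather than the first entry; and a log in which every copy agrees, as the one posted above does, says only that this binary is consistent, which is why CatByte moved on to the other findings rather than treating the machine as clean.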

#4 CatByte (Malware Response Team)

Posted 31 August 2012 - 05:32 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKLM-x32\...\Run: [] [x]
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



#5 mattsbach (Topic Starter)

Posted 31 August 2012 - 05:44 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 31-08-2012 01
Ran by SYSTEM at 2012-08-31 18:41:34 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

==== End of Fixlog ====

#6 mattsbach (Topic Starter)

Posted 31 August 2012 - 06:02 PM

I ran ComboFix, but the temporary window has closed and no logs are popping up. The machine did not reboot either.

I have run the combofix a few times now and still no log pop up (yes I am waiting in between runs). The last time I did it said "the recycle bin appears to be corrupt, do you want to empty it" so I clicked yes and then combofix just closed again.

#7 CatByte (Malware Response Team)

Posted 31 August 2012 - 08:00 PM

We'll use FRST to remove those detections in the recycle bin rather than ComboFix. I doubt MBAM actually deleted them, although they didn't show up in the FRST log.

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\$RECYCLE.BIN\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\00000008.@
C:\$RECYCLE.BIN\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\000000cb.@
C:\$RECYCLE.BIN\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000032.@
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


Now try ComboFix again

try it in safe mode

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account

Edited by CatByte, 31 August 2012 - 08:03 PM.

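The paths in the MBAM detections at the top of the thread, in this fixlist and in the ComboFix log further down all share one shape: a directory named "$" plus 32 hex digits under a SID in $RECYCLE.BIN, holding "U" and "L" sub-folders of "<8 hex>.@" files and loose "@" and "n" files, plus a Desktop.ini dropped into C:\Windows\assembly\GAC_32 and GAC_64. The Python below is an added example, not code from the thread or from any of the tools used in it: it walks a volume root and reports every path matching those shapes. It builds a constructed sample tree in a temporary directory so it runs offline; the SID and the hex directory name are taken from the detections above, and the benign neighbours (an ordinary recycled file, a normal GAC entry) are made up for the example.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Path shapes taken from the detections in this thread (MBAM, the FRST
# fixlist above and the ComboFix log further down). Matched against paths
# relative to the volume root, with forward slashes, case-insensitively.
INDICATORS = [
    ("zeroaccess-recycler-dir",
     re.compile(r"^\$RECYCLE\.BIN/S-1-5-[\d-]+/\$[0-9a-f]{32}$", re.I)),
    ("zeroaccess-recycler-file",
     re.compile(r"^\$RECYCLE\.BIN/S-1-5-[\d-]+/\$[0-9a-f]{32}/(@|n)$", re.I)),
    ("zeroaccess-payload",
     re.compile(r"^\$RECYCLE\.BIN/S-1-5-[\d-]+/\$[0-9a-f]{32}/[UL]/[0-9a-f]{8}\.@$", re.I)),
    ("zeroaccess-gac-desktop-ini",
     re.compile(r"^Windows/assembly/GAC_(32|64)/Desktop\.ini$", re.I)),
]


def scan_tree(root: Path) -> List[Tuple[str, str]]:
    """Walk a volume root and return (indicator, relative path) for each match."""
    hits: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            for label, pattern in INDICATORS:
                if pattern.match(rel):
                    hits.append((label, rel))
    return sorted(hits)


def build_sample_tree(base: Path) -> None:
    """CONSTRUCTED sample volume: the infected paths from the thread plus
    a few benign neighbours that must not be flagged."""
    sid_system = "S-1-5-18"
    sid_user = "S-1-5-21-1729025978-3398252532-1698638177-1000"
    za = base / "$RECYCLE.BIN" / sid_system / "$0056d8a8e9e49f4b3db0ef73c8075778"
    paths = [
        za / "@",
        za / "n",
        za / "U" / "00000008.@",
        za / "U" / "000000cb.@",
        za / "L" / "00000004.@",
        base / "Windows" / "assembly" / "GAC_32" / "Desktop.ini",
        base / "Windows" / "assembly" / "GAC_64" / "Desktop.ini",
        # benign: an ordinary recycled file ($R<random>.<ext>), the recycle
        # bin's own desktop.ini, and a normal GAC assembly (all made up)
        base / "$RECYCLE.BIN" / sid_user / "$RQ1W2E3.txt",
        base / "$RECYCLE.BIN" / sid_user / "desktop.ini",
        base / "Windows" / "assembly" / "GAC_MSIL" / "Example" / "Example.dll",
    ]
    for p in paths:
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")


def demo() -> List[Tuple[str, str]]:
    """Build the sample tree in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for label, rel in demo():
        print(f"{label:28s} {rel}")
```

To use it on a real system, point scan_tree at the volume root (so that $RECYCLE.BIN and Windows are top-level names) and run it from both vantage points: in this thread FRST, run from the recovery environment, reported the U\*.@ files "not found", while ComboFix, run from the booted system, listed and deleted them a few minutes later, so a scan from one side alone can miss what the other sees.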


#8 mattsbach (Topic Starter)

Posted 02 September 2012 - 08:06 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 31-08-2012 01
Ran by SYSTEM at 2012-09-02 20:18:15 Run:2
Running from F:\

==============================================

C:\$RECYCLE.BIN\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\00000008.@ not found.
C:\$RECYCLE.BIN\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\000000cb.@ not found.
C:\$RECYCLE.BIN\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000032.@ not found.

==== End of Fixlog ====


ComboFix 12-09-01.01 - Matty Sun Sep 02 20:24:24.4.1 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4028.3022 [GMT -4:00]
Running from: c:\users\Matty\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\$recycle.bin\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\@
c:\$recycle.bin\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\L\00000004.@
c:\$recycle.bin\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\L\201d3dde
c:\$recycle.bin\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\n
c:\$recycle.bin\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\00000004.@
c:\$recycle.bin\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\00000008.@
c:\$recycle.bin\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\000000cb.@
c:\$recycle.bin\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000000.@
c:\$recycle.bin\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000032.@
c:\$recycle.bin\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000064.@
c:\$recycle.bin\S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\@
c:\$recycle.bin\S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\L\00000004.@
c:\$recycle.bin\S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\n
c:\$recycle.bin\S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\U\00000004.@
c:\$recycle.bin\S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\U\00000008.@
c:\$recycle.bin\S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\U\000000cb.@
c:\$recycle.bin\S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000000.@
c:\$recycle.bin\S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000032.@
c:\$recycle.bin\S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000064.@
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-08-03 to 2012-09-03 )))))))))))))))))))))))))))))))
.
.
2012-09-03 00:32 . 2012-09-03 00:34 -------- d-----w- c:\users\Matty\AppData\Local\temp
2012-09-03 00:32 . 2012-09-03 00:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-03 00:32 . 2012-09-03 00:32 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2012-09-03 00:32 . 2012-09-03 00:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-01 02:14 . 2012-09-01 02:15 -------- d-----w- C:\FRST
2012-08-31 12:22 . 2012-08-31 12:22 -------- d-----w- c:\program files (x86)\ESET
2012-08-29 10:08 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CBDC9492-A387-42E2-BDCC-037EEA654B5E}\mpengine.dll
2012-08-27 23:03 . 2012-08-27 23:03 -------- d-----w- c:\users\Matty\AppData\Local\libimobiledevice
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-20 08:56 . 2012-04-12 07:09 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-20 08:56 . 2011-05-20 07:43 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-16 04:54 . 2010-04-15 14:52 62134624 ----a-w- c:\windows\system32\MRT.exe
2012-07-19 15:41 . 2012-07-19 15:42 268784 ----a-w- c:\windows\system32\javaws.exe
2012-07-19 15:41 . 2012-06-24 05:21 955888 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-19 15:41 . 2012-06-24 05:20 189424 ----a-w- c:\windows\system32\javaw.exe
2012-07-19 15:41 . 2012-06-24 05:20 188912 ----a-w- c:\windows\system32\java.exe
2012-07-19 15:41 . 2012-04-21 04:49 839152 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-06 02:06 . 2012-05-01 23:37 772544 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-07-06 02:06 . 2010-04-16 04:03 687544 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-07-03 17:46 . 2009-09-01 08:57 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-17 16:55 . 2012-06-17 16:55 110080 ----a-r- c:\users\Matty\AppData\Roaming\Microsoft\Installer\{3F97FA2C-C160-4696-97F9-EDB23D106E21}\IconF7A21AF7.exe
2012-06-17 16:55 . 2012-06-17 16:55 110080 ----a-r- c:\users\Matty\AppData\Roaming\Microsoft\Installer\{3F97FA2C-C160-4696-97F9-EDB23D106E21}\IconD7F16134.exe
2012-06-17 16:55 . 2012-06-17 16:55 110080 ----a-r- c:\users\Matty\AppData\Roaming\Microsoft\Installer\{3F97FA2C-C160-4696-97F9-EDB23D106E21}\Icon5B4E0377.exe
2012-06-09 05:43 . 2012-07-11 08:27 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 06:06 . 2012-07-11 08:27 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-11 08:27 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-11 08:27 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-11 08:27 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-11 08:27 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-11 08:27 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2010-09-21 18:44 . 2010-09-21 18:43 454656 ----a-w- c:\program files\putty.exe
2009-02-06 06:06 . 2009-02-06 06:06 291840 ----a-w- c:\program files\TwoFingerScroll.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LTCM Client"="c:\program files (x86)\LTCM Client\ltcmClient.exe" [2011-04-07 2756864]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-07-27 36800]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-07-27 823224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-08-03 133104]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-20 250056]
R3 efavdrv;efavdrv;c:\windows\system32\drivers\efavdrv.sys [x]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [2011-03-02 13088]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-08-03 133104]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-01-07 45408]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\DRIVERS\tapoas.sys [2011-08-19 30720]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-22 1255736]
S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2010-03-04 13936]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2010-03-04 8610664]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe [2009-08-24 107016]
S2 ODDPwrSvc;Acer ODD Power Service;c:\program files\Acer\Optical Drive Power Management\ODDPWRSvc.exe [2009-09-04 158240]
S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2010-03-04 185968]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-09-08 126464]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x64.sys [2009-11-13 65536]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 08:56]
.
2012-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-08-03 05:20]
.
2012-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-08-03 05:20]
.
2012-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1729025978-3398252532-1698638177-1000Core.job
- c:\users\Matty\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-11 04:44]
.
2012-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1729025978-3398252532-1698638177-1000UA.job
- c:\users\Matty\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-11 04:44]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 99080 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-04-11 7693344]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-04-11 1833504]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Matty\AppData\Roaming\Mozilla\Firefox\Profiles\chhl9j4f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{1D0FDD6D-3C5E-4588-8ED0-02DC88014BF2} - c:\program files (x86)\InstallShield Installation Information\{1D0FDD6D-3C5E-4588-8ED0-02DC88014BF2}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
**************************************************************************
.
Completion time: 2012-09-02 20:40:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-03 00:40
.
Pre-Run: 219,450,974,208 bytes free
Post-Run: 219,355,910,144 bytes free
.
- - End Of File - - A576FF41DF3C0F495EB10B04774C1725
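
The "Other Deletions" list at the top of this ComboFix log is the characteristic drop layout of the ZeroAccess/Sirefef family (the same files MBAM labelled Rootkit.0Access in the first post and ESET labels Win64/Sirefef further down): a directory named `$` plus 32 hex characters, created under both the SYSTEM SID (S-1-5-18) and the user's SID inside $RECYCLE.BIN, holding `@` and `n` marker files and `L\` and `U\` subfolders of `<8 hex>.@` payloads, with a second copy as Desktop.ini inside c:\windows\assembly\GAC_32 and GAC_64. The script below is an added example written for this page, not a tool from the thread or from the ComboFix, MBAM or ESET authors. It walks a $RECYCLE.BIN tree and reports every directory matching that layout, checks the two GAC Desktop.ini locations, and carries a constructed copy of the paths from the log so it runs offline. Ordinary recycle-bin entries are named `$I<id>.<ext>` / `$R<id>.<ext>`, which the pattern deliberately does not match. On a live machine run it as Administrator, e.g. `python hunt.py C:\$RECYCLE.BIN C:\Windows`. Separately, note that the Reg Loading Points section of the same log shows EnableLUA = 0 and ConsentPromptBehaviorAdmin = 0, i.e. UAC switched off; the thread does not address that and the script does not touch it.

```python
r"""Hunt for the ZeroAccess/Sirefef drop layout that ComboFix deleted above.

Added example for this thread, not a tool from the thread or from the ComboFix,
MBAM or ESET authors.  The layout matched is the one in the log:

    $RECYCLE.BIN\<SID>\$<32 hex>\@            marker file
    $RECYCLE.BIN\<SID>\$<32 hex>\n            marker file
    $RECYCLE.BIN\<SID>\$<32 hex>\L\<8 hex>.@  payload
    $RECYCLE.BIN\<SID>\$<32 hex>\U\<8 hex>.@  payload

Ordinary recycle-bin entries are $I<id>.<ext> / $R<id>.<ext>, so they never match.
"""
import os
import re
import sys
import tempfile

SID_DIR = re.compile(r"^S-1-5-(18|21(-\d+){4})$")            # SYSTEM or a user SID
HEX32_DIR = re.compile(r"^\$[0-9a-f]{32}$", re.IGNORECASE)    # $0056d8a8e9e4...
PAYLOAD = re.compile(r"^[0-9a-f]{8}\.@$", re.IGNORECASE)      # 00000008.@, 80000032.@
MARKERS = ("@", "n")
GAC_INI = (os.path.join("assembly", "GAC_32", "Desktop.ini"),
           os.path.join("assembly", "GAC_64", "Desktop.ini"))


def hunt_zeroaccess(recycle_bin):
    """Return one finding per $<32 hex> directory that carries markers or payloads."""
    findings = []
    if not os.path.isdir(recycle_bin):
        return findings
    for sid in sorted(os.listdir(recycle_bin)):
        sid_path = os.path.join(recycle_bin, sid)
        if not (SID_DIR.match(sid) and os.path.isdir(sid_path)):
            continue
        for entry in sorted(os.listdir(sid_path)):
            base = os.path.join(sid_path, entry)
            if not (HEX32_DIR.match(entry) and os.path.isdir(base)):
                continue
            markers = [m for m in MARKERS if os.path.isfile(os.path.join(base, m))]
            payloads = []
            for sub in ("L", "U"):
                subdir = os.path.join(base, sub)
                if os.path.isdir(subdir):
                    payloads += [f"{sub}/{f}" for f in sorted(os.listdir(subdir))
                                 if PAYLOAD.match(f)]
            if markers or payloads:
                findings.append({"sid": sid, "dir": base,
                                 "markers": markers, "payloads": payloads})
    return findings


def gac_desktop_ini(windows_dir):
    """The log's second drop location: Desktop.ini inside the GAC folders."""
    return [p for p in (os.path.join(windows_dir, g) for g in GAC_INI) if os.path.isfile(p)]


# Constructed sample: relative paths copied from the "Other Deletions" list above,
# plus two ordinary recycle-bin entries that must NOT be flagged.
SAMPLE_FILES = [
    r"S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\@",
    r"S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\n",
    r"S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\L\00000004.@",
    r"S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\00000008.@",
    r"S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000032.@",
    r"S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\U\000000cb.@",
    r"S-1-5-21-1729025978-3398252532-1698638177-1000\$IQ7Z2K1.docx",   # benign, constructed
    r"S-1-5-21-1729025978-3398252532-1698638177-1000\$RQ7Z2K1.docx",   # benign, constructed
]


def build_sample_tree(parent):
    """Materialise SAMPLE_FILES under parent/$RECYCLE.BIN plus a fake Windows dir."""
    recycle = os.path.join(parent, "$RECYCLE.BIN")
    for rel in SAMPLE_FILES:
        path = os.path.join(recycle, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00")          # contents are irrelevant; only the layout is matched
    windows = os.path.join(parent, "Windows")
    ini = os.path.join(windows, GAC_INI[0])   # plant one GAC_32\Desktop.ini as in the log
    os.makedirs(os.path.dirname(ini), exist_ok=True)
    open(ini, "wb").close()
    return recycle, windows


def demo():
    """Build the sample tree in a temp dir and hunt it; returns (findings, gac_hit_count)."""
    with tempfile.TemporaryDirectory() as tmp:
        recycle, windows = build_sample_tree(tmp)
        return hunt_zeroaccess(recycle), len(gac_desktop_ini(windows))


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python hunt.py C:\$RECYCLE.BIN [C:\Windows]
        results = hunt_zeroaccess(sys.argv[1])
        gac = len(gac_desktop_ini(sys.argv[2])) if len(sys.argv) > 2 else 0
    else:
        results, gac = demo()
    for f in results:
        print(f"{f['sid']}: {f['dir']}  markers={f['markers']}  payloads={f['payloads']}")
    print(f"GAC Desktop.ini hits: {gac}")
```

On the constructed tree the hunter reports both SID folders (the SYSTEM one with both markers and three payloads, the user one with a single `U\000000cb.@`) and one GAC hit, and ignores the two `$I`/`$R` entries. The regex for the SID folder is deliberately tight (S-1-5-18 or a four-component S-1-5-21 domain/local SID) so that stray files ComboFix or other tools leave at the top of $RECYCLE.BIN are not walked.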

#9 CatByte (Malware Response Team)

Posted 02 September 2012 - 08:33 PM

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 mattsbach (Topic Starter)

Posted 02 September 2012 - 11:27 PM

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.03.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Matty :: LAPTOP [administrator]

Sep 2 9:44:23 PM
mbam-log-2012-09-02 (21-44-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 218612
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\00000008.@.vir Win64/Agent.BA trojan
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\000000cb.@.vir Win64/Conedex.B trojan
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000000.@.vir Win64/Sirefef.AP trojan
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000032.@.vir a variant of Win32/Sirefef.FD trojan
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-18\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000064.@.vir Win64/Sirefef.AN trojan
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\U\00000008.@.vir Win64/Agent.BA trojan
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\U\000000cb.@.vir Win64/Conedex.B trojan
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000000.@.vir Win64/Sirefef.AP trojan
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000032.@.vir a variant of Win32/Sirefef.FD trojan
C:\Qoobox\Quarantine\C\$RECYCLE.BIN\S-1-5-21-1729025978-3398252532-1698638177-1000\$0056d8a8e9e49f4b3db0ef73c8075778\U\80000064.@.vir Win64/Sirefef.AN trojan

#11 CatByte (Malware Response Team)

Posted 03 September 2012 - 07:26 AM

All those detections from ESET are in ComboFix quarantine, so they can't harm your computer (we will be removing that at the end when we clean up all our tools, so stay with me).

Please do the following:

  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



NEXT



Please advise how your computer is running now and if there are any outstanding issues



#12 mattsbach (Topic Starter)

Posted 03 September 2012 - 11:57 AM

MiniToolBox by Farbar Version: 23-07-2012
Ran by Matty (administrator) on 03-09-2012 at 12:54:11
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

7-Zip 4.65
7-Zip 9.20 (x64 edition) (Version: 9.20.00.0)
Acer Crystal Eye Webcam (Version: 5.2.3.1)
Acer GridVista (Version: 2.75.825)
Adobe Acrobat X Pro - English, Français, Deutsch (Version: 10.1.4)
Adobe AIR (Version: 2.5.1.17730)
Adobe Color Common Settings (Version: 1.0.1)
Adobe Creative Suite 5.5 Master Collection (Version: 5.5)
Adobe ExtendScript Toolkit 2 (Version: 2.0.2)
Adobe Flash Player 11 ActiveX 64-bit (Version: 11.2.202.235)
Adobe Flash Player 11 Plugin (Version: 11.4.402.265)
Adobe Flash Player 11 Plugin 64-bit (Version: 11.4.402.265)
Adobe Reader X (10.1.4) (Version: 10.1.4)
Adobe Setup (Version: 1.0)
Amazon MP3 Downloader 1.0.10
Apple Application Support (Version: 2.1.9)
Apple Mobile Device Support (Version: 5.2.0.6)
Apple Software Update (Version: 2.1.3.127)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (Version: 1.0.0.18)
BlitzIn 3.0
Bonjour (Version: 3.0.0.10)
CCleaner (Version: 3.20)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
DisplayLink Core Software (Version: 5.2.23752.0)
DisplayLink Graphics (Version: 5.2.23982.0)
ESET Online Scanner v3
FastStone Photo Resizer 2.8 (Version: 2.8)
Finale 2008 (Version: 13.1.9)
FLV Player (Version: 2.0.25)
Garritan Instruments for Finale (Version: 1.0.13)
Git version 1.7.10-preview20120409 (Version: 1.7.10-preview20120409)
GoldWave v5.55
Google Chrome (Version: 19.0.1084.56)
Google Update Helper (Version: 1.3.21.115)
Intel® Graphics Media Accelerator Driver
iTunes (Version: 10.6.3.25)
Java 7 Update 7 (64-bit) (Version: 7.0.70)
Java Auto Updater (Version: 2.1.6.0)
Java™ 6 Update 31 (64-bit) (Version: 6.0.310)
Java™ 7 Update 5 (Version: 7.0.50)
JavaFX 2.1.1 (Version: 2.1.1)
K-Lite Codec Pack 5.0.0 (Standard) (Version: 5.0.0)
LAME v3.98.2 for Audacity
Launch Manager (Version: 3.0.02)
LogMeIn Ignition (Version: 1.1.64)
LTCM Client (Version: 1.20.3792)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
Melloware PlacesBar Editor (Version: 1.1.0.61)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft IntelliPoint 8.0 (Version: 8.01.249.0)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft_VC80_ATL_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_ATL_x86_x64 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86_x64 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86_x64 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86_x64 (Version: 80.50727.4053)
Microsoft_VC90_ATL_x86 (Version: 1.00.0000)
Microsoft_VC90_ATL_x86_x64 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86_x64 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86_x64 (Version: 1.00.0000)
Microsoft_VC90_MFCLOC_x86 (Version: 1.00.0000)
Microsoft_VC90_MFCLOC_x86_x64 (Version: 1.00.0000)
Mozilla Firefox 16.0 (x86 en-US) (Version: 16.0)
MSVC80_x64 (Version: 1.0.1.0)
MSVC80_x64_v2 (Version: 1.0.3.0)
MSVC80_x86 (Version: 1.0.1.0)
MSVC80_x86_v2 (Version: 1.0.3.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
OpenVPN 2.1_rc20 (Version: 2.1_rc20)
Optical Drive Power Management (Version: 1.01.3002)
Orion Platinum
PDF Settings CS5 (Version: 10.0)
Playchess (Version: 1.00.000)
PowerDVD (Version: 7.0.4002.0)
QuickTime (Version: 7.72.80.56)
Realtek High Definition Audio Driver (Version: 6.0.1.5830)
Realtek USB 2.0 Card Reader (Version: 6.0.6000.20113)
Ruby 1.8.7-p358 (Version: 1.8.7-p358)
Safari (Version: 5.34.57.2)
SpyHunter (Version: 4.9.11.3987)
SQLyog Community 10.1 Beta1 (Version: 10.1 Beta1)
Synaptics Pointing Device Driver (Version: 12.2.2.0)
TextPad 5 (Version: 5.2.0)
TortoiseSVN 1.6.10.19898 (32 bit) (Version: 1.6.19898)
TortoiseSVN 1.6.16.21511 (64 bit) (Version: 1.6.21511)
Upgrade Kit (Version: 1.00.3002)
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
WinRAR archiver
WinSCP 4.3.9 (Version: 4.3.9)

**** End of log ****




Farbar Service Scanner Version: 06-08-2012
Ran by Matty (administrator) on 03-09-2012 at 12:55:28
Running from "C:\Users\Matty\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****


I think it's running well now.

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:47 PM

Posted 03 September 2012 - 12:14 PM

There are a couple of broken services; your Windows Update and firewall won't be working.

Please run the Windows Repair tool, then post another Farbar Service Scanner log to check if it is repaired:

Please download Windows Repair (all in one) from here

Install the program then run it

Go to step 2 and allow it to run Disk check


Once that is done then go to step 3 and allow it to run SFC


On the Start Repairs tab => Click Start

Click on the select all check box and then click on Start

DON'T use the computer while each scan is in progress.


Restart may be needed to finish the repair procedure.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 mattsbach

mattsbach
  • Topic Starter

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 03 September 2012 - 01:38 PM

Farbar Service Scanner Version: 06-08-2012
Ran by Matty (administrator) on 03-09-2012 at 14:36:56
Running from "C:\Users\Matty\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:47 PM

Posted 03 September 2012 - 01:58 PM

The BITS registry key wasn't repaired:

Please download the attached registry fix and save it to your desktop. Right-click it and choose to Merge it into your registry (then delete the file, as you won't need it again).

Now reboot the computer and check that Windows Update is working correctly.

[attachment=129563:bits7.reg]

Please advise if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
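The two Farbar Service Scanner logs in this thread show two different failure shapes: in the first the whole MpsSvc service key is missing ("The service key does not exist"), while in both the BITS key exists but its Start value is gone ("Unable to retrieve start type of BITS. The value does not exist"). The script below is an added example, not code from this thread or from Farbar Service Scanner, that performs the same kind of read-only check from an elevated PowerShell prompt so the result of a repair (such as merging a service registry fix) can be confirmed without a third-party tool. It distinguishes a missing key from a missing Start value, checks that the ImagePath and ServiceDll files actually exist on disk, and reports the service state. The service names and expected Start values are the Windows 7 defaults as assumed here (2 = Automatic, 3 = Manual); the ImagePath parsing is a heuristic.

```powershell
# Added example: not code from this thread or from Farbar Service Scanner (FSS).
# Read-only check of the service registry keys the FSS logs report on: key present?
# Start value present and as expected? ImagePath / ServiceDll files on disk? state?
# It changes nothing, so it is safe to run before and after a repair to confirm it.
# Assumptions: Windows 7 or later, elevated PowerShell 2.0 or newer; the expected
# Start values below are the Windows 7 defaults as assumed here (2 = Automatic, 3 = Manual).

$expectedStart = @{
    'MpsSvc'    = 2   # Windows Firewall service
    'mpsdrv'    = 3   # Windows Firewall Authorization Driver (started on demand)
    'BFE'       = 2   # Base Filtering Engine; the firewall depends on it
    'BITS'      = 2   # Background Intelligent Transfer Service; Windows Update depends on it
    'wuauserv'  = 2   # Windows Update
    'WinDefend' = 2   # Windows Defender
}

# Turn an ImagePath value into an absolute file path. Heuristic: expands %SystemRoot%,
# strips quotes and svchost arguments, and handles the \SystemRoot\ and \??\ prefixes
# and the SystemRoot-relative form that driver entries commonly use.
function Resolve-ImagePath([string]$imagePath) {
    if (-not $imagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($imagePath.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } elseif ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') {
        $p = $Matches[1]
    }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-ServiceConfig([string]$name, [int]$expected) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $r = New-Object PSObject -Property @{
        Service = $name; KeyExists = $false; StartValue = $null; StartOK = $false
        ImagePath = $null; ImageExists = $false; ServiceDll = $null; DllExists = $null; State = $null
    }
    # FSS reports this case as "Unable to open ... registry key. The service key does not exist."
    if (-not (Test-Path -Path $key)) { return $r }
    $r.KeyExists = $true

    $props = Get-ItemProperty -Path $key
    # FSS reports a missing Start value as "Unable to retrieve start type ... The value does not exist."
    $startProp = $props.PSObject.Properties['Start']
    if ($startProp) {
        $r.StartValue = [int]$startProp.Value
        $r.StartOK = ($r.StartValue -eq $expected)
    }

    $imageProp = $props.PSObject.Properties['ImagePath']
    if ($imageProp) {
        $r.ImagePath = Resolve-ImagePath $imageProp.Value
        if ($r.ImagePath) { $r.ImageExists = Test-Path -LiteralPath $r.ImagePath }
    }

    # svchost-hosted services keep their code in Parameters\ServiceDll; drivers have none.
    $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
    if ($params -and $params.PSObject.Properties['ServiceDll']) {
        $r.ServiceDll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        $r.DllExists = Test-Path -LiteralPath $r.ServiceDll
    }

    # Win32_BaseService covers both services and kernel drivers, unlike Get-Service.
    $svc = Get-WmiObject -Class Win32_BaseService -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if ($svc) { $r.State = $svc.State }
    return $r
}

$report = foreach ($name in $expectedStart.Keys) { Test-ServiceConfig $name $expectedStart[$name] }
$report | Format-Table Service, KeyExists, StartValue, StartOK, State, ImageExists, DllExists -AutoSize

# Anything in this list is the kind of damage the FSS log flags with ATTENTION.
$broken = $report | Where-Object {
    -not $_.KeyExists -or -not $_.StartOK -or -not $_.ImageExists -or ($_.DllExists -eq $false)
}
if ($broken) {
    Write-Warning ('Needs repair: ' + (($broken | ForEach-Object { $_.Service }) -join ', '))
} else {
    Write-Output 'All checked services have intact registry configuration.'
}
```

Run it before merging a service registry fix to see which entries are damaged, and again after the reboot: a service whose key was recreated should show KeyExists and StartOK as True and, for an Automatic service, State as Running. A key that exists with the right Start value but whose ImagePath or ServiceDll file is missing points at file damage rather than registry damage, which the repair tool's SFC step addresses rather than a .reg merge.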
