
Win32/Sirefef!cfg quarantined


  • This topic is locked
22 replies to this topic

#1 mstap42

  • Members
  • 65 posts
  • Gender:Male

Posted 13 September 2012 - 10:36 PM

MSSE quarantined Sirefef!cfg yesterday.

So far, have noticed no adverse symptoms. MSSE updates/scans daily and has caught no other malware.

Will appreciate your help.

GMER found nothing on C:\. The only options *not* grayed out were Services, Registry, Files, and ADS. I unchecked ADS, per instructions.

DDS log follows.

Many thanks.

--ms

# == BEGIN DDS.txt == #
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by Stapletons at 22:57:49 on 2012-09-13
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.1512 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PassportLearning\Academy\apache\bin\Apache.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CrashPlan\CrashPlanService.exe
C:\PassportLearning\Academy\apache\bin\Apache.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\FortiSSLVPNdaemon.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Program Files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\PassportLearning\Academy\bin\wrapper.exe
C:\PassportLearning\Academy\j2sdk\bin\java.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Users\Stapletons\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\CrashPlan\CrashPlanTray.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Users\Stapletons\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Users\Stapletons\Documents\RCA Detective\RCADetective.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\mmc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [SansaDispatch] C:\Users\Stapletons\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
uRun: [Easy Dock]
mRun: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\vdeck.exe
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
StartupFolder: C:\Users\STAPLE~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe
StartupFolder: C:\Users\STAPLE~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Stapletons\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\STAPLE~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RCADET~1.LNK - C:\Users\Stapletons\Documents\RCA Detective\RCADetective.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\APCUPS~1.LNK - C:\Program Files (x86)\APC\APC PowerChute Personal Edition\Display.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CRASHP~1.LNK - C:\Program Files (x86)\CrashPlan\CrashPlanTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {B6648EB8-2460-484F-9255-9654454C4C70} - hxxps://vpn.louisville.edu/prx/000/http/localhost/arr_x.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.254.254
TCP: Interfaces\{0B2AD027-D7C9-4BDB-989B-31FA59FF296B} : DhcpNameServer = 192.168.254.254
TCP: Interfaces\{18F1F89D-B001-445B-9547-3B46676F46A2} : DhcpNameServer = 192.168.254.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\vdeck.exe
mRun-x64: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun-x64: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Stapletons\AppData\Roaming\Mozilla\Firefox\Profiles\6bb5gtwl.default\
FF - prefs.js: browser.search.selectedEngine - Startpage HTTPS
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Fortinet\SslvpnClient\npccplugin.dll
FF - plugin: C:\Program Files (x86)\Fortinet\SslvpnClient\nptcplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1166636.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AutoSkillApplicationServer;AutoSkill Application Server;C:\PassportLearning\Academy\bin\wrapper.exe -s C:\PassportLearning\Academy\bin\app.conf --> C:\PassportLearning\Academy\bin\wrapper.exe -s C:\PassportLearning\Academy\bin\app.conf [?]
R2 AutoSkillWebServer;AutoSkillWebServer;C:\PassportLearning\Academy\apache\bin\Apache.exe [2011-9-12 14336]
R2 CrashPlanService;CrashPlan Backup Service;C:\Program Files\CrashPlan\CrashPlanService.exe [2012-3-26 222720]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 FortiSslvpnDaemon;FortiClient SSL VPN;C:\Windows\SysWOW64\FortiSSLVPNdaemon.exe [2011-2-8 825960]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 PenCommService;Livescribe Pulse Smartpen Service;C:\Program Files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe [2011-8-11 470528]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-8-13 3064000]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\system32\Drivers\nx6000.sys --> C:\Windows\system32\Drivers\nx6000.sys [?]
R3 pppop;PPPoP WAN Adapter;C:\Windows\system32\DRIVERS\pppop64.sys --> C:\Windows\system32\DRIVERS\pppop64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
S2 AutoSkillDatabaseServer;AutoSkillDatabaseServer;C:/PassportLearning/Academy/pgsql/bin/pg_ctl.exe runservice -N "AutoSkillDatabaseServer" -D "C:/PassportLearning/Academy/data/database/pgsql" --> C:/PassportLearning/Academy/pgsql/bin/pg_ctl.exe runservice -N AutoSkillDatabaseServer [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-24 136176]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-14 250568]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-24 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-6 114144]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2011-5-12 25072]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-09-14 00:49:49 -------- d-----w- C:\Users\Stapletons\AppData\Roaming\KeePass
2012-09-14 00:38:43 -------- d-----w- C:\Program Files (x86)\KeePass Password Safe 2
2012-09-13 18:28:53 9310152 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7F07A740-D905-465A-A068-2900C990730A}\mpengine.dll
2012-09-12 18:22:14 9310152 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-03 00:57:39 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-15 17:54:44 58880 ----a-w- C:\Windows\System32\browcli.dll
2012-08-15 17:54:44 41472 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-08-15 17:54:44 136704 ----a-w- C:\Windows\System32\browser.dll
2012-08-15 17:54:43 3146752 ----a-w- C:\Windows\System32\win32k.sys
2012-08-15 17:54:42 956416 ----a-w- C:\Windows\System32\localspl.dll
.
==================== Find3M ====================
.
2012-09-03 00:57:32 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-09-03 00:45:05 73416 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-03 00:45:05 696520 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-08 23:05:36 328704 ----a-w- C:\Windows\System32\services.exe
2012-07-08 23:03:02 328704 ----a-w- C:\Windows\System32\services.exe.B35F8D52ADEFB97C
2012-07-08 23:00:01 328704 ----a-w- C:\Windows\System32\services.exe.88C7413FBBCDABC8
2012-07-08 22:56:53 328704 ----a-w- C:\Windows\System32\services.exe.365FE88F59834D41
2012-07-08 22:51:49 328704 ----a-w- C:\Windows\System32\services.exe.F0B9CE567D9279DA
2012-07-08 22:48:41 328704 ----a-w- C:\Windows\System32\services.exe.4E6256BD9401289E
2012-07-06 02:06:30 772544 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-07-03 17:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 22:58:33.97 ===============

# == END DDS.txt == #


#2 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 14 September 2012 - 07:58 AM

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 mstap42

  • Topic Starter

  • Members
  • 65 posts
  • Gender:Male

Posted 14 September 2012 - 09:28 PM

CatByte,

Thanks for quick reply. Here's the log...

# == BEGIN FRST.txt == #

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-09-2012 01
Ran by SYSTEM at 14-09-2012 22:14:47
Running from K:\malware tools
Microsoft Windows XP (X64) OS Language: English(US)
The current controlset is ControlSet001

ATTENTION!:=====> THE OPERATING SYSTEM IS A X86 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X64 SYSTEM DISK.
==================== Registry (Whitelisted) ===================

HKLM\...\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE [81990 2003-09-29] (Network Associates, Inc.)
HKLM\...\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey [135251 2003-09-10] (Network Associates, Inc.)
HKLM\...\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [335872 2003-11-25] (ATI Technologies, Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [278528 2005-10-18] (Apple Computer, Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [155648 2005-12-21] (Apple Computer, Inc.)
HKLM\...\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe [x]
HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [1191936 2006-03-21] (CANON INC.)
HKLM\...\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [155648 2003-09-29] (Scansoft, Inc.)
HKLM\...\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [69632 2006-03-21] (ScanSoft, Inc.)
HKLM\...\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe [1388544 2004-07-27] (Analog Devices, Inc.)
HKLM\...\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray [860160 2004-08-06] (Analog Devices, Inc.)
HKLM\...\Run: [Logitech Utility] Logi_MwX.Exe [x]
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-10-14] (Adobe Systems Incorporated)
HKLM\...\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp [x]
HKU\bryan\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [155648 2005-12-21] (Apple Computer, Inc.)
HKU\bryan\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2004-08-03] (Microsoft Corporation)
HKU\bryan\...\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [x]
HKU\colin\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [155648 2005-12-21] (Apple Computer, Inc.)
HKU\colin\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2004-08-03] (Microsoft Corporation)
HKU\colin\...\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [x]
HKU\parents\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2004-08-03] (Microsoft Corporation)
HKU\parents\...\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\parents\...\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet [4351216 2009-05-26] (Yahoo! Inc.)
HKU\parents\...\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.garfieldgames.com/Sampler/ggc_menu.htm" [460216 2009-01-16] (Adobe Systems, Inc.)
HKLM-x32\...\Winlogon: [Userinit] [x]
HKLM-x32\...\Winlogon: [Shell] [x ] ()
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll ()
Winlogon\Notify\crypt32chain: crypt32.dll (Microsoft Corporation)
Winlogon\Notify\cryptnet: cryptnet.dll (Microsoft Corporation)
Winlogon\Notify\cscdll: cscdll.dll (Microsoft Corporation)
Winlogon\Notify\dimsntfy:
Winlogon\Notify\ScCertProp: wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\Schedule: wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\sclgntfy: sclgntfy.dll (Microsoft Corporation)
Winlogon\Notify\SensLogn: WlNotify.dll (Microsoft Corporation)
Winlogon\Notify\termsrv: wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
Winlogon\Notify\wlballoon: wlnotify.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
Lsa: [Notification Packages] scecli
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
ShortcutTarget: APC UPS Status.lnk -> C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
ShortcutTarget: Logitech Desktop Messenger.lnk -> C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe (No File)

==================== Services ====================

4 Alerter; C:\Windows\System32\alrsvc.dll [17408 2004-08-03] (Microsoft Corporation)
2 APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [176193 2005-12-12] (American Power Conversion Corporation)
3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [34312 2008-07-25] (Microsoft Corporation)
2 Ati HotKey Poller; C:\Windows\System32\Ati2evxx.exe [397312 2004-03-03] ()
4 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [516096 2004-03-03] ()
4 ClipSrv; C:\Windows\System32\clipsrv.exe [33280 2004-08-03] (Microsoft Corporation)
3 dmadmin; C:\Windows\System32\dmadmin.exe /com [224768 2004-08-03] (Microsoft Corp., Veritas Software)
2 dmserver; C:\Windows\System32\dmserver.dll [23552 2004-08-03] (Microsoft Corp.)
2 ERSvc; C:\Windows\System32\ersvc.dll [23040 2004-08-03] (Microsoft Corporation)
2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
3 FastUserSwitchingCompatibility; C:\Windows\System32\shsvcs.dll [134656 2006-12-19] (Microsoft Corporation)
3 FontCache3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [46104 2008-07-29] (Microsoft Corporation)
2 helpsvc; C:\Windows\PCHealth\HelpCtr\Binaries\pchsvc.dll [38912 2004-08-03] (Microsoft Corporation)
3 HTTPFilter; C:\Windows\System32\w3ssl.dll [15872 2004-08-03] (Microsoft Corporation)
3 IDriverT; "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" [69632 2005-04-03] (Macrovision Corporation)
3 idsvc; "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" [881664 2008-07-29] (Microsoft Corporation)
3 ImapiService; C:\WINDOWS\System32\imapi.exe [150016 2004-08-03] (Microsoft Corporation)
2 IntuitUpdateService; "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" [13088 2008-10-10] (Intuit Inc.)
3 iPodService; C:\Program Files\iPod\bin\iPodService.exe [323584 2005-10-18] (Apple Computer, Inc.)
2 McAfeeFramework; C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart [106586 2003-09-10] (Network Associates, Inc.)
2 McShield; "C:\Program Files\Network Associates\VirusScan\mcshield.exe" [237657 2003-09-29] (Network Associates, Inc.)
2 McTaskManager; "C:\Program Files\Network Associates\VirusScan\vstskmgr.exe" [69706 2003-09-29] (Network Associates, Inc.)
4 Messenger; C:\Windows\System32\msgsvc.dll [33792 2004-08-03] (Microsoft Corporation)
3 mnmsrvc; C:\WINDOWS\System32\mnmsrvc.exe [32768 2004-08-03] (Microsoft Corporation)
4 NetDDE; C:\Windows\System32\netdde.exe [111104 2004-08-03] (Microsoft Corporation)
4 NetDDEdsdm; C:\Windows\System32\netdde.exe [111104 2004-08-03] (Microsoft Corporation)
3 Nla; C:\Windows\System32\mswsock.dll [245248 2008-06-20] (Microsoft Corporation)
3 NtLmSsp; C:\Windows\System32\lsass.exe [13312 2004-08-03] (Microsoft Corporation)
3 NtmsSvc; C:\Windows\System32\ntmssvc.dll [435200 2004-08-03] (Microsoft Corporation)
2 PlugPlay; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
2 PolicyAgent; C:\Windows\System32\lsass.exe [13312 2004-08-03] (Microsoft Corporation)
3 RDSessMgr; C:\WINDOWS\system32\sessmgr.exe [140800 2004-08-03] (Microsoft Corporation)
3 RSVP; C:\Windows\System32\rsvp.exe [132608 2002-08-29] (Microsoft Corporation)
3 SCardSvr; C:\Windows\System32\SCardSvr.exe [95744 2004-08-03] (Microsoft Corporation)
2 SMSv3hs; C:\Program Files\Rosetta Stone\SMS v3.0hs\Service\JavaSrvc.exe [65536 2006-04-21] (Alexandria Software Consulting)
2 SoundMAX Agent Service (default); C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [45056 2002-09-20] (Analog Devices, Inc.)
2 srservice; C:\WINDOWS\System32\srsvc.dll [170496 2004-08-03] (Microsoft Corporation)
3 SwPrv; C:\WINDOWS\System32\dllhost.exe /Processid:{7AD8E77D-0D94-4282-BA41-7E0D0B2F51EB} [5120 2004-08-03] (Microsoft Corporation)
3 SysmonLog; C:\Windows\System32\smlogsvc.exe [89600 2004-08-03] (Microsoft Corporation)
4 TlntSvr; C:\WINDOWS\System32\tlntsvr.exe [73216 2004-08-03] (Microsoft Corporation)
2 uploadmgr; C:\Windows\PCHealth\HelpCtr\Binaries\pchsvc.dll [38912 2004-08-03] (Microsoft Corporation)
3 UPS; C:\Windows\System32\ups.exe [18432 2004-08-03] (Microsoft Corporation)
3 vsmon; C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service [75304 2008-03-13] (Zone Labs, LLC)
3 WmdmPmSN; C:\WINDOWS\system32\mspmsnsv.dll [27136 2006-10-18] (Microsoft Corporation)
3 Wmi; C:\Windows\System32\advapi32.dll [616960 2009-02-09] (Microsoft Corporation)
2 wuauserv; C:\WINDOWS\system32\wuauserv.dll [6656 2004-08-03] (Microsoft Corporation)
2 WZCSVC; C:\Windows\System32\wzcsvc.dll [359936 2004-08-03] (Microsoft Corporation)
3 xmlprov; C:\Windows\System32\xmlprov.dll [129536 2004-08-03] (Microsoft Corporation)
2 aawservice; "C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe" [x]
2 AVG Anti-Spyware Guard; C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [x]
2 Diskeeper; "C:\Program Files\Executive Software\DiskeeperLite\DKService.exe" [x]
3 gusvc; "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" [x]
4 HidServ; C:\Windows\System32\hidserv.dll [x]
2 imonNT; C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe [x]
2 OracleMTSRecoveryService; C:\oracle\ora92\bin\omtsreco.exe "OracleMTSRecoveryService" [x]
3 OracleOraHome92ClientCache; C:\oracle\ora92\BIN\ONRSD.EXE [x]

==================== Drivers =================================

4 ACPIEC; C:\Windows\System32\Drivers\ACPIEC.sys [11648 2002-08-29] (Microsoft Corporation)
3 aeaudio; C:\Windows\System32\Drivers\aeaudio.sys [133200 2004-05-17] (Andrea Electronics Corporation)
3 aec; C:\Windows\System32\Drivers\aec.sys [142464 2006-02-14] (Microsoft Corporation)
0 aic78xx; C:\Windows\System32\Drivers\aic78xx.sys [56960 2002-08-29] (Microsoft Corporation)
3 Arp1394; C:\Windows\System32\Drivers\Arp1394.sys [60800 2004-08-03] (Microsoft Corporation)
2 aslm75; C:\Windows\System32\Drivers\aslm75.sys [6272 1997-04-22] ()
3 ati2mtag; C:\Windows\System32\Drivers\ati2mtag.sys [679936 2004-03-03] (ATI Technologies Inc.)
3 atirage3; C:\Windows\System32\DRIVERS\atimpae.sys [75136 2001-08-17] (ATI Technologies Inc.)
3 Atmarpc; C:\Windows\System32\Drivers\Atmarpc.sys [59904 2004-08-03] (Microsoft Corporation)
3 audstub; C:\Windows\System32\Drivers\audstub.sys [3072 2001-08-17] (Microsoft Corporation)
1 AvgAsCln; C:\Windows\System32\Drivers\AvgAsCln.sys [10872 2007-05-30] (GRISOFT, s.r.o.)
4 cbidf2k; C:\Windows\System32\Drivers\cbidf2k.sys [13952 2002-08-29] (Microsoft Corporation)
1 Cdaudio; C:\Windows\System32\Drivers\Cdaudio.sys [18688 2002-08-29] (Microsoft Corporation)
4 dmboot; C:\Windows\System32\Drivers\dmboot.sys [799744 2004-08-03] (Microsoft Corp., Veritas Software)
0 dmio; C:\Windows\System32\Drivers\dmio.sys [153344 2004-08-03] (Microsoft Corp., Veritas Software)
0 dmload; C:\Windows\System32\Drivers\dmload.sys [5888 2002-08-29] (Microsoft Corp., Veritas Software.)
3 DMusic; C:\Windows\System32\Drivers\DMusic.sys [52864 2004-08-03] (Microsoft Corporation)
3 E100B; C:\Windows\System32\DRIVERS\e100b325.sys [165496 2007-11-16] (Intel Corporation)
1 Fips; C:\Windows\System32\Drivers\Fips.sys [34944 2002-08-29] (Microsoft Corporation)
3 FlexBios; C:\Windows\System32\Drivers\FlexBios.sys [33148 2004-01-29] (Your Corporation)
0 Ftdisk; C:\Windows\System32\Drivers\Ftdisk.sys [125056 2002-08-29] (Microsoft Corporation)
3 Gpc; C:\Windows\System32\DRIVERS\msgpc.sys [35072 2004-08-03] (Microsoft Corporation)
1 Imapi; C:\Windows\System32\Drivers\Imapi.sys [41856 2004-08-03] (Microsoft Corporation)
3 Invoker; C:\Windows\System32\Drivers\Invoker.sys [34004 2004-01-29] (Your Corporation)
3 Ip6Fw; C:\Windows\System32\Drivers\Ip6Fw.sys [29056 2004-08-03] (Microsoft Corporation)
3 IpInIp; C:\Windows\System32\Drivers\IpInIp.sys [20992 2004-08-03] (Microsoft Corporation)
1 IPSec; C:\Windows\System32\Drivers\IPSec.sys [74752 2004-08-03] (Microsoft Corporation)
1 KLIF; C:\Windows\System32\Drivers\KLIF.sys [127768 2007-07-19] (Kaspersky Lab)
3 kmixer; C:\Windows\System32\Drivers\kmixer.sys [172416 2006-06-14] (Microsoft Corporation)
3 L8042PR2; C:\Windows\System32\Drivers\L8042PR2.sys [51729 2003-12-17] (Logitech, Inc.)
3 LHidFlt2; C:\Windows\System32\Drivers\LHidFlt2.sys [25505 2003-12-17] (Logitech, Inc.)
3 LHidUsb; C:\Windows\System32\Drivers\LHidUsb.sys [37887 2003-12-17] (Logitech, Inc.)
3 LMouFlt2; C:\Windows\System32\Drivers\LMouFlt2.sys [70801 2003-12-17] (Logitech, Inc.)
3 MidiSyn; C:\Windows\System32\Drivers\MidiSyn.sys [235100 2002-09-20] (Analog Devices Inc)
1 mnmdd; C:\Windows\System32\Drivers\mnmdd.sys [4224 2002-08-29] (Microsoft Corporation)
3 MxlW2k; C:\Windows\System32\Drivers\MxlW2k.sys [28164 2002-03-01] (MusicMatch, Inc.)
3 NaiAvFilter1; C:\Windows\System32\drivers\naiavf5x.sys [83008 2003-09-29] (Network Associates, Inc.)
3 NAL; \??\C:\WINDOWS\system32\Drivers\iqvw32.sys [30880 2009-10-14] (Intel Corporation )
3 NIC1394; C:\Windows\System32\Drivers\NIC1394.sys [61824 2004-08-03] (Microsoft Corporation)
3 NwlnkFlt; C:\Windows\System32\Drivers\NwlnkFlt.sys [12416 2002-08-29] (Microsoft Corporation)
3 NwlnkFwd; C:\Windows\System32\Drivers\NwlnkFwd.sys [32512 2002-08-29] (Microsoft Corporation)
3 PSched; C:\Windows\System32\Drivers\PSched.sys [69120 2004-08-03] (Microsoft Corporation)
3 Ptilink; C:\Windows\System32\Drivers\Ptilink.sys [17792 2002-08-29] (Parallel Technologies, Inc.)
3 Raspti; C:\Windows\System32\Drivers\Raspti.sys [16512 2002-08-29] (Microsoft Corporation)
1 redbook; C:\Windows\System32\Drivers\redbook.sys [57472 2004-08-03] (Microsoft Corporation)
3 s3m; C:\Windows\System32\Drivers\s3m.sys [166720 2001-08-17] (S3 Incorporated)
3 senfilt; C:\Windows\System32\Drivers\senfilt.sys [381056 2004-04-26] (Sensaura)
1 sf; C:\Windows\System32\Drivers\sf.sys [33995 2004-08-28] (Sonic Focus, Inc)
2 SIODRV; C:\Windows\System32\Drivers\SIODRV.sys [7424 2005-05-02] (Intel Corporation)
0 SISAGP; C:\Windows\System32\Drivers\SISAGP.sys [41088 2004-08-03] (Silicon Integrated Systems Corporation)
0 SiSide; C:\Windows\System32\Drivers\SiSide.sys [4096 2003-03-25] (Silicon Integrated Systems Corp.)
0 sisidex; C:\Windows\System32\Drivers\sisidex.sys [49024 2002-10-16] (Windows ® 2000 DDK provider)
0 sisperf; C:\Windows\System32\Drivers\sisperf.sys [9472 2002-08-20] (Silicon Integrated Systems Corp.)
0 SiSRaid; C:\Windows\System32\Drivers\SiSRaid.sys [45568 2003-12-09] (Silicon Integrated Systems)
0 SiSRaid1; C:\Windows\System32\Drivers\SiSRaid1.sys [45568 2003-12-09] (Silicon Integrated Systems)
3 SMBios; C:\Windows\System32\Drivers\SMBios.sys [36484 2003-10-14] (Intel Corporation)
3 smbusp; C:\Windows\System32\DRIVERS\smb.sys [21931 2003-01-13] (Intel Corporation)
3 smwdm; C:\Windows\System32\Drivers\smwdm.sys [259648 2004-09-01] (Analog Devices, Inc.)
3 splitter; C:\Windows\System32\Drivers\splitter.sys [6400 2006-06-14] (Microsoft Corporation)
0 sr; C:\Windows\System32\Drivers\sr.sys [73472 2004-08-03] (Microsoft Corporation)
0 srescan; C:\Windows\System32\ZoneLabs\srescan.sys [51176 2008-02-26] (Zone Labs, LLC)
3 SSNDIS5; \??\C:\WINDOWS\system32\SSNDIS5.SYS [17169 2004-09-17] (Printing Communications Assoc., Inc. (PCAUSA))
3 swmidi; C:\Windows\System32\Drivers\swmidi.sys [54272 2002-08-29] (Microsoft Corporation)
3 sysaudio; C:\Windows\System32\Drivers\sysaudio.sys [60800 2004-08-03] (Microsoft Corporation)
3 Update; C:\Windows\System32\Drivers\Update.sys [364160 2007-04-23] (Microsoft Corporation)
1 vsdatant; C:\Windows\System32\vsdatant.sys [394952 2008-03-13] (Zone Labs, LLC)
3 wdmaud; C:\Windows\System32\Drivers\wdmaud.sys [82944 2006-06-14] (Microsoft Corporation)
3 yukonwxp; C:\Windows\System32\Drivers\yukonwxp.sys [174464 2003-12-23] (Marvell Semiconductor Inc.)
4 Abiosdsk; [x]
4 abp480n5; [x]
4 adpu160m; [x]
4 Aha154x; [x]
4 aic78u2; [x]
4 AliIde; [x]
4 amsint; [x]
4 asc; [x]
4 asc3350p; [x]
4 asc3550; [x]
3 ASUSHWIO; \??\C:\WINDOWS\System32\drivers\ASUSHWIO.sys [x]
4 Atdisk; [x]
1 AVG Anti-Spyware Driver; \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys [x]
4 cd20xrnt; [x]
1 Changer; [x]
4 CmdIde; [x]
4 Cpqarray; [x]
4 dac2w2k; [x]
4 dac960nt; [x]
4 dpti2o; [x]
4 hpn; [x]
1 i2omgmt; [x]
4 i2omp; [x]
4 ini910u; [x]
4 IntelIde; [x]
3 L2XPSR; \??\C:\PROGRA~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS [x]
1 lbrtfdc; [x]
3 LOGNT; \??\C:\PROGRA~1\EFFICI~1\TANGOM~1\app\lognt.sys [x]
4 mraid35x; [x]
3 PCAMPR5; \??\C:\WINDOWS\System32\PCAMPR5.SYS [x]
1 PCIDump; [x]
3 PDCOMP; [x]
3 PDFRAME; [x]
3 PDRELI; [x]
3 PDRFRAME; [x]
4 perc2; [x]
4 perc2hib; [x]
4 ql1080; [x]
4 Ql10wnt; [x]
4 ql12160; [x]
4 ql1240; [x]
4 ql1280; [x]
4 Simbad; [x]
4 Sparrow; [x]
4 symc810; [x]
4 symc8xx; [x]
4 sym_hi; [x]
4 sym_u3; [x]
4 TosIde; [x]
4 ultra; [x]
4 ViaIde; [x]
3 WDICA; [x]

==================== NetSvcs (Whitelisted) =================


==================== One Month Created Files and Folders ======================

2012-09-14 22:14 - 2012-09-14 22:14 - 00000000 ____D C:\FRST


==================== 3 Months Modified Files ================================


==================== Known DLLs (Whitelisted) =================

C:\Windows\SysWOW64\advapi32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\comdlg32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\gdi32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\imagehlp.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\kernel32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\lz32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\ole32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\oleaut32.dll IS MISSING <==== ATTENTION!
[2002-08-29 04:00] - [2005-07-25 20:39] - 0074752 ____A (Microsoft Corporation) C:\Windows\System32\olecli32.dll
C:\Windows\SysWOW64\olecli32.dll IS MISSING <==== ATTENTION!
[2008-09-23 15:36] - [2005-07-25 20:39] - 0037888 ____A (Microsoft Corporation) C:\Windows\System32\olecnv32.dll
C:\Windows\SysWOW64\olecnv32.dll IS MISSING <==== ATTENTION!
[2002-08-29 04:00] - [2002-08-29 04:00] - 0022016 ____A (Microsoft Corporation) C:\Windows\System32\olesvr32.dll
C:\Windows\SysWOW64\olesvr32.dll IS MISSING <==== ATTENTION!
[2002-08-29 04:00] - [2002-08-29 04:00] - 0069120 ____A (Microsoft Corporation) C:\Windows\System32\olethk32.dll
C:\Windows\SysWOW64\olethk32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\rpcrt4.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\shell32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\url.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\urlmon.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\user32.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\version.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\wininet.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\wldap32.dll IS MISSING <==== ATTENTION!

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe
[2002-08-29 04:00] - [2004-08-03 23:56] - 0502272 ____A (Microsoft Corporation) 01C3346C241652F43AED8E2149881BFE

C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\explorer.exe
[2003-05-11 18:12] - [2007-06-13 02:23] - 1033216 ____A (Microsoft Corporation) 97BD6515465659FF8F3B7BE375B2EA87

C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe
[2002-08-29 04:00] - [2004-08-03 23:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe
[2008-09-23 15:36] - [2009-02-06 09:14] - 0110592 ____A (Microsoft Corporation) 37561F8D4160D62DA86D24AE41FAE8DE

C:\Windows\System32\User32.dll
[2002-08-29 04:00] - [2007-03-08 07:36] - 0577536 ____A (Microsoft Corporation) B409909F6E2E8A7067076ED748ABF1E7

C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe
[2008-09-23 15:36] - [2004-08-03 23:56] - 0024576 ____A (Microsoft Corporation) 39B1FFB03C2296323832ACBAE50D2AFF

C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys
[2008-09-23 15:35] - [2004-08-03 22:00] - 0052352 ____A (Microsoft Corporation) EE4660083DEBA849FF6C485D944B379B


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3839.12 MB
Available physical RAM: 3278.91 MB
Total Pagefile: 3837.27 MB
Available Pagefile: 3271.53 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions ============================

1 Drive c: (Main drive) (Fixed) (Total:111.8 GB) (Free:79.48 GB) NTFS
2 Drive e: (OS) (Fixed) (Total:587.7 GB) (Free:499.85 GB) NTFS
8 Drive k: () (Removable) (Total:3.72 GB) (Free:1.64 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
10 Drive y: (RECOVERY) (Fixed) (Total:8.42 GB) (Free:4.33 GB) NTFS ==>[System with boot components (obtained from reading drive)]

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          596 GB      0 B
  Disk 1    Online          111 GB    10 MB
  Disk 2    No Media           0 B      0 B
  Disk 3    No Media           0 B      0 B
  Disk 4    No Media           0 B      0 B
  Disk 5    No Media           0 B      0 B
  Disk 6    Online         3823 MB      0 B

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 54 MB    31 KB
  Partition 2    Primary              8 GB    55 MB
  Partition 3    Primary            587 GB     8 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 9                      FAT    Partition     54 MB  Healthy    Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y    RECOVERY     NTFS   Partition      8 GB  Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     E    OS           NTFS   Partition    587 GB  Healthy

==================================================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            111 GB    31 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     C    Main drive   NTFS   Partition    111 GB  Healthy

==================================================================================

Partitions of Disk 6:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3819 MB  4096 KB

==================================================================================

Disk: 6
Partition 1
Type : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 8     K                 FAT32  Removable   3819 MB  Healthy

==================================================================================
==================== End Of Log =============================

# == END FRST.txt == #

#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 14 September 2012 - 09:56 PM

what kind of setup do you have there?

the DDS log said you were running Win 7

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.1512 [GMT -4:00]

yet the FRST log shows XP

Microsoft Windows XP (X64) OS Language: English(US)

ATTENTION!:=====> THE OPERATING SYSTEM IS A X86 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X64 SYSTEM DISK.

so the drive is not being read properly?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 mstap42

  • Topic Starter
  • Members
  • 65 posts
  • Gender:Male

Posted 15 September 2012 - 08:06 PM

CatByte,

Sorry about that. I scanned the wrong drive, despite a helpful prompt from FRST64. Scan log for the correct drive is pasted below.

My setup:
Disk 0 :: From an old box that ran under XP. I yanked it from the old PC and dropped it in my current box for backup, not boot.
Disk 1 :: Main drive, Win 7 Home Premium, as reported by DDS.

# == BEGIN FRST.txt, second try...this time for the correct drive (Win7 Home Prem.) == #

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-09-2012 01
Ran by SYSTEM at 15-09-2012 20:40:58
Running from K:\malware tools
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\vdeck.exe [2243584 2009-07-28] (VIA)
HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-06-14] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-06-24] (CyberLink Corp.)
HKLM-x32\...\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe" [119152 2010-03-01] (Microsoft Corporation)
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-12-15] ()
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload [1911808 2012-09-08] (Dominik Reichl)
HKU\Stapletons\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Stapletons\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-02-24] (Google Inc.)
HKU\Stapletons\...\Run: [SansaDispatch] C:\Users\Stapletons\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2012-05-03] (SanDisk Corporation)
HKU\Stapletons\...\Run: [Easy Dock] [x]
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
Startup: C:\Users\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
ShortcutTarget: APC UPS Status.lnk -> C:\Program Files (x86)\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\CrashPlan Tray.lnk
ShortcutTarget: CrashPlan Tray.lnk -> C:\Program Files\CrashPlan\CrashPlanTray.exe (Code 42 Software, Inc.)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Stapletons\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Stapletons\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\Stapletons\Start Menu\Programs\Startup\RCA Detective.lnk
ShortcutTarget: RCA Detective.lnk -> (No File)

==================== Services ====================

2 APC UPS Service; "C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe" [689464 2009-01-06] (American Power Conversion Corporation)
2 AutoSkillWebServer; "C:\PassportLearning\Academy\apache\bin\Apache.exe" -k runservice [14336 2006-07-30] (Apache Software Foundation)
2 CrashPlanService; "C:\Program Files\CrashPlan\CrashPlanService.exe" [222720 2012-03-26] (CrashPlan)
2 FortiSslvpnDaemon; C:\Windows\SysWOW64\FortiSSLVPNdaemon.exe [825960 2011-02-08] (Fortinet Inc.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 PenCommService; C:\Program Files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe [470528 2011-08-11] (Livescribe)
2 AutoSkillApplicationServer; C:\PassportLearning\Academy\bin\wrapper.exe -s C:\PassportLearning\Academy\bin\app.conf [x]
2 AutoSkillDatabaseServer; C:/PassportLearning/Academy/pgsql/bin/pg_ctl.exe runservice -N "AutoSkillDatabaseServer" -D "C:/PassportLearning/Academy/data/database/pgsql" [x]

==================== Drivers =================================

3 pppop; C:\Windows\System32\DRIVERS\pppop64.sys [42528 2009-07-21] (Fortinet Inc.)
3 PcdrNdisuio; C:\Windows\SysWow64\drivers\pcdrndisuio.sys [x]
3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]

==================== NetSvcs (Whitelisted) =================


==================== One Month Created Files and Folders ======================

2012-09-13 18:54 - 2012-09-13 19:03 - 00000000 ____D C:\Users\Stapletons\Desktop\malware cleanup
2012-09-13 16:49 - 2012-09-13 16:49 - 00000000 ____D C:\Users\Stapletons\AppData\Roaming\KeePass
2012-09-13 16:38 - 2012-09-13 16:38 - 00001107 ____A C:\Users\Stapletons\Desktop\KeePass 2.lnk
2012-09-13 16:38 - 2012-09-13 16:38 - 00000000 ____D C:\Program Files (x86)\KeePass Password Safe 2
2012-09-13 16:37 - 2012-09-13 16:37 - 02494413 ____A (Dominik Reichl ) C:\Users\Stapletons\Downloads\KeePass-2.20-Setup.exe
2012-09-07 09:53 - 2012-09-07 09:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-09-02 16:57 - 2012-09-02 16:57 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-09-02 16:57 - 2012-09-02 16:57 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-09-02 16:57 - 2012-09-02 16:57 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-09-02 16:57 - 2012-09-02 16:57 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-09-02 16:55 - 2012-09-02 16:59 - 06724176 ____A (Adobe Systems Inc.) C:\Users\Stapletons\Downloads\Shockwave_Installer_Slim.exe
2012-09-02 16:54 - 2012-09-02 16:56 - 31169000 ____A (Oracle Corporation) C:\Users\Stapletons\Downloads\jre-7u7-windows-i586.exe
2012-08-16 19:10 - 2012-08-16 19:10 - 00109056 ____A C:\Users\Stapletons\Downloads\FINAL Gluten Free Dairy Free August 2012 Recipe Cards.xls


==================== 3 Months Modified Files ================================

2012-09-15 16:33 - 2009-07-13 21:10 - 01382820 ____A C:\Windows\WindowsUpdate.log
2012-09-15 16:33 - 2009-07-13 20:51 - 05241186 ____A C:\Windows\setupact.log
2012-09-15 16:05 - 2011-02-24 18:15 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-15 15:42 - 2012-04-14 17:26 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-15 10:00 - 2011-05-25 10:05 - 00000506 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2012-09-15 08:48 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-15 08:48 - 2009-07-13 20:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-15 08:40 - 2011-02-24 18:15 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-15 08:40 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-14 18:04 - 2009-07-13 21:13 - 00786770 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-13 19:46 - 2012-09-13 19:46 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-13 16:38 - 2012-09-13 16:38 - 00001107 ____A C:\Users\Stapletons\Desktop\KeePass 2.lnk
2012-09-13 16:37 - 2012-09-13 16:37 - 02494413 ____A (Dominik Reichl ) C:\Users\Stapletons\Downloads\KeePass-2.20-Setup.exe
2012-09-12 10:00 - 2010-01-24 10:24 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-09-08 05:07 - 2011-05-25 10:05 - 00000564 ____A C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2012-09-07 13:04 - 2012-07-08 13:36 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-02 16:59 - 2012-09-02 16:55 - 06724176 ____A (Adobe Systems Inc.) C:\Users\Stapletons\Downloads\Shockwave_Installer_Slim.exe
2012-09-02 16:57 - 2012-09-02 16:57 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-09-02 16:57 - 2012-09-02 16:57 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-09-02 16:57 - 2012-09-02 16:57 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-09-02 16:57 - 2012-09-02 16:57 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-09-02 16:57 - 2010-05-05 15:06 - 00746984 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-09-02 16:56 - 2012-09-02 16:54 - 31169000 ____A (Oracle Corporation) C:\Users\Stapletons\Downloads\jre-7u7-windows-i586.exe
2012-09-02 16:45 - 2012-04-14 17:26 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-09-02 16:45 - 2011-05-20 17:47 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-29 10:01 - 2010-03-12 18:21 - 00002515 ____A C:\Users\Public\Desktop\Skype.lnk
2012-08-16 19:10 - 2012-08-16 19:10 - 00109056 ____A C:\Users\Stapletons\Downloads\FINAL Gluten Free Dairy Free August 2012 Recipe Cards.xls
2012-08-15 15:33 - 2012-08-15 10:59 - 00012709 ____A C:\Users\Stapletons\Documents\2012 schedule.xlsx
2012-08-15 10:43 - 2009-07-13 20:45 - 00437264 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-08 17:02 - 2010-01-18 22:02 - 00036800 ____A C:\Windows\PFRO.log
2012-08-07 17:09 - 2010-01-22 18:43 - 00001006 ____A C:\Users\Stapletons\Desktop\My Docs - OLD DRIVE.lnk
2012-07-26 18:26 - 2012-07-26 18:24 - 36519048 ____A (CrashPlan) C:\Users\Stapletons\Downloads\CrashPlan-x64_3.2.1_Win.exe
2012-07-19 16:49 - 2009-07-13 21:08 - 00032562 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-18 09:31 - 2012-08-15 09:54 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-15 13:57 - 2012-07-15 13:57 - 00013728 ____A C:\Users\Stapletons\Desktop\pinball - Shortcut.lnk
2012-07-12 14:15 - 2010-01-23 20:20 - 00007626 ____A C:\Users\Stapletons\AppData\Local\Resmon.ResmonCfg
2012-07-12 13:46 - 2012-01-20 18:48 - 00893936 ____A (Oracle Corporation) C:\Users\Stapletons\Downloads\jxpiinstall.exe
2012-07-11 04:00 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-07-10 20:19 - 2012-07-10 20:19 - 00022291 ____A C:\ComboFix.txt
2012-07-10 19:18 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-07-09 15:19 - 2012-07-09 15:19 - 00000000 ____A C:\Users\Stapletons\defogger_reenable
2012-07-08 15:05 - 2009-07-13 15:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-08 15:03 - 2012-07-08 15:03 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.B35F8D52ADEFB97C
2012-07-08 15:00 - 2012-07-08 15:00 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.88C7413FBBCDABC8
2012-07-08 14:56 - 2012-07-08 14:56 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.365FE88F59834D41
2012-07-08 14:51 - 2012-07-08 14:51 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F0B9CE567D9279DA
2012-07-08 14:48 - 2012-07-08 14:48 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4E6256BD9401289E
2012-07-08 14:40 - 2011-01-26 05:49 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-08 14:39 - 2010-08-23 04:56 - 00800428 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-07 16:18 - 2012-07-07 16:17 - 13419112 ____A (Stardock Corporation ) C:\Users\Stapletons\Downloads\DellDock16a_setup_ENG.exe
2012-07-05 18:06 - 2012-07-12 13:48 - 00772544 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-07-04 14:04 - 2012-08-15 09:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 14:01 - 2012-08-15 09:54 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 14:01 - 2012-08-15 09:54 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 13:26 - 2012-08-15 09:54 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 13:23 - 2012-08-15 09:54 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-06-28 20:55 - 2012-08-15 10:03 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-28 20:09 - 2012-08-15 10:03 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-28 19:56 - 2012-08-15 10:03 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-28 19:49 - 2012-08-15 10:03 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-28 19:49 - 2012-08-15 10:03 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-28 19:48 - 2012-08-15 10:03 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-28 19:47 - 2012-08-15 10:03 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-28 19:45 - 2012-08-15 10:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-28 19:44 - 2012-08-15 10:03 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-28 19:43 - 2012-08-15 10:03 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-28 19:42 - 2012-08-15 10:03 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-28 19:40 - 2012-08-15 10:03 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-28 19:39 - 2012-08-15 10:03 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-28 19:35 - 2012-08-15 10:03 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-28 16:52 - 2012-08-15 10:03 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-28 16:27 - 2012-08-15 10:03 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-28 16:16 - 2012-08-15 10:03 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-28 16:09 - 2012-08-15 10:03 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-28 16:09 - 2012-08-15 10:03 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-28 16:08 - 2012-08-15 10:03 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-28 16:07 - 2012-08-15 10:03 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-28 16:06 - 2012-08-15 10:03 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-28 16:04 - 2012-08-15 10:03 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-28 16:04 - 2012-08-15 10:03 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-28 16:01 - 2012-08-15 10:03 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-28 16:01 - 2012-08-15 10:03 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-28 16:00 - 2012-08-15 10:03 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-28 15:57 - 2012-08-15 10:03 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll


ZeroAccess:
C:\Windows\Installer\{9550df1c-e541-9837-84c9-ac102cebaa3f}
C:\Windows\Installer\{9550df1c-e541-9837-84c9-ac102cebaa3f}\L
C:\Windows\Installer\{9550df1c-e541-9837-84c9-ac102cebaa3f}\U
C:\Windows\Installer\{9550df1c-e541-9837-84c9-ac102cebaa3f}\L\00000004.@
C:\Windows\Installer\{9550df1c-e541-9837-84c9-ac102cebaa3f}\L\1afb2d56
C:\Windows\Installer\{9550df1c-e541-9837-84c9-ac102cebaa3f}\L\201d3dde

ZeroAccess:
C:\Users\Stapletons\AppData\Local\{9550df1c-e541-9837-84c9-ac102cebaa3f}
C:\Users\Stapletons\AppData\Local\{9550df1c-e541-9837-84c9-ac102cebaa3f}\@
C:\Users\Stapletons\AppData\Local\{9550df1c-e541-9837-84c9-ac102cebaa3f}\L
C:\Users\Stapletons\AppData\Local\{9550df1c-e541-9837-84c9-ac102cebaa3f}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-02 10:09:51
Restore point made on: 2012-09-02 16:48:08
Restore point made on: 2012-09-02 16:50:17
Restore point made on: 2012-09-02 16:57:00
Restore point made on: 2012-09-06 10:47:59
Restore point made on: 2012-09-10 10:45:15
Restore point made on: 2012-09-12 10:00:39
Restore point made on: 2012-09-15 10:45:38

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 3839.12 MB
Available physical RAM: 3200.67 MB
Total Pagefile: 3837.27 MB
Available Pagefile: 3193.23 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

==================== Partitions ============================

1 Drive c: (OS) (Fixed) (Total:587.7 GB) (Free:501.03 GB) NTFS
2 Drive d: (Main drive) (Fixed) (Total:111.8 GB) (Free:79.48 GB) NTFS
8 Drive k: () (Removable) (Total:3.72 GB) (Free:1.64 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
10 Drive y: (RECOVERY) (Fixed) (Total:8.42 GB) (Free:4.33 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 111 GB 10 MB
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B
Disk 6 Online 3823 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 54 MB 31 KB
Partition 2 Primary 8 GB 55 MB
Partition 3 Primary 587 GB 8 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 9 FAT Partition 54 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 8 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 587 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 111 GB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D Main drive NTFS Partition 111 GB Healthy

==================================================================================

Partitions of Disk 6:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3819 MB 4096 KB

==================================================================================

Disk: 6
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 8 K FAT32 Removable 3819 MB Healthy

==================================================================================

Last Boot: 2012-09-06 04:14

==================== End Of Log =============================

# == END FRST.txt, second try == #

#6 CatByte
  • bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 15 September 2012 - 08:51 PM

That looks better. Please run the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

start
C:\Windows\Installer\{9550df1c-e541-9837-84c9-ac102cebaa3f}
C:\Users\Stapletons\AppData\Local\{9550df1c-e541-9837-84c9-ac102cebaa3f}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.

NEXT

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
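The two {GUID} directories FRST flagged in the log above (one under C:\Windows\Installer and one under the user's AppData\Local, each holding L and U subfolders, the AppData one also an "@" file) and the start/end fixlist that moves them are the whole of this step. As an added example, not part of the original thread and not FRST's own code, the Python below encodes that on-disk layout as a detection rule, scans a directory tree for it, and renders the matches in the same fixlist format. The sample tree is constructed in a temporary directory from the names in the log, so the scan runs offline on any OS; on a real Windows host you would point find_zeroaccess_dirs at the drive root. The access-denied handling is an assumption of this example: a GUID folder in a suspect parent that cannot be read is reported for review rather than silently skipped.

```python
import os
import re
import tempfile

# A GUID-named directory, e.g. {9550df1c-e541-9837-84c9-ac102cebaa3f}
GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)

# Parent folder names in which FRST reported the GUID directories on this machine.
SUSPECT_PARENTS = ("Installer", "Local")


def classify_guid_dir(path):
    """Return the reasons a GUID-named directory matches the layout FRST
    reported (an '@' file, or both 'L' and 'U' subfolders); [] if it does not."""
    reasons = []
    try:
        entries = {e.name: e for e in os.scandir(path)}
    except PermissionError:
        # Assumption for this example: an unreadable GUID folder in a suspect
        # parent is itself worth reporting rather than skipping.
        return ["access denied"]
    if "@" in entries and entries["@"].is_file():
        reasons.append("'@' file present")
    if all(n in entries and entries[n].is_dir() for n in ("L", "U")):
        reasons.append("'L' and 'U' subfolders present")
    return reasons


def find_zeroaccess_dirs(root):
    """Walk root and return [(dir_path, reasons)] for every GUID-named folder
    under an Installer or Local directory whose contents match the rule."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.basename(dirpath) not in SUSPECT_PARENTS:
            continue
        for name in list(dirnames):
            if not GUID_DIR.match(name):
                continue
            full = os.path.join(dirpath, name)
            reasons = classify_guid_dir(full)
            if reasons:
                hits.append((full, reasons))
                dirnames.remove(name)  # do not descend into a flagged folder
    return hits


def build_fixlist(paths):
    """Render the fixlist.txt format used in the thread: the paths to move,
    one per line, between 'start' and 'end'."""
    return "\n".join(["start", *paths, "end"]) + "\n"


def build_sample_tree(base):
    """Constructed stand-in for the layout in the FRST log (sample data, not
    copied from a real disk). Returns the two directories that should match."""
    guid = "{9550df1c-e541-9837-84c9-ac102cebaa3f}"
    inst = os.path.join(base, "Windows", "Installer", guid)
    for sub in ("L", "U"):
        os.makedirs(os.path.join(inst, sub))
    for f in ("00000004.@", "1afb2d56", "201d3dde"):
        open(os.path.join(inst, "L", f), "wb").close()
    local = os.path.join(base, "Users", "Stapletons", "AppData", "Local", guid)
    for sub in ("L", "U"):
        os.makedirs(os.path.join(local, sub))
    open(os.path.join(local, "@"), "wb").close()
    # A benign MSI-cache style folder: GUID-named, but without the marker layout.
    benign = os.path.join(base, "Windows", "Installer",
                          "{11111111-2222-3333-4444-555555555555}")
    os.makedirs(benign)
    open(os.path.join(benign, "setup.msi"), "wb").close()
    return [inst, local]


def demo():
    """Build the sample tree, scan it, and return (hits, fixlist_text, expected)."""
    base = tempfile.mkdtemp(prefix="za_demo_")
    expected = build_sample_tree(base)
    hits = find_zeroaccess_dirs(base)
    fixlist = build_fixlist([p for p, _ in hits])
    return hits, fixlist, expected


if __name__ == "__main__":
    found, text, _ = demo()
    for path, why in found:
        print(path, "->", "; ".join(why))
    print(text, end="")
```

C:\Windows\Installer legitimately holds many {GUID} folders (the MSI cache), which is why the rule keys on the folder's contents and not on its name alone; the benign GUID folder in the sample tree, which only contains an .msi, is not reported. The generated fixlist lists only the two top-level folders, as CatByte's did, since FRST moves a directory with everything inside it.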


#7 mstap42
  • Topic Starter
  • Members
  • 65 posts

Posted 16 September 2012 - 11:44 AM

CatByte,

Here are the logs for 'FRST64.exe -Fix < fixlist.txt' and ComboFix.

MSSE re-enabled.

Thanks!

# == BEGIN Fixlog.txt == #

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-09-2012 01
Ran by SYSTEM at 2012-09-15 23:30:44 Run:1
Running from K:\malware tools

==============================================

C:\Windows\Installer\{9550df1c-e541-9837-84c9-ac102cebaa3f} moved successfully.
C:\Users\Stapletons\AppData\Local\{9550df1c-e541-9837-84c9-ac102cebaa3f} moved successfully.

==== End of Fixlog ====

# ==== END Fixlog.txt ==== #

# == BEGIN ComboFix.txt == #

ComboFix 12-09-15.02 - Stapletons 09/15/2012 23:39:11.4.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.2125 [GMT -4:00]
Running from: c:\users\Stapletons\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-08-16 to 2012-09-16 )))))))))))))))))))))))))))))))
.
.
2012-09-16 05:49 . 2012-09-16 05:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-16 05:49 . 2012-09-16 05:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-16 03:34 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{886E6C8D-7B0A-47DC-A748-93827BD95C72}\mpengine.dll
2012-09-15 18:46 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-14 00:49 . 2012-09-14 00:49 -------- d-----w- c:\users\Stapletons\AppData\Roaming\KeePass
2012-09-14 00:38 . 2012-09-14 00:38 -------- d-----w- c:\program files (x86)\KeePass Password Safe 2
2012-09-03 00:57 . 2012-09-03 00:57 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-09-03 00:57 . 2012-09-03 00:57 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-29 18:01 . 2012-08-29 18:01 -------- d-----w- c:\program files (x86)\Common Files\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-12 18:00 . 2010-01-24 18:24 64462936 ----a-w- c:\windows\system32\MRT.exe
2012-09-07 21:04 . 2012-07-08 21:36 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-03 00:57 . 2010-05-05 23:06 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-09-03 00:45 . 2012-04-15 01:26 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-03 00:45 . 2011-05-21 01:47 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-31 12:25 . 2010-04-18 19:47 4278384 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2012-08-31 12:25 . 2010-06-01 13:10 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2012-07-24 19:24 . 2010-01-27 20:30 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2012-07-24 19:24 . 2010-01-27 20:30 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-07-24 19:24 . 2010-05-19 12:36 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2012-07-24 19:24 . 2010-02-28 14:00 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-07-18 17:31 . 2012-08-15 17:54 3146752 ----a-w- c:\windows\system32\win32k.sys
2012-07-14 17:23 . 2010-01-29 13:04 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-07-14 17:12 . 2010-01-27 20:30 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-07-08 23:05 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe
2012-07-08 23:03 . 2012-07-08 23:03 328704 ----a-w- c:\windows\system32\services.exe.B35F8D52ADEFB97C
2012-07-08 23:00 . 2012-07-08 23:00 328704 ----a-w- c:\windows\system32\services.exe.88C7413FBBCDABC8
2012-07-08 22:56 . 2012-07-08 22:56 328704 ----a-w- c:\windows\system32\services.exe.365FE88F59834D41
2012-07-08 22:51 . 2012-07-08 22:51 328704 ----a-w- c:\windows\system32\services.exe.F0B9CE567D9279DA
2012-07-08 22:48 . 2012-07-08 22:48 328704 ----a-w- c:\windows\system32\services.exe.4E6256BD9401289E
2012-07-08 22:43 . 2012-07-08 22:43 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6C91E880-E080-4764-A047-434AFD215684}\gapaengine.dll
2012-07-06 02:06 . 2012-07-12 21:48 772544 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-07-04 22:04 . 2012-08-15 17:54 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-07-04 22:01 . 2012-08-15 17:54 58880 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 22:01 . 2012-08-15 17:54 136704 ----a-w- c:\windows\system32\browser.dll
2012-07-04 21:23 . 2012-08-15 17:54 41472 ----a-w- c:\windows\SysWow64\browcli.dll
2012-06-29 04:55 . 2012-08-15 18:03 17809920 ----a-w- c:\windows\system32\mshtml.dll
2012-06-29 04:09 . 2012-08-15 18:03 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-06-29 03:56 . 2012-08-15 18:03 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 03:49 . 2012-08-15 18:03 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-29 03:49 . 2012-08-15 18:03 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 03:48 . 2012-08-15 18:03 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 03:47 . 2012-08-15 18:03 237056 ----a-w- c:\windows\system32\url.dll
2012-06-29 03:45 . 2012-08-15 18:03 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-29 03:44 . 2012-08-15 18:03 816640 ----a-w- c:\windows\system32\jscript.dll
2012-06-29 03:43 . 2012-08-15 18:03 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 03:42 . 2012-08-15 18:03 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-29 03:40 . 2012-08-15 18:03 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-29 03:39 . 2012-08-15 18:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-29 03:35 . 2012-08-15 18:03 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-29 00:16 . 2012-08-15 18:03 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-29 00:09 . 2012-08-15 18:03 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-29 00:08 . 2012-08-15 18:03 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-29 00:04 . 2012-08-15 18:03 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-29 00:00 . 2012-08-15 18:03 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Stapletons\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Stapletons\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Stapletons\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-02-25 39408]
"SansaDispatch"="c:\users\Stapletons\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2012-05-03 79872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\vdeck.exe" [2009-07-28 2243584]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-06-15 98304]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
"LifeCam"="c:\program files (x86)\Microsoft LifeCam\LifeExp.exe" [2010-03-02 119152]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-27 59240]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-12-16 498160]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"KeePass 2 PreLoad"="c:\program files (x86)\KeePass Password Safe 2\KeePass.exe" [2012-09-08 1911808]
.
c:\users\Stapletons\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]
Dropbox.lnk - c:\users\Stapletons\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
RCA Detective.lnk - c:\users\Stapletons\Documents\RCA Detective\RCADetective.exe [2012-5-16 868864]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files (x86)\APC\APC PowerChute Personal Edition\Display.exe [2009-1-6 267576]
CrashPlan Tray.lnk - c:\program files\CrashPlan\CrashPlanTray.exe [2012-3-26 217088]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-9-21 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 AutoSkillApplicationServer;AutoSkill Application Server;c:\passportlearning\Academy\bin\wrapper.exe [2008-02-07 135168]
R2 AutoSkillDatabaseServer;AutoSkillDatabaseServer;C:/PassportLearning/Academy/pgsql/bin/pg_ctl.exe runservice -N AutoSkillDatabaseServer -D C:/PassportLearning/Academy/data/database/pgsql [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-25 136176]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-03 250568]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-25 136176]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-07 114144]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2011-05-12 25072]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-13 1255736]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-06-15 203264]
S2 AutoSkillWebServer;AutoSkillWebServer;c:\passportlearning\Academy\apache\bin\Apache.exe [2006-07-30 14336]
S2 CrashPlanService;CrashPlan Backup Service;c:\program files\CrashPlan\CrashPlanService.exe [2012-03-26 222720]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\SysWOW64\FortiSSLVPNdaemon.exe [2011-02-08 825960]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-08-25 13672]
S2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe [2011-08-11 470528]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-08-13 3064000]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [2010-03-02 36720]
S3 pppop;PPPoP WAN Adapter;c:\windows\system32\DRIVERS\pppop64.sys [2009-07-21 42528]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-07-25 1224704]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 00:45]
.
2012-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-25 02:14]
.
2012-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-25 02:14]
.
2012-09-08 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:09]
.
2012-09-16 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:09]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Stapletons\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Stapletons\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Stapletons\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.254.254
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
DPF: {B6648EB8-2460-484F-9255-9654454C4C70} - hxxps://vpn.louisville.edu/prx/000/http/localhost/arr_x.cab
FF - ProfilePath - c:\users\Stapletons\AppData\Roaming\Mozilla\Firefox\Profiles\6bb5gtwl.default\
FF - prefs.js: browser.search.selectedEngine - Startpage HTTPS
FF - prefs.js: browser.startup.homepage - about:blank
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-Easy Dock - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AutoSkillDatabaseServer]
"ImagePath"="C:/PassportLearning/Academy/pgsql/bin/pg_ctl.exe runservice -N \"AutoSkillDatabaseServer\" -D \"C:/PassportLearning/Academy/data/database/pgsql\""
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AutoSkillDatabaseServer]
"ImagePath"="C:/PassportLearning/Academy/pgsql/bin/pg_ctl.exe runservice -N \"AutoSkillDatabaseServer\" -D \"C:/PassportLearning/Academy/data/database/pgsql\""
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
c:\program files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2012-09-16 08:29:08 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-16 12:28
ComboFix2.txt 2012-07-11 04:19
.
Pre-Run: 537,806,774,272 bytes free
Post-Run: 537,641,353,216 bytes free
.
- - End Of File - - DEAA20A99EB8912F159878B8195C045B

# == END ComboFix.txt == #

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:10 PM

Posted 16 September 2012 - 12:51 PM

Please do the following:


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT



  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 mstap42

mstap42
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:10 PM

Posted 16 September 2012 - 03:51 PM

CatByte,

Currently running ESET scanner per instructions.

But... Win32/Sirefef!cfg is back, quarantined by MSSE as ESET runs in IE9.

See below for the requested AdwCleaner and MBAM logs, run with params per instructions. For amusement only, I guess, given this recent news.

Please advise.

Thanks:

# == BEGIN AdwCleaner log == #
# AdwCleaner v2.002 - Logfile created 09/16/2012 at 16:27:46
# Updated 16/09/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Stapletons - STAPLETONS-PC
# Boot Mode : Normal
# Running from : C:\Users\Stapletons\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\Software\Conduit

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Users\Stapletons\AppData\Roaming\Mozilla\Firefox\Profiles\6bb5gtwl.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1389 octets] - [16/09/2012 16:27:46]

########## EOF - C:\AdwCleaner[S1].txt - [1449 octets] ##########

# == END AdwCleaner log == #


# == BEGIN MBAM log == #

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.16.11

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Stapletons :: STAPLETONS-PC [administrator]

9/16/2012 4:33:29 PM
mbam-log-2012-09-16 (16-33-29).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 204232
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


# == END MBAM log == #

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:10 PM

Posted 16 September 2012 - 04:24 PM

But... Win32/Sirefef!cfg is back, quarantined by MSSE as ESET runs in IE9.


what was the path of the detection?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 mstap42

mstap42
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:10 PM

Posted 16 September 2012 - 04:37 PM

C:\FRST\Quarantine\{9550df1c-e541-9837-84c9-ac102cebaa3f}\{9550df1c-e541-9837-84c9-ac102cebaa3f}\@

Hmm. I must have missed a "remove" step somewhere.

No worries?

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:10 PM

Posted 16 September 2012 - 04:49 PM

No, you didn't miss a step.

The bad files removed by FRST are kept in a quarantine folder where they can no longer harm your computer. At the end, when we clean up all our tools, you can delete that folder if you wish, but it has backup registry hives there as well, so we keep those just in case there is a problem. So it's fine for now.

(Bad files are never actually "deleted" from a machine; they are just "moved" to a different section of the hard disk and/or the pointer to the file location is changed. Then the bad code is overwritten by other code eventually, when other files are saved to the location where the bad file is/was, so the code is obliterated... hope that makes sense.)

The ESET can take several hours, so be patient....

Edited by CatByte, 16 September 2012 - 04:49 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
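The two points in this exchange (a scanner re-detecting a sample that another tool had already moved into its quarantine folder, and quarantine being a move rather than a destructive delete) are illustrated below with an added Python example. This is not code from the thread, from FRST or from any of the tools named here. It assumes a hypothetical list of quarantine roots (C:\FRST\Quarantine is the folder named in the thread; the second entry is a placeholder), a constructed sample file, and a simple JSON manifest format of my own for recording where a quarantined file came from.

```python
"""Quarantine triage helper (added example, not the thread's or FRST's code).

Two things it demonstrates:
  1. Deciding whether an AV detection path sits inside a known quarantine
     folder, which usually means a scanner re-read an already-isolated sample
     rather than finding a live infection.
  2. Quarantining a file by moving it aside under a non-executable name with a
     manifest, so the bytes survive for analysis and restore but the file no
     longer exists at the path the system would run it from.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path, PureWindowsPath

# Hypothetical quarantine roots. C:\FRST\Quarantine is the folder named in the
# thread; the second is a placeholder standing in for any other tool's folder.
KNOWN_QUARANTINE_ROOTS = [
    PureWindowsPath(r"C:\FRST\Quarantine"),
    PureWindowsPath(r"C:\PLACEHOLDER_TOOL\Quarantine"),
]


def is_quarantine_detection(detection_path: str, roots=KNOWN_QUARANTINE_ROOTS) -> bool:
    """True if the detection path lies under one of the known quarantine roots.

    Comparison is case-insensitive and component-wise, so a root never matches
    a mere string prefix such as C:\\FRST\\QuarantineOld.
    """
    parts = [s.lower() for s in PureWindowsPath(detection_path).parts]
    for root in roots:
        rparts = [s.lower() for s in root.parts]
        if parts[:len(rparts)] == rparts:
            return True
    return False


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large samples do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(path: Path, qdir: Path) -> Path:
    """Move `path` into `qdir` as <sha256>.quar and write a <sha256>.json manifest.

    The file is moved, not destroyed: its contents stay available for a
    second-opinion scan or a restore, but nothing references it by its
    original name or executable extension any more.
    """
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(path)
    dest = qdir / f"{digest}.quar"
    shutil.move(str(path), str(dest))
    manifest = qdir / f"{digest}.json"
    manifest.write_text(json.dumps({
        "original_path": str(path),
        "sha256": digest,
        "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }))
    return dest


def restore(manifest: Path) -> Path:
    """Undo a quarantine using its manifest (the false-positive path)."""
    info = json.loads(manifest.read_text())
    src = manifest.with_suffix(".quar")
    dest = Path(info["original_path"])
    shutil.move(str(src), str(dest))
    manifest.unlink()
    return dest


def demo() -> dict:
    """Constructed walk-through on a throwaway temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = root / "suspect.exe"
        sample.write_bytes(b"MZ fake sample, constructed for this example")
        before = sha256_of(sample)
        q = quarantine(sample, root / "Quarantine")
        moved = (not sample.exists()) and q.exists()
        intact = sha256_of(q) == before          # bytes survive the move
        back = restore(q.with_suffix(".json"))
        return {"moved": moved, "intact": intact,
                "restored": back.exists() and not q.exists()}


if __name__ == "__main__":
    hit = r"C:\FRST\Quarantine\{9550df1c-e541-9837-84c9-ac102cebaa3f}\{9550df1c-e541-9837-84c9-ac102cebaa3f}\@"
    print("inside quarantine:", is_quarantine_detection(hit))
    print(demo())
```

Run as a script it prints whether the path from post #11 is a quarantine re-detection (it is) and the result of the move/verify/restore round trip. The design point is the one CatByte makes: the quarantine step changes where the file lives and what it is called, not whether its bytes exist, which is exactly why a second scanner that reads that folder will still raise the same signature.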


#13 mstap42

mstap42
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:10 PM

Posted 16 September 2012 - 05:01 PM

whew ... thanks for the explanation.

Last time around, it ran for about 4 hours. Will get back with you tomorrow.

#14 mstap42

mstap42
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:10 PM

Posted 16 September 2012 - 05:07 PM

whew ... thanks for the explanation.

Last time around, it ran for about 4 hours. Will get back with you tomorrow.

Muchas gracias.

#15 mstap42

mstap42
  • Topic Starter

  • Members
  • 65 posts
  •  
  • Gender:Male
  • Local time:05:10 PM

Posted 16 September 2012 - 09:45 PM

CatByte,

Here's the ESET scan log:

C:\Users\Stapletons\Downloads\Source\Setup_FreeConverter.exe Win32/Toolbar.SearchSuite application

Thanks!
