Cleanup after running CF on my own


  • This topic is locked
39 replies to this topic

#1 David Balažic

  • Members
  • 28 posts
  • OFFLINE
  • Local time:11:25 PM

Posted 15 September 2012 - 04:19 AM

As requested in this thread, I post here the DDS log.
As I'm on 64 bit Windows, no GMER log (as per Step 8 in the Preparation Guide).

Before the log, a quote of my first post from the other forum thread, describing the situation:

Hi!

I made the mistake of running Combofix on my own initiative.

This is on Windows 7 Home Premium 64 bit (up to date).

I had a few programs open when I ran ComboFix: Windows Explorer, Firefox, uTorrent, HDDLED, CursorHider and maybe bitcoin-qt (not sure)
Some of them were closed by CF.
Then suddenly the CF exe file disappeared from the folder where it was. Also the CF window was nowhere to be seen any more.

As I had two copies of ComboFix.exe, I started the other one. (version 12.9.14.3)
This time it ran to the end and displayed the log.

There was no malware reported, but CursorHider.exe and c:\programdata\ntuser.dat were deleted (moved to quarantine).

The question is, how to revert the changes?

I found this topic suggesting System Restore, but when I start System Restore, I get a dialog warning that System Restore is disabled. So I decided to ask here before doing anything more.


Thanks in advance,
David


Now the DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64 
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 10.7.2
Run by stein at 11:10:49 on 2012-09-15
Microsoft Windows 7 Home Premium   6.1.7601.1.1250.386.1033.18.4078.2455 [GMT 2:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\SysWOW64\vmnat.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\WUDFHost.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\stein\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\system32\wbem\wmiprvse.exe
K:\Downloads\Defogger.exe
C:\Windows\system32\conhost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aldi.com
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [hddled.exe] C:\Program Files (x86)\HddLed\hddled.exe s
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" 60
mRun: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: %windir%\system32\vsocklib.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5FDEDADD-6F28-4D36-BCAE-1F7B6B0DE51A} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: x-owacid2 - {5B290518-830E-4C57-A66B-E4F748900C27} - C:\Program Files (x86)\Microsoft\SMIME Client (2010)\mimectl.dll
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" 60
mRun-x64: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\stein\AppData\Roaming\Mozilla\Firefox\Profiles\x0642j45.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Users\stein\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Users\stein\AppData\Roaming\Mozilla\plugins\np-mswmp.dll
FF - plugin: C:\Users\stein\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\stein\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 vsock;vSockets Driver;C:\Windows\system32\drivers\vsock.sys --> C:\Windows\system32\drivers\vsock.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-1-24 13592]
R2 MemeoBackgroundService;MemeoBackgroundService;C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe [2011-9-28 25824]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-8-11 1262400]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-5-15 382272]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-1-24 2656280]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2012-8-1 917656]
R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\system32\drivers\asmthub3.sys --> C:\Windows\system32\drivers\asmthub3.sys [?]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\system32\drivers\asmtxhci.sys --> C:\Windows\system32\drivers\asmtxhci.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8192su.sys --> C:\Windows\system32\DRIVERS\RTL8192su.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Storitev Posodobitve za Google (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-4-2 136176]
S2 hddledd;hddledd;C:\Program Files (x86)\HddLed\hddledd.exe [2009-8-21 49152]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-7 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-22 250568]
S3 bcbxq;{D874112A-74A7-43D0-A61C-FE055821F921};C:\Program Files (x86)\ophcrack\pwdump\servpw.exe --> C:\Program Files (x86)\ophcrack\pwdump\servpw.exe [?]
S3 fbsnc;{F0503CEC-8C0D-410C-8BFA-B9FCAAB362C2};C:\Program Files (x86)\ophcrack\pwdump\servpw.exe --> C:\Program Files (x86)\ophcrack\pwdump\servpw.exe [?]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2012-4-8 135584]
S3 gupdatem;Storitev Posodobitve za Google (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-4-2 136176]
S3 ivusb;Initio Driver for USB Default Controller;C:\Windows\system32\DRIVERS\ivusb.sys --> C:\Windows\system32\DRIVERS\ivusb.sys [?]
S3 LcAgent;LC Remote Agent;C:\Windows\Temp\lcagent.exe --> C:\Windows\Temp\lcagent.exe [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-24 114144]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
S3 wsvd;wsvd;C:\Windows\system32\DRIVERS\wsvd.sys --> C:\Windows\system32\DRIVERS\wsvd.sys [?]
.
=============== Created Last 30 ================
.
2012-09-14 21:01:29	98816	----a-w-	C:\Windows\sed.exe
2012-09-14 21:01:29	518144	----a-w-	C:\Windows\SWREG.exe
2012-09-14 21:01:29	256000	----a-w-	C:\Windows\PEV.exe
2012-09-14 21:01:29	208896	----a-w-	C:\Windows\MBR.exe
2012-09-14 20:57:44	69000	----a-w-	C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A7C64120-A409-4A21-9E26-0354A4D44172}\offreg.dll
2012-09-14 14:38:30	9310152	----a-w-	C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A7C64120-A409-4A21-9E26-0354A4D44172}\mpengine.dll
2012-09-12 09:48:17	950128	----a-w-	C:\Windows\System32\drivers\ndis.sys
2012-09-12 09:48:17	574464	----a-w-	C:\Windows\System32\d3d10level9.dll
2012-09-12 09:48:17	41472	----a-w-	C:\Windows\System32\drivers\RNDISMP.sys
2012-09-12 09:48:16	490496	----a-w-	C:\Windows\SysWow64\d3d10level9.dll
2012-09-12 09:48:16	376688	----a-w-	C:\Windows\System32\drivers\netio.sys
2012-09-12 09:48:16	288624	----a-w-	C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-09-12 09:48:16	1913200	----a-w-	C:\Windows\System32\drivers\tcpip.sys
2012-09-11 19:50:24	--------	d-----w-	C:\Users\stein\AppData\Local\HddLed Indicator
2012-09-11 19:50:20	--------	d-----w-	C:\Program Files (x86)\HddLed
2012-09-09 22:56:36	--------	d-----w-	C:\Program Files (x86)\Kaspersky Lab
2012-08-30 21:57:39	95208	----a-w-	C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-29 14:28:32	--------	d-----w-	C:\Users\stein\AppData\Local\Western Digital
2012-08-27 20:32:19	--------	d-----w-	C:\ProgramData\Protexis
2012-08-27 19:13:33	--------	d-----w-	C:\Users\stein\AppData\Local\Softexe
2012-08-27 18:13:23	--------	d-----w-	C:\Users\stein\AppData\Local\VMware
2012-08-27 18:02:37	70256	----a-w-	C:\Windows\System32\drivers\vsock.sys
2012-08-27 18:02:37	67224	----a-w-	C:\Windows\System32\vsocklib.dll
2012-08-27 18:02:37	63128	----a-w-	C:\Windows\SysWow64\vsocklib.dll
2012-08-27 18:02:36	67224	----a-w-	C:\Windows\System32\drivers\vmx86.sys
2012-08-27 18:02:36	32920	----a-w-	C:\Windows\System32\drivers\VMkbd.sys
2012-08-27 18:02:10	357016	----a-w-	C:\Windows\SysWow64\vmnetdhcp.exe
2012-08-27 18:02:07	435864	----a-w-	C:\Windows\SysWow64\vmnat.exe
2012-08-27 18:02:07	30360	----a-w-	C:\Windows\System32\drivers\vmnetuserif.sys
2012-08-27 18:02:05	933528	----a-w-	C:\Windows\System32\vnetlib64.dll
2012-08-27 18:02:03	52376	----a-w-	C:\Windows\System32\drivers\hcmon.sys
2012-08-27 18:01:59	--------	d-----w-	C:\Program Files\Common Files\VMware
2012-08-27 18:01:55	--------	d-----w-	C:\Program Files (x86)\VMware
2012-08-27 18:01:55	--------	d-----w-	C:\Program Files (x86)\Common Files\VMware
2012-08-24 18:02:45	--------	d-----w-	C:\Users\stein\temp
2012-08-21 17:56:14	--------	d-----w-	C:\Users\stein\AppData\Roaming\Garmin
.
==================== Find3M  ====================
.
2012-09-07 15:04:46	25928	----a-w-	C:\Windows\System32\drivers\mbam.sys
2012-08-30 21:57:37	821736	----a-w-	C:\Windows\SysWow64\npdeployJava1.dll
2012-08-30 21:57:37	746984	----a-w-	C:\Windows\SysWow64\deployJava1.dll
2012-08-27 21:38:04	73416	----a-w-	C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-27 21:38:04	696520	----a-w-	C:\Windows\SysWow64\FlashPlayerApp.exe
2012-08-15 13:16:52	62104	----a-w-	C:\Windows\System32\vmnetbridge.dll
2012-08-15 13:16:52	48792	----a-w-	C:\Windows\System32\vnetinst.dll
2012-08-15 13:16:52	45720	----a-w-	C:\Windows\System32\drivers\vmnetbridge.sys
2012-08-15 13:16:50	24216	----a-w-	C:\Windows\System32\drivers\vmnet.sys
2012-08-15 13:16:50	20120	----a-w-	C:\Windows\System32\drivers\vmnetadapter.sys
2012-08-15 11:33:44	353280	----a-w-	C:\Windows\SysWow64\vmnc.dll
2012-08-01 15:10:24	37680	----a-w-	C:\Windows\System32\drivers\vmusb.sys
2012-07-18 18:15:06	3148800	----a-w-	C:\Windows\System32\win32k.sys
2012-07-06 10:29:52	85104	----a-w-	C:\Windows\System32\drivers\vmci.sys
2012-07-04 22:13:27	59392	----a-w-	C:\Windows\System32\browcli.dll
2012-07-04 22:13:27	136704	----a-w-	C:\Windows\System32\browser.dll
2012-07-04 21:14:34	41984	----a-w-	C:\Windows\SysWow64\browcli.dll
2012-06-30 17:54:06	74344	----a-w-	C:\Windows\System32\RtNicProp64.dll
2012-06-30 17:54:06	708200	----a-w-	C:\Windows\System32\drivers\Rt64win7.sys
2012-06-30 17:54:06	107552	----a-w-	C:\Windows\System32\RTNUninst64.dll
2012-06-29 03:56:34	2312704	----a-w-	C:\Windows\System32\jscript9.dll
2012-06-29 03:49:11	1392128	----a-w-	C:\Windows\System32\wininet.dll
2012-06-29 03:48:07	1494528	----a-w-	C:\Windows\System32\inetcpl.cpl
2012-06-29 03:43:49	173056	----a-w-	C:\Windows\System32\ieUnatt.exe
2012-06-29 03:39:48	2382848	----a-w-	C:\Windows\System32\mshtml.tlb
2012-06-29 00:16:58	1800704	----a-w-	C:\Windows\SysWow64\jscript9.dll
2012-06-29 00:09:01	1129472	----a-w-	C:\Windows\SysWow64\wininet.dll
2012-06-29 00:08:59	1427968	----a-w-	C:\Windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43	142848	----a-w-	C:\Windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45	2382848	----a-w-	C:\Windows\SysWow64\mshtml.tlb
2012-06-25 14:04:24	1394248	----a-w-	C:\Windows\SysWow64\msxml4.dll
.
============= FINISH: 11:11:00,07 ===============
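Reading the SERVICES / DRIVERS block of a DDS log by eye is tedious, so here is a small Python triage script, added as an example (it is not part of the original post and not a DDS or ComboFix tool). It parses lines in the format shown above and flags the entries a helper would look at first: services whose image file the tool could not verify (DDS prints `[?]`, ComboFix's equivalent section prints `[x]`) and services whose image sits under a Temp directory. The sample lines are constructed, modelled on the log above; the reading of the leading code (R = running, S = stopped, digit = Windows start type) is an assumption about the DDS format. Flagging an entry means "look at this", not "this is malicious": several of the flagged items in a log like this one are simply leftovers of legitimate tools.

```python
import re
from dataclasses import dataclass, field

# One DDS / ComboFix service line, e.g.
#   R3 LcAgent;LC Remote Agent;C:\Windows\Temp\lcagent.exe --> C:\Windows\Temp\lcagent.exe [?]
#   S2 hddledd;hddledd;C:\Program Files (x86)\HddLed\hddledd.exe [2009-8-21 49152]
# Layout assumed: <R|S><start type> <service name>;<display name>;<image> [<date size> | ? | x]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
# Splits "<image path> [meta]" into the path and the bracketed metadata.
TAIL_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$")

# Path fragments that mark a temp directory (case-insensitive match below).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool      # R = running, S = stopped (assumed DDS convention)
    start_type: int    # Windows service start type as printed by DDS
    image: str         # path of the service binary / driver
    meta: str          # "date size", "?" (not verified) or "x" (missing)


@dataclass
class Finding:
    name: str
    image: str
    reasons: list = field(default_factory=list)


def parse_service_line(line):
    """Return a ServiceEntry for a DDS/ComboFix service line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    tail = TAIL_RE.match(m.group("rest"))
    if not tail:
        return None
    image = tail.group("path")
    # DDS repeats the path after " --> " when it could not verify the file; keep the last copy.
    if "-->" in image:
        image = image.split("-->")[-1].strip()
    return ServiceEntry(
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        running=m.group("state") == "R",
        start_type=int(m.group("start")),
        image=image,
        meta=tail.group("meta").strip(),
    )


def in_temp_dir(path):
    """True if the image path passes through a Temp/tmp directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def triage(log_text):
    """Return the service entries worth a second look, with the reason for each."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = []
        if entry.meta in ("?", "x"):
            reasons.append("image not verified or missing (tool printed [%s])" % entry.meta)
        if in_temp_dir(entry.image):
            reasons.append("image lives in a temp directory")
        if reasons:
            findings.append(Finding(entry.name, entry.image, reasons))
    return findings


# Constructed sample, modelled on the SERVICES / DRIVERS section of the log above.
SAMPLE_LOG = r"""
R2 hddledd;hddledd;C:\Program Files (x86)\HddLed\hddledd.exe [2009-8-21 49152]
R3 LcAgent;LC Remote Agent;C:\Windows\Temp\lcagent.exe --> C:\Windows\Temp\lcagent.exe [?]
R3 cpuz130;cpuz130;c:\users\stein\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-24 114144]
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.name, "->", finding.image)
        for reason in finding.reasons:
            print("   ", reason)
```

Feed `triage()` the whole log text; lines outside the services block simply do not match and are skipped, so no pre-cutting is needed. The two checks are deliberately narrow: a binary the tool could not find, or one running from a temp folder, is the kind of entry a helper asks about first, while everything else in the block is left for manual review.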



#2 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:05:25 PM

Posted 15 September 2012 - 03:53 PM

Hello David Balažic, and welcome to the Malware Removal forums! :thumbsup:

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

There was no malware reported, but CursorHider.exe and c:\programdata\ntuser.dat were deleted (moved to quarantine).

How do you know it was moved to quarantine? What tool told you that? If you have run other tools, please post the logs from them. I need to see what your infection was! :thumbup2:

==========


A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please do not put your logs into codeboxes or quoteboxes, just simply paste them here for me! :thumbup2:
  • Please tell me if you have your original Windows CD/DVD available.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • Please check this topic at least once a day for a reply from me! :)

==========

Step :step1:
I see you have run Combofix on this machine before! Combofix is not a toy and should only be used by a trained helper!

Since you have already run the tool, I will need to see the logfile it made. It can be found at C:\ComboFix.txt

==========

Step :step2:
Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

==========

What I would like to see in your next reply!

  • The C:\Combofix.txt
  • The aswMBR log
  • A clear description of the problems you are having! And whether you have your CD/DVD or not!

bloopie

Edited by bloopie, 15 September 2012 - 04:07 PM.
Updated instructions


#3 David Balažic

  • Topic Starter
  • Members
  • 28 posts
  • OFFLINE
  • Local time:11:25 PM

Posted 15 September 2012 - 04:26 PM

0) I don't have a Windows CD, it is a preinstalled PC. There is a recovery partition somewhere on the HDD.

1.) the combofix.txt log:

ComboFix 12-09-14.03 - stein 14.09.2012 23:02:34.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1250.386.1033.18.4078.2102 [GMT 2:00]
Running from: k:\downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.dat
c:\users\stein\AppData\Local\Softexe\Cursor Hider\CursorHider.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-14 to 2012-09-14 )))))))))))))))))))))))))))))))
.
.
2012-09-14 21:05 . 2012-09-14 21:05 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-09-14 21:05 . 2012-09-14 21:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-14 20:57 . 2012-09-14 20:57 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A7C64120-A409-4A21-9E26-0354A4D44172}\offreg.dll
2012-09-14 14:38 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A7C64120-A409-4A21-9E26-0354A4D44172}\mpengine.dll
2012-09-12 09:48 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-12 09:48 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-12 09:48 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-12 09:48 . 2012-08-22 18:12 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-12 09:48 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-12 09:48 . 2012-08-22 18:12 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-12 09:48 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2012-09-11 19:50 . 2012-09-11 19:50 -------- d-----w- c:\users\stein\AppData\Local\HddLed Indicator
2012-09-11 19:50 . 2012-09-11 19:50 -------- d-----w- c:\program files (x86)\HddLed
2012-09-09 22:56 . 2012-09-09 22:56 -------- d-----w- c:\program files (x86)\Kaspersky Lab
2012-08-30 21:57 . 2012-08-30 21:57 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-08-30 21:57 . 2012-08-30 21:57 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-30 21:57 . 2012-08-30 21:57 -------- d-----w- c:\program files (x86)\Java
2012-08-29 14:28 . 2012-08-29 14:28 -------- d-----w- c:\users\stein\AppData\Local\Western Digital
2012-08-27 20:32 . 2012-08-27 20:32 -------- d-----w- c:\programdata\Protexis
2012-08-27 20:32 . 2012-08-27 20:32 -------- d-----w- c:\users\stein\AppData\Roaming\Corel
2012-08-27 19:13 . 2012-08-27 19:13 -------- d-----w- c:\users\stein\AppData\Local\Softexe
2012-08-27 18:13 . 2012-09-07 22:11 -------- d-----w- c:\users\stein\AppData\Local\VMware
2012-08-27 18:13 . 2012-09-07 21:26 -------- d-----w- c:\users\stein\AppData\Roaming\VMware
2012-08-27 18:02 . 2012-07-06 10:30 67224 ----a-w- c:\windows\system32\vsocklib.dll
2012-08-27 18:02 . 2012-07-06 10:29 63128 ----a-w- c:\windows\SysWow64\vsocklib.dll
2012-08-27 18:02 . 2012-07-06 10:29 70256 ----a-w- c:\windows\system32\drivers\vsock.sys
2012-08-27 18:02 . 2012-08-15 13:18 67224 ----a-w- c:\windows\system32\drivers\vmx86.sys
2012-08-27 18:02 . 2012-08-15 13:16 32920 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2012-08-27 18:02 . 2012-08-15 13:18 357016 ----a-w- c:\windows\SysWow64\vmnetdhcp.exe
2012-08-27 18:02 . 2012-08-15 13:18 30360 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2012-08-27 18:02 . 2012-08-15 13:17 435864 ----a-w- c:\windows\SysWow64\vmnat.exe
2012-08-27 18:02 . 2012-08-15 13:18 933528 ----a-w- c:\windows\system32\vnetlib64.dll
2012-08-27 18:02 . 2012-08-01 15:10 52376 ----a-w- c:\windows\system32\drivers\hcmon.sys
2012-08-27 18:01 . 2012-08-27 18:01 -------- d-----w- c:\program files\Common Files\VMware
2012-08-27 18:01 . 2012-09-14 07:58 -------- d-----w- c:\programdata\VMware
2012-08-27 18:01 . 2012-08-27 18:01 -------- d-----w- c:\program files (x86)\VMware
2012-08-27 18:01 . 2012-08-27 18:01 -------- d-----w- c:\program files (x86)\Common Files\VMware
2012-08-24 18:02 . 2012-08-24 18:02 -------- d-----w- c:\users\stein\temp
2012-08-21 17:56 . 2012-08-21 17:56 -------- d-----w- c:\users\stein\AppData\Roaming\Garmin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-12 10:42 . 2011-07-18 20:31 64462936 ----a-w- c:\windows\system32\MRT.exe
2012-09-07 15:04 . 2012-04-20 20:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-30 21:57 . 2012-01-23 23:44 821736 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-08-30 21:57 . 2011-07-18 21:13 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-27 21:38 . 2012-04-22 14:12 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-27 21:38 . 2012-04-22 14:12 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-15 13:16 . 2012-08-15 13:16 62104 ----a-w- c:\windows\system32\vmnetbridge.dll
2012-08-15 13:16 . 2012-08-15 13:16 48792 ----a-w- c:\windows\system32\vnetinst.dll
2012-08-15 13:16 . 2012-08-15 13:16 45720 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys
2012-08-15 13:16 . 2012-08-15 13:16 24216 ----a-w- c:\windows\system32\drivers\vmnet.sys
2012-08-15 13:16 . 2012-08-15 13:16 20120 ----a-w- c:\windows\system32\drivers\vmnetadapter.sys
2012-08-15 11:33 . 2012-08-15 11:33 353280 ----a-w- c:\windows\SysWow64\vmnc.dll
2012-08-01 15:10 . 2012-08-01 15:10 37680 ----a-w- c:\windows\system32\drivers\vmusb.sys
2012-07-18 18:15 . 2012-08-14 18:33 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-06 10:29 . 2012-07-06 10:29 85104 ----a-w- c:\windows\system32\drivers\vmci.sys
2012-07-04 22:16 . 2012-08-14 18:33 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-07-04 22:13 . 2012-08-14 18:33 59392 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 22:13 . 2012-08-14 18:33 136704 ----a-w- c:\windows\system32\browser.dll
2012-07-04 21:14 . 2012-08-14 18:33 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-06-30 17:54 . 2012-04-11 22:30 708200 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
2012-06-30 17:54 . 2012-01-23 20:34 74344 ----a-w- c:\windows\system32\RtNicProp64.dll
2012-06-30 17:54 . 2012-01-23 20:34 107552 ----a-w- c:\windows\system32\RTNUninst64.dll
2012-06-29 04:55 . 2012-08-14 18:36 17809920 ----a-w- c:\windows\system32\mshtml.dll
2012-06-29 04:09 . 2012-08-14 18:36 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-06-29 03:56 . 2012-08-14 18:36 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 03:49 . 2012-08-14 18:36 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-29 03:49 . 2012-08-14 18:36 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 03:48 . 2012-08-14 18:36 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 03:47 . 2012-08-14 18:36 237056 ----a-w- c:\windows\system32\url.dll
2012-06-29 03:45 . 2012-08-14 18:36 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-29 03:44 . 2012-08-14 18:36 816640 ----a-w- c:\windows\system32\jscript.dll
2012-06-29 03:43 . 2012-08-14 18:36 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 03:42 . 2012-08-14 18:36 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-29 03:40 . 2012-08-14 18:36 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-29 03:39 . 2012-08-14 18:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-29 03:35 . 2012-08-14 18:36 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-29 00:16 . 2012-08-14 18:36 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-29 00:09 . 2012-08-14 18:36 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-29 00:08 . 2012-08-14 18:36 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-29 00:04 . 2012-08-14 18:36 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-29 00:00 . 2012-08-14 18:36 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-06-25 14:04 . 2012-06-25 14:04 1394248 ----a-w- c:\windows\SysWow64\msxml4.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hddled.exe"="c:\program files (x86)\HddLed\hddled.exe" [2009-08-21 805376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe" [2012-02-29 56088]
"CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2010-08-03 107816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Storitev Posodobitve za Google (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-02 136176]
R2 hddledd;hddledd;c:\program files (x86)\HddLed\hddledd.exe [2009-08-21 49152]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-07 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-27 250568]
R3 ALSysIO;ALSysIO;c:\users\stein\AppData\Local\Temp\ALSysIO64.sys [x]
R3 bcbxq;{D874112A-74A7-43D0-A61C-FE055821F921};c:\program files (x86)\ophcrack\pwdump\servpw.exe [x]
R3 cpuz130;cpuz130;c:\users\stein\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
R3 fbsnc;{F0503CEC-8C0D-410C-8BFA-B9FCAAB362C2};c:\program files (x86)\ophcrack\pwdump\servpw.exe [x]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2011-12-09 135584]
R3 gupdatem;Storitev Posodobitve za Google (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-02 136176]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-07-28 29720]
R3 LcAgent;LC Remote Agent;c:\windows\Temp\lcagent.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-06 114144]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-07-07 17464]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-24 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2010-09-23 129008]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [2012-07-06 85104]
S0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys [2012-07-06 70256]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-02-01 13592]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe [2011-09-28 25824]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-03-11 2656280]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2012-08-01 917656]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\drivers\asmthub3.sys [2011-08-02 129000]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\drivers\asmtxhci.sys [2011-08-02 391144]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2011-03-11 56344]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2012-06-30 708200]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [2010-11-25 694888]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-22 21:38]
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-02 17:48]
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-02 17:48]
.
2012-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3235208281-3310333265-147021884-1001Core.job
- c:\users\stein\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-26 17:53]
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3235208281-3310333265-147021884-1001UA.job
- c:\users\stein\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-26 17:53]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-01-16 12445288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.aldi.com
mLocal Page = c:\windows\SysWOW64\blank.htm
LSP: %windir%\system32\vsocklib.dll
TCP: DhcpNameServer = 192.168.1.1
Handler: x-owacid2 - {5B290518-830E-4C57-A66B-E4F748900C27} - c:\program files (x86)\Microsoft\SMIME Client (2010)\mimectl.dll
FF - ProfilePath - c:\users\stein\AppData\Roaming\Mozilla\Firefox\Profiles\x0642j45.default\
FF - prefs.js: browser.startup.homepage - about:blank
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-CursorHider - c:\users\stein\AppData\Local\Softexe\Cursor Hider\CursorHider.exe
AddRemove-WinImage - c:\users\stein\Desktop\winima85\winimage.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-14 23:06:54
ComboFix-quarantined-files.txt 2012-09-14 21:06
.
Pre-Run: 72.475.611.136 bytes free
Post-Run: 72.398.417.920 bytes free
.
- - End Of File - - B129A64D64545A79B709C5FB09D0A866

2.) aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-15 23:09:51
-----------------------------
23:09:51.957 OS Version: Windows x64 6.1.7601 Service Pack 1
23:09:51.957 Number of processors: 4 586 0x2A07
23:09:51.958 ComputerName: HOFKO UserName: stein
23:09:52.533 Initialize success
23:13:21.936 AVAST engine defs: 12091400
23:13:28.809 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:13:28.811 Disk 0 Vendor: Hitachi_ MS2O Size: 953869MB BusType: 3
23:13:28.825 Disk 0 MBR read successfully
23:13:28.828 Disk 0 MBR scan
23:13:28.832 Disk 0 Windows 7 default MBR code
23:13:28.835 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
23:13:28.844 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 143359 MB offset 206848
23:13:28.849 Disk 0 Partition - 00 0F Extended LBA 758177 MB offset 293812785
23:13:28.889 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 51200 MB offset 1846566912
23:13:28.927 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 29996 MB offset 293812848
23:13:28.933 Disk 0 Partition - 00 05 Extended 228183 MB offset 355245975
23:13:28.944 Disk 0 Partition 5 00 07 HPFS/NTFS NTFS 228183 MB offset 355246080
23:13:28.981 Disk 0 scanning C:\Windows\system32\drivers
23:13:35.309 Service scanning
23:13:51.668 Modules scanning
23:13:51.675 Disk 0 trace - called modules:
23:13:51.722 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
23:13:51.728 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006fa1060]
23:13:51.733 3 CLASSPNP.SYS[fffff88001cbf43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80049cf050]
23:13:52.148 AVAST engine scan C:\Windows
23:13:53.886 AVAST engine scan C:\Windows\system32
23:15:49.097 AVAST engine scan C:\Windows\system32\drivers
23:15:57.200 AVAST engine scan C:\Users\stein
23:19:36.501 AVAST engine scan C:\ProgramData
23:19:59.518 Scan finished successfully
23:25:30.938 Disk 0 MBR has been saved successfully to "C:\Users\stein\Desktop\MBR.dat"
23:25:30.940 The log file has been saved successfully to "C:\Users\stein\Desktop\aswMBR.txt"



3.) A clear description of the problems:
ComboFix changed a lot of Windows settings (hosts file changed, System Restore is apparently turned off now,...). I would like to have them back as they were before.


PS: "How do you know it was moved to quarantine?"
- it is missing on the original place
- it is present in the Quarantine (C:\Qoobox\Quarantine\C\Users\xxxxx\AppData\Local\Softexe\Cursor Hider\CursorHider.exe.vir)
- it is mentioned in the ComboFix log under "Other Deletions"

Edited by David Balažic, 15 September 2012 - 04:31 PM.


#4 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:05:25 PM

Posted 15 September 2012 - 04:44 PM

Hi again,

Please list the files you want back from quarantine, and let me know the Windows settings you would like to have set back!

hosts file changed, System Restore is apparently turned off now

The hosts file is reset by default from Combofix, we can change that if you need later.

System Restore is also reset by Combofix upon uninstall. This is so a new restore point can be set after malware removal and the system is free of malware! :wink:

We can take care of that with a script. :)

==========

Navigate to C:\QooBox\ComboFix-quarantined-files.txt, copy and paste the contents of the text file in your next reply!

==========

Do you have any other problems with the computer right now?

bloopie

Edited by bloopie, 15 September 2012 - 04:51 PM.


#5 David Balažic

David Balažic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:25 PM

Posted 15 September 2012 - 05:43 PM

- all of them.
Is that not possible?

- ComboFix-quarantined-files.txt :

2012-09-14 21:06:27 . 2012-09-14 21:06:27 582 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-WinImage.reg.dat
2012-09-14 21:06:14 . 2012-09-14 21:06:14 169 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-CursorHider.reg.dat
2012-09-14 21:04:41 . 2012-09-14 21:04:41 7,148 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-09-14 21:01:28 . 2012-09-14 21:01:28 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-09-08 12:30:25 . 2012-09-08 12:30:25 262,144 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\ntuser.dat.vir
2012-08-27 19:13:33 . 2012-07-25 17:51:08 557,768 ----a-w- C:\Qoobox\Quarantine\C\Users\stein\AppData\Local\Softexe\Cursor Hider\CursorHider.exe.vir


- "Do you have any other problems with the computer right now?"
No, just the missing files and settings (IE settings were also reset).

#6 David Balažic

David Balažic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:25 PM

Posted 15 September 2012 - 05:58 PM

C:\Windows\zip.exe
Is this part of ComboFix?

#7 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:05:25 PM

Posted 15 September 2012 - 06:08 PM

Hello David Balažic,

Please follow these instructions as best you can!

  • Restart your computer
  • Before Windows loads, you will be prompted to choose which Operating System to start as mentioned earlier
  • Use the up and down arrow key to select Microsoft Windows Recovery Console
  • You must enter which Windows installation to log onto. Type 1 and press enter.
  • At the C:\Windows prompt, type the following bolded text, and press enter:
  • cd erdnt\subs
  • At the next prompt, type the following bolded text, and press Enter:
  • batch erdnt.con
  • The erunt backups will begin copying.
  • At the next prompt, type the following bolded text and press Enter:
  • exit
  • Windows will now begin loading.



Are you now able to boot up normally?

If so, I have more instructions for you, so let me know how it goes!

bloopie

#8 David Balažic

David Balažic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:25 PM

Posted 15 September 2012 - 06:22 PM

I don't have Microsoft Windows Recovery Console in the boot menu. Just Windows 7 and the memory test tool.
But I found an install CD (a USB flash key actually). Can I use that?

#9 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:05:25 PM

Posted 15 September 2012 - 11:04 PM

Hi again,

If you cannot boot to the Recovery Console, then we can extract those files from quarantine with a script. This script will only recover the files listed for deletion!


Run a Combofix Script


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy the text in the codebox below, then paste it into the empty notepad:

DeQuarantine::

C:\Qoobox\Quarantine\Registry_backups\AddRemove-WinImage.reg.dat
C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-CursorHider.reg.dat
C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
C:\Qoobox\Quarantine\catchme.log
C:\Qoobox\Quarantine\C\ProgramData\ntuser.dat.vir
C:\Qoobox\Quarantine\C\Users\stein\AppData\Local\Softexe\Cursor Hider\CursorHider.exe.vir

Quit::
Save this as CFScript.txt, in the same location as ComboFix.exe


[Image omitted: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\DeQuarantine.txt which I will require in your next reply.

bloopie

#10 David Balažic

David Balažic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:25 PM

Posted 16 September 2012 - 05:44 AM

C:\DeQuarantine.txt :


C:\Qoobox\Quarantine\C\ProgramData\ntuser.dat.vir -> C:\ProgramData\ntuser.dat
C:\Qoobox\Quarantine\C\Users\stein\AppData\Local\Softexe\Cursor Hider\CursorHider.exe.vir -> C:\Users\stein\AppData\Local\Softexe\Cursor Hider\CursorHider.exe


PS: Network stopped working after this. I am posting this from another computer.

PPS: Regarding your previous post, there is no "subs" folder in c:\windows\erdnt

PPPS: During execution, ComboFix said there is a newer version available and asked if I wanted to update. I chose "No".

Edited by David Balažic, 16 September 2012 - 06:08 AM.
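As an added example (not code from this thread, from ComboFix or from its authors), the following Python parses a ComboFix-quarantined-files.txt listing like the one in post #5, emits the DeQuarantine:: script from post #9, and predicts the DeQuarantine.txt lines seen in post #10, which shows why only the two .vir entries come back. The quarantine layout Quarantine\<drive letter>\<original path>.vir is inferred from the paths in this thread, and the sample listing reuses those entries.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample in the format ComboFix writes to ComboFix-quarantined-files.txt,
# reusing the entries posted in this thread:
# <time quarantined> . <original mtime> <size> <attributes> <quarantine path>
SAMPLE_LISTING = """\
2012-09-14 21:06:27 . 2012-09-14 21:06:27 582 ----a-w- C:\\Qoobox\\Quarantine\\Registry_backups\\AddRemove-WinImage.reg.dat
2012-09-14 21:01:28 . 2012-09-14 21:01:28 51 ----a-w- C:\\Qoobox\\Quarantine\\catchme.log
2012-09-08 12:30:25 . 2012-09-08 12:30:25 262,144 ----a-w- C:\\Qoobox\\Quarantine\\C\\ProgramData\\ntuser.dat.vir
2012-08-27 19:13:33 . 2012-07-25 17:51:08 557,768 ----a-w- C:\\Qoobox\\Quarantine\\C\\Users\\stein\\AppData\\Local\\Softexe\\Cursor Hider\\CursorHider.exe.vir
"""

QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"
LINE_RE = re.compile(
    r"^(?P<quarantined>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+?)\s*$"
)


class QuarantineEntry(NamedTuple):
    quarantined: str           # when ComboFix moved the file
    modified: str              # the file's own last-modified time
    size: int                  # bytes (ComboFix prints thousands separators)
    attrs: str                 # ComboFix attribute string, e.g. ----a-w-
    path: str                  # location inside C:\Qoobox\Quarantine
    restore_to: Optional[str]  # original location, or None if not a deleted file


def restore_target(qpath: str) -> Optional[str]:
    """Map a quarantined file to its original location, or None for ComboFix's own
    records (Registry_backups\\*.reg.dat, catchme.log), which is why a DeQuarantine::
    script may list those but DeQuarantine.txt does not report them. The layout
    Quarantine\\<drive letter>\\<original path>.vir is inferred from this thread."""
    root = QUARANTINE_ROOT + "\\"
    if not qpath.lower().startswith(root.lower()):
        return None
    drive, _, tail = qpath[len(root):].partition("\\")
    if len(drive) != 1 or not drive.isalpha() or not tail.lower().endswith(".vir"):
        return None
    return f"{drive.upper()}:\\{tail[:-len('.vir')]}"


def parse_listing(text: str) -> List[QuarantineEntry]:
    """Parse the listing; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(QuarantineEntry(
                m["quarantined"], m["modified"], int(m["size"].replace(",", "")),
                m["attrs"], m["path"], restore_target(m["path"])))
    return entries


def build_cfscript(entries: List[QuarantineEntry]) -> str:
    """Emit CFScript.txt content in the DeQuarantine:: / Quit:: form used in this thread."""
    return "DeQuarantine::\n\n" + "\n".join(e.path for e in entries) + "\n\nQuit::\n"


def expected_dequarantine_log(entries: List[QuarantineEntry]) -> List[str]:
    """The 'quarantine path -> original path' lines ComboFix should report back."""
    return [f"{e.path} -> {e.restore_to}" for e in entries if e.restore_to]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print(build_cfscript(parsed))
    print("\n".join(expected_dequarantine_log(parsed)))  # only the two .vir entries
```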


#11 David Balažic

David Balažic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:25 PM

Posted 16 September 2012 - 05:53 AM

Here it says:


* If that does not work, then navigate to C:\WINDOWS\ERDNT\Hiv-backup\erdnt.exe, double-click on erdnt.exe and reboot the machine.



Can I try that?

Edited by David Balažic, 16 September 2012 - 06:58 AM.


#12 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:05:25 PM

Posted 16 September 2012 - 09:37 AM

Hi again,

Yes you can try that as a restore function, and then run Farbar's Service Scanner:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Let me know what happens!

bloopie

#13 David Balažic

David Balažic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:25 PM

Posted 16 September 2012 - 11:39 AM

Hi again,

Yes you can try that as a restore function,

What?
Double-click erdnt.exe?
Or the Windows install DVD (USB key)?

PS: Something is wrong with email notifications. I did not get an email for your last reply yet, and you posted it 2 hours ago. I have a gmail account, there is nothing in the Spam folder either. I do have some previous notifications.

Edited by David Balažic, 16 September 2012 - 11:40 AM.


#14 David Balažic

David Balažic
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:25 PM

Posted 16 September 2012 - 02:33 PM

Hmm, after reading the thread again, I believe you were referring to running erdnt.exe by double-click in Windows. I'll go with that.

#15 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:05:25 PM

Posted 17 September 2012 - 08:10 AM

Hi again,

Hmm, after reading the thread again, I believe you were referring to running erdnt.exe by double-click in Windows.

Yes, that's correct. erdnt.exe is a registry backup that got made by Combofix. Hopefully restoring your registry will correct the changes made. Let me know if that is successful!

bloopie



