
Ongoing struggle with malware(s)


This topic is locked
25 replies to this topic

#1 Problem?
  • Members
  • 14 posts

Posted 31 December 2012 - 06:22 AM

Hi experts, a brief outline of my troubles:

Original symptoms:
- Web browsers redirecting from all antivirus websites
- McAfee would constantly open and close during the session and could not be opened or controlled
- Other system facilities not operational
- Windows Defender errored every time a scan was commanded

I then downloaded Malwarebytes and tried to scan, the infection prevented it from opening, I followed an online instruction and renamed .exe to mab.exe and it worked.

Ran scans and found multiple infections which were removed. Ran scans on other apps and all seemed clean.

This cured some of the symptoms: web searching now worked, McAfee recovered to be usable and Windows Defender was fixed.

--

I am now in an even worse situation: the infection removed my registry for Windows Security Centre, Windows Firewall and probably other stuff.

I have re-added the registry for Security Centre and now this is working.

Windows Firewall and McAfee Firewall are both disabled (although McAfee thinks it isn't); the infection seems to be able to manipulate McAfee antivirus at will at the moment.

Windows Defender has been removed and no longer works/opens at all.

I have rescanned with Malwarebytes and this is the most recent log:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.24.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
*removed* :: *removed*-PC [administrator]

30/12/2012 16:04:21
mbam-log-2012-12-31 (00-59-04).txt

Scan type: Full scan (C:\|D:\|E:\|H:\|I:\|J:\|K:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 682528
Time elapsed: 7 hour(s), 54 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\*removed*\AppData\Local\AVS4YOU\rxulhuyy.dll (Spyware.Password) -> No action taken.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|AVS4YOU (Spyware.Password) -> Data: RUNDLL32.EXE C:\Users\*removed*\AppData\Local\AVS4YOU\rxulhuyy.dll,vlc_entry__1_0_0e -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\*removed*\AppData\Local\AVS4YOU\rxulhuyy.dll (Spyware.Password) -> No action taken.

(end)



#2 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts

Posted 01 January 2013 - 10:05 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:
    netsvcs
  • Click the Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and paste them into your next post.
Download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it
  • You will be asked if you want to use Avast! Free antivirus for scanning - select No
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.
Please include the following in your next post:
  • OTL.txt and Extras.txt logs
  • aswMBR log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#3 Problem?
  • Topic Starter
  • Members
  • 14 posts

Posted 01 January 2013 - 11:22 AM

Hi, Thanks for replying.

OTL

extras

asw

Currently running aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-01-01 16:22:53
-----------------------------
16:22:53.947 OS Version: Windows 6.1.7601 Service Pack 1
16:22:53.947 Number of processors: 4 586 0xF0B
16:22:53.949 ComputerName: *removed*-PC UserName: *removed*
16:22:55.585 Initialize success
16:23:07.456 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:23:07.458 Disk 0 Vendor: ST350062 HP21 Size: 476940MB BusType: 3
16:23:07.480 Disk 0 MBR read successfully
16:23:07.483 Disk 0 MBR scan
16:23:07.487 Disk 0 Windows 7 default MBR code
16:23:07.490 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 466245 MB offset 63
16:23:07.519 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10691 MB offset 954871470
16:23:07.525 Disk 0 scanning sectors +976768065
16:23:07.587 Disk 0 scanning C:\Windows\system32\drivers
16:23:19.098 Service scanning
16:23:27.736 Service MpKsl37afd70b c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{ECF3264B-870F-4E12-ACEB-0EFB234FBA7C}\MpKsl37afd70b.sys **LOCKED** 32
16:23:37.108 Modules scanning
16:23:48.819 Disk 0 trace - called modules:
16:23:48.841 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
16:23:49.173 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87740030]
16:23:49.180 3 CLASSPNP.SYS[8cba859e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x868c7030]
16:23:49.187 Scan finished successfully
16:24:29.943 Disk 0 MBR has been saved successfully to "C:\Users\*removed*\Desktop\MBR.dat"
16:24:30.031 The log file has been saved successfully to "C:\Users\*removed*\Desktop\aswMBR.txt

Edited by Problem?, 01 January 2013 - 11:44 AM.


#4 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts

Posted 01 January 2013 - 02:09 PM

Please do this next:

Go to this page and download Malwarebytes Anti-Rootkit (MBAR)
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • MBAR will create logs that you will find in the same folder you found MBAR.exe. Please post those for me to review.
Download ComboFix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:
  • MBAR log(s)
  • ComboFix log



#5 Problem?
  • Topic Starter
  • Members
  • 14 posts

Posted 01 January 2013 - 03:45 PM

mbar

Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org

Database version: v2013.01.01.03

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
:: [administrator]

01/01/2013 20:08:47
mbar-log-2013-01-01 (20-08-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 29745
Time elapsed: 20 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

combo

ComboFix 13-01-01.02 - *removed* 01/01/2013 20:17:45.1.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.3327.1870 [GMT 0:00]
Running from: c:\users\*removed*\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files\Adobe\Photoshop.exe
c:\program files\Adobe\SHFOLDER.dll
c:\users\*removed*\AppData\Local\aryyepcy.log
c:\users\*removed*\AppData\Local\fjbehonw.log
c:\users\*removed*\AppData\Local\ilvvoowh.log
c:\users\*removed*\AppData\Local\jilomvab.log
c:\users\*removed*\AppData\Local\mejgxkgc.log
c:\users\*removed*\AppData\Local\tkpmmhbx.log
c:\users\*removed*\AppData\Local\vdgjygfb.log
.
.
((((((((((((((((((((((((( Files Created from 2012-12-01 to 2013-01-01 )))))))))))))))))))))))))))))))
.
.
2013-01-01 20:31 . 2013-01-01 20:35 -------- d-----w- c:\users\*removed*\AppData\Local\temp
2013-01-01 20:31 . 2013-01-01 20:31 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-01-01 20:31 . 2013-01-01 20:31 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2013-01-01 20:31 . 2013-01-01 20:31 -------- d-----w- c:\users\Home\AppData\Local\temp
2013-01-01 20:31 . 2013-01-01 20:31 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-01-01 20:31 . 2013-01-01 20:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-01 15:58 . 2013-01-01 15:58 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ECF3264B-870F-4E12-ACEB-0EFB234FBA7C}\MpKsl37afd70b.sys
2013-01-01 15:55 . 2013-01-01 15:55 60872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ECF3264B-870F-4E12-ACEB-0EFB234FBA7C}\offreg.dll
2013-01-01 12:36 . 2012-11-08 10:00 6812136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ECF3264B-870F-4E12-ACEB-0EFB234FBA7C}\mpengine.dll
2012-12-30 14:32 . 2012-11-08 10:00 6812136 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-12-25 19:02 . 2012-12-25 19:02 740840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2BCCB084-3C28-49F0-8AF2-6B7CF25D6FBD}\gapaengine.dll
2012-12-25 19:00 . 2012-12-25 19:00 -------- d-----w- c:\program files\Microsoft Security Client
2012-12-25 15:45 . 2012-12-16 14:13 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-25 15:45 . 2012-12-16 14:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-24 18:17 . 2012-12-24 18:17 -------- d-----w- c:\program files\iPod
2012-12-24 18:17 . 2012-12-24 18:18 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-24 17:37 . 2012-12-24 17:37 -------- d-----w- c:\program files\Yontoo
2012-12-24 17:37 . 2012-12-24 17:37 -------- d-----w- c:\programdata\Tarma Installer
2012-12-22 12:09 . 2012-05-28 10:28 147472 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2012-12-22 12:08 . 2012-11-09 06:53 167344 ----a-w- c:\windows\system32\mfevtps.exe
2012-12-15 21:39 . 2012-12-15 21:39 -------- d-----w- c:\users\*removed*\AppData\Roaming\Malwarebytes
2012-12-15 21:39 . 2012-12-24 17:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-15 21:39 . 2012-12-15 21:39 -------- d-----w- c:\programdata\Malwarebytes
2012-12-15 21:39 . 2012-09-29 19:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-15 12:21 . 2012-12-24 23:42 -------- d-----w- c:\users\*removed*\AppData\Local\xikdpsoa
2012-12-13 18:12 . 2012-10-04 14:41 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-13 18:11 . 2012-10-27 06:23 163328 ----a-w- c:\program files\Internet Explorer\ieproxy.dll
2012-12-13 18:11 . 2012-11-12 11:52 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-12-13 18:11 . 2012-11-09 04:42 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-05 21:54 . 2012-10-28 11:50 73696 ----a-w- c:\program files\Mozilla Firefox\updated\breakpadinjector.dll
2012-12-05 21:54 . 2012-10-28 11:50 261600 ----a-w- c:\program files\Mozilla Firefox\updated\components\browsercomps.dll
2012-12-05 21:54 . 2012-10-21 12:47 18912 ----a-w- c:\program files\Mozilla Firefox\updated\AccessibleMarshal.dll
2012-12-04 18:24 . 2012-12-04 18:24 -------- d-----w- c:\program files\YTD Toolbar
2012-12-04 18:24 . 2012-12-04 18:24 -------- d-----w- c:\program files\Common Files\Spigot
2012-12-04 18:24 . 2012-12-04 18:24 -------- d-----w- c:\program files\Application Updater
2012-12-03 19:01 . 2012-12-31 01:13 -------- d-----w- c:\users\*removed*\AppData\Local\AVS4YOU
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-11 19:14 . 2012-06-02 15:36 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-11 19:14 . 2011-05-17 10:30 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-09 06:56 . 2012-11-09 06:56 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-11-09 06:53 . 2012-11-09 06:53 210136 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2012-11-09 06:51 . 2012-11-09 06:51 565352 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-11-09 06:50 . 2012-11-09 06:50 362640 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-11-09 06:50 . 2012-11-09 06:50 65488 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-11-09 06:49 . 2012-11-09 06:49 234824 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-11-09 06:49 . 2012-11-09 06:49 132912 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-11-08 18:00 . 2012-12-25 13:46 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B8592BF1-C017-454E-A8D6-3CD408612CA6}\mpengine.dll
2012-11-02 01:46 . 2012-11-02 01:46 9744 ----a-w- c:\windows\system32\drivers\mfeclnrk.sys
2012-11-02 01:46 . 2012-11-02 01:46 81456 ----a-w- c:\windows\system32\drivers\mfencrk.sys
2012-11-02 01:46 . 2012-11-02 01:46 252200 ----a-w- c:\windows\system32\drivers\mfencbdc.sys
2012-10-16 07:39 . 2012-11-27 18:49 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-10-10 21:15 . 2012-10-10 21:15 1867112 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-10-10 21:15 . 2012-10-10 21:15 2574696 ----a-w- c:\windows\system32\nvcuvid.dll
2012-10-10 21:14 . 2012-10-10 21:14 888168 ----a-w- c:\windows\system32\nvdispgenco32.dll
2012-10-10 21:14 . 2012-10-10 21:14 12501352 ----a-w- c:\windows\system32\nvwgf2um.dll
2012-10-10 21:14 . 2012-10-10 21:14 17559912 ----a-w- c:\windows\system32\nvcompiler.dll
2012-10-10 21:14 . 2012-10-10 21:14 2428776 ----a-w- c:\windows\system32\nvapi.dll
2012-10-10 21:14 . 2012-10-10 21:14 7697768 ----a-w- c:\windows\system32\nvcuda.dll
2012-10-10 21:14 . 2012-10-10 21:14 10837352 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-10-10 21:14 . 2012-10-10 21:14 19906920 ----a-w- c:\windows\system32\nvoglv32.dll
2012-10-10 21:14 . 2012-10-10 21:14 1009512 ----a-w- c:\windows\system32\nvdispco32.dll
2012-10-10 21:14 . 2012-10-10 21:14 6127464 ----a-w- c:\windows\system32\nvopencl.dll
2012-10-10 21:14 . 2012-10-10 21:14 15309160 ----a-w- c:\windows\system32\nvd3dum.dll
2012-10-09 17:40 . 2012-11-14 18:21 44032 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-10-09 17:40 . 2012-11-14 18:21 193536 ----a-w- c:\windows\system32\dhcpcore6.dll
2012-12-06 18:16 . 2011-05-06 12:33 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-02 178712]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-10-07 514936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2012-11-28 1123720]
"mcpltui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-10-07 514936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
c:\users\*removed*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
DeskPins.lnk - c:\program files\DeskPins\DeskPins.exe [2004-5-2 62464]
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2009-12-11 139264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 0276691357065444mcinstcleanup;McAfee Application Installer Cleanup (0276691357065444);c:\windows\TEMP\027669~1.EXE [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [x]
R3 KMWDFILTERx86;HIDServiceDesc;c:\windows\system32\DRIVERS\KMWDFILTER.sys [x]
R3 mfencrk;McAfee Inc. mfencrk;c:\windows\system32\DRIVERS\mfencrk.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
S1 MpKsl37afd70b;MpKsl37afd70b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ECF3264B-870F-4E12-ACEB-0EFB234FBA7C}\MpKsl37afd70b.sys [x]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [x]
S2 HomeNetSvc;McAfee Home Network;c:\program files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [x]
S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [x]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [x]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 mcpltsvc;McAfee Platform Services;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 mfecore;McAfee Anti-Malware Core;c:\program files\Common Files\McAfee\AMCore\mcshield.exe [x]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [x]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
S3 mfencbdc;McAfee Inc. mfencbdc;c:\windows\system32\DRIVERS\mfencbdc.sys [x]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [x]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - mfeavfk01
*Deregistered* - mferkdk
*Deregistered* - mfesmfk
*Deregistered* - MPFP
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-02 19:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.youtube.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\users\*removed*\AppData\Roaming\Mozilla\Firefox\Profiles\2faai7rb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - user.js: extentions.y2layers.installId - c7fb6e2a-b0bc-48b1-8ffc-8d1cd0309d53
FF - user.js: extentions.y2layers.defaultEnableAppsList - DropDownDeals,buzzdock,YontooNewOffers
FF - user.js: extensions.autoDisableScopes - 14
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{F3FEE66E-E034-436a-86E4-9690573BEE8A} - (no file)
HKCU-Run-Rainlendar2 - c:\program files\Rainlendar2\Rainlendar2.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\windows\System32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\progra~1\McAfee\MSC\McAPExe.exe
c:\windows\system32\conhost.exe
c:\windows\RtHDVCpl.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\McAfee\Platform\mcuicnt.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\system32\sppsvc.exe
c:\hp\kbd\kbd.exe
.
**************************************************************************
.
Completion time: 2013-01-01 20:42:05 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-01 20:42
.
Pre-Run: 201,590,595,584 bytes free
Post-Run: 201,853,038,592 bytes free
.
- - End Of File - - 8D5D59005C0725B3FBB9611544CDB987

Edited by Problem?, 01 January 2013 - 04:44 PM.
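Two details in the logs above are worth pulling out for anyone triaging a similar machine. The MBAM log in the opening post shows the persistence mechanism: an HKCU Run value that launches RUNDLL32.EXE against a DLL sitting in AppData\Local (a user-writable location, with a randomly named DLL and an odd export name). The ComboFix log in this post shows AntiVirusOverride and FirewallOverride set to 1 under HKLM\software\microsoft\security center, values that suppress Security Center's monitoring of antivirus and firewall status, which fits the poster's report that the firewall was off while the product believed otherwise. The Python script below is an added example written for this page; it is not code from ComboFix, Malwarebytes or BleepingComputer. It parses Run-key and Security Center lines in the "Reg Loading Points" layout ComboFix uses and flags those two patterns. The sample lines are constructed to mirror this thread (the username "someuser" is invented; the original poster redacted theirs), and the list of user-writable path components is an assumption you should extend for your own environment.

```python
"""Triage autostart entries and Security Center overrides in ComboFix-style
"Reg Loading Points" output. Added example for this thread; not ComboFix,
MBAM or BleepingComputer code."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the logs in this thread (the username
# "someuser" is invented; the original poster redacted theirs).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"AVS4YOU"="RUNDLL32.EXE C:\Users\someuser\AppData\Local\AVS4YOU\rxulhuyy.dll,vlc_entry__1_0_0e"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-10-07 514936]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2012-11-28 1123720]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

KEY_LINE_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_LINE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
SECURITY_CENTER_RE = re.compile(r"\\Security Center$", re.IGNORECASE)
# "rundll32[.exe] <dll>[,<export>]" with an optional leading path.
RUNDLL_RE = re.compile(r'^(?:.*\\)?rundll32(?:\.exe)?\s+"?(?P<dll>[^,"]+?)"?(?:,|$)', re.IGNORECASE)
# Locations an unprivileged user can write to; a startup item living here
# deserves a second look. Assumed list; extend it for your environment.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Users\\[^\\]+|ProgramData|Temp)\\", re.IGNORECASE)
# ComboFix appends " [yyyy-mm-dd size]" after the quoted command.
COMBOFIX_SUFFIX_RE = re.compile(r"\s*\[\d{4}-\d{2}-\d{2} \d+\]$")


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    data: str
    reason: str


def command_from_value(data: str) -> str:
    """Strip ComboFix's trailing date/size tag and the quotes around the command."""
    return COMBOFIX_SUFFIX_RE.sub("", data).strip().strip('"')


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_LINE_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = VALUE_LINE_RE.match(line)
        if not value_match or current_key is None:
            continue  # separators ("."), blanks, anything that is not "name"=data
        name, data = value_match.group("name"), value_match.group("data")

        if SECURITY_CENTER_RE.search(current_key):
            # A non-zero *Override tells Security Center to stop monitoring that
            # component, so a disabled AV or firewall raises no alert.
            if (name.lower().endswith("override") and data.lower().startswith("dword:")
                    and int(data[len("dword:"):], 16) != 0):
                findings.append(Finding(current_key, name, data,
                                        "Security Center monitoring override is set"))
            continue

        if not RUN_KEY_RE.search(current_key):
            continue
        cmd = command_from_value(data)
        rundll = RUNDLL_RE.match(cmd)
        if rundll and USER_WRITABLE_RE.search(rundll.group("dll")):
            findings.append(Finding(current_key, name, cmd,
                                    "rundll32 loads a DLL from a user-writable location"))
        elif USER_WRITABLE_RE.search(cmd):
            findings.append(Finding(current_key, name, cmd,
                                    "startup item runs from a user-writable location"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.key}\\{f.name} -> {f.data}")
```

Run against the sample it reports the AVS4YOU rundll32 entry and both Security Center overrides and stays quiet on the vendor entries under Program Files. A rundll32 entry whose DLL lives under c:\windows\system32 is deliberately not flagged, since that is how plenty of legitimate Run values look; the signal here is the combination of rundll32 with a DLL in a path the user can write to.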


#6 RPMcMurphy
    Bleeping *^#@%~
  • Malware Response Team
  • 3,970 posts

Posted 01 January 2013 - 04:26 PM

You posted the aswMBR log again instead of the MBAR logs. It/they will be in the same folder you found MBAR.exe.

Please do this next:

You have more than one antivirus (AV) program running. Your logs show both Microsoft Security Essentials and McAfee running. Running more than one AV program does not offer any more protection and often causes conflicts and slowdowns with your computer. Please remove all but one of the AV applications.

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Folder:: and replace *removed* with the valid entry for that folder path.

Folder::
c:\users\*removed*\AppData\Local\xikdpsoa
ClearJavaCache::
Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:
  • MBAR log(s)
  • ComboFix log

Edited by RPMcMurphy, 01 January 2013 - 04:28 PM.



#7 Problem?
  • Topic Starter
  • Members
  • 14 posts

Posted 01 January 2013 - 04:47 PM

Hi, I have edited my post to contain the correct MBAR log! I installed Microsoft Security Essentials as McAfee appeared to have been compromised by the infection. As McAfee is a paid licence I have now removed the Microsoft package.

I've made the script but will have to run ComboFix again after work tomorrow. Thanks for the help so far.

Edited by Problem?, 01 January 2013 - 04:50 PM.


#8 Problem?
  • Topic Starter
  • Members
  • 14 posts

Posted 02 January 2013 - 01:34 PM

Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org

Database version: v2013.01.01.03

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
:: [administrator]

01/01/2013 20:08:47
mbar-log-2013-01-01 (20-08-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 29745
Time elapsed: 20 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



ComboFix 13-01-02.02 - *removed* 02/01/2013 18:17:29.2.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.3327.1829 [GMT 0:00]
Running from: c:\users\*removed*\Desktop\ComboFix.exe
Command switches used :: c:\users\*removed*\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\*removed*\AppData\Roaming\inst.exe
c:\users\*removed*\AppData\Roaming\mIRC\logs\status.log
c:\users\*removed*\AppData\Roaming\vso_ts_preview.xml
.
.
((((((((((((((((((((((((( Files Created from 2012-12-02 to 2013-01-02 )))))))))))))))))))))))))))))))
.
.
2013-01-02 18:29 . 2013-01-02 18:29 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-01-02 18:29 . 2013-01-02 18:29 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2013-01-02 18:29 . 2013-01-02 18:29 -------- d-----w- c:\users\Home\AppData\Local\temp
2013-01-02 18:29 . 2013-01-02 18:29 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-01-02 18:29 . 2013-01-02 18:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-02 18:05 . 2013-01-02 18:05 60872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EBF441C1-CD37-4CD2-BEF7-E0AAD26B73F8}\offreg.dll
2013-01-02 17:46 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EBF441C1-CD37-4CD2-BEF7-E0AAD26B73F8}\mpengine.dll
2013-01-01 20:31 . 2013-01-02 18:29 -------- d-----w- c:\users\*removed*\AppData\Local\temp
2012-12-25 15:45 . 2012-12-16 14:13 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-25 15:45 . 2012-12-16 14:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-24 18:17 . 2012-12-24 18:17 -------- d-----w- c:\program files\iPod
2012-12-24 18:17 . 2012-12-24 18:18 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-24 17:37 . 2012-12-24 17:37 -------- d-----w- c:\program files\Yontoo
2012-12-24 17:37 . 2012-12-24 17:37 -------- d-----w- c:\programdata\Tarma Installer
2012-12-22 12:09 . 2012-05-28 10:28 147472 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2012-12-22 12:08 . 2012-11-09 06:53 167344 ----a-w- c:\windows\system32\mfevtps.exe
2012-12-15 21:39 . 2012-12-15 21:39 -------- d-----w- c:\users\*removed*\AppData\Roaming\Malwarebytes
2012-12-15 21:39 . 2012-12-24 17:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-15 21:39 . 2012-12-15 21:39 -------- d-----w- c:\programdata\Malwarebytes
2012-12-15 21:39 . 2012-09-29 19:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-15 12:21 . 2012-12-24 23:42 -------- d-----w- c:\users\*removed*\AppData\Local\xikdpsoa
2012-12-13 18:12 . 2012-10-04 14:41 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-13 18:11 . 2012-10-27 06:23 163328 ----a-w- c:\program files\Internet Explorer\ieproxy.dll
2012-12-13 18:11 . 2012-11-12 11:52 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-12-13 18:11 . 2012-11-09 04:42 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-05 21:54 . 2012-10-28 11:50 73696 ----a-w- c:\program files\Mozilla Firefox\updated\breakpadinjector.dll
2012-12-05 21:54 . 2012-10-28 11:50 261600 ----a-w- c:\program files\Mozilla Firefox\updated\components\browsercomps.dll
2012-12-05 21:54 . 2012-10-21 12:47 18912 ----a-w- c:\program files\Mozilla Firefox\updated\AccessibleMarshal.dll
2012-12-04 18:24 . 2012-12-04 18:24 -------- d-----w- c:\program files\YTD Toolbar
2012-12-04 18:24 . 2012-12-04 18:24 -------- d-----w- c:\program files\Common Files\Spigot
2012-12-04 18:24 . 2012-12-04 18:24 -------- d-----w- c:\program files\Application Updater
2012-12-03 19:01 . 2012-12-31 01:13 -------- d-----w- c:\users\*removed*\AppData\Local\AVS4YOU
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-11 19:14 . 2012-06-02 15:36 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-11 19:14 . 2011-05-17 10:30 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-09 06:56 . 2012-11-09 06:56 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-11-09 06:53 . 2012-11-09 06:53 210136 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2012-11-09 06:51 . 2012-11-09 06:51 565352 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-11-09 06:50 . 2012-11-09 06:50 362640 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-11-09 06:50 . 2012-11-09 06:50 65488 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-11-09 06:49 . 2012-11-09 06:49 234824 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-11-09 06:49 . 2012-11-09 06:49 132912 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-11-02 01:46 . 2012-11-02 01:46 9744 ----a-w- c:\windows\system32\drivers\mfeclnrk.sys
2012-11-02 01:46 . 2012-11-02 01:46 81456 ----a-w- c:\windows\system32\drivers\mfencrk.sys
2012-11-02 01:46 . 2012-11-02 01:46 252200 ----a-w- c:\windows\system32\drivers\mfencbdc.sys
2012-10-16 07:39 . 2012-11-27 18:49 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-10-10 21:15 . 2012-10-10 21:15 1867112 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-10-10 21:15 . 2012-10-10 21:15 2574696 ----a-w- c:\windows\system32\nvcuvid.dll
2012-10-10 21:14 . 2012-10-10 21:14 888168 ----a-w- c:\windows\system32\nvdispgenco32.dll
2012-10-10 21:14 . 2012-10-10 21:14 12501352 ----a-w- c:\windows\system32\nvwgf2um.dll
2012-10-10 21:14 . 2012-10-10 21:14 17559912 ----a-w- c:\windows\system32\nvcompiler.dll
2012-10-10 21:14 . 2012-10-10 21:14 2428776 ----a-w- c:\windows\system32\nvapi.dll
2012-10-10 21:14 . 2012-10-10 21:14 7697768 ----a-w- c:\windows\system32\nvcuda.dll
2012-10-10 21:14 . 2012-10-10 21:14 10837352 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-10-10 21:14 . 2012-10-10 21:14 19906920 ----a-w- c:\windows\system32\nvoglv32.dll
2012-10-10 21:14 . 2012-10-10 21:14 1009512 ----a-w- c:\windows\system32\nvdispco32.dll
2012-10-10 21:14 . 2012-10-10 21:14 6127464 ----a-w- c:\windows\system32\nvopencl.dll
2012-10-10 21:14 . 2012-10-10 21:14 15309160 ----a-w- c:\windows\system32\nvd3dum.dll
2012-10-09 17:40 . 2012-11-14 18:21 44032 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-10-09 17:40 . 2012-11-14 18:21 193536 ----a-w- c:\windows\system32\dhcpcore6.dll
2012-12-06 18:16 . 2011-05-06 12:33 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-02 178712]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-10-07 514936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2012-11-28 1123720]
"mcpltui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-10-07 514936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
.
c:\users\*removed*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
DeskPins.lnk - c:\program files\DeskPins\DeskPins.exe [2004-5-2 62464]
SDK Tray Menu.lnk - c:\sun\SDK\jdk\bin\javaw.exe [2009-12-11 139264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 0276691357065444mcinstcleanup;McAfee Application Installer Cleanup (0276691357065444);c:\windows\TEMP\027669~1.EXE [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [x]
R3 KMWDFILTERx86;HIDServiceDesc;c:\windows\system32\DRIVERS\KMWDFILTER.sys [x]
R3 mfencrk;McAfee Inc. mfencrk;c:\windows\system32\DRIVERS\mfencrk.sys [x]
R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [x]
S2 HomeNetSvc;McAfee Home Network;c:\program files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [x]
S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [x]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [x]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 mcpltsvc;McAfee Platform Services;c:\program files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [x]
S2 mfecore;McAfee Anti-Malware Core;c:\program files\Common Files\McAfee\AMCore\mcshield.exe [x]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [x]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
S3 mfencbdc;McAfee Inc. mfencbdc;c:\windows\system32\DRIVERS\mfencbdc.sys [x]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [x]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
*Deregistered* - mferkdk
*Deregistered* - mfesmfk
*Deregistered* - MPFP
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-02 19:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.youtube.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-GB\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\users\*removed*\AppData\Roaming\Mozilla\Firefox\Profiles\2faai7rb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - user.js: extentions.y2layers.installId - c7fb6e2a-b0bc-48b1-8ffc-8d1cd0309d53
FF - user.js: extentions.y2layers.defaultEnableAppsList - DropDownDeals,buzzdock,YontooNewOffers
FF - user.js: extensions.autoDisableScopes - 14
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-02 18:32:01
ComboFix-quarantined-files.txt 2013-01-02 18:32
ComboFix2.txt 2013-01-01 20:42
.
Pre-Run: 201,645,252,608 bytes free
Post-Run: 201,775,980,544 bytes free
.
- - End Of File - - 99EE56C97FE1867D4E64A970F73BBEE4

Edited by Problem?, 02 January 2013 - 01:34 PM.
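The ComboFix log above lists the Security Center key with AntiVirusOverride and FirewallOverride set to 1, alongside the Run keys that start programs at logon. The following is an added example, not part of this thread and not ComboFix's own code: a small parser for the "Reg Loading Points" section of a log in this format that pulls out those override flags and any Run entry whose image lives in a user-writable directory, so a reviewer can find them quickly. The sample excerpt is constructed from the log above and its "Updater" entry is invented.

```python
import re

# Constructed excerpt in the layout of ComboFix's "Reg Loading Points" section
# (user name removed, paths shortened). The "Updater" entry is invented to
# exercise the user-writable-path check; the other lines mirror the log above.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-10-07 514936]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2012-11-28 1123720]
"Updater"="c:\users\home\AppData\Roaming\inst.exe" [2012-12-15 22016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)"|dword:([0-9a-fA-F]{8}))')


def parse_reg_blocks(log_text):
    """Return {key_path: {value_name: data}} for each REGEDIT4-style block.
    String data keeps the quoted path (the trailing "[date size]" is dropped),
    dword data becomes an int, and a lone '.' line closes the current block,
    which is how ComboFix separates entries in this section."""
    blocks, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, {})
        elif line == '.':
            current = None
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, text, dword = m.groups()
                blocks[current][name] = int(dword, 16) if dword is not None else text
    return blocks


SECURITY_CENTER = r'hkey_local_machine\software\microsoft\security center'


def security_center_overrides(blocks):
    """Names of Security Center *Override values set to 1. Windows honours
    these to suppress its 'no antivirus / no firewall' warning, so malware
    sets them to keep the user from learning that protection is off."""
    hits = []
    for key, values in blocks.items():
        if key.lower() == SECURITY_CENTER:
            hits += [n for n, v in values.items() if n.endswith('Override') and v == 1]
    return sorted(hits)


# Directories an unprivileged user can write to; a Run entry pointing here
# deserves a look, since installed software normally lives under Program Files.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\')


def suspicious_run_entries(blocks):
    """(key, value name, path) for Run entries whose image lives in a
    user-writable directory. This is a review list, not a removal list."""
    hits = []
    for key, values in blocks.items():
        if not key.lower().endswith('\\currentversion\\run'):
            continue
        for name, data in values.items():
            if isinstance(data, str) and any(d in data.lower() for d in USER_WRITABLE):
                hits.append((key, name, data))
    return hits


if __name__ == '__main__':
    parsed = parse_reg_blocks(SAMPLE_LOG)
    print('Security Center overrides set:', security_center_overrides(parsed))
    for key, name, path in suspicious_run_entries(parsed):
        print(f'Review autostart {name!r} under {key}: {path}')
```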


#9 RPMcMurphy (Malware Response Team)

Posted 02 January 2013 - 07:49 PM

Please do this next:

The script left this folder behind. Did you edit it to replace *removed* with the valid name? If you can, please navigate to it and manually delete it:

c:\users\*removed*\AppData\Local\xikdpsoa
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Please include the following in your next post:
  • JRT log

Edited by RPMcMurphy, 02 January 2013 - 07:49 PM.
Format error



#10 Problem? (Topic Starter)

Posted 03 January 2013 - 01:43 PM

Hello, yes I was able to find the folder and have deleted it from my C drive.

Here is the log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.3.6 (01.02.2013:4)
OS: Windows 7 Ultimate x86
Ran by *removed* on 03/01/2013 at 18:35:18.68
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully stopped: [Service] application updater
Successfully deleted: [Service] application updater



~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\windows\currentversion\run\\searchsettings
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{f3fee66e-e034-436a-86e4-9690573bee8a}
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\main\\Start Page



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_local_machine\software\application updater
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\search settings



~~~ Files

Successfully deleted: [File] C:\eula.1028.txt
Successfully deleted: [File] C:\eula.1031.txt
Successfully deleted: [File] C:\eula.1033.txt
Successfully deleted: [File] C:\eula.1036.txt
Successfully deleted: [File] C:\eula.1040.txt
Successfully deleted: [File] C:\eula.1041.txt
Successfully deleted: [File] C:\eula.1042.txt
Successfully deleted: [File] C:\eula.2052.txt
Successfully deleted: [File] C:\install.res.1028.dll
Successfully deleted: [File] C:\install.res.1031.dll
Successfully deleted: [File] C:\install.res.1033.dll
Successfully deleted: [File] C:\install.res.1036.dll
Successfully deleted: [File] C:\install.res.1040.dll
Successfully deleted: [File] C:\install.res.1041.dll
Successfully deleted: [File] C:\install.res.1042.dll
Successfully deleted: [File] C:\install.res.2052.dll
Successfully deleted: [File] C:\install.res.3082.dll



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\tarma installer"
Successfully deleted: [Folder] "C:\ProgramData\ytd video downloader"
Successfully deleted: [Folder] "C:\Users\*removed*\appdata\locallow\search settings"
Successfully deleted: [Folder] "C:\Program Files\application updater"
Successfully deleted: [Folder] "C:\Program Files\icq6toolbar"
Successfully deleted: [Folder] "C:\Program Files\yontoo"
Successfully deleted: [Folder] "C:\Program Files\ytd toolbar"
Failed to delete: [Folder] "C:\Program Files\Common Files\spigot"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader"



~~~ FireFox

Successfully deleted: [File] C:\Users\*removed*\AppData\Roaming\mozilla\firefox\profiles\2faai7rb.default\user.js
Successfully deleted the following from C:\Users\*removed*\AppData\Roaming\mozilla\firefox\profiles\2faai7rb.default\prefs.js

user_pref("extentions.y2layers.defaultEnableAppsList", "DropDownDeals,buzzdock,YontooNewOffers");
user_pref("extentions.y2layers.installId", "c7fb6e2a-b0bc-48b1-8ffc-8d1cd0309d53");
Emptied folder: C:\Users\*removed*\AppData\Roaming\mozilla\firefox\profiles\2faai7rb.default\minidumps [64 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 03/01/2013 at 18:39:58.19
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#11 RPMcMurphy (Malware Response Team)

Posted 03 January 2013 - 10:06 PM

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Go to Start > Control Panel > Programs > Uninstall a program, and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java™ 6 or Java™ 7) in the name and select "uninstall".
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Go to this page to download the latest version. Press the download button under JRE and follow the prompts. Accept the agreement and choose the Windows x86 offline option.
  • Run the installer you just downloaded
Go to this link to run an online scanner from ESET.
  • Note: For browsers other than Internet Explorer, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If you are using Internet Explorer, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log



#12 Problem? (Topic Starter)

Posted 04 January 2013 - 01:52 PM

Hi,

The machine is running very nicely at the moment; in fact it is probably running at twice the speed it was before I was infected with this stuff, a lot quicker to respond. In regard to all the stuff that was previously not working, this all seems back, and the missing services have also re-appeared.

I have a question about removing Java. I have removed 2 versions; the 3rd is asking for admin access but what's in the box doesn't seem right. See below for a transcript of the popup box (screenshots aren't working on the command box).


"Do you want to allow the following programme from an unknown publisher to make changes to your computer?"

C:\Windows\Installer\1ac8f.msi
Publisher: Unknown
File Origin: Harddrive of this computer

Looks a bit dodgy; can you confirm if this is a legitimate process?

#13 RPMcMurphy (Malware Response Team)

Posted 04 January 2013 - 02:36 PM

Which Java version are you working on when you see that?



#14 Problem? (Topic Starter)

Posted 04 January 2013 - 02:39 PM

Which Java version are you working on when you see that?

Java™ SE Runtime Environment 6 Update 1

If it helps, the ESET online scanner is running at the moment and has detected a threat with a Java file, Java/Jshrink.A; will post the log when it's completed.

#15 RPMcMurphy (Malware Response Team)

Posted 04 January 2013 - 03:18 PM

OK, I'll have some further instructions for you once I see that log.





