
Windows 7 BSOD ataport.sys 0x0000008e


This topic is locked
24 replies to this topic

#1 Nightfyre776

Posted 09 February 2013 - 02:37 PM

Hello all,

 

Last night my daughter was on her laptop, which she was given by a friend about 4 months ago. Until last night it was working fine. When she tried to get on it this morning it would start up fine and run for a bit, then after about 5-10 minutes she would get the BSOD. This is what the stop code read: 0x0000008e (0xc0000005, 0x833c9487, 0xb6265754, 0x00000000)

ataport.sys - address 833c9487 base at 833c3000, date stamp 4c3788e8

 

 

I ran FRST and have a log of it, which I acquired from reading elsewhere in the forums. I will post it upon request. The computer is needed ASAP as it has a lot of her papers for school saved on it.

 

Thanks in advance!

 

 





#2 CatByte (Malware Response Team)

Posted 11 February 2013 - 03:54 PM

Please post the FRST log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Nightfyre776 (Topic Starter)

Posted 12 February 2013 - 09:02 AM

I will post ASAP when I get off work.

#4 Nightfyre776 (Topic Starter)

Posted 12 February 2013 - 05:54 PM

Here is the FRST report you asked for.

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 06-02-2013
Ran by SYSTEM at 09-02-2013 11:25:06
Running from G:\
Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1348904 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM\...\Run: [lxeamon.exe] "C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe" [770728 2011-01-23] ()
HKLM\...\Run: [EzPrint] "C:\Program Files\Lexmark S300-S400 Series\ezprint.exe" [148280 2011-01-23] ()
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS6ServiceManager] "C:\Program Files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM\...\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide [205336 2011-11-11] (Logitech Inc.)
HKU\Cricket\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet [6595928 2012-05-25] (Yahoo! Inc.)
HKU\Cricket\...\Run: [AdobeBridge]  [x]
HKU\Cricket\...\Run: [Logitech Vid] "C:\Program Files\Logitech\Vid HD\Vid.exe" -bootmode [5915480 2010-10-29] (Logitech Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.0.313\SSScheduler.exe (McAfee, Inc.)

==================== Services (Whitelisted) ===================

2 lxeaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe [193192 2010-04-14] (Lexmark International, Inc.)
2 lxea_device; C:\Windows\system32\lxeacoms.exe -service [598696 2010-04-14] ( )
3 McComponentHostService; "C:\Program Files\McAfee Security Scan\3.0.313\McCHSvc.exe" [234776 2012-10-26] (McAfee, Inc.)
3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [115608 2013-02-05] (Mozilla Foundation)
2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-17] (Logitech Inc.)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

==================== Drivers (Whitelisted) ====================

0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-02-09 10:55 - 2013-02-09 10:55 - 00146048 ____A C:\Windows\Minidump\020913-21465-01.dmp
2013-02-09 10:41 - 2013-02-09 10:42 - 00146048 ____A C:\Windows\Minidump\020913-25786-01.dmp
2013-02-09 10:20 - 2013-02-09 10:55 - 202960353 ____A C:\Windows\MEMORY.DMP
2013-02-09 10:20 - 2013-02-09 10:20 - 00146048 ____A C:\Windows\Minidump\020913-24492-01.dmp
2013-02-09 01:24 - 2013-02-09 01:24 - 00146048 ____A C:\Windows\Minidump\020913-21387-01.dmp
2013-02-09 01:13 - 2013-02-09 01:13 - 00146048 ____A C:\Windows\Minidump\020913-13852-01.dmp
2013-02-09 01:09 - 2013-02-09 10:55 - 00000000 ____D C:\Windows\Minidump
2013-02-09 01:09 - 2013-02-09 01:09 - 00146048 ____A C:\Windows\Minidump\020913-16910-01.dmp
2013-02-05 23:28 - 2013-02-05 23:30 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-01-30 22:41 - 2013-01-30 22:41 - 00002004 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk


==================== One Month Modified Files and Folders ========

2013-02-09 11:25 - 2013-02-09 11:25 - 00000000 ____D C:\FRST
2013-02-09 11:20 - 2012-09-15 10:14 - 00034154 ____A C:\Users\All Users\lxeascan.log
2013-02-09 11:20 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-02-09 11:20 - 2009-07-13 20:39 - 00055178 ____A C:\Windows\setupact.log
2013-02-09 11:20 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles
2013-02-09 11:05 - 2012-08-05 16:50 - 01555231 ____A C:\Windows\WindowsUpdate.log
2013-02-09 10:55 - 2013-02-09 10:55 - 00146048 ____A C:\Windows\Minidump\020913-21465-01.dmp
2013-02-09 10:55 - 2013-02-09 10:20 - 202960353 ____A C:\Windows\MEMORY.DMP
2013-02-09 10:55 - 2013-02-09 01:09 - 00000000 ____D C:\Windows\Minidump
2013-02-09 10:46 - 2012-08-05 18:32 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-02-09 10:42 - 2013-02-09 10:41 - 00146048 ____A C:\Windows\Minidump\020913-25786-01.dmp
2013-02-09 10:20 - 2013-02-09 10:20 - 00146048 ____A C:\Windows\Minidump\020913-24492-01.dmp
2013-02-09 10:14 - 2012-08-05 17:03 - 00000000 ____D C:\users\Cricket
2013-02-09 10:13 - 2012-11-13 22:34 - 00000000 ____D C:\Users\All Users\McAfee Security Scan
2013-02-09 10:13 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2013-02-09 10:13 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-02-09 10:13 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2013-02-09 10:13 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2013-02-09 02:49 - 2009-07-13 20:34 - 00021248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-02-09 02:49 - 2009-07-13 20:34 - 00021248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-02-09 01:24 - 2013-02-09 01:24 - 00146048 ____A C:\Windows\Minidump\020913-21387-01.dmp
2013-02-09 01:13 - 2013-02-09 01:13 - 00146048 ____A C:\Windows\Minidump\020913-13852-01.dmp
2013-02-09 01:09 - 2013-02-09 01:09 - 00146048 ____A C:\Windows\Minidump\020913-16910-01.dmp
2013-02-07 10:31 - 2012-08-05 17:33 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-02-05 23:30 - 2013-02-05 23:28 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-01-30 22:41 - 2013-01-30 22:41 - 00002004 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2013-01-30 22:40 - 2012-11-13 22:34 - 00000000 ____D C:\Program Files\McAfee Security Scan
2013-01-30 02:53 - 2012-08-05 17:37 - 00232336 ____A (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-01-28 15:51 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2013-01-24 11:15 - 2012-10-03 21:53 - 00001596 ____A C:\Users\All Users\lxea.log
2013-01-18 23:26 - 2012-09-15 10:17 - 00000000 ____D C:\Users\All Users\Lx_cats

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-01-11 18:54:44
Restore point made on: 2013-01-15 17:10:28
Restore point made on: 2013-01-18 21:55:59
Restore point made on: 2013-01-22 18:23:37
Restore point made on: 2013-01-26 12:28:28
Restore point made on: 2013-01-29 20:50:15
Restore point made on: 2013-02-02 23:12:08
Restore point made on: 2013-02-07 10:42:38

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 1916 MB
Available physical RAM: 1526.48 MB
Total Pagefile: 1916 MB
Available Pagefile: 1523.7 MB
Total Virtual: 2047.88 MB
Available Virtual: 1949.93 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:148.95 GB) (Free:102.42 GB) NTFS
4 Drive g: () (Removable) (Total:3.73 GB) (Free:3.7 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          149 GB      0 B         
  Disk 1    No Media           0 B      0 B         
  Disk 2    Online         3824 MB      0 B         

Partitions of Disk 0:
===============

Disk ID: 84B9FA84

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            100 MB  1024 KB
  Partition 2    Primary            148 GB   101 MB

=========================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   System Rese  NTFS   Partition    100 MB  Healthy            

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    148 GB  Healthy            

=========================================================

Partitions of Disk 2:
===============

Disk ID: C3072E18

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3823 MB   4096 B

=========================================================

Disk: 2
Partition 1
Type  : 0B
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4     G                FAT32  Removable   3823 MB  Healthy            

=========================================================

Last Boot: 2013-02-03 00:37

==================== End Of Log ============================



#5 CatByte (Malware Response Team)

Posted 12 February 2013 - 06:24 PM

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt
start
TDL4: custom:26000022
end
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.



NEXT
  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
  • Next click on the ShortcutsFix
  • Another report will be created on your desktop.
  • Please post: All RKreport.txt text files located on your desktop.







#6 Nightfyre776 (Topic Starter)

Posted 12 February 2013 - 09:27 PM

Every time I try to run RogueKiller I get the BSOD and it restarts the computer before I can finish. I tried to do it in "safe mode" to see if it works that way, and it did. Here are the reports:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 06-02-2013
Ran by SYSTEM at 2013-02-12 18:08:04 Run:3
Running from G:\

==============================================


The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

 

 

 

RogueKiller V8.5.1 [Feb 12 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Safe mode with network support
User : Cricket [Admin rights]
Mode : Scan -- Date : 02/12/2013 18:18:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600BEVS-26VAT0 ATA Device +++++
--- User ---
[MBR] bfbb8ced862a849f225e719786e900bd
[BSP] 7a9881afa5b269410f0677365cee36db : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 152525 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 537b2030ed269f4ff74542498cb27a4b
[BSP] 7a9881afa5b269410f0677365cee36db : Windows 7/8 MBR Code
Partition table:
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 152525 Mo

+++++ PhysicalDrive1: SMI USB DISK USB Device +++++
--- User ---
[MBR] 188d862bd3024f199048a22bc714dfe2
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8 | Size: 3823 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_02122013_02d1818.txt >>
RKreport[1]_S_02122013_02d1818.txt


 

 

RogueKiller V8.5.1 [Feb 12 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Safe mode with network support
User : Cricket [Admin rights]
Mode : Remove -- Date : 02/12/2013 18:19:16
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600BEVS-26VAT0 ATA Device +++++
--- User ---
[MBR] bfbb8ced862a849f225e719786e900bd
[BSP] 7a9881afa5b269410f0677365cee36db : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 152525 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 537b2030ed269f4ff74542498cb27a4b
[BSP] 7a9881afa5b269410f0677365cee36db : Windows 7/8 MBR Code
Partition table:
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 152525 Mo

+++++ PhysicalDrive1: SMI USB DISK USB Device +++++
--- User ---
[MBR] 188d862bd3024f199048a22bc714dfe2
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8 | Size: 3823 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_02122013_02d1819.txt >>
RKreport[1]_S_02122013_02d1818.txt ; RKreport[2]_D_02122013_02d1819.txt

 

 

 

 

RogueKiller V8.5.1 [Feb 12 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Safe mode with network support
User : Cricket [Admin rights]
Mode : Shortcuts HJfix -- Date : 02/12/2013 18:23:30
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 1 / Fail 0
Quick launch: Success 1 / Fail 0
Programs: Success 8 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 73 / Fail 0
My documents: Success 2 / Fail 2
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 29 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\HarddiskVolume4 -- 0x2 --> Restored
[F:] \Device\HarddiskVolume3 -- 0x2 --> Restored

Finished : << RKreport[3]_SC_02122013_02d1823.txt >>
RKreport[1]_S_02122013_02d1818.txt ; RKreport[2]_D_02122013_02d1819.txt ; RKreport[3]_SC_02122013_02d1823.txt
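The RogueKiller MBR check above reads each disk's first sector through the ordinary disk API ("User") and through lower-level methods ("LL1", "LL2"); "User != LL2 ... KO!" on PhysicalDrive0 means the sector differs depending on the read path, which is what a bootkit filtering disk I/O produces and what the FRST warning "Check for MBR/Partition infection" was pointing at. As an added example (not part of this post or of RogueKiller), the Python script below parses that section, compares the views itself and reports what differs; the sample text is assembled from the lines posted above, and the SUSPECT/INFO finding format is my own.

```python
"""Re-derive RogueKiller's MBR verdict from the text of its "MBR Check" section.
Added example for this thread (not RogueKiller's code); SAMPLE_REPORT is built
from the lines posted above. An MBR whose hash depends on the read path (disk API
"User" vs lower-level "LL1"/"LL2") is the classic sign of a bootkit filtering I/O."""
import re
from dataclasses import dataclass, field
SAMPLE_REPORT = """\
+++++ PhysicalDrive0: WDC WD1600BEVS-26VAT0 ATA Device +++++
--- User ---
[MBR] bfbb8ced862a849f225e719786e900bd
[BSP] 7a9881afa5b269410f0677365cee36db : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 152525 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 537b2030ed269f4ff74542498cb27a4b
[BSP] 7a9881afa5b269410f0677365cee36db : Windows 7/8 MBR Code
Partition table:
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 152525 Mo

+++++ PhysicalDrive1: SMI USB DISK USB Device +++++
--- User ---
[MBR] 188d862bd3024f199048a22bc714dfe2
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8 | Size: 3823 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
"""

DRIVE_RE = re.compile(r"^\+{5} (PhysicalDrive\d+): .*? \+{5}$")
VIEW_RE = re.compile(r"^--- (\w+) ---$")
MBR_RE = re.compile(r"^\[MBR\] ([0-9a-f]{32})$")
BSP_RE = re.compile(r"^\[BSP\] ([0-9a-f]{32}) : (.*)$")
PART_RE = re.compile(r"^\d+ - \[(\w+)\] (\S+) \((0x[0-9a-fA-F]+)\) \[\w+\] "
                     r"Offset \(sectors\): (\d+) \| Size: (\d+) Mo$")
VERDICT_RE = re.compile(r"^User (?:=|!=) (\w+) \.\.\. (OK|KO)!$")
READERR_RE = re.compile(r"^Error reading (\w+) MBR!$")

@dataclass
class MbrView:
    mbr_hash: str = ""  # hash of the whole sector as read through this path
    bsp_hash: str = ""  # hash RogueKiller matches against known boot code
    # (offset, size_mb, fs, type, flag); RogueKiller's per-view index is dropped
    partitions: list = field(default_factory=list)

@dataclass
class Drive:
    name: str
    views: dict = field(default_factory=dict)          # "User", "LL2", ...
    tool_verdicts: dict = field(default_factory=dict)  # e.g. "LL2" -> "KO"
    read_errors: list = field(default_factory=list)    # paths that failed to read

def parse_mbr_check(text):
    drives, drive, view = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DRIVE_RE.match(line):
            drive = Drive(m.group(1))
            drives.append(drive)
            view = None
        elif drive is None:
            continue  # preamble before the first drive block
        elif m := VIEW_RE.match(line):
            view = drive.views.setdefault(m.group(1), MbrView())
        elif m := VERDICT_RE.match(line):
            drive.tool_verdicts[m.group(1)] = m.group(2)
        elif m := READERR_RE.match(line):
            drive.read_errors.append(m.group(1))
        elif view and (m := MBR_RE.match(line)):
            view.mbr_hash = m.group(1)
        elif view and (m := BSP_RE.match(line)):
            view.bsp_hash = m.group(1)
        elif view and (m := PART_RE.match(line)):
            flag, fs, ptype, off, size = m.groups()
            view.partitions.append((int(off), int(size), fs, ptype.lower(), flag))
    return drives

def assess(drive):
    """Compare each lower-level view with the User view; [] means consistent."""
    user = drive.views.get("User")
    if user is None:
        return ["ERROR: no User view in report"]
    findings = []
    for name, other in drive.views.items():
        if name == "User" or other.mbr_hash == user.mbr_hash:
            continue
        table = "identical" if sorted(user.partitions) == sorted(other.partitions) else "different"
        code = "identical" if user.bsp_hash == other.bsp_hash else "different"
        findings.append(
            f"SUSPECT: MBR hash differs between User and {name} read (partition table "
            f"{table}, boot-code signature {code}, RogueKiller says "
            f"{drive.tool_verdicts.get(name, 'n/a')})")
    for name in drive.read_errors:
        findings.append(f"INFO: {name} read failed (inconclusive)")
    return findings
```

On PhysicalDrive0 it reports the hash mismatch with the partition table and boot-code signature identical in both views, so the change sits elsewhere in the sector; on the USB stick it reports only that LL2 could not be read.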


 



#7 CatByte (Malware Response Team)

Posted 12 February 2013 - 09:32 PM

Please run the following:

Refer to the ComboFix User's Guide
  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ------------------------------------------------------------------------------------------
  • NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Edited by CatByte, 13 February 2013 - 05:28 PM.



#8 Nightfyre776 (Topic Starter)

Posted 12 February 2013 - 11:21 PM

ComboFix 13-02-12.01 - Cricket 02/12/2013  19:56:17.2.1 - x86 NETWORK
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.1916.703 [GMT -8:00]
Running from: c:\users\Cricket\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-13 to 2013-02-13  )))))))))))))))))))))))))))))))
.
.
2013-02-13 04:04 . 2013-02-13 04:04    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-02-13 03:45 . 2013-02-13 04:04    --------    d-----w-    c:\users\Cricket\AppData\Local\temp
2013-02-13 02:11 . 2013-02-13 02:17    15616    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2013-02-09 19:25 . 2013-02-09 19:25    --------    d-----w-    C:\FRST
2013-02-09 18:14 . 2013-01-08 04:57    6991832    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5DC566F8-B3D2-46DD-9204-A1C02FEB0844}\mpengine.dll
2013-02-04 18:22 . 2013-01-08 04:57    6991832    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-30 10:53 . 2012-08-06 01:37    232336    ----a-w-    c:\windows\system32\MpSigStub.exe
2013-01-08 22:46 . 2012-08-06 02:32    74248    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-08 22:46 . 2012-08-06 02:32    697864    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2012-11-29 06:43 . 2012-11-29 06:44    740840    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{094EFF7E-5396-451B-BCEF-5211270A7D85}\gapaengine.dll
2013-02-06 07:30 . 2013-02-06 07:28    262552    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-25 6595928]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 172568]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"lxeamon.exe"="c:\program files\Lexmark S300-S400 Series\lxeamon.exe" [2011-01-24 770728]
"EzPrint"="c:\program files\Lexmark S300-S400 Series\ezprint.exe" [2011-01-24 148280]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.313\SSScheduler.exe [2012-10-26 271808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe [x]
R2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe [x]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.313\McCHSvc.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-06 22:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://http://www.yahoo.com/?ilc=8.yahoo.com
mStart Page = hxxp://http://www.yahoo.com/?ilc=8.yahoo.com
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Cricket\AppData\Roaming\Mozilla\Firefox\Profiles\rtt6k6es.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=mkg030&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2896)
c:\windows\system32\NetworkExplorer.dll
.
Completion time: 2013-02-12  20:06:35
ComboFix-quarantined-files.txt  2013-02-13 04:06
ComboFix2.txt  2013-02-13 03:45
.
Pre-Run: 109,945,647,104 bytes free
Post-Run: 110,042,988,544 bytes free
.
- - End Of File - - E8C14CDC35D56B775C802AACCA97C9B6
 



#9 CatByte (Malware Response Team)

Posted 13 February 2013 - 05:29 PM

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-click JRT.exe and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

NEXT

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete.
  • Once done it will ask to reboot; allow the reboot.
  • On reboot a log will be produced; please attach the content of the log to your next reply.

NEXT

Please open your Malwarebytes Anti-Malware program.
  • Click the Update tab and search for updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings; ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan.
  • Wait for the scan to finish.
  • When the scan completes, press the LIST OF THREATS FOUND button.
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop.
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 Nightfyre776
  • Topic Starter
  • Members
  • 23 posts

Posted 13 February 2013 - 11:13 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.3 (02.12.2013:1)
OS: Windows 7 Ultimate x86
Ran by Cricket on Wed 02/13/2013 at 17:58:23.48
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}
Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\S-1-5-21-1792320014-1144063567-267912352-1000\software\microsoft\internet explorer\searchscopes\\DefaultScope



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_classes_root\yt.ytnavassistplugin
Successfully deleted: [Registry Key] hkey_classes_root\yt.ytnavassistplugin.1
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{02478d38-c3f9-4efb-9b51-7695eca05670}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{02478d38-c3f9-4efb-9b51-7695eca05670}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{1be04434-6b9f-48c8-8675-94c640d5b293}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{3bd44f0e-0596-4008-aee0-45d47e3a8f0e}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}



~~~ Files

Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npcouponprinter.dll"
Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npmozcouponprinter.dll"



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\blekko toolbars"
Successfully deleted: [Folder] "C:\ProgramData\tarma installer"
Successfully deleted: [Folder] "C:\Program Files\coupons"



~~~ FireFox

Successfully deleted: [File] C:\Users\Cricket\AppData\Roaming\mozilla\firefox\profiles\rtt6k6es.default\user.js
Successfully deleted the following from C:\Users\Cricket\AppData\Roaming\mozilla\firefox\profiles\rtt6k6es.default\prefs.js

user_pref("browser.search.order.1", "blekko");
Emptied folder: C:\Users\Cricket\AppData\Roaming\mozilla\firefox\profiles\rtt6k6es.default\minidumps [115 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 02/13/2013 at 18:16:50.34
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# AdwCleaner v2.112 - Logfile created 02/13/2013 at 18:20:27
# Updated 10/02/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Cricket - CRICKET-PC
# Boot Mode : Safe mode with networking
# Running from : C:\Users\Cricket\Downloads\adwcleaner0.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16447

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.2 (en-US)

File : C:\Users\Cricket\AppData\Roaming\Mozilla\Firefox\Profiles\rtt6k6es.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1119 octets] - [13/02/2013 18:20:27]

########## EOF - C:\AdwCleaner[S1].txt - [1179 octets] ##########
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.14.01

Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Cricket :: CRICKET-PC [administrator]

2/13/2013 6:31:24 PM
mbam-log-2013-02-13 (18-31-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196520
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\F043.tmp.vir    a variant of Win32/Kryptik.AUGP trojan
C:\Users\Cricket\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\69a14a1a-6d4d69aa    a variant of Java/Exploit.CVE-2012-5076.L trojan
C:\Users\Cricket\Desktop\flash drive\Downloads\ARO2011_tbt.exe    a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Cricket\Desktop\flash drive\Downloads\tinyword.exe    probably a variant of Win32/InstallIQ application
C:\Users\Cricket\Desktop\flash drive\FD2\flash drive\frostwire-5.3.2.windows.exe    multiple threats
C:\Users\Cricket\Desktop\flash drive\FD2\flash drive\SetupImgBurn_2.5.7.0.exe    a variant of Win32/Bundled.Toolbar.Ask application

#11 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 15 February 2013 - 07:15 AM

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Copy/paste the text inside the Codebox below into Notepad:

    Here's how to do that:
    Click Start > Run, type Notepad, click OK.
    This will open an empty Notepad file.

    Copy all the text inside of the code box - press Ctrl+C (or right-click on the highlighted section and choose 'copy'):

    File::
    C:\Users\Cricket\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\69a14a1a-6d4d69aa
    C:\Users\Cricket\Desktop\flash drive\Downloads\ARO2011_tbt.exe
    C:\Users\Cricket\Desktop\flash drive\Downloads\tinyword.exe
    C:\Users\Cricket\Desktop\flash drive\FD2\flash drive\frostwire-5.3.2.windows.exe
    C:\Users\Cricket\Desktop\flash drive\FD2\flash drive\SetupImgBurn_2.5.7.0.exe

    Now paste the copied text into the open Notepad - press Ctrl+V (or right-click and choose 'paste').

    Save this file to your desktop. Save this as "CFScript".

    Here's how to do that:

    1. Click File;
    2. Click Save As... Change the directory to your desktop;
    3. Change the Save as type to "All Files";
    4. Type in the file name: CFScript
    5. Click Save...

    [Screenshot: CFScriptB-4.gif]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

NEXT

Please advise how the computer is running now and if there are any outstanding issues.

Edited by CatByte, 15 February 2013 - 07:18 AM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
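The script in the post above was built by hand from the ESET report posted earlier: each detected path was copied under a File:: header, and the entry already sitting in ComboFix's own quarantine folder (C:\Qoobox\Quarantine) was left out. As an added example, not code from this thread or from ComboFix's own documentation, the Python below does that same transformation: it parses ESET's exported lines (path, then the detection name, separated by a run of spaces) and emits the File:: block. The line format and the "skip anything already under C:\Qoobox\Quarantine" rule are assumptions inferred from the logs in this thread.

```python
import re
from typing import List, Tuple

# Constructed sample: the six ESET lines posted earlier in this thread, in the
# format the ESET online scanner's "export to text file" produced there.
ESET_REPORT = r"""
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\F043.tmp.vir    a variant of Win32/Kryptik.AUGP trojan
C:\Users\Cricket\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\69a14a1a-6d4d69aa    a variant of Java/Exploit.CVE-2012-5076.L trojan
C:\Users\Cricket\Desktop\flash drive\Downloads\ARO2011_tbt.exe    a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Cricket\Desktop\flash drive\Downloads\tinyword.exe    probably a variant of Win32/InstallIQ application
C:\Users\Cricket\Desktop\flash drive\FD2\flash drive\frostwire-5.3.2.windows.exe    multiple threats
C:\Users\Cricket\Desktop\flash drive\FD2\flash drive\SetupImgBurn_2.5.7.0.exe    a variant of Win32/Bundled.Toolbar.Ask application
"""

# Assumed line layout: a path, then at least two spaces, then the detection text.
# Paths may contain single spaces ("flash drive"), so a single space is not a separator.
ESET_LINE = re.compile(r"^(?P<path>\S.*?)\s{2,}(?P<detection>.+?)\s*$")

# Assumption from the thread: ComboFix keeps its quarantine under C:\Qoobox\Quarantine,
# and the hand-written script above omitted the one entry found there.
QUARANTINE_PREFIX = r"c:\qoobox\quarantine" + "\\"


def parse_eset_report(text: str) -> List[Tuple[str, str]]:
    """Return (path, detection) pairs for every non-empty line of an ESET export."""
    items: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ESET_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET report line: {line!r}")
        items.append((m.group("path"), m.group("detection")))
    return items


def is_already_quarantined(path: str) -> bool:
    """True when the file is already inside ComboFix's quarantine folder."""
    return path.lower().startswith(QUARANTINE_PREFIX)


def build_cfscript(items: List[Tuple[str, str]]) -> str:
    """Emit a CFScript File:: block listing every path not already quarantined.

    Returns an empty string when nothing is left to list, so the caller does not
    hand ComboFix an empty File:: section.
    """
    paths = [path for path, _ in items if not is_already_quarantined(path)]
    if not paths:
        return ""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    detections = parse_eset_report(ESET_REPORT)
    for path, detection in detections:
        flag = "skip (in quarantine)" if is_already_quarantined(path) else "list"
        print(f"{flag:22} {detection:50} {path}")
    print()
    print(build_cfscript(detections), end="")
```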


#12 Nightfyre776
  • Topic Starter
  • Members
  • 23 posts

Posted 15 February 2013 - 10:52 PM

ComboFix 13-02-15.01 - Cricket 02/15/2013  19:26:10.3.1 - x86 NETWORK
Running from: c:\users\Cricket\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-16 to 2013-02-16  )))))))))))))))))))))))))))))))
.
.
2013-02-13 02:11 . 2013-02-13 02:17    15616    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2013-02-09 19:25 . 2013-02-09 19:25    --------    d-----w-    C:\FRST
2013-02-09 18:14 . 2013-01-08 04:57    6991832    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-30 10:53 . 2012-08-06 01:37    232336    ----a-w-    c:\windows\system32\MpSigStub.exe
2013-01-08 22:46 . 2012-08-06 02:32    74248    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-08 22:46 . 2012-08-06 02:32    697864    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2012-11-29 06:43 . 2012-11-29 06:44    740840    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{094EFF7E-5396-451B-BCEF-5211270A7D85}\gapaengine.dll
2013-02-06 07:30 . 2013-02-06 07:28    262552    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-25 6595928]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 172568]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"lxeamon.exe"="c:\program files\Lexmark S300-S400 Series\lxeamon.exe" [2011-01-24 770728]
"EzPrint"="c:\program files\Lexmark S300-S400 Series\ezprint.exe" [2011-01-24 148280]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-11-11 205336]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.313\SSScheduler.exe [2012-10-26 271808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe [x]
R2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe [x]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.313\McCHSvc.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-06 22:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://http://www.yahoo.com/?ilc=8.yahoo.com
mStart Page = hxxp://http://www.yahoo.com/?ilc=8.yahoo.com
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Cricket\AppData\Roaming\Mozilla\Firefox\Profiles\rtt6k6es.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=mkg030&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Coupon Printer for Windows5.0.0.1 - c:\program files\Coupons\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3884)
c:\windows\system32\NetworkExplorer.dll
.
Completion time: 2013-02-15  19:35:52
ComboFix-quarantined-files.txt  2013-02-16 03:35
ComboFix2.txt  2013-02-13 04:06
ComboFix3.txt  2013-02-13 03:45
.
Pre-Run: 110,372,454,400 bytes free
Post-Run: 110,320,676,864 bytes free
.
- - End Of File - - 3C5D1D85648BD696C5C38CE97B5E5734

#13 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 16 February 2013 - 08:13 AM

The header of that log isn't showing that it was run from the script.

Can you please confirm that the script was successfully dropped onto the ComboFix icon before the run?


How is the computer running now? Are there any outstanding issues?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 Nightfyre776
  • Topic Starter
  • Members
  • 23 posts

Posted 16 February 2013 - 10:50 AM

I followed the instructions you gave. When I went to drop the script onto ComboFix, it automatically started to run, so I'm guessing it didn't work right lol. As for running, still have BSOD.

Tommy

#15 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 16 February 2013 - 12:24 PM

Please re-run FRST and post a new log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
