Virus found i need help please


29 replies to this topic

#1 djnando


  • Members
  • 25 posts

Posted 01 March 2013 - 01:53 AM

I have taken the computer in to repairs; they couldn't fix it. I have tried every program and combination with no luck and have clean reinstalled many times, and it keeps coming back. Here are some logs. Attached file: aswMBR.txt

 

Mod Edit:  Pasted log into topic, removed attachment - Hamluis.

 

ComboFix 13-02-26.01 - Dj Beats L 02/28/2013   6:47.1.4 - x64
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.7990.6039 [GMT -6:00]
Running from: c:\users\Dj Beats L\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system\fltr106.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-28 to 2013-02-28  )))))))))))))))))))))))))))))))
.
.
2013-02-28 12:52 . 2013-02-28 12:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-28 11:01 . 2009-01-15 01:31 313344 ----a-r- c:\windows\system32\CmiInstallResAll64.dll
2013-02-28 11:01 . 2009-01-15 01:32 524768 ----a-r- c:\windows\difxapi.dll
2013-02-28 10:59 . 2013-02-28 10:59 -------- d-----w- c:\program files\PlayReady
2013-02-28 10:50 . 2011-02-19 06:37 1135104 ----a-w- c:\windows\system32\FntCache.dll
2013-02-28 10:45 . 2013-02-28 10:45 -------- d-----w- c:\program files\Microsoft Silverlight
2013-02-28 10:45 . 2013-02-28 10:45 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2013-02-28 10:22 . 2013-02-05 04:49 70004024 ----a-w- c:\windows\system32\MRT.exe
2013-02-28 10:21 . 2013-02-28 10:21 -------- d-----w- c:\program files (x86)\MSXML 4.0
2013-02-28 09:32 . 2010-09-14 06:45 367104 ----a-w- c:\windows\system32\wcncsvc.dll
2013-02-28 09:32 . 2010-09-14 06:07 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
2013-02-28 09:28 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-02-28 09:28 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2013-02-28 09:28 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-02-28 09:28 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2013-02-28 09:24 . 2012-12-16 16:52 46080 ----a-w- c:\windows\system32\atmlib.dll
2013-02-28 09:24 . 2012-12-16 14:25 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2013-02-28 09:24 . 2012-12-16 14:40 367616 ----a-w- c:\windows\system32\atmfd.dll
2013-02-28 09:24 . 2012-12-16 14:25 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2013-02-28 09:23 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2013-02-28 09:23 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2013-02-28 09:23 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2013-02-28 09:23 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2013-02-28 09:23 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2013-02-28 09:23 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll
2013-02-28 09:23 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2013-02-28 09:21 . 2010-03-04 04:40 184832 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2013-02-28 09:21 . 2010-03-04 04:32 243712 ----a-w- c:\windows\system32\drivers\ks.sys
2013-02-28 09:11 . 2010-08-04 07:07 552960 ----a-w- c:\windows\system32\msdri.dll
2013-02-28 09:10 . 2012-11-22 10:32 801280 ----a-w- c:\windows\system32\usp10.dll
2013-02-28 09:09 . 2011-06-15 09:58 106496 ----a-w- c:\windows\system32\odbccu32.dll
2013-02-28 09:08 . 2011-07-09 02:44 287744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2013-02-28 09:08 . 2011-05-04 02:51 157696 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2013-02-28 09:08 . 2011-05-04 02:51 126464 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2013-02-28 09:08 . 2011-03-11 06:19 1395712 ----a-w- c:\windows\system32\mfc42.dll
2013-02-28 09:08 . 2011-03-11 06:19 1359872 ----a-w- c:\windows\system32\mfc42u.dll
2013-02-28 09:08 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\SysWow64\mfc42.dll
2013-02-28 09:08 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\SysWow64\mfc42u.dll
2013-02-28 09:06 . 2011-02-05 12:41 640896 ----a-w- c:\windows\system32\winload.efi
2013-02-28 08:49 . 2013-02-28 08:49 1085344 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-02-28 08:49 . 2013-02-28 08:49 108448 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2013-02-28 08:49 . 2013-02-28 08:49 -------- d-----w- c:\program files\Java
2013-02-28 08:43 . 2013-02-28 08:44 -------- d-----w- c:\windows\system32\appmgmt
2013-02-28 08:27 . 2013-02-28 08:27 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2013-02-28 08:27 . 2013-02-28 08:27 -------- d-----w- c:\program files\Microsoft Help Viewer
2013-02-28 08:19 . 2013-02-28 08:19 -------- d-----w- c:\program files\Debugging Tools for Windows (x64)
2013-02-28 08:19 . 2013-02-28 08:19 -------- d-----w- c:\program files (x86)\Application Verifier
2013-02-28 08:19 . 2013-02-28 08:19 -------- d-----w- c:\program files\Application Verifier (x64)
2013-02-28 08:15 . 2013-02-28 08:15 -------- d-----w- c:\program files\Microsoft SDKs
2013-02-28 07:24 . 2012-05-05 07:44 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2013-02-28 07:24 . 2012-05-05 08:30 503808 ----a-w- c:\windows\system32\srcore.dll
2013-02-28 07:23 . 2009-09-11 03:29 41472 ----a-w- c:\windows\system32\drivers\winusb.sys
2013-02-28 05:14 . 2013-02-28 05:14 -------- d-----w- c:\program files\ATI Technologies
2013-02-28 04:02 . 2013-02-28 04:02 -------- d-----w- c:\users\Administrator
2013-02-28 03:45 . 2013-02-28 03:45 -------- d-----w- c:\programdata\{9BF4D58B-C6D6-467B-BC5A-FD0C1278F4AF}
2013-02-28 03:34 . 2013-02-28 03:35 -------- d-----w- c:\program files\WinRAR
2013-02-28 03:18 . 2013-02-28 03:18 972264 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8B8B3152-2545-4A81-B9A8-18A181B0FAC0}\gapaengine.dll
2013-02-28 03:18 . 2013-02-07 22:28 9162192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{32C24A6C-6F63-4A98-91C7-2C3B038B2258}\mpengine.dll
2013-02-28 03:09 . 2013-02-28 03:09 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2013-02-28 03:09 . 2013-02-28 03:09 -------- d-----w- c:\program files\Microsoft Security Client
2013-02-28 03:07 . 2013-02-28 03:07 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-02-28 03:06 . 2013-02-28 03:06 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-02-28 03:06 . 2013-02-28 03:06 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-02-28 03:06 . 2013-02-28 03:06 -------- d-----w- c:\program files (x86)\Java
2013-02-28 03:01 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2013-02-28 03:01 . 2013-02-28 03:01 -------- d-----w- c:\programdata\McAfee
2013-02-27 22:29 . 2013-02-27 22:29 -------- d-----w- c:\windows\SysWow64\Wat
2013-02-27 22:29 . 2013-02-27 22:29 -------- d-----w- c:\windows\system32\Wat
2013-02-27 22:29 . 2013-02-27 22:29 -------- d-sh--w- c:\windows\BitLockerDiscoveryVolumeContents
2013-02-27 22:29 . 2013-02-27 22:29 -------- d-----w- c:\windows\RemotePackages
2013-02-27 20:16 . 2012-03-01 06:54 22896 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-02-27 20:16 . 2012-03-01 06:40 80896 ----a-w- c:\windows\system32\imagehlp.dll
2013-02-27 20:16 . 2012-03-01 06:35 5120 ----a-w- c:\windows\system32\wmi.dll
2013-02-27 20:16 . 2012-03-01 05:45 158720 ----a-w- c:\windows\SysWow64\imagehlp.dll
2013-02-27 20:16 . 2012-03-01 05:40 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2013-02-27 19:58 . 2013-02-27 19:58 -------- d-----w- c:\programdata\ATI
2013-02-27 19:51 . 2013-02-27 19:51 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-02-27 19:51 . 2013-02-27 19:51 265088 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-02-27 19:51 . 2013-02-27 19:51 229888 ----a-w- c:\windows\system32\XpsRasterService.dll
2013-02-27 19:51 . 2013-02-27 19:51 1863680 ----a-w- c:\windows\system32\ExplorerFrame.dll
2013-02-27 19:51 . 2013-02-27 19:51 1495040 ----a-w- c:\windows\SysWow64\ExplorerFrame.dll
2013-02-27 19:51 . 2013-02-27 19:51 144384 ----a-w- c:\windows\system32\cdd.dll
2013-02-27 19:51 . 2013-02-27 19:51 135168 ----a-w- c:\windows\SysWow64\XpsRasterService.dll
2013-02-27 19:50 . 2013-02-28 10:47 -------- d-----w- c:\program files (x86)\Microsoft
2013-02-27 19:44 . 2013-02-28 02:53 -------- d-----w- c:\programdata\Norton
2013-02-27 19:44 . 2009-11-25 18:47 99176 ----a-w- c:\windows\SysWow64\PresentationHostProxy.dll
2013-02-27 19:44 . 2009-11-25 18:47 49472 ----a-w- c:\windows\SysWow64\netfxperf.dll
2013-02-27 19:44 . 2009-11-25 18:47 48960 ----a-w- c:\windows\system32\netfxperf.dll
2013-02-27 19:44 . 2009-11-25 18:47 297808 ----a-w- c:\windows\SysWow64\mscoree.dll
2013-02-27 19:44 . 2009-11-25 18:47 295264 ----a-w- c:\windows\SysWow64\PresentationHost.exe
2013-02-27 19:44 . 2009-11-25 18:47 1130824 ----a-w- c:\windows\SysWow64\dfshim.dll
2013-02-27 19:44 . 2009-11-25 18:47 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2013-02-27 19:44 . 2009-11-25 18:47 444752 ----a-w- c:\windows\system32\mscoree.dll
2013-02-27 19:44 . 2009-11-25 18:47 320352 ----a-w- c:\windows\system32\PresentationHost.exe
2013-02-27 19:44 . 2009-11-25 18:47 1942856 ----a-w- c:\windows\system32\dfshim.dll
2013-02-27 19:43 . 2013-02-27 19:43 -------- d-----w- c:\programdata\Uninstall
2013-02-27 19:43 . 2013-02-27 19:43 -------- d-----w- c:\programdata\Sonic
2013-02-27 19:43 . 2013-02-27 19:43 -------- d-----w- c:\program files (x86)\Common Files\Roxio Shared
2013-02-27 19:43 . 2013-02-27 19:43 -------- d-----w- c:\programdata\Macrovision
2013-02-27 19:43 . 2013-02-27 19:43 -------- d-----w- c:\program files (x86)\Microsoft WSE
2013-02-27 19:42 . 2013-02-27 19:02 -------- d-----w- c:\programdata\RoxioNow
2013-02-27 19:42 . 2013-02-27 19:42 -------- d-----w- c:\program files (x86)\Roxio
2013-02-27 19:41 . 2013-01-05 05:57 5500776 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-27 19:41 . 2013-01-05 05:02 3957608 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-02-27 19:41 . 2013-01-05 05:02 3902312 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-02-27 19:40 . 2013-01-04 05:41 1893224 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-02-27 19:40 . 2013-01-04 05:40 287576 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2013-02-27 19:40 . 2013-02-27 19:40 -------- d-----w- c:\users\Default\AppData\Local\HuluDesktop
2013-02-27 19:38 . 2012-11-09 05:34 751104 ----a-w- c:\windows\system32\win32spl.dll
2013-02-27 19:38 . 2012-11-09 04:49 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-02-27 19:38 . 2012-11-20 05:55 307200 ----a-w- c:\windows\system32\ncrypt.dll
2013-02-27 19:38 . 2012-11-20 05:10 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2013-02-27 19:37 . 2012-11-02 05:30 2001408 ----a-w- c:\windows\system32\msxml6.dll
2013-02-27 19:37 . 2012-11-02 05:30 1880064 ----a-w- c:\windows\system32\msxml3.dll
2013-02-27 19:37 . 2012-11-02 04:50 1388544 ----a-w- c:\windows\SysWow64\msxml6.dll
2013-02-27 19:37 . 2012-11-02 04:50 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2013-02-27 19:37 . 2012-11-09 05:34 2048 ----a-w- c:\windows\system32\tzres.dll
2013-02-27 19:37 . 2012-11-09 04:49 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2013-02-27 19:36 . 2012-11-02 05:27 478208 ----a-w- c:\windows\system32\dpnet.dll
2013-02-27 19:36 . 2012-11-02 04:48 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
2013-02-27 19:36 . 2012-09-06 17:38 295792 ----a-w- c:\windows\system32\drivers\volsnap.sys
2013-02-27 19:35 . 2012-09-25 22:39 95744 ----a-w- c:\windows\system32\synceng.dll
2013-02-27 19:35 . 2012-09-25 21:55 78336 ----a-w- c:\windows\SysWow64\synceng.dll
2013-02-27 19:35 . 2012-08-11 00:53 714752 ----a-w- c:\windows\system32\kerberos.dll
2013-02-27 19:35 . 2012-08-10 23:54 541184 ----a-w- c:\windows\SysWow64\kerberos.dll
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-28 08:49 . 2010-10-20 23:10 963488 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-28 03:06 . 2010-10-20 23:09 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-02-27 18:52 . 2010-06-24 18:33 19696 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-01-20 21:59 . 2013-01-20 21:59 230320 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-01-20 21:59 . 2013-01-20 21:59 130008 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-01-04 04:43 . 2013-02-27 19:39 44032 ----a-w- c:\windows\apppatch\acwow64.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2008-10-20 210208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-09-09 98304]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-09-29 584760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ    DPPassFilter scecli
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 CLKMSVC10_C6F09094;CyberLink Product - 2013/02/27 11:31;c:\program files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe [2010-09-21 245232]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-01-12 232992]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-24 344680]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 USBMULCD;USB Multi-Channel Audio Device Interface;c:\windows\system32\drivers\CM10664.sys [2009-09-30 1307648]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-02-27 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-04 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-09-09 203264]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2012-09-27 86528]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-07-21 103992]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-08-06 291896]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-14 30520]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-09-29 26680]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-09-11 399344]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-05-01 2533400]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-02-23 2192176]
S3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [2010-09-04 31088]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-05-01 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-27 151936]
S3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys [2010-07-28 10610400]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
*Deregistered* - CLKMDRV10_C6F09094
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\AutorunsDisabled\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-08-16 21:43 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-28 c:\windows\Tasks\HPCeeScheduleForDj Beats L.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
2013-02-27 c:\windows\Tasks\HPCeeScheduleForDJBEATSL-HP$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-07-23 487424]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-09-01 611896]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-28 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-28 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-28 415256]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences Pro\FencesMenu64.dll" [2010-09-16 464744]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-02-28  06:53:51
ComboFix-quarantined-files.txt  2013-02-28 12:53
.
Pre-Run: 645,072,150,528 bytes free
Post-Run: 645,636,599,808 bytes free
.
- - End Of File - - 2A53CF30CE7860A82EB3D81BA6AE8D5C


Edited by hamluis, 01 March 2013 - 07:19 AM.
Moved from Win 7 to Malware Removal Logs



#2 nasdaq


  • Malware Response Team
  • 38,779 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 March 2013 - 10:22 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.
 
  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • DDS.scr <- not recommended if you use Chrome to download this .scr file. Use the other options.
 
  • Double click on the DDS icon, allow it to run. 
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running. 
  • Notepad will open with the results. 
  • Follow the instructions that pop up for posting the results.
  • Please note:  You may have to disable any script protection running if the scan fails to run.
 
 
Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===
 
Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.
 
Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
Please post the logs and let me know if the problem persists.


#3 djnando

  • Topic Starter

  • Members
  • 25 posts

Posted 03 March 2013 - 05:52 PM

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16464
Run by DJ Music Mobile at 16:45:44 on 2013-03-03
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.7990.6149 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\vcsFPService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k WbioSvcGroup
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\DigitalPersona\Bin\DPAgent.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\DigitalPersona\Bin\DPAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\YCMMirage.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\makecab.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{4E131464-B1DB-4E36-A36C-F46E269F6EB6} : DHCPNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
LSA: Notification Packages =  DPPassFilter scecli
x64-mWinlogon: Userinit = C:\Windows\System32\userinit.exe,C:\Program Files (x86)\DigitalPersona\Bin\DPAgent.exe,
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background
x64-Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-STS: FencesShlExt Class - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences Pro\FencesMenu64.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-1-20 230320]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2013-3-1 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-9-9 203264]
R3 clwvd;HP Webcam Splitter;C:\Windows\System32\drivers\clwvd.sys [2010-9-3 31088]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-5-1 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2009-10-27 151936]
R3 intelkmd;intelkmd;C:\Windows\System32\drivers\igdpmd64.sys [2010-7-28 10610400]
S2 CLKMSVC10_C6F09094;CyberLink Product - 2013/03/01 12:14:46;C:\Program Files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe [2013-3-1 245232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-1-20 130008]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2013-3-1 232992]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-3-1 344680]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-3-2 59392]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
.
=============== Created Last 30 ================
.
2013-03-03 00:13:51 -------- d-----w- C:\Windows\System32\SPReview
2013-03-03 00:13:24 -------- d-----w- C:\Windows\System32\EventProviders
2013-03-03 00:10:59 91136 ----a-w- C:\Windows\SysWow64\dot3api.dll
2013-03-03 00:09:59 95232 ----a-w- C:\Windows\SysWow64\logagent.exe
2013-03-02 22:49:52 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
2013-03-02 22:49:21 1139200 ----a-w- C:\Windows\System32\FntCache.dll
2013-03-02 22:49:20 902656 ----a-w- C:\Windows\System32\d2d1.dll
2013-03-02 22:49:20 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2013-03-02 22:34:07 9162192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4F87A097-64F7-41ED-8198-77DB83462B95}\mpengine.dll
2013-03-02 22:29:34 996352 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-03-02 22:29:34 768000 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-03-02 22:28:49 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2013-03-02 22:28:47 -------- d-----w- C:\Program Files\Microsoft Security Client
2013-03-02 22:20:09 -------- d-----w- C:\Program Files\CCleaner
2013-03-02 22:07:50 -------- d-----w- C:\Windows\Panther
2013-03-02 22:03:14 -------- d-----w- C:\Windows\SysWow64\Wat
2013-03-02 22:03:14 -------- d-----w- C:\Windows\System32\Wat
2013-03-02 21:52:53 9728 ----a-w- C:\Windows\System32\Wdfres.dll
2013-03-02 21:52:53 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2013-03-02 21:52:53 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
2013-03-02 21:52:53 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2013-03-02 21:21:55 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
2013-03-02 21:21:55 46080 ----a-w- C:\Windows\System32\atmlib.dll
2013-03-02 21:21:55 367616 ----a-w- C:\Windows\System32\atmfd.dll
2013-03-02 21:21:55 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2013-03-02 21:21:55 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2013-03-02 21:21:55 100864 ----a-w- C:\Windows\System32\fontsub.dll
2013-03-02 21:21:28 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2013-03-02 21:21:28 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2013-03-02 21:21:27 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2013-03-02 21:21:27 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2013-03-02 21:21:27 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2013-03-02 21:21:27 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2013-03-02 21:21:27 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2013-03-02 21:12:06 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2013-03-02 21:12:06 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2013-03-02 21:12:06 5120 ----a-w- C:\Windows\System32\wmi.dll
2013-03-02 21:12:06 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2013-03-02 21:12:06 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2013-03-02 21:11:09 -------- d-----w- C:\Users\DJ Music Mobile\AppData\Local\WindowsUpdate
2013-03-02 20:33:15 -------- d-----w- C:\fb5de63b4bbd446cb8054943
2013-03-02 20:17:02 1659760 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-03-02 20:15:49 142336 ----a-w- C:\Windows\System32\poqexec.exe
2013-03-02 20:15:49 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
2013-03-02 20:15:45 2871808 ----a-w- C:\Windows\explorer.exe
2013-03-02 20:15:44 2616320 ----a-w- C:\Windows\SysWow64\explorer.exe
2013-03-02 20:15:41 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-03-02 20:15:41 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-03-02 20:15:34 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2013-03-02 20:15:34 850944 ----a-w- C:\Windows\SysWow64\sbe.dll
2013-03-02 20:15:34 642048 ----a-w- C:\Windows\SysWow64\CPFilters.dll
2013-03-02 20:15:34 259072 ----a-w- C:\Windows\System32\mpg2splt.ax
2013-03-02 20:15:34 199680 ----a-w- C:\Windows\SysWow64\mpg2splt.ax
2013-03-02 20:15:34 1118720 ----a-w- C:\Windows\System32\sbe.dll
2013-03-02 20:13:57 3153408 ----a-w- C:\Windows\System32\win32k.sys
2013-03-02 20:13:15 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-03-02 20:13:12 515584 ----a-w- C:\Windows\System32\timedate.cpl
2013-03-02 20:13:12 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2013-03-02 20:13:10 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2013-03-02 20:13:10 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2013-03-02 20:11:48 2002432 ----a-w- C:\Windows\System32\msxml6.dll
2013-03-02 20:10:25 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-03-02 20:09:50 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2013-03-02 20:08:45 95744 ----a-w- C:\Windows\System32\synceng.dll
2013-03-02 20:06:53 67072 ----a-w- C:\Windows\splwow64.exe
2013-03-02 20:06:53 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2013-03-02 20:06:40 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2013-03-02 20:06:40 1159680 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-03-02 20:06:39 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-03-02 20:06:39 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-03-02 20:06:39 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2013-03-02 20:06:39 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-03-02 20:06:32 77312 ----a-w- C:\Windows\System32\packager.dll
2013-03-02 20:06:32 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2013-03-01 22:14:02 -------- d-----w- C:\Program Files\Microsoft Windows Performance Toolkit
2013-03-01 22:13:28 -------- d-----w- C:\Program Files\Microsoft Help Viewer
2013-03-01 22:04:21 -------- d-----w- C:\Program Files\Debugging Tools for Windows (x64)
2013-03-01 22:03:24 -------- d-----w- C:\Program Files\Application Verifier (x64)
2013-03-01 22:03:24 -------- d-----w- C:\Program Files (x86)\Application Verifier
2013-03-01 21:35:42 -------- d-----w- C:\Program Files (x86)\Common Files\Microsoft
2013-03-01 21:35:23 -------- d-----w- C:\Program Files (x86)\Windows Kits
2013-03-01 20:48:17 -------- d-----w- C:\ProgramData\Package Cache
2013-03-01 20:27:57 -------- d-----w- C:\Program Files (x86)\HP Games
2013-03-01 20:27:55 -------- d-----w- C:\ProgramData\WildTangent
2013-03-01 20:27:05 -------- d-----w- C:\ProgramData\Norton
2013-03-01 20:26:35 -------- d-----w- C:\ProgramData\NortonInstaller
2013-03-01 20:26:09 -------- d-----w- C:\ProgramData\Uninstall
2013-03-01 20:25:46 -------- d-----w- C:\Program Files (x86)\Microsoft WSE
2013-03-01 20:22:31 -------- dc-h--w- C:\ProgramData\{05971B75-B620-4D64-9985-7971BEF763A2}
2013-03-01 20:22:29 -------- d-----w- C:\Program Files\Stardock
2013-03-01 20:12:15 0 ----a-w- C:\Windows\ativpsrm.bin
2013-03-01 20:11:09 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2013-03-01 20:10:59 -------- d-----w- C:\Windows\Hewlett-Packard
2013-03-01 20:10:11 -------- d-----w- C:\Windows\Driver Cache
2013-03-01 20:10:11 -------- d-----w- C:\Program Files (x86)\HP
2013-03-01 20:08:49 6656 ----a-w- C:\Windows\System32\bcmwlrc.dll
2013-03-01 20:08:48 -------- d-----w- C:\Program Files\Broadcom
2013-03-01 20:06:29 -------- d-----w- C:\Program Files\Validity Sensors
2013-03-01 20:06:12 540696 ----a-w- C:\Windows\System32\drivers\iaStor.sys
2013-03-01 20:05:54 -------- d-----w- C:\Program Files (x86)\Common Files\postureAgent
2013-03-01 20:05:33 -------- d-----w- C:\Program Files\Synaptics
2013-03-01 20:03:34 -------- d-----w- C:\Program Files\ATI
2013-03-01 20:03:32 -------- d-----w- C:\Program Files (x86)\ATI Technologies
2013-03-01 19:55:37 9162192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8538CC1A-E32A-4CA0-8DFA-7E40BAFA0909}\mpengine.dll
2013-03-01 19:55:37 273840 ------w- C:\Windows\System32\MpSigStub.exe
2013-03-01 19:55:23 -------- d-----w- C:\Windows\ehome
2013-03-01 19:49:09 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2013-03-01 19:49:09 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2013-03-01 19:49:09 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2013-03-01 19:43:21 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2013-03-01 19:43:11 99840 ----a-w- C:\Windows\System32\wudriver.dll
2013-03-01 19:42:58 36864 ----a-w- C:\Windows\System32\wuapp.exe
2013-03-01 19:42:58 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2013-03-01 19:35:16 -------- d-----w- C:\Users\DJ Music Mobile\AppData\Local\ATI
2013-03-01 19:34:16 -------- d-----w- C:\Users\DJ Music Mobile\AppData\Roaming\hpqLog
2013-03-01 19:34:14 -------- d-----w- C:\Users\DJ Music Mobile\AppData\Roaming\Stardock
2013-03-01 19:33:29 -------- d-----w- C:\Users\DJ Music Mobile\AppData\Local\RemEngine
2013-03-01 19:31:25 -------- d-----w- C:\Users\DJ Music Mobile\AppData\Local\Hewlett-Packard
2013-03-01 19:31:08 -------- d-----w- C:\Users\DJ Music Mobile\AppData\Local\Hewlett-Packard_Company
2013-03-01 19:30:08 -------- d-----w- C:\Users\DJ Music Mobile\AppData\Local\VirtualStore
.
==================== Find3M  ====================
.
2013-03-03 00:19:22 175616 ----a-w- C:\Windows\System32\msclmd.dll
2013-03-03 00:19:22 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2013-01-20 21:59:04 230320 ----a-w- C:\Windows\System32\drivers\MpFilter.sys
2013-01-20 21:59:04 130008 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2013-01-05 05:53:43 5553512 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-01-05 05:00:15 3967848 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:00:11 3913064 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-01-04 05:46:09 215040 ----a-w- C:\Windows\System32\winsrv.dll
2013-01-04 04:51:16 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-01-04 04:43:21 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2013-01-04 02:47:35 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-01-04 02:47:34 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-01-04 02:47:33 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-01-03 06:00:54 1913192 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-01-03 06:00:42 288088 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-12-07 13:20:16 441856 ----a-w- C:\Windows\System32\Wpc.dll
2012-12-07 13:15:31 2746368 ----a-w- C:\Windows\System32\gameux.dll
2012-12-07 12:26:17 308736 ----a-w- C:\Windows\SysWow64\Wpc.dll
2012-12-07 12:20:43 2576384 ----a-w- C:\Windows\SysWow64\gameux.dll
2012-12-07 11:20:04 30720 ----a-w- C:\Windows\System32\usk.rs
2012-12-07 11:20:03 43520 ----a-w- C:\Windows\System32\csrr.rs
2012-12-07 11:20:03 23552 ----a-w- C:\Windows\System32\oflc.rs
2012-12-07 11:20:01 45568 ----a-w- C:\Windows\System32\oflc-nz.rs
2012-12-07 11:20:01 44544 ----a-w- C:\Windows\System32\pegibbfc.rs
2012-12-07 11:20:01 20480 ----a-w- C:\Windows\System32\pegi-fi.rs
2012-12-07 11:20:00 20480 ----a-w- C:\Windows\System32\pegi-pt.rs
2012-12-07 11:19:59 20480 ----a-w- C:\Windows\System32\pegi.rs
2012-12-07 11:19:58 46592 ----a-w- C:\Windows\System32\fpb.rs
2012-12-07 11:19:57 40960 ----a-w- C:\Windows\System32\cob-au.rs
2012-12-07 11:19:57 21504 ----a-w- C:\Windows\System32\grb.rs
2012-12-07 11:19:57 15360 ----a-w- C:\Windows\System32\djctq.rs
2012-12-07 11:19:56 55296 ----a-w- C:\Windows\System32\cero.rs
2012-12-07 11:19:55 51712 ----a-w- C:\Windows\System32\esrb.rs
.
============= FINISH: 16:48:46.40 ===============
 



#4 djnando

djnando
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 03 March 2013 - 05:54 PM

I think my winlogon.exe is the infected culprit.
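As an added example (not code from this thread, nor from DDS, GMER or any other tool whose logs appear here), the following PowerShell script checks the two things behind this worry from a defender's side: whether winlogon.exe and userinit.exe still carry a valid Microsoft Authenticode signature, and whether the Winlogon Userinit and Shell registry values (the entries DDS reports as "mWinlogon: Userinit") point only at signed binaries. The expected default values are an assumption for an unmodified Windows 7 installation, and Get-Sha256Hex and Test-SignedBinary are hypothetical helper names. Extra Userinit entries are not automatically malicious: the DDS log above shows DPAgent.exe from DigitalPersona (the HP fingerprint software) in that value, and the signature check is what separates vendor software from an unsigned add-on. Run it from an elevated PowerShell prompt on the suspect machine.

```powershell
# Added example, not part of the thread: check the Winlogon persistence points
# that DDS reports as "mWinlogon: Userinit". Run from an elevated prompt.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogonKey

# Assumption: default values of an unmodified Windows 7 installation.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}

foreach ($name in $expected.Keys) {
    $actual = $props.$name
    if ($actual -eq $expected[$name]) {
        Write-Output ("{0} is at its default value: {1}" -f $name, $actual)
    } else {
        Write-Warning ("{0} is '{1}', expected '{2}'; review every extra path" -f $name, $actual, $expected[$name])
    }
}

# Hypothetical helper: SHA-256 through .NET so it also works on the PowerShell 2.0
# that ships with Windows 7 (Get-FileHash only exists from PowerShell 4.0 on).
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

# Hypothetical helper: report the Authenticode status and a hash for one file.
function Test-SignedBinary([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path does not exist"
        return
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    if ($sig.Status -eq 'Valid') {
        Write-Output ("{0}: signature {1} {2}" -f $Path, $sig.Status, $signer)
    } else {
        Write-Warning ("{0}: signature {1} {2}" -f $Path, $sig.Status, $signer)
    }
    # Compare this hash with the same file on a known-clean system or on the install media.
    Write-Output ("    SHA256 {0}" -f (Get-Sha256Hex $Path))
}

# The logon binaries themselves, plus every executable listed in Userinit.
$targets = @('C:\Windows\System32\winlogon.exe', 'C:\Windows\System32\userinit.exe')
$targets += @(($props.Userinit -split ',') | Where-Object { $_.Trim() -ne '' })

foreach ($entry in $targets) {
    Test-SignedBinary ([Environment]::ExpandEnvironmentVariables($entry.Trim()))
}
```

A signed, unmodified winlogon.exe with a default Shell and Userinit means the logon path itself is intact; a warning on Userinit is expected on this HP machine because of DPAgent.exe, and the script then shows whether that file is signed by its vendor. On 64-bit Windows, run the script from the 64-bit PowerShell so that the registry view matches the "x64-mWinlogon" line in the DDS log.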



#5 djnando

djnando
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 03 March 2013 - 05:57 PM

I have 2 computers in a network; both have the same problem. The previous log belongs to the laptop; the second one is the desktop.



#6 djnando

djnando
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 03 March 2013 - 06:03 PM

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16464
Run by Dj Desk at 16:59:26 on 2013-03-03
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.7935.6336 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}


Sorry, but we do not service two computers on the same topic.

 

Both logs do not show any suspicious items.

 

Please post the AdwCleaner log for this computer.

 

Let me know what is being deleted.

 

Just may be your Router is infected, try this.

 

How to Reset a Router Back to the Factory Default Settings
 
Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know them ;)
 
===
 
Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/
 
How to Secure Your Wireless Router
http://www.ehow.com/how_2253625_secure-wireless-router.html
 
Let me know if the problem persists.
 
 
p.s.
If you would like me to look at your second computer, start a new topic and post the following logs:
 
1 - DDS
2 - AdwCleaner
3 - a Combofix log.
 
Paste the link in your next reply and I will expedite the matter.

Edited by nasdaq, 04 March 2013 - 10:14 AM.


#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:44 PM

Posted 09 March 2013 - 09:19 AM

Are you still with me?



#8 djnando

djnando
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 09 March 2013 - 12:02 PM

Yes.



#9 djnando

djnando
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 09 March 2013 - 12:18 PM

Tried it, thank you.



#10 djnando

djnando
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 09 March 2013 - 09:52 PM

Thank you, but that didn't help. I have a hacker on my hands; I just need to figure out who it is and how I can find out who it is.

#11 djnando

djnando
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 09 March 2013 - 09:53 PM

How do I stop them from changing my registry? Should I call the police?

#12 djnando

djnando
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 10 March 2013 - 03:33 AM

So far, when I do a clean install, there are registry keys in place; not sure where they are coming from. I have erased every log, note, you name it. I have found problems with the setup logs, like Vista as the OS instead of Win 7. Someone please help.

#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,779 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:44 PM

Posted 10 March 2013 - 09:16 AM

So far when i do a clean install. There are registry keys in place not sure where are they coming from i have erased every log

If you do not reformat your computer before reinstalling, the registry keys will not be deleted.

 

What are the activities that the said hacker is doing?

What are the problems with this computer?



#14 djnando

djnando
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 10 March 2013 - 01:07 PM

I have reformatted the drive over and over. There is an issue with all drives: an MBR error that I can't get rid of.



#15 djnando

djnando
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 10 March 2013 - 01:11 PM

GMER 2.1.18952 - http://www.gmer.net
Rootkit scan 2013-03-10 13:08:08
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000067 ST310005 rev.HP35 931.51GB
Running: k7veei9j.exe; Driver: C:\Users\DJNAND~1\AppData\Local\Temp\pwtiruob.sys


---- Devices - GMER 2.1 ----

Device  \FileSystem\Ntfs \Ntfs                                                  fffffa80070792c0

---- Threads - GMER 2.1 ----

Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3788:3872]  00000000766c7587
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3788:3868]  000000006ff50cb3
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3788:1448]  0000000077bc2e25
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3788:3256]  0000000077bc3e45
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3788:1456]  0000000077bc3e45
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3788:4704]  0000000077bc3e45

---- EOF - GMER 2.1 --





