
ZeroAccess rootkit help


  • This topic is locked
71 replies to this topic

#1 weldermike

weldermike

  • Members
  • 51 posts
  • OFFLINE
  • Local time:06:37 AM

Posted 18 March 2013 - 04:47 AM

I have been told I am infected with the ZeroAccess rootkit. My symptoms are:

I am getting the following error popping up:

7oJUQ.png

In addition my computer is churning like crazy, everything is really slow and I keep getting all black screens with just the cursor on it.

Please see this previous post:

http://www.bleepingcomputer.com/forums/index.php?app=forums&module=post&section=post&do=new_post&f=22

I have run Security Check, Farbar Security Scanner, MiniToolBox, a Malwarebytes scan and Malwarebytes Anti-Rootkit and posted the logs.

I have now run DDS. Here are the logs:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16470  BrowserJavaVersion: 10.17.2
Run by The Flagg Family at 5:27:55 on 2013-03-18
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3317.111 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
C:\Windows\system32\EscSvc.exe
C:\Windows\Explorer.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Hawkes Learning Systems\Hawkes Update Service Manager\HawkesUpdater.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXRCV.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Logitech\Logitech Vid\Vid.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_TATIJJE.EXE
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Hawkes Learning Systems\Hawkes Update Service Manager\HawkesUpdater.exe
C:\Program Files\PIXELA\ImageMixer 3 SE Ver.5\Transfer Utility\CameraMonitor.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_265_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080721
mStart Page = hxxp://www.google.com
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
BHO: GamesBarBHO Class: {CB0D163C-E9F4-4236-9496-0597E24B23A5} -
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AIM Toolbar: {61539ECD-CC67-4437-A03C-9AACCBD14326} - c:\program files\aim toolbar\aimtb.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: Easy Photo Print: {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmode
uRun: [SearchEngineProtection] c:\program files\gamesbar\SearchEngineProtection.exe
uRun: [Google Update] "c:\users\the flagg family\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiada.exe /fu "c:\windows\temp\E_S24B4.tmp" /EF "HKCU"
uRun: [EPLTarget\P0000000000000001] c:\windows\system32\spool\drivers\w32x86\3\e_tatijje.exe /ept "epltarget\P0000000000000001" /M "WF-3520 Series"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 3.0.30618; Media Center PC 5.0; SLCC1; .NET4.0C; BRI/2)" -"http://www.harcourtschool.com/activity/mixture/mixture.html"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [FUFAXRCV] "c:\program files\epson software\fax utility\FUFAXRCV.exe"
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\thefla~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\epsona~1.lnk - c:\users\the flagg family\appdata\roaming\leadertech\powerregister\Epson all-in-one Registration.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hawkes~1.lnk - c:\program files\hawkes learning systems\hawkes update service manager\HawkesUpdater.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se ver.5\transfer utility\CameraMonitor.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: &AIM Toolbar Search - c:\programdata\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{6928159B-3781-41BA-B767-7457822872F6} : DHCPNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\epsoncustomerparticipation\EPCP.exe [2012-5-10 539744]
R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\escsvc.exe [2013-3-3 122000]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 100328]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-5-6 191752]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-6-19 39272]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-12 52224]
.
=============== Created Last 30 ================
.
2013-03-17 20:14:35 6954968 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6bd7c441-4f95-48d4-97c1-56ecec3fff75}\mpengine.dll
2013-03-17 17:24:31 -------- d-----w- c:\users\the flagg family\appdata\local\{EDDF98DA-FCFA-474A-ADFF-0A0E61B7FEDD}
2013-03-16 16:42:57 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-16 16:25:39 740840 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ee177c11-a69b-4435-8f0d-3ac292e70042}\gapaengine.dll
2013-03-16 16:23:36 6954968 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-03-16 12:21:31 -------- d-----w- c:\users\the flagg family\appdata\local\{9D3F8C0E-A65F-4999-9BCF-9EB367212400}
2013-03-16 00:18:56 -------- d-----w- c:\users\the flagg family\appdata\local\{55E3A009-93F2-4E81-91D8-3B501566698C}
2013-03-15 11:50:27 -------- d-----w- c:\users\the flagg family\appdata\local\{BF8D8C6F-91C4-4D6A-9602-456B4A801DA8}
2013-03-14 23:49:57 -------- d-----w- c:\users\the flagg family\appdata\local\{FEE872CB-B5E0-49A5-A067-9864241DDACE}
2013-03-14 11:49:02 -------- d-----w- c:\users\the flagg family\appdata\local\{4A2AB0B5-8EC3-418F-8611-E56D7C45D0AB}
2013-03-13 23:48:38 -------- d-----w- c:\users\the flagg family\appdata\local\{283A051E-338C-4640-8592-AAD7CD6B1A77}
2013-03-13 11:48:27 -------- d-----w- c:\users\the flagg family\appdata\local\{5FEE9882-B886-43ED-9B72-B6D8D5639C8E}
2013-03-12 23:48:16 -------- d-----w- c:\users\the flagg family\appdata\local\{012F88AE-A333-45F7-8921-D959E06DE285}
2013-03-12 11:48:05 -------- d-----w- c:\users\the flagg family\appdata\local\{4C19C41F-B72F-4D36-BBC5-FDF4E8C1FAE7}
2013-03-11 23:47:54 -------- d-----w- c:\users\the flagg family\appdata\local\{F097D2C2-9F99-4BE1-AA2C-33A0F0FD5043}
2013-03-11 11:47:30 -------- d-----w- c:\users\the flagg family\appdata\local\{EFA7D57A-0883-440C-A9D6-C69FE5BB6723}
2013-03-10 23:47:19 -------- d-----w- c:\users\the flagg family\appdata\local\{802A6A61-E8CE-48CE-BA66-991AE2B8E3EA}
2013-03-10 11:47:08 -------- d-----w- c:\users\the flagg family\appdata\local\{C14278D1-218E-463F-9DAD-DC713E1F90B5}
2013-03-09 23:46:57 -------- d-----w- c:\users\the flagg family\appdata\local\{AC5BFD6B-6755-4DED-888C-D64AA674840E}
2013-03-09 11:46:47 -------- d-----w- c:\users\the flagg family\appdata\local\{2C408C9F-48A7-4478-B6B5-700C83C536EB}
2013-03-08 23:46:36 -------- d-----w- c:\users\the flagg family\appdata\local\{BE29190C-4A1B-4873-83D8-068565CBD4E1}
2013-03-08 11:46:25 -------- d-----w- c:\users\the flagg family\appdata\local\{5B4322DF-0795-48EB-9E17-74D5C3CA84A5}
2013-03-07 23:46:14 -------- d-----w- c:\users\the flagg family\appdata\local\{43E9072B-2CB4-4FDD-A7FA-861742684E6C}
2013-03-07 11:46:03 -------- d-----w- c:\users\the flagg family\appdata\local\{06D6809D-4788-453C-BD22-ECF9F24A7B41}
2013-03-06 23:45:52 -------- d-----w- c:\users\the flagg family\appdata\local\{661CFDBF-705C-443B-8A51-03ABB4B47C5D}
2013-03-06 11:45:41 -------- d-----w- c:\users\the flagg family\appdata\local\{E696C1C3-A411-4E52-ABEC-A203E48938EB}
2013-03-05 23:45:30 -------- d-----w- c:\users\the flagg family\appdata\local\{D52FEEAC-635E-4B6B-97E0-3D5BBBA6CF89}
2013-03-05 11:45:19 -------- d-----w- c:\users\the flagg family\appdata\local\{25A05051-B83B-4E9B-A3A0-AF42F6842C62}
2013-03-04 23:45:08 -------- d-----w- c:\users\the flagg family\appdata\local\{B50A829B-5FDA-4E95-8783-091E9BE327F1}
2013-03-04 11:44:45 -------- d-----w- c:\users\the flagg family\appdata\local\{47D08D37-297D-4D7B-8794-C9DA47A75C6B}
2013-03-04 00:42:24 77824 ----a-w- c:\windows\system32\EBAPI.dll
2013-03-04 00:42:24 65536 ----a-w- c:\windows\system32\EEBUtil.dll
2013-03-04 00:42:24 55808 ----a-w- c:\windows\system32\EEBSDKIF.dll
2013-03-04 00:42:24 135168 ----a-w- c:\windows\system32\EEBAPI.dll
2013-03-04 00:42:24 110592 ----a-w- c:\windows\system32\EEBDSCVR.dll
2013-03-04 00:34:53 -------- d-----w- c:\users\the flagg family\appdata\local\ABBYY
2013-03-04 00:33:40 -------- d-----w- c:\program files\ABBYY FineReader 9.0 Sprint
2013-03-04 00:33:39 -------- d-----w- c:\programdata\ABBYY
2013-03-04 00:33:39 -------- d-----w- c:\program files\common files\ABBYY
2013-03-04 00:30:49 342016 ----a-w- c:\windows\system32\esw2ud.dll
2013-03-04 00:30:49 122000 ----a-w- c:\windows\system32\escsvc.exe
2013-03-04 00:29:30 -------- d-----w- c:\program files\common files\EPSON
2013-03-04 00:29:21 475496 ----a-w- c:\windows\system32\ensppmon.dll
2013-03-04 00:29:21 457780 ----a-w- c:\windows\system32\ensppui.dll
2013-03-04 00:29:21 249344 ----a-w- c:\windows\system32\enspres.dll
2013-03-04 00:29:21 249344 ----a-w- c:\windows\system32\enpres.dll
2013-03-04 00:29:20 475496 ----a-w- c:\windows\system32\enppmon.dll
2013-03-04 00:29:20 457780 ----a-w- c:\windows\system32\enppui.dll
2013-03-04 00:29:20 -------- d-----w- c:\program files\EpsonNet
2013-03-04 00:28:11 8192 ----a-w- c:\windows\system32\E_DCINST.DLL
2013-03-04 00:28:09 95232 ----a-w- c:\windows\system32\E_TLBJJE.DLL
2013-03-04 00:28:07 81408 ----a-w- c:\windows\system32\E_TD4BJJE.DLL
2013-03-03 23:44:34 -------- d-----w- c:\users\the flagg family\appdata\local\{0BAD93F5-0F00-4455-BDF8-6C390E0B2ADD}
2013-03-03 11:44:23 -------- d-----w- c:\users\the flagg family\appdata\local\{C94F45BB-49E6-45DC-880C-CA60134A90C1}
2013-03-02 23:44:12 -------- d-----w- c:\users\the flagg family\appdata\local\{F3BD1921-B625-4E9C-8CFC-42F0979C6A85}
2013-03-02 11:43:48 -------- d-----w- c:\users\the flagg family\appdata\local\{D56D70DF-D404-4FC5-ACDC-7FBF718F1016}
2013-03-01 23:43:37 -------- d-----w- c:\users\the flagg family\appdata\local\{57E6ACCE-854B-4BBD-A81E-6EEB84AA1B73}
2013-03-01 11:42:57 -------- d-----w- c:\users\the flagg family\appdata\local\{2B82C709-2AFC-4F5E-A29A-F02127427B8E}
2013-02-28 23:42:33 -------- d-----w- c:\users\the flagg family\appdata\local\{96CD8952-2ACC-49DD-86C0-B44644BC6C71}
2013-02-28 15:35:30 -------- dc-h--w- c:\programdata\{2CB7E68C-946F-4273-97CC-85B3F2AB1353}
2013-02-28 15:26:10 94208 ----a-w- c:\windows\system32\MSSTKPRP.DLL
2013-02-28 15:26:10 344064 ----a-w- c:\windows\system32\rsp_ogg_player_ocx2.dll
2013-02-28 15:26:10 344064 ----a-w- c:\windows\system32\rsp_ogg_player_ocx1.dll
2013-02-28 15:26:10 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2013-02-28 15:26:09 372736 ----a-w- c:\windows\system32\vbwExtender.ocx
2013-02-28 15:26:09 224016 ----a-w- c:\windows\system32\TABCTL32.OCX
2013-02-28 15:26:09 205848 ----a-w- c:\windows\system32\THREED32.OCX
2013-02-28 15:26:08 662288 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2013-02-28 15:26:08 212240 ----a-w- c:\windows\system32\RICHTX32.OCX
2013-02-28 15:26:08 159744 ----a-w- c:\windows\system32\rsp_ogg_vorbis_ocx_320reg.ocx
2013-02-28 15:26:08 1328824 ----a-w- c:\windows\system32\SPR32X60.ocx
2013-02-28 15:26:07 557328 ----a-w- c:\windows\system32\DAO360.DLL
2013-02-28 15:25:25 -------- d-----w- c:\program files\Hawkes Learning Systems
2013-02-28 15:22:08 -------- d--h--w- c:\programdata\{9C9477C6-B3C2-455B-82F3-E537CBCAABF0}
2013-02-28 15:22:06 -------- d-----w- c:\users\the flagg family\appdata\local\PackageAware
2013-02-28 11:42:22 -------- d-----w- c:\users\the flagg family\appdata\local\{ABBBBA4A-166B-4308-82EC-83ADB8826CDB}
2013-02-27 15:09:47 -------- d-----w- c:\users\the flagg family\appdata\local\{EFF17F9B-13E3-4816-874C-45476CA76F63}
2013-02-27 03:09:36 -------- d-----w- c:\users\the flagg family\appdata\local\{DEDDA8BD-7290-4AB8-AB8D-440365D072E6}
2013-02-26 15:09:25 -------- d-----w- c:\users\the flagg family\appdata\local\{77EE3729-5EBE-4629-8504-7B96CA5C3182}
2013-02-26 03:09:01 -------- d-----w- c:\users\the flagg family\appdata\local\{84C8E6B5-DA17-465C-A351-6D16BC281A04}
2013-02-25 15:08:51 -------- d-----w- c:\users\the flagg family\appdata\local\{988FEEA0-2B64-4B71-9734-2B6B43DA827F}
2013-02-25 03:08:39 -------- d-----w- c:\users\the flagg family\appdata\local\{B08136BD-27B6-4D0D-8EAD-DC9D0C51AFD6}
2013-02-24 15:08:16 -------- d-----w- c:\users\the flagg family\appdata\local\{EDD77A92-32FE-429C-9A7A-87770B53CDC2}
2013-02-24 03:08:05 -------- d-----w- c:\users\the flagg family\appdata\local\{4EAB60DB-F495-48CE-BF07-FE0C634A8FF0}
2013-02-23 15:07:54 -------- d-----w- c:\users\the flagg family\appdata\local\{257715B5-D19E-4907-AFA2-632DCE42EBB0}
2013-02-23 03:07:44 -------- d-----w- c:\users\the flagg family\appdata\local\{C80A8693-E35E-46DA-9650-E63F3DCA5D37}
2013-02-22 15:07:21 -------- d-----w- c:\users\the flagg family\appdata\local\{F265D057-81A7-484F-A745-1BC5F7E704A1}
2013-02-22 03:06:57 -------- d-----w- c:\users\the flagg family\appdata\local\{3AF7F649-F28C-4E44-AC35-F587C0FD02A3}
2013-02-21 15:06:46 -------- d-----w- c:\users\the flagg family\appdata\local\{75E26EAB-4F50-4B5A-94C6-557353E0B605}
2013-02-21 03:06:35 -------- d-----w- c:\users\the flagg family\appdata\local\{9FA2ACE1-687A-4983-BE49-6D22B6551EDA}
2013-02-20 15:06:25 -------- d-----w- c:\users\the flagg family\appdata\local\{183A9679-BE15-4B1D-AB03-1D6B94783E24}
2013-02-20 03:06:14 -------- d-----w- c:\users\the flagg family\appdata\local\{27637DE3-E8AF-4022-BC5A-D2D1C28FAA79}
2013-02-19 15:06:03 -------- d-----w- c:\users\the flagg family\appdata\local\{3EC6268E-5851-4A7F-BFC8-14ECDD89A61B}
2013-02-19 01:26:24 -------- d-----w- c:\users\the flagg family\appdata\local\{40165EE2-C079-4580-8AA3-D109D34AB80F}
2013-02-18 13:26:14 -------- d-----w- c:\users\the flagg family\appdata\local\{3A26D225-E64A-454A-9C04-041BF9D21385}
2013-02-18 01:26:03 -------- d-----w- c:\users\the flagg family\appdata\local\{FC576577-93E6-4140-82F6-19C4A352E327}
2013-02-17 13:25:52 -------- d-----w- c:\users\the flagg family\appdata\local\{09EE5721-3FD4-4300-AB8A-D4AD1473BAEC}
2013-02-17 01:25:41 -------- d-----w- c:\users\the flagg family\appdata\local\{B69B0BF2-129A-43A9-9E45-C00997145B0F}
2013-02-16 13:25:30 -------- d-----w- c:\users\the flagg family\appdata\local\{B11BD7B2-1649-417E-A825-31E4E0E12E1B}
.
==================== Find3M  ====================
.
2013-03-16 16:42:48 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-16 16:42:48 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-12 04:48:31 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-02 03:38:35 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-02-02 03:30:32 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-02 03:30:21 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-02-02 03:26:47 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-02-02 03:26:21 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-02-02 03:23:28 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-01-30 10:53:21 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-20 19:59:04 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-01-20 19:59:04 100328 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-01-13 21:17:03 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-01-13 21:17:02 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-01-13 21:16:42 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-01-13 21:12:46 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-01-13 21:11:21 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-01-13 21:11:08 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-01-13 21:11:07 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-01-13 21:11:07 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-01-13 21:11:07 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-01-13 20:31:00 1247744 ----a-w- c:\windows\system32\DWrite.dll
2013-01-13 20:30:34 906240 ----a-w- c:\windows\system32\FntCache.dll
2013-01-13 20:22:22 1988096 ----a-w- c:\windows\system32\d3d10warp.dll
2013-01-13 20:20:31 293376 ----a-w- c:\windows\system32\dxgi.dll
2013-01-13 20:09:00 249856 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-01-13 20:08:43 220160 ----a-w- c:\windows\system32\d3d10core.dll
2013-01-13 20:08:35 1504768 ----a-w- c:\windows\system32\d3d11.dll
2013-01-13 19:54:01 604160 ----a-w- c:\windows\system32\d3d10level9.dll
2013-01-13 19:53:58 207872 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2013-01-13 19:53:14 187392 ----a-w- c:\windows\system32\UIAnimation.dll
2013-01-13 19:48:47 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2013-01-13 19:46:25 1080832 ----a-w- c:\windows\system32\d3d10.dll
2013-01-13 19:43:21 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-01-13 19:37:57 3419136 ----a-w- c:\windows\system32\d2d1.dll
2013-01-13 19:02:06 417792 ----a-w- c:\windows\system32\WMPhoto.dll
2013-01-13 18:34:58 364544 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2013-01-13 17:26:42 1158144 ----a-w- c:\windows\system32\XpsPrint.dll
2013-01-05 05:00:15 3967848 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-05 05:00:11 3913064 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-04 06:11:21 2284544 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2013-01-04 04:50:52 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-01-04 03:00:29 2347008 ----a-w- c:\windows\system32\win32k.sys
2013-01-03 05:05:20 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-03 05:04:43 187752 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
.
============= FINISH:  5:31:24.52 ===============
 

THANKS!!


#2 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:06:37 AM

Posted 18 March 2013 - 10:26 AM

Hi and Welcome!!
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to this topic so that you can see when there are new responses.
  • IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.
 
Having said that.... Let's get going!!
----------

Please download aswMBR to your desktop.
  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
----------



#3 weldermike

weldermike
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:06:37 AM

Posted 18 March 2013 - 10:44 AM

Thanks for the help Jeff. I will be using a separate laptop for instructions from your posts while working on the infected system.

 

I will do the above in about 11 hours from now.

 

Appreciate the help!!!



#4 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:06:37 AM

Posted 18 March 2013 - 10:46 AM

No problem....thanks for letting me know. :)



#5 weldermike

weldermike
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:06:37 AM

Posted 18 March 2013 - 09:25 PM

Did you want the .dat file also?

Here is the text file:

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-03-18 22:08:08
-----------------------------
22:08:08.779    OS Version: Windows 6.1.7601 Service Pack 1
22:08:08.779    Number of processors: 2 586 0xF0B
22:08:08.821    ComputerName: THEFLAGGFAMI-PC  UserName:
22:08:11.191    Initialize success
22:13:08.161    AVAST engine defs: 13031801
22:13:55.306    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
22:13:55.311    Disk 0 Vendor: ST3500630AS 3.ADJ Size: 476940MB BusType: 3
22:13:55.471    Disk 0 MBR read successfully
22:13:55.473    Disk 0 MBR scan
22:13:55.480    Disk 0 Windows 7 default MBR code
22:13:55.483    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       54 MB offset 63
22:13:55.526    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        10240 MB offset 112640
22:13:55.577    Disk 0 Partition 3 80 (A) 07    HPFS/NTFS NTFS       466644 MB offset 21084160
22:13:55.613    Disk 0 scanning sectors +976771072
22:13:55.725    Disk 0 scanning C:\Windows\system32\drivers
22:14:14.829    Service scanning
22:14:33.710    Service MpKsl22230c6e c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5B3EDF60-76FC-4833-952D-94FB201C0D18}\MpKsl22230c6e.sys **LOCKED** 32
22:14:57.920    Modules scanning
22:15:03.727    Disk 0 trace - called modules:
22:15:03.751    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
22:15:03.756    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86714618]
22:15:03.761    3 CLASSPNP.SYS[8be0459e] -> nt!IofCallDriver -> [0x86264918]
22:15:03.767    5 ACPI.sys[8bca13d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8597e908]
22:15:05.175    AVAST engine scan C:\Windows
22:15:10.345    AVAST engine scan C:\Windows\system32
22:20:58.537    AVAST engine scan C:\Windows\system32\drivers
22:21:44.743    AVAST engine scan C:\Users\The Flagg Family
22:22:30.764    Disk 0 MBR has been saved successfully to "C:\Users\The Flagg Family\Desktop\MBR.dat"
22:22:30.770    The log file has been saved successfully to "C:\Users\The Flagg Family\Desktop\aswMBR.txt"


 



#6 jeffce


Posted 19 March 2013 - 06:37 AM

Hi,

 

No you can just hold onto the .dat file for the time being....at least until we finish up.   :)

----------

 

 

ComboFix
 
Download Combofix from the link below, and save it to your desktop.  
 
**Note:  It is important that it is saved directly to your desktop**
 If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.
 
--------------------------------------------------------------------
 
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
 
--------------------------------------------------------------------
 
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.  


  • Please post the C:\ComboFix.txt for further review.

----------



#7 weldermike


Posted 19 March 2013 - 09:40 AM

OK. About 7 hours from now.



#8 jeffce


Posted 19 March 2013 - 12:45 PM

Sounds just fine. I have class tonight anyway. :)



#9 weldermike


Posted 19 March 2013 - 07:21 PM

ComboFix 13-03-19.01 - The Flagg Family 03/19/2013  20:00:58.1.2 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3317.1890 [GMT -4:00]
Running from: c:\users\The Flagg Family\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\3600baa1302f52f2b42a18b0f874a409_c
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\TEMP\mia13\mEXEFunc.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-20 to 2013-03-20  )))))))))))))))))))))))))))))))
.
.
2013-03-20 00:08 . 2013-03-20 00:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-19 00:02 . 2013-02-08 00:45 6954968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5B3EDF60-76FC-4833-952D-94FB201C0D18}\mpengine.dll
2013-03-17 20:14 . 2013-02-08 00:45 6954968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-16 16:42 . 2013-03-16 16:42 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-16 16:25 . 2012-11-28 18:10 740840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE177C11-A69B-4435-8F0D-3AC292E70042}\gapaengine.dll
2013-03-04 00:42 . 2007-09-07 22:33 135168 ----a-w- c:\windows\system32\EEBAPI.dll
2013-03-04 00:42 . 2007-03-28 23:26 65536 ----a-w- c:\windows\system32\EEBUtil.dll
2013-03-04 00:42 . 2006-12-19 23:31 110592 ----a-w- c:\windows\system32\EEBDSCVR.dll
2013-03-04 00:42 . 2006-12-19 23:20 77824 ----a-w- c:\windows\system32\EBAPI.dll
2013-03-04 00:42 . 2003-12-17 06:01 55808 ----a-w- c:\windows\system32\EEBSDKIF.dll
2013-03-04 00:34 . 2013-03-04 00:34 -------- d-----w- c:\users\The Flagg Family\AppData\Local\ABBYY
2013-03-04 00:33 . 2013-03-04 00:35 -------- d-----w- c:\program files\ABBYY FineReader 9.0 Sprint
2013-03-04 00:33 . 2013-03-04 00:33 -------- d-----w- c:\programdata\ABBYY
2013-03-04 00:33 . 2013-03-04 00:33 -------- d-----w- c:\program files\Common Files\ABBYY
2013-03-04 00:30 . 2011-12-12 05:00 342016 ----a-w- c:\windows\system32\esw2ud.dll
2013-03-04 00:30 . 2011-12-12 05:00 122000 ----a-w- c:\windows\system32\escsvc.exe
2013-03-04 00:29 . 2013-03-04 00:42 -------- d-----w- c:\program files\Common Files\EPSON
2013-03-04 00:29 . 2011-08-30 18:39 457780 ----a-w- c:\windows\system32\ensppui.dll
2013-03-04 00:29 . 2011-08-30 18:38 475496 ----a-w- c:\windows\system32\ensppmon.dll
2013-03-04 00:29 . 2011-08-01 23:24 249344 ----a-w- c:\windows\system32\enspres.dll
2013-03-04 00:29 . 2011-08-01 23:24 249344 ----a-w- c:\windows\system32\enpres.dll
2013-03-04 00:29 . 2013-03-04 00:29 -------- d-----w- c:\program files\EpsonNet
2013-03-04 00:29 . 2011-08-30 18:39 457780 ----a-w- c:\windows\system32\enppui.dll
2013-03-04 00:29 . 2011-08-30 18:38 475496 ----a-w- c:\windows\system32\enppmon.dll
2013-03-04 00:28 . 2013-03-04 00:27 8192 ----a-w- c:\windows\system32\E_DCINST.DLL
2013-03-04 00:28 . 2013-03-04 00:27 95232 ----a-w- c:\windows\system32\E_TLBJJE.DLL
2013-03-04 00:28 . 2013-03-04 00:27 81408 ----a-w- c:\windows\system32\E_TD4BJJE.DLL
2013-02-28 15:35 . 2013-03-02 05:01 -------- dc-h--w- c:\programdata\{2CB7E68C-946F-4273-97CC-85B3F2AB1353}
2013-02-28 15:26 . 2008-06-04 21:56 344064 ----a-w- c:\windows\system32\rsp_ogg_player_ocx2.dll
2013-02-28 15:26 . 2008-06-04 21:56 344064 ----a-w- c:\windows\system32\rsp_ogg_player_ocx1.dll
2013-02-28 15:26 . 2000-07-15 05:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2013-02-28 15:26 . 1998-08-09 23:07 94208 ----a-w- c:\windows\system32\MSSTKPRP.DLL
2013-02-28 15:26 . 2004-03-10 11:15 224016 ----a-w- c:\windows\system32\TABCTL32.OCX
2013-02-28 15:26 . 2003-05-10 00:01 372736 ----a-w- c:\windows\system32\vbwExtender.ocx
2013-02-28 15:26 . 1998-06-27 01:22 205848 ----a-w- c:\windows\system32\THREED32.OCX
2013-02-28 15:26 . 2008-06-04 23:02 159744 ----a-w- c:\windows\system32\rsp_ogg_vorbis_ocx_320reg.ocx
2013-02-28 15:26 . 2004-03-10 11:15 662288 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2013-02-28 15:26 . 2004-03-10 11:15 212240 ----a-w- c:\windows\system32\RICHTX32.OCX
2013-02-28 15:26 . 2002-02-19 20:20 1328824 ----a-w- c:\windows\system32\SPR32X60.ocx
2013-02-28 15:26 . 1999-12-07 22:30 557328 ----a-w- c:\windows\system32\DAO360.DLL
2013-02-28 15:25 . 2013-02-28 15:35 -------- d-----w- c:\program files\Hawkes Learning Systems
2013-02-28 15:22 . 2013-02-28 15:34 -------- d--h--w- c:\programdata\{9C9477C6-B3C2-455B-82F3-E537CBCAABF0}
2013-02-28 15:22 . 2013-02-28 15:22 -------- d-----w- c:\users\The Flagg Family\AppData\Local\PackageAware
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-16 16:42 . 2012-11-25 16:58 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-16 16:42 . 2011-05-18 23:49 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-12 04:48 . 2013-03-16 16:12 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-16 16:12 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-01-30 10:53 . 2009-10-04 18:50 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-20 19:59 . 2013-01-20 19:59 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-01-20 19:59 . 2010-10-25 01:25 100328 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-01-05 05:00 . 2013-02-13 08:18 3967848 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-05 05:00 . 2013-02-13 08:18 3913064 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-04 04:50 . 2013-02-13 08:18 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-01-04 03:00 . 2013-02-13 08:18 2347008 ----a-w- c:\windows\system32\win32k.sys
2013-01-03 05:05 . 2013-02-13 08:18 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-03 05:04 . 2013-02-13 08:18 187752 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-21 68856]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]
"EPLTarget\P0000000000000001"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_TATIJJE.EXE" [2013-03-04 249440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2012-01-26 1058400]
"FUFAXRCV"="c:\program files\Epson Software\FAX Utility\FUFAXRCV.exe" [2012-02-29 502912]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2012-02-29 863360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-21 50688]
Hawkes Update Notifier.lnk - c:\program files\Hawkes Learning Systems\Hawkes Update Service Manager\HawkesUpdater.exe [2013-2-28 3768184]
ImageMixer 3 SE Camera Monitor Ver.5.lnk - c:\program files\PIXELA\ImageMixer 3 SE Ver.5\Transfer Utility\CameraMonitor.exe [2010-9-26 253952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-21 15:32 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
.
R1 eegryesf;eegryesf;c:\windows\system32\drivers\eegryesf.sys [x]
R1 MpKsl22230c6e;MpKsl22230c6e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5B3EDF60-76FC-4833-952D-94FB201C0D18}\MpKsl22230c6e.sys [x]
R2 gupdate1c9eab16229fa77;Google Update Service (gupdate1c9eab16229fa77);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [x]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [x]
S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [x]
S2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\EscSvc.exe [x]
S2 HawkesUpdater;Hawkes Unattended Updater;c:\program files\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe [x]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-21 09:19]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-11 16:26]
.
2013-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-11 16:26]
.
2013-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-849849326-2601386290-864959393-1000Core.job
- c:\users\The Flagg Family\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-08 20:34]
.
2013-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-849849326-2601386290-864959393-1000UA.job
- c:\users\The Flagg Family\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-08 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-SearchEngineProtection - c:\program files\Gamesbar\SearchEngineProtection.exe
SafeBoot-02735224.sys
SafeBoot-13991261.sys
AddRemove-CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1 - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE
AddRemove-GamesBar - c:\program files\GamesBar\uninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\programdata\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\WUDFHost.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2013-03-19  20:18:34 - machine was rebooted
ComboFix-quarantined-files.txt  2013-03-20 00:18
.
Pre-Run: 118,925,029,376 bytes free
Post-Run: 119,829,557,248 bytes free
.
- - End Of File - - 390A4BFA4F6FAB31DE150469200E46DE
 



#10 jeffce


Posted 19 March 2013 - 09:05 PM

This is probably going to be one of the bad things on your system but I want to be sure...
 
 
Please go to: VirusTotal
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.
 
c:\windows\system32\drivers\eegryesf.sys
 
Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.
----------




#11 weldermike


Posted 20 March 2013 - 05:11 AM

It says the file does not exist.  I searched for it with explorer and it is not there.



#12 jeffce


Posted 20 March 2013 - 06:55 AM

No problems.  We can see in the logs that it is actually there.   :)
------------
 
 
ComboFix

 

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the box below:
ClearJavaCache::
 
File::
c:\windows\system32\drivers\eegryesf.sys
 
Driver::
eegryesf

 

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

[screenshot: CFScriptB-4.gif, dragging CFScript.txt onto ComboFix.exe]

 

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Post the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
 
Post the new ComboFix log and let me know how your system is running now.   :)


 
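The exchange in posts #10 to #12 (a request for a VirusTotal result on c:\windows\system32\drivers\eegryesf.sys, the reply that Explorer cannot find the file, and the note that the ComboFix log nevertheless lists it as a running system-start driver, "R1 eegryesf") is the classic shape of a kernel-mode rootkit: the service entry that loads the driver stays in HKLM\SYSTEM\CurrentControlSet\Services, while the driver itself filters directory listings so the file is invisible to Explorer and to any other user-mode lookup. The PowerShell below is an added example, not a tool from this thread or from BleepingComputer's fix procedure. It walks the Services hive, keeps the kernel and file-system driver entries, resolves each ImagePath to a Win32 path, and reports any entry whose file cannot be seen or read, or whose service name is eight machine-generated-looking lower-case letters like eegryesf; for files it can read it computes the SHA-256 so the hash can be looked up on VirusTotal instead of uploading the binary. It assumes an elevated Windows PowerShell 4.0 or later session (Get-FileHash is not present in the PowerShell 2.0 that shipped with Windows 7), and the name heuristic is a triage hint only: it will match a few legitimate drivers.

```powershell
# Added example (not from the thread): list kernel-mode driver services whose image
# file cannot be seen or read, or whose name looks machine-generated (e.g. eegryesf).
# Assumes an elevated Windows PowerShell 4.0+ session (needs Get-FileHash).

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot  = $env:SystemRoot

function Resolve-ImagePath {
    param([string]$ImagePath)
    # ImagePath values come in several shapes; normalise each to a Win32 path:
    #   \SystemRoot\system32\drivers\x.sys     system32\drivers\x.sys
    #   \??\C:\windows\system32\drivers\x.sys  "C:\Program Files\v\x.sys" /arg
    $p = $ImagePath.Trim()
    if ($p -match '^"([^"]+)"')             { $p = $Matches[1] }
    if ($p -imatch '^\\SystemRoot\\(.+)$')  { return (Join-Path $systemRoot $Matches[1]) }
    if ($p -match '^\\\?\?\\(.+)$')         { return $Matches[1] }
    if ($p -match '^[A-Za-z]:\\')           { return $p }
    return (Join-Path $systemRoot $p)       # bare path relative to %SystemRoot%
}

$findings = foreach ($key in Get-ChildItem -Path $servicesKey) {
    $svc = Get-ItemProperty -Path $key.PSPath
    # Type 1 = kernel driver, 2 = file-system driver; user-mode services are 16 / 32
    if ($svc.Type -ne 1 -and $svc.Type -ne 2) { continue }
    if (-not $svc.ImagePath) { continue }

    $path   = Resolve-ImagePath $svc.ImagePath
    $onDisk = Test-Path -LiteralPath $path -PathType Leaf
    # Eight lower-case letters with no digits or separators is the pattern of the
    # eegryesf entry in the thread; some legitimate drivers match too (triage hint only)
    $random = $key.PSChildName -cmatch '^[a-z]{8}$'

    if (-not $onDisk -or $random) {
        $hash = ''
        if ($onDisk) {
            # A file that is listed but cannot be opened is itself worth noting
            try   { $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash }
            catch { $hash = 'UNREADABLE' }
        }
        [pscustomobject]@{
            Service    = $key.PSChildName
            StartType  = $svc.Start          # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath  = $path
            OnDisk     = $onDisk
            RandomName = $random
            SHA256     = $hash
        }
    }
}

# Boot- and system-start drivers with no visible file are the entries to chase first
$findings | Sort-Object StartType, Service | Format-Table -AutoSize
```

On the live machine a driver that hides its own file shows OnDisk False for a service with StartType 0 or 1, which is the same combination ComboFix reported as "R1 eegryesf" (in ComboFix's notation R means the service was running and the digit is the start type, 1 = System). Because the rootkit's filtering applies to every user-mode file enumeration, including PowerShell's, the file will only become visible, hashable and submittable when the disk is examined from an offline boot (WinPE or a rescue CD) with the SYSTEM hive loaded via reg load; a rootkit can tamper with registry reads as well, so the offline run is the one to trust. The Driver:: directive in the CFScript from post #12 is what removes the service entry so the driver is no longer loaded at the next boot.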


#13 weldermike


Posted 20 March 2013 - 06:10 PM

ComboFix 13-03-20.02 - The Flagg Family 03/20/2013  18:49:40.2.2 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3317.351 [GMT -4:00]
Running from: c:\users\The Flagg Family\Desktop\ComboFix.exe
Command switches used :: c:\users\The Flagg Family\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\eegryesf.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\TEMP\mia3\mEXEFunc.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_eegryesf
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-20 to 2013-03-20  )))))))))))))))))))))))))))))))
.
.
2013-03-20 22:59 . 2013-03-20 23:02 -------- d-----w- c:\users\The Flagg Family\AppData\Local\temp
2013-03-20 22:59 . 2013-03-20 22:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-20 00:33 . 2013-03-15 07:21 7108640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3FE4F15C-18C5-4F67-A2FB-8102FF452C99}\mpengine.dll
2013-03-20 00:24 . 2013-02-08 00:45 6954968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-16 16:42 . 2013-03-16 16:42 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-16 16:25 . 2012-11-28 18:10 740840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE177C11-A69B-4435-8F0D-3AC292E70042}\gapaengine.dll
2013-03-04 00:42 . 2007-09-07 22:33 135168 ----a-w- c:\windows\system32\EEBAPI.dll
2013-03-04 00:42 . 2007-03-28 23:26 65536 ----a-w- c:\windows\system32\EEBUtil.dll
2013-03-04 00:42 . 2006-12-19 23:31 110592 ----a-w- c:\windows\system32\EEBDSCVR.dll
2013-03-04 00:42 . 2006-12-19 23:20 77824 ----a-w- c:\windows\system32\EBAPI.dll
2013-03-04 00:42 . 2003-12-17 06:01 55808 ----a-w- c:\windows\system32\EEBSDKIF.dll
2013-03-04 00:34 . 2013-03-04 00:34 -------- d-----w- c:\users\The Flagg Family\AppData\Local\ABBYY
2013-03-04 00:33 . 2013-03-04 00:35 -------- d-----w- c:\program files\ABBYY FineReader 9.0 Sprint
2013-03-04 00:33 . 2013-03-04 00:33 -------- d-----w- c:\programdata\ABBYY
2013-03-04 00:33 . 2013-03-04 00:33 -------- d-----w- c:\program files\Common Files\ABBYY
2013-03-04 00:30 . 2011-12-12 05:00 342016 ----a-w- c:\windows\system32\esw2ud.dll
2013-03-04 00:30 . 2011-12-12 05:00 122000 ----a-w- c:\windows\system32\escsvc.exe
2013-03-04 00:29 . 2013-03-04 00:42 -------- d-----w- c:\program files\Common Files\EPSON
2013-03-04 00:29 . 2011-08-30 18:39 457780 ----a-w- c:\windows\system32\ensppui.dll
2013-03-04 00:29 . 2011-08-30 18:38 475496 ----a-w- c:\windows\system32\ensppmon.dll
2013-03-04 00:29 . 2011-08-01 23:24 249344 ----a-w- c:\windows\system32\enspres.dll
2013-03-04 00:29 . 2011-08-01 23:24 249344 ----a-w- c:\windows\system32\enpres.dll
2013-03-04 00:29 . 2013-03-04 00:29 -------- d-----w- c:\program files\EpsonNet
2013-03-04 00:29 . 2011-08-30 18:39 457780 ----a-w- c:\windows\system32\enppui.dll
2013-03-04 00:29 . 2011-08-30 18:38 475496 ----a-w- c:\windows\system32\enppmon.dll
2013-03-04 00:28 . 2013-03-04 00:27 8192 ----a-w- c:\windows\system32\E_DCINST.DLL
2013-03-04 00:28 . 2013-03-04 00:27 95232 ----a-w- c:\windows\system32\E_TLBJJE.DLL
2013-03-04 00:28 . 2013-03-04 00:27 81408 ----a-w- c:\windows\system32\E_TD4BJJE.DLL
2013-02-28 15:35 . 2013-03-02 05:01 -------- dc-h--w- c:\programdata\{2CB7E68C-946F-4273-97CC-85B3F2AB1353}
2013-02-28 15:26 . 2008-06-04 21:56 344064 ----a-w- c:\windows\system32\rsp_ogg_player_ocx2.dll
2013-02-28 15:26 . 2008-06-04 21:56 344064 ----a-w- c:\windows\system32\rsp_ogg_player_ocx1.dll
2013-02-28 15:26 . 2000-07-15 05:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2013-02-28 15:26 . 1998-08-09 23:07 94208 ----a-w- c:\windows\system32\MSSTKPRP.DLL
2013-02-28 15:26 . 2004-03-10 11:15 224016 ----a-w- c:\windows\system32\TABCTL32.OCX
2013-02-28 15:26 . 2003-05-10 00:01 372736 ----a-w- c:\windows\system32\vbwExtender.ocx
2013-02-28 15:26 . 1998-06-27 01:22 205848 ----a-w- c:\windows\system32\THREED32.OCX
2013-02-28 15:26 . 2008-06-04 23:02 159744 ----a-w- c:\windows\system32\rsp_ogg_vorbis_ocx_320reg.ocx
2013-02-28 15:26 . 2004-03-10 11:15 662288 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2013-02-28 15:26 . 2004-03-10 11:15 212240 ----a-w- c:\windows\system32\RICHTX32.OCX
2013-02-28 15:26 . 2002-02-19 20:20 1328824 ----a-w- c:\windows\system32\SPR32X60.ocx
2013-02-28 15:26 . 1999-12-07 22:30 557328 ----a-w- c:\windows\system32\DAO360.DLL
2013-02-28 15:25 . 2013-02-28 15:35 -------- d-----w- c:\program files\Hawkes Learning Systems
2013-02-28 15:22 . 2013-02-28 15:34 -------- d--h--w- c:\programdata\{9C9477C6-B3C2-455B-82F3-E537CBCAABF0}
2013-02-28 15:22 . 2013-02-28 15:22 -------- d-----w- c:\users\The Flagg Family\AppData\Local\PackageAware
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-16 16:42 . 2012-11-25 16:58 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-16 16:42 . 2011-05-18 23:49 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-12 04:48 . 2013-03-16 16:12 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-16 16:12 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-01-30 10:53 . 2009-10-04 18:50 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-20 19:59 . 2013-01-20 19:59 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-01-20 19:59 . 2010-10-25 01:25 100328 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2013-01-05 05:00 . 2013-02-13 08:18 3967848 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-05 05:00 . 2013-02-13 08:18 3913064 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-04 04:50 . 2013-02-13 08:18 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-01-04 03:00 . 2013-02-13 08:18 2347008 ----a-w- c:\windows\system32\win32k.sys
2013-01-03 05:05 . 2013-02-13 08:18 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-03 05:04 . 2013-02-13 08:18 187752 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-21 68856]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]
"EPLTarget\P0000000000000001"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_TATIJJE.EXE" [2013-03-04 249440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2012-01-26 1058400]
"FUFAXRCV"="c:\program files\Epson Software\FAX Utility\FUFAXRCV.exe" [2012-02-29 502912]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2012-02-29 863360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-21 50688]
Hawkes Update Notifier.lnk - c:\program files\Hawkes Learning Systems\Hawkes Update Service Manager\HawkesUpdater.exe [2013-2-28 3768184]
ImageMixer 3 SE Camera Monitor Ver.5.lnk - c:\program files\PIXELA\ImageMixer 3 SE Ver.5\Transfer Utility\CameraMonitor.exe [2010-9-26 253952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-21 15:32 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" /hide
.
R1 MpKsl22230c6e;MpKsl22230c6e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5B3EDF60-76FC-4833-952D-94FB201C0D18}\MpKsl22230c6e.sys [x]
R2 gupdate1c9eab16229fa77;Google Update Service (gupdate1c9eab16229fa77);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [x]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [x]
S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [x]
S2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\EscSvc.exe [x]
S2 HawkesUpdater;Hawkes Unattended Updater;c:\program files\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe [x]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-21 09:19]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-11 16:26]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-11 16:26]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-849849326-2601386290-864959393-1000Core.job
- c:\users\The Flagg Family\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-08 20:34]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-849849326-2601386290-864959393-1000UA.job
- c:\users\The Flagg Family\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-08 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\taskhost.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\programdata\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2013-03-20  19:07:36 - machine was rebooted
ComboFix-quarantined-files.txt  2013-03-20 23:07
ComboFix2.txt  2013-03-20 00:18
.
Pre-Run: 119,696,240,640 bytes free
Post-Run: 124,294,770,688 bytes free
.
- - End Of File - - 2E27C93B1E01EEFE1730DE912149238A
 



#14 weldermike

weldermike
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:06:37 AM

Posted 20 March 2013 - 06:27 PM

Getting an error:  Unable to load plug-in library.

 

It will not go away.  The icon associated with it is for an online class.



#15 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:06:37 AM

Posted 20 March 2013 - 08:13 PM

Are you able to take a screen shot and post what it is exactly you are seeing please?  






