
SVCHost Virus only being detected by GMER


This topic is locked
21 replies to this topic

#1 Ian Dubbelboer


Posted 21 March 2013 - 04:59 PM

Hello

 

I have a system infected with some kind of rootkit virus which I have been struggling to remove.

 

GMER sees something wrong with SVCHost.

 

RKILL sees that Windows Defender and Windows Security Center Service are both being disabled; attempts to restart the service result in the service starting, but within seconds the service is stopped and returned to disabled.

 

The virus is smart enough to use UPNP to open inbound ports on a firewall and operate as a spam relay, but beyond what I have listed no other signs of infection are visible.

 

I have tried running most of the usual suspects listed here for removal, but nothing seems to spot the virus unaided, including ComboFix. Everything I have tried to run has been able to complete without error, but without removal of the virus either.

 

Current versions of Adobe Reader, Flash and Shockwave have been installed. I am unable to get the 32-bit version of Java 7u17 to install, but 7u15 is installed. The 64-bit version of 7u17 is installed.

 

I will attach the standard DDS log shortly.




#2 Ian Dubbelboer

  • Topic Starter

Posted 21 March 2013 - 05:03 PM

DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16470  BrowserJavaVersion: 1.7.0_15
Run by Wesley at 16:00:19 on 2013-03-21
Microsoft Windows 7 Professional   6.1.7601.1.1252.2.1033.18.1791.714 [GMT -6:00]
.
AV: Trend Micro Security Agent *Disabled/Updated* {B7599298-8445-728A-A5C7-A26A082C8BDA}
SP: Trend Micro Security Agent *Disabled/Updated* {0C38737C-A27F-7D04-9F77-991873ABC167}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\dwrcs\DWRCS.EXE
C:\Program Files\FileOpen\Services\FileOpenManagerService64.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Print Audit Inc\Print Audit 6\Client\pa6clhlp64.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\dwrcs\DWRCST.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\PrintDisp.exe
C:\Program Files (x86)\pdfconverter.com\PDF Converter Elite\3.0\pcSONPrnDisp.exe
C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Users\wesley\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\CEZEO software\LanTalk NET\LanTalk.exe
C:\Program Files (x86)\Print Audit Inc\Print Audit 6\Client\pa6clint.exe
C:\Users\wesley\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
C:\Windows\system32\calc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\1.6.1261\6.6.1089\TmIEPlg32.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Akamai NetSession Interface] "C:\Users\wesley\AppData\Local\Akamai\netsession_win.exe"
mRun: [LanTalk.NET] C:\Program Files (x86)\CEZEO software\LanTalk NET\LanTalk.exe
mRun: [PrintAudit6] C:\Program Files (x86)\Print Audit Inc\Print Audit 6\Client\pa6clint.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoWelcomeScreen = dword:1
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableInstallerDetection = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableSecureUIAPaths = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-Windows\System: AddAdminGroupToRUP = dword:1
mPolicies-Windows\System: CompatibleRUPSecurity = dword:1
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://encana.webex.com/client/T27LC/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.0.20
TCP: Interfaces\{DE50BF31-D4BE-44B6-B450-4BDD97EE1E85} : DHCPNameServer = 192.168.0.20
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\1.6.1261\6.6.1089\TmIEPlg32.dll
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Security Agent\UIFramework\ProToolbarIMRatingActiveX.dll
SSODL: WebCheck - <orphaned>
IFEO: ehshell.exe - "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" -MceShellRedirect
x64-mStart Page = hxxp://en.ca.acer.yahoo.com
x64-BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\1.6.1261\6.6.1089\TmIEPlg.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [PrintDisp] C:\Windows\System32\PrintDisp.exe
x64-Run: [PDF Converter Elite Print Dispatcher] C:\Program Files (x86)\pdfconverter.com\PDF Converter Elite\3.0\pcSONPrnDisp.exe
x64-Run: [FileOpenBroker] C:\Program Files\FileOpen\Services\FileOpenBroker64.exe
x64-Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
x64-Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
x64-Run: [DameWare MRC Agent] C:\Windows\dwrcs\DWRCST.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\1.6.1261\6.6.1089\TmIEPlg.dll
x64-Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
x64-IFEO: ehshell.exe - "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" -MceShellRedirect
.
============= SERVICES / DRIVERS ===============
.
R1 dwvkbd;DameWare Virtual Keyboard 64 bit Driver;C:\Windows\System32\drivers\dwvkbd64.sys [2008-3-12 30720]
R2 FileOpenManagerService;FileOpen Manager Service;C:\Program Files\FileOpen\Services\FileOpenManagerService64.exe [2012-10-17 335288]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2012-1-31 375728]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2011-9-16 15928]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\System32\drivers\LMIRfsDriver.sys [2013-1-12 72216]
R2 msftesql$GERPSQLCLIENT;SQL Server FullText Search (GERPSQLCLIENT);C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2010-3-26 91992]
R2 MSSQL$GERPSQLCLIENT;SQL Server (GERPSQLCLIENT);C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
R2 PA6ClientHelper;Print Audit 6 Client Helper 64-bit;C:\Program Files (x86)\Print Audit Inc\Print Audit 6\Client\pa6clhlp64.exe [2012-10-23 384960]
R2 tmevtmgr;tmevtmgr;C:\Windows\System32\drivers\tmevtmgr.sys [2010-12-22 77184]
R3 DwMirror;DwMirror;C:\Windows\System32\drivers\DamewareMini.sys [2008-3-14 5632]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
RUnknown 76119247;76119247; [x]
S2 Amsp;Trend Micro Solution Platform;C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe [2010-12-22 269016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Printer Control;Printer Control;C:\Windows\System32\PrintCtrl.exe [2012-3-28 77824]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-12-13 19456]
S3 slsusb;Edge CS/CTS Device Driver;C:\Windows\System32\drivers\slsusb.sys [2009-8-3 31328]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-12-13 57856]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-10-19 1255736]
.
=============== Created Last 30 ================
.
2013-03-21 13:06:03 -------- d-sh--w- C:\$RECYCLE.BIN
2013-03-21 05:42:04 -------- d-----w- C:\Users\wesley\AppData\Local\temp
2013-03-21 04:58:59 -------- d-----w- C:\ProgramData\Kaspersky Lab
2013-03-21 04:57:54 460888 ----a-w- C:\Windows\System32\drivers\76119247.sys
2013-03-21 04:44:44 -------- d-----w- C:\ProgramData\Malwarebytes
2013-03-21 04:44:43 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-03-21 04:44:43 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-03-21 04:34:01 1085344 ----a-w- C:\Windows\System32\npDeployJava1.dll
2013-03-21 04:33:49 108448 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2013-03-21 04:30:06 -------- d-----w- C:\Windows\SysWow64\Adobe
2013-03-21 04:19:05 -------- d-----w- C:\ProgramData\HitmanPro
2013-03-21 03:57:34 98816 ----a-w- C:\Windows\sed.exe
2013-03-21 03:57:34 256000 ----a-w- C:\Windows\PEV.exe
2013-03-21 03:57:34 208896 ----a-w- C:\Windows\MBR.exe
2013-03-13 18:03:20 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-03-13 11:58:07 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys
2013-03-08 01:27:25 143872 --sha-r- C:\Windows\SysWow64\msidntldd.dll
2013-03-05 10:07:49 9162192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1283CC11-2531-4EEE-8CD9-EB795C11A9F1}\mpengine.dll
2013-02-23 22:28:35 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
.
==================== Find3M  ====================
.
2013-03-21 04:33:33 963488 ----a-w- C:\Windows\System32\deployJava1.dll
2013-03-21 04:29:09 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-21 04:29:09 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-02-23 22:28:07 861088 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-02-23 22:28:07 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-02-12 05:45:24 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45:22 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45:22 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45:22 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48:31 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-02-02 06:57:02 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-02-02 06:47:24 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-02-02 06:47:19 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-02-02 06:42:18 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-02-02 06:41:51 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-02-02 06:38:01 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-02-02 03:38:35 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-02-02 03:30:32 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-02-02 03:30:21 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-02-02 03:26:47 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-02-02 03:26:21 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-01-25 22:37:56 84328 ----a-w- C:\Windows\System32\LMIinit.dll
2013-01-17 08:28:58 273840 ------w- C:\Windows\System32\MpSigStub.exe
2013-01-13 21:17:03 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-01-13 21:17:02 2560 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-01-13 21:16:42 10752 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-01-13 21:12:46 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-01-13 21:11:21 4096 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-01-13 21:11:08 5632 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-01-13 21:11:07 5632 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-01-13 21:11:07 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-01-13 21:11:07 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-01-13 20:35:31 9728 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-01-13 20:35:31 2560 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-01-13 20:35:18 10752 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-01-13 20:32:07 3584 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-01-13 20:31:48 4096 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-01-13 20:31:41 5632 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-01-13 20:31:40 5632 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-01-13 20:31:40 3072 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-01-13 20:31:40 3072 ---ha-w- C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-01-13 20:31:00 1247744 ----a-w- C:\Windows\SysWow64\DWrite.dll
2013-01-13 20:22:22 1988096 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2013-01-13 20:20:31 293376 ----a-w- C:\Windows\SysWow64\dxgi.dll
2013-01-13 20:09:00 249856 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2013-01-13 20:08:43 220160 ----a-w- C:\Windows\SysWow64\d3d10core.dll
2013-01-13 20:08:35 1504768 ----a-w- C:\Windows\SysWow64\d3d11.dll
2013-01-13 19:59:04 1643520 ----a-w- C:\Windows\System32\DWrite.dll
2013-01-13 19:58:28 1175552 ----a-w- C:\Windows\System32\FntCache.dll
2013-01-13 19:54:01 604160 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2013-01-13 19:53:58 207872 ----a-w- C:\Windows\SysWow64\WindowsCodecsExt.dll
2013-01-13 19:53:14 187392 ----a-w- C:\Windows\SysWow64\UIAnimation.dll
2013-01-13 19:51:30 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll
2013-01-13 19:49:17 363008 ----a-w- C:\Windows\System32\dxgi.dll
2013-01-13 19:48:47 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2013-01-13 19:46:25 1080832 ----a-w- C:\Windows\SysWow64\d3d10.dll
2013-01-13 19:43:21 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2013-01-13 19:38:39 333312 ----a-w- C:\Windows\System32\d3d10_1core.dll
2013-01-13 19:38:32 1887232 ----a-w- C:\Windows\System32\d3d11.dll
2013-01-13 19:38:21 296960 ----a-w- C:\Windows\System32\d3d10core.dll
2013-01-13 19:37:57 3419136 ----a-w- C:\Windows\SysWow64\d2d1.dll
2013-01-13 19:25:04 245248 ----a-w- C:\Windows\System32\WindowsCodecsExt.dll
2013-01-13 19:24:33 648192 ----a-w- C:\Windows\System32\d3d10level9.dll
2013-01-13 19:24:30 221184 ----a-w- C:\Windows\System32\UIAnimation.dll
2013-01-13 19:20:42 194560 ----a-w- C:\Windows\System32\d3d10_1.dll
2013-01-13 19:20:04 1238528 ----a-w- C:\Windows\System32\d3d10.dll
2013-01-13 19:15:40 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2013-01-13 19:10:36 3928064 ----a-w- C:\Windows\System32\d2d1.dll
2013-01-13 19:02:06 417792 ----a-w- C:\Windows\SysWow64\WMPhoto.dll
2013-01-13 18:34:58 364544 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2013-01-13 18:32:43 465920 ----a-w- C:\Windows\System32\WMPhoto.dll
2013-01-13 18:09:52 522752 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2013-01-13 17:26:42 1158144 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2013-01-13 17:05:09 1682432 ----a-w- C:\Windows\System32\XpsPrint.dll
2013-01-13 02:20:43 88008 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll.000.bak
2013-01-13 02:20:43 88008 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll
2013-01-13 02:20:38 83880 ----a-w- C:\Windows\System32\LMIinit.dll.000.bak
2013-01-13 02:20:38 35240 ----a-w- C:\Windows\System32\LMIport.dll
2013-01-05 05:53:43 5553512 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-01-05 05:00:15 3967848 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:00:11 3913064 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-01-04 06:11:21 2284544 ----a-w- C:\Windows\SysWow64\msmpeg2vdec.dll
2013-01-04 06:11:13 2776576 ----a-w- C:\Windows\System32\msmpeg2vdec.dll
2013-01-04 05:46:09 215040 ----a-w- C:\Windows\System32\winsrv.dll
2013-01-04 04:51:16 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-01-04 04:43:21 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2013-01-04 03:26:48 3153408 ----a-w- C:\Windows\System32\win32k.sys
2013-01-04 02:47:35 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-01-04 02:47:34 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-01-04 02:47:34 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-01-04 02:47:33 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-01-03 06:00:54 1913192 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-01-03 06:00:42 288088 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
.
============= FINISH: 16:01:18.27 ===============
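Added example, not part of the thread and not DDS's own code: a small Python triage pass over the DDS log format pasted above, with a few lines copied from this log as constructed sample input. The regexes are my reading of the line formats shown here (the `AV:`/`SP:` product lines, the `mPolicies-System` values and the `R2 name;display;path [date size]` service lines), not a DDS specification; the script flags the disabled or outdated security products, the machine-wide UAC values set to 0, and the service entry whose start type and image file DDS could not resolve.

```python
import re

# Constructed sample input: lines copied from the DDS log pasted in post #2.
SAMPLE_DDS = """\
AV: Trend Micro Security Agent *Disabled/Updated* {B7599298-8445-728A-A5C7-A26A082C8BDA}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
R1 dwvkbd;DameWare Virtual Keyboard 64 bit Driver;C:\\Windows\\System32\\drivers\\dwvkbd64.sys [2008-3-12 30720]
RUnknown 76119247;76119247; [x]
S2 Amsp;Trend Micro Solution Platform;C:\\Program Files\\Trend Micro\\AMSP\\coreServiceShell.exe [2010-12-22 269016]
S3 StorSvc;Storage Service;C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
"""

# "AV: <product> *Enabled|Disabled/Updated|Outdated* {GUID}"  (also SP: and FW:)
SECURITY_RE = re.compile(
    r"^(?P<kind>AV|SP|FW): (?P<product>.+?) "
    r"\*(?P<state>Enabled|Disabled)/(?P<sigs>Updated|Outdated)\* \{[0-9A-Fa-f-]+\}$")

# "mPolicies-System: EnableLUA = dword:0"   u = user hive, m = machine hive
POLICY_RE = re.compile(
    r"^(?P<hive>[um])Policies-(?P<key>[^:]+): (?P<name>\w+) = dword:(?P<value>\d+)$")

# "R2 name;display name;image path [yyyy-m-d size]"
# R = running, S = stopped, digit = start type; "[x]" marks an image DDS could not find.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d|Unknown) (?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>.*) \[(?P<file>.*)\]$")

# Machine-wide UAC settings whose zero value removes the admin/user separation.
UAC_ZERO_MEANS = {
    "EnableLUA": "UAC is disabled",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
}


def triage_dds(text):
    """Return the findings in a DDS log excerpt that deserve a second look."""
    findings = []
    for line in text.splitlines():
        line = line.rstrip()

        m = SECURITY_RE.match(line)
        if m:
            if m["state"] == "Disabled":
                findings.append(f"{m['kind']} disabled: {m['product']}")
            if m["sigs"] == "Outdated":
                findings.append(f"{m['kind']} outdated: {m['product']}")
            continue

        m = POLICY_RE.match(line)
        if m:
            meaning = UAC_ZERO_MEANS.get(m["name"])
            # Only the machine hive (HKLM) System key carries the UAC switches.
            if m["hive"] == "m" and m["key"] == "System" and meaning and m["value"] == "0":
                findings.append(f"policy {m['name']}=0: {meaning}")
            continue

        m = SERVICE_RE.match(line)
        if m and (m["start"] == "Unknown" or m["file"] == "x" or not m["path"]):
            findings.append(
                f"service {m['name']}: unknown start type or missing image ({m['path']!r})")
    return findings


if __name__ == "__main__":
    for finding in triage_dds(SAMPLE_DDS):
        print(finding)
```

The RUnknown entry is only flagged for review here; the FRST log later in the thread attributes the matching 76119247.sys to Kaspersky Lab ZAO, which is what a helper would check before treating it as hostile.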
 



#3 CatByte

  • Malware Response Team

Posted 21 March 2013 - 05:04 PM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 Ian Dubbelboer

  • Topic Starter

Posted 21 March 2013 - 05:27 PM

I'm only able to remote control the system at the moment. I will re-run the tool in safe mode and repost the result.

 

I ran the tool in normal mode in case such a log provides any use.

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-03-2013 (ATTENTION: FRST version is 8 days old)
Ran by Wesley at 21-03-2013 16:20:52
Running from C:\Users\wesley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DXLPFI85
  Service Pack 1 (X64) OS Language: English(US)
Attention: Could not load system hive.
ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ========

2013-03-21 16:20 - 2013-03-21 16:20 - 00000000 ____D C:\FRST
2013-03-21 16:01 - 2013-03-21 16:01 - 00020658 ____A C:\Users\wesley\Desktop\dds.txt
2013-03-21 16:01 - 2013-03-21 16:01 - 00010596 ____A C:\Users\wesley\Desktop\attach.txt
2013-03-21 00:14 - 2013-03-21 00:14 - 00002646 ____A C:\Users\mrsmith\Desktop\FSS.txt
2013-03-21 00:07 - 2013-03-21 00:07 - 00002796 ____A C:\Users\mrsmith\Desktop\RKreport[2]_D_03212013_02d0007.txt
2013-03-21 00:05 - 2013-03-21 00:05 - 00002688 ____A C:\Users\mrsmith\Desktop\RKreport[1]_S_03212013_02d0005.txt
2013-03-21 00:04 - 2013-03-21 00:04 - 00816128 ____A C:\Users\mrsmith\Desktop\RogueKiller.exe
2013-03-21 00:03 - 2013-03-21 00:07 - 00000000 ____D C:\Users\mrsmith\Desktop\RK_Quarantine
2013-03-20 23:42 - 2013-03-20 23:42 - 00016924 ____A C:\ComboFix.txt
2013-03-20 23:17 - 2013-03-20 23:17 - 00000000 ____D C:\Users\mrsmith\AppData\Roaming\CEZEO software
2013-03-20 23:07 - 2012-11-14 01:00 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\mrsmith\Desktop\rkill.exe
2013-03-20 22:58 - 2013-03-20 22:58 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2013-03-20 22:57 - 2012-11-15 05:33 - 00460888 ____A (Kaspersky Lab ZAO) C:\Windows\System32\Drivers\76119247.sys
2013-03-20 22:44 - 2013-03-20 22:45 - 00001105 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-03-20 22:44 - 2013-03-20 22:45 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-03-20 22:44 - 2013-03-20 22:44 - 00000000 ____D C:\Users\mrsmith\AppData\Roaming\Malwarebytes
2013-03-20 22:44 - 2013-03-20 22:44 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-03-20 22:44 - 2012-12-14 16:49 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-03-20 22:36 - 2013-03-20 22:36 - 00896928 ____A (Oracle Corporation) C:\Users\mrsmith\Desktop\JavaSetup7u17.exe
2013-03-20 22:34 - 2013-03-20 22:33 - 01085344 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2013-03-20 22:34 - 2013-03-20 22:33 - 00310688 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-03-20 22:33 - 2013-03-20 22:33 - 00188832 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-03-20 22:33 - 2013-03-20 22:33 - 00188320 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-03-20 22:33 - 2013-03-20 22:33 - 00108448 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge-64.dll
2013-03-20 22:32 - 2013-03-20 22:32 - 33003424 ____A (Oracle Corporation) C:\Users\mrsmith\Downloads\jre-7u17-windows-x64.exe
2013-03-20 22:32 - 2013-03-20 22:32 - 00086536 ____A C:\Users\mrsmith\AppData\Local\GDIPFONTCACHEV1.DAT
2013-03-20 22:30 - 2013-03-20 22:30 - 00000000 ____D C:\Windows\SysWOW64\Adobe
2013-03-20 22:28 - 2013-03-20 22:28 - 00000000 ____D C:\Users\mrsmith\AppData\Roaming\Adobe
2013-03-20 22:19 - 2013-03-20 22:26 - 00000000 ____D C:\ProgramData\HitmanPro
2013-03-20 22:18 - 2013-03-20 22:18 - 00000000 ____D C:\Users\mrsmith\AppData\Local\Print Audit Inc
2013-03-20 22:18 - 2013-03-20 22:18 - 00000000 ____D C:\Users\mrsmith\AppData\Local\LogMeIn
2013-03-20 22:17 - 2013-03-20 22:18 - 00000000 ____D C:\users\mrsmith
2013-03-20 22:17 - 2013-03-20 22:17 - 00006126 _RASH C:\Users\mrsmith\ntuser.pol
2013-03-20 22:17 - 2013-03-20 22:17 - 00000020 ___SH C:\Users\mrsmith\ntuser.ini
2013-03-20 22:17 - 2012-08-26 03:09 - 00000000 ____D C:\Users\mrsmith\Documents\Visual Studio 2005
2013-03-20 22:17 - 2011-11-23 04:08 - 00000000 ____D C:\Users\mrsmith\AppData\Local\Microsoft Help
2013-03-20 22:17 - 2010-10-13 16:29 - 00000000 ____D C:\Users\mrsmith\AppData\Roaming\Macromedia
2013-03-20 21:57 - 2013-03-20 23:42 - 00000000 ___AD C:\Qoobox
2013-03-20 21:57 - 2011-06-26 00:45 - 00256000 ____A C:\Windows\PEV.exe
2013-03-20 21:57 - 2010-11-07 11:20 - 00208896 ____A C:\Windows\MBR.exe
2013-03-20 21:57 - 2009-04-19 22:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-03-20 21:57 - 2000-08-30 18:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-03-20 21:57 - 2000-08-30 18:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-03-20 21:57 - 2000-08-30 18:00 - 00098816 ____A C:\Windows\sed.exe
2013-03-20 21:57 - 2000-08-30 18:00 - 00080412 ____A C:\Windows\grep.exe
2013-03-20 21:57 - 2000-08-30 18:00 - 00068096 ____A C:\Windows\zip.exe
2013-03-20 21:56 - 2013-03-20 22:10 - 00000000 ____D C:\Windows\erdnt
2013-03-20 21:51 - 2013-03-20 21:51 - 00002019 ____A C:\Users\Public\Desktop\Adobe Reader XI.lnk
2013-03-14 12:00 - 2013-01-13 15:17 - 00009728 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-03-14 12:00 - 2013-01-13 15:17 - 00002560 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-03-14 12:00 - 2013-01-13 15:16 - 00010752 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-03-14 12:00 - 2013-01-13 15:12 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-03-14 12:00 - 2013-01-13 15:11 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-03-14 12:00 - 2013-01-13 15:11 - 00005632 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-03-14 12:00 - 2013-01-13 15:11 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-03-14 12:00 - 2013-01-13 15:11 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll
2013-03-14 12:00 - 2013-01-13 15:11 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-03-14 12:00 - 2013-01-13 14:35 - 00010752 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-03-14 12:00 - 2013-01-13 14:35 - 00009728 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-03-14 12:00 - 2013-01-13 14:35 - 00002560 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-03-14 12:00 - 2013-01-13 14:32 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-03-14 12:00 - 2013-01-13 14:31 - 01247744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-03-14 12:00 - 2013-01-13 14:31 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-03-14 12:00 - 2013-01-13 14:31 - 00005632 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-03-14 12:00 - 2013-01-13 14:31 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-03-14 12:00 - 2013-01-13 14:31 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
2013-03-14 12:00 - 2013-01-13 14:31 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-03-14 12:00 - 2013-01-13 14:22 - 01988096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2013-03-14 12:00 - 2013-01-13 14:20 - 00293376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxgi.dll
2013-03-14 12:00 - 2013-01-13 14:09 - 00249856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll
2013-03-14 12:00 - 2013-01-13 14:08 - 01504768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-03-14 12:00 - 2013-01-13 14:08 - 00220160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10core.dll
2013-03-14 12:00 - 2013-01-13 13:59 - 01643520 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-03-14 12:00 - 2013-01-13 13:58 - 01175552 ____A (Microsoft Corporation) C:\Windows\System32\FntCache.dll
2013-03-14 12:00 - 2013-01-13 13:54 - 00604160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2013-03-14 12:00 - 2013-01-13 13:53 - 00207872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecsExt.dll
2013-03-14 12:00 - 2013-01-13 13:53 - 00187392 ____A (Microsoft Corporation) C:\Windows\SysWOW64\UIAnimation.dll
2013-03-14 12:00 - 2013-01-13 13:51 - 02565120 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2013-03-14 12:00 - 2013-01-13 13:49 - 00363008 ____A (Microsoft Corporation) C:\Windows\System32\dxgi.dll
2013-03-14 12:00 - 2013-01-13 13:48 - 00161792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll
2013-03-14 12:00 - 2013-01-13 13:46 - 01080832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10.dll
2013-03-14 12:00 - 2013-01-13 13:43 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-03-14 12:00 - 2013-01-13 13:38 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-03-14 12:00 - 2013-01-13 13:38 - 00333312 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2013-03-14 12:00 - 2013-01-13 13:38 - 00296960 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
2013-03-14 12:00 - 2013-01-13 13:37 - 03419136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2013-03-14 12:00 - 2013-01-13 13:25 - 00245248 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll
2013-03-14 12:00 - 2013-01-13 13:24 - 00648192 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2013-03-14 12:00 - 2013-01-13 13:24 - 00221184 ____A (Microsoft Corporation) C:\Windows\System32\UIAnimation.dll
2013-03-14 12:00 - 2013-01-13 13:20 - 01238528 ____A (Microsoft Corporation) C:\Windows\System32\d3d10.dll
2013-03-14 12:00 - 2013-01-13 13:20 - 00194560 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2013-03-14 12:00 - 2013-01-13 13:15 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-03-14 12:00 - 2013-01-13 13:10 - 03928064 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2013-03-14 12:00 - 2013-01-13 13:02 - 00417792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2013-03-14 12:00 - 2013-01-13 12:34 - 00364544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
2013-03-14 12:00 - 2013-01-13 12:32 - 00465920 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll
2013-03-14 12:00 - 2013-01-13 12:09 - 00522752 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll
2013-03-14 12:00 - 2013-01-13 11:26 - 01158144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsPrint.dll
2013-03-14 12:00 - 2013-01-13 11:05 - 01682432 ____A (Microsoft Corporation) C:\Windows\System32\XpsPrint.dll
2013-03-14 12:00 - 2013-01-04 00:11 - 02776576 ____A (Microsoft Corporation) C:\Windows\System32\msmpeg2vdec.dll
2013-03-14 12:00 - 2013-01-04 00:11 - 02284544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2013-03-13 12:03 - 2013-02-02 01:31 - 17815040 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-03-13 12:03 - 2013-02-02 00:58 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-03-13 12:03 - 2013-02-02 00:57 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-03-13 12:03 - 2013-02-02 00:48 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-03-13 12:03 - 2013-02-02 00:47 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-03-13 12:03 - 2013-02-02 00:47 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-03-13 12:03 - 2013-02-02 00:46 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-03-13 12:03 - 2013-02-02 00:43 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-03-13 12:03 - 2013-02-02 00:42 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-03-13 12:03 - 2013-02-02 00:42 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-03-13 12:03 - 2013-02-02 00:41 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-03-13 12:03 - 2013-02-02 00:40 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-03-13 12:03 - 2013-02-02 00:39 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-03-13 12:03 - 2013-02-02 00:38 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-03-13 12:03 - 2013-02-02 00:38 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-03-13 12:03 - 2013-02-02 00:34 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-03-13 12:03 - 2013-02-01 22:09 - 12321792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-03-13 12:03 - 2013-02-01 21:42 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-03-13 12:03 - 2013-02-01 21:38 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-03-13 12:03 - 2013-02-01 21:31 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-03-13 12:03 - 2013-02-01 21:30 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-03-13 12:03 - 2013-02-01 21:30 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-03-13 12:03 - 2013-02-01 21:29 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-03-13 12:03 - 2013-02-01 21:27 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-03-13 12:03 - 2013-02-01 21:26 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-03-13 12:03 - 2013-02-01 21:26 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-03-13 12:03 - 2013-02-01 21:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-03-13 12:03 - 2013-02-01 21:25 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-03-13 12:03 - 2013-02-01 21:23 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-03-13 12:03 - 2013-02-01 21:23 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-03-13 12:03 - 2013-02-01 21:23 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-03-13 12:03 - 2013-02-01 21:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-03-13 12:01 - 2013-03-13 12:01 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-03-13 12:01 - 2013-03-13 12:01 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-03-13 05:58 - 2013-02-11 22:12 - 00019968 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\usb8023.sys
2013-03-09 13:03 - 2013-03-09 13:03 - 00000000 ____D C:\Users\Public\Documents\Print Audit Inc
2013-03-07 19:27 - 2013-03-20 23:49 - 00000312 ____A C:\Windows\Tasks\XSCMV.job
2013-03-07 19:27 - 2013-03-07 19:27 - 00143872 _RASH C:\Windows\SysWOW64\msidntldd.dll
2013-03-01 19:27 - 2013-03-01 19:27 - 16575720 ____A C:\Users\wesley\Desktop\1498 Gordondale 11-03-079-11 W6M Wellsite Signed Drawings.zip
2013-02-23 16:29 - 2013-02-23 16:28 - 00262560 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-02-23 16:28 - 2013-02-23 16:28 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-02-23 16:28 - 2013-02-23 16:28 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-02-23 16:28 - 2013-02-23 16:28 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

==================== One Month Modified Files and Folders =======

2013-03-21 16:20 - 2013-03-21 16:20 - 00000000 ____D C:\FRST
2013-03-21 16:20 - 2010-10-14 10:22 - 00000000 ____D C:\Users\wesley\Documents\Outlook Files
2013-03-21 16:16 - 2010-10-13 15:42 - 00000144 ____A C:\Windows\System32\config\netlogon.ftl
2013-03-21 16:01 - 2013-03-21 16:01 - 00020658 ____A C:\Users\wesley\Desktop\dds.txt
2013-03-21 16:01 - 2013-03-21 16:01 - 00010596 ____A C:\Users\wesley\Desktop\attach.txt
2013-03-21 15:46 - 2010-10-13 13:33 - 01235339 ____A C:\Windows\WindowsUpdate.log
2013-03-21 15:33 - 2013-02-06 16:15 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-03-21 07:12 - 2010-10-13 18:19 - 00000000 ____D C:\Users\wesley\AppData\Roaming\Adobe
2013-03-21 00:22 - 2009-07-13 22:45 - 00015184 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-21 00:22 - 2009-07-13 22:45 - 00015184 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-21 00:17 - 2013-01-12 20:19 - 00000000 ____D C:\ProgramData\LogMeIn
2013-03-21 00:14 - 2013-03-21 00:14 - 00002646 ____A C:\Users\mrsmith\Desktop\FSS.txt
2013-03-21 00:07 - 2013-03-21 00:07 - 00002796 ____A C:\Users\mrsmith\Desktop\RKreport[2]_D_03212013_02d0007.txt
2013-03-21 00:07 - 2013-03-21 00:03 - 00000000 ____D C:\Users\mrsmith\Desktop\RK_Quarantine
2013-03-21 00:05 - 2013-03-21 00:05 - 00002688 ____A C:\Users\mrsmith\Desktop\RKreport[1]_S_03212013_02d0005.txt
2013-03-21 00:04 - 2013-03-21 00:04 - 00816128 ____A C:\Users\mrsmith\Desktop\RogueKiller.exe
2013-03-20 23:49 - 2013-03-07 19:27 - 00000312 ____A C:\Windows\Tasks\XSCMV.job
2013-03-20 23:42 - 2013-03-20 23:42 - 00016924 ____A C:\ComboFix.txt
2013-03-20 23:42 - 2013-03-20 21:57 - 00000000 ___AD C:\Qoobox
2013-03-20 23:37 - 2009-07-13 20:34 - 00000215 ____A C:\Windows\system.ini
2013-03-20 23:20 - 2009-07-13 23:13 - 00909846 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-20 23:17 - 2013-03-20 23:17 - 00000000 ____D C:\Users\mrsmith\AppData\Roaming\CEZEO software
2013-03-20 23:14 - 2012-11-15 04:47 - 00001658 ____A C:\Windows\setupact.log
2013-03-20 23:14 - 2012-03-12 08:49 - 00430840 ____A C:\Windows\PFRO.log
2013-03-20 23:14 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-20 22:58 - 2013-03-20 22:58 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2013-03-20 22:45 - 2013-03-20 22:44 - 00001105 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-03-20 22:45 - 2013-03-20 22:44 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-03-20 22:44 - 2013-03-20 22:44 - 00000000 ____D C:\Users\mrsmith\AppData\Roaming\Malwarebytes
2013-03-20 22:44 - 2013-03-20 22:44 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-03-20 22:36 - 2013-03-20 22:36 - 00896928 ____A (Oracle Corporation) C:\Users\mrsmith\Desktop\JavaSetup7u17.exe
2013-03-20 22:35 - 2010-11-03 17:35 - 00000000 ____D C:\Program Files\Java
2013-03-20 22:33 - 2013-03-20 22:34 - 01085344 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2013-03-20 22:33 - 2013-03-20 22:34 - 00310688 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-03-20 22:33 - 2013-03-20 22:33 - 00188832 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-03-20 22:33 - 2013-03-20 22:33 - 00188320 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-03-20 22:33 - 2013-03-20 22:33 - 00108448 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge-64.dll
2013-03-20 22:33 - 2010-11-03 17:36 - 00963488 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2013-03-20 22:32 - 2013-03-20 22:32 - 33003424 ____A (Oracle Corporation) C:\Users\mrsmith\Downloads\jre-7u17-windows-x64.exe
2013-03-20 22:32 - 2013-03-20 22:32 - 00086536 ____A C:\Users\mrsmith\AppData\Local\GDIPFONTCACHEV1.DAT
2013-03-20 22:30 - 2013-03-20 22:30 - 00000000 ____D C:\Windows\SysWOW64\Adobe
2013-03-20 22:29 - 2012-12-12 08:10 - 00693976 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-03-20 22:29 - 2012-12-12 08:10 - 00073432 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-03-20 22:29 - 2010-10-13 16:29 - 00000000 ____D C:\ProgramData\Adobe
2013-03-20 22:28 - 2013-03-20 22:28 - 00000000 ____D C:\Users\mrsmith\AppData\Roaming\Adobe
2013-03-20 22:27 - 2011-07-25 12:38 - 00000000 ____D C:\Program Files (x86)\Java
2013-03-20 22:27 - 2010-11-02 14:22 - 00000000 ____D C:\Windows\System32\appmgmt
2013-03-20 22:26 - 2013-03-20 22:19 - 00000000 ____D C:\ProgramData\HitmanPro
2013-03-20 22:18 - 2013-03-20 22:18 - 00000000 ____D C:\Users\mrsmith\AppData\Local\Print Audit Inc
2013-03-20 22:18 - 2013-03-20 22:18 - 00000000 ____D C:\Users\mrsmith\AppData\Local\LogMeIn
2013-03-20 22:18 - 2013-03-20 22:17 - 00000000 ____D C:\users\mrsmith
2013-03-20 22:17 - 2013-03-20 22:17 - 00006126 _RASH C:\Users\mrsmith\ntuser.pol
2013-03-20 22:17 - 2013-03-20 22:17 - 00000020 ___SH C:\Users\mrsmith\ntuser.ini
2013-03-20 22:13 - 2009-07-13 21:20 - 00000000 __RHD C:\users\Default
2013-03-20 22:10 - 2013-03-20 21:56 - 00000000 ____D C:\Windows\erdnt
2013-03-20 22:08 - 2010-10-13 16:19 - 00000000 ____D C:\users\wesley
2013-03-20 21:51 - 2013-03-20 21:51 - 00002019 ____A C:\Users\Public\Desktop\Adobe Reader XI.lnk
2013-03-20 21:51 - 2010-10-13 18:19 - 00000000 ____D C:\Users\wesley\AppData\Local\Adobe
2013-03-20 21:51 - 2010-10-13 16:29 - 00000000 ____D C:\Program Files (x86)\Adobe
2013-03-19 07:25 - 2012-04-23 16:17 - 00000000 ____D C:\Users\wesley\AppData\Local\Akamai
2013-03-15 09:47 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\rescache
2013-03-15 09:08 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\SysWOW64\zh-HK
2013-03-15 09:08 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\SysWOW64\tr-TR
2013-03-15 09:08 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\System32\zh-HK
2013-03-15 09:08 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\System32\tr-TR
2013-03-13 12:06 - 2012-04-16 08:46 - 72013344 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-03-13 12:06 - 2010-10-13 16:35 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-03-13 12:01 - 2013-03-13 12:01 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-03-13 12:01 - 2013-03-13 12:01 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-03-10 16:12 - 2010-10-13 15:44 - 00014006 _RASH C:\ProgramData\ntuser.pol
2013-03-09 13:03 - 2013-03-09 13:03 - 00000000 ____D C:\Users\Public\Documents\Print Audit Inc
2013-03-07 19:27 - 2013-03-07 19:27 - 00143872 _RASH C:\Windows\SysWOW64\msidntldd.dll
2013-03-01 19:27 - 2013-03-01 19:27 - 16575720 ____A C:\Users\wesley\Desktop\1498 Gordondale 11-03-079-11 W6M Wellsite Signed Drawings.zip
2013-02-23 16:28 - 2013-02-23 16:29 - 00262560 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-02-23 16:28 - 2013-02-23 16:28 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-02-23 16:28 - 2013-02-23 16:28 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-02-23 16:28 - 2013-02-23 16:28 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-02-23 16:28 - 2013-01-14 18:11 - 00861088 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2013-02-23 16:28 - 2013-01-14 18:11 - 00782240 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2013-03-20 22:33:20
Restore point made on: 2013-03-20 22:34:27

==================== Memory info ===========================

Percentage of memory in use: 68%
Total physical RAM: 1791.49 MB
Available physical RAM: 557.84 MB
Total Pagefile: 3582.98 MB
Available Pagefile: 1611.64 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:144.2 GB) (Free:23.88 GB) NTFS
2 Drive d: (DATA) (Fixed) (Total:144.03 GB) (Free:0.01 GB) NTFS
8 Drive l: (New Volume) (Fixed) (Total:931.51 GB) (Free:728.13 GB) NTFS
9 Drive o: (Drafting_Data) (Network) (Total:931.48 GB) (Free:510.34 GB) NTFS
10 Drive q: (Data_Drive) (Network) (Total:931.48 GB) (Free:453.38 GB) NTFS
11 Drive r: (Data_Drive) (Network) (Total:931.48 GB) (Free:453.38 GB) NTFS
12 Drive s: (Data_Drive) (Network) (Total:931.48 GB) (Free:453.38 GB) NTFS
13 Drive t: (Data_Drive) (Network) (Total:931.48 GB) (Free:453.38 GB) NTFS
14 Drive u: (Data_Drive) (Network) (Total:931.48 GB) (Free:453.38 GB) NTFS
15 Drive v: (Data_Drive) (Network) (Total:931.48 GB) (Free:453.38 GB) NTFS
16 Drive w: (Data_Drive) (Network) (Total:931.48 GB) (Free:453.38 GB) NTFS
17 Drive x: (Data_Drive) (Network) (Total:931.48 GB) (Free:453.38 GB) NTFS
18 Drive y: (Data_Drive) (Network) (Total:931.48 GB) (Free:453.38 GB) NTFS
19 Drive z: (Data_Drive) (Network) (Total:931.48 GB) (Free:453.38 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B        
  Disk 1    Online          931 GB      0 B        
  Disk 2    No Media           0 B      0 B        
  Disk 3    No Media           0 B      0 B        
  Disk 4    No Media           0 B      0 B        
  Disk 5    No Media           0 B      0 B        

Partitions of Disk 0:
===============

Disk ID: 356DF93D

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery             9 GB    31 KB
  Partition 2    Primary            100 MB     9 GB
  Partition 3    Primary            144 GB     9 GB
  Partition 4    Primary            144 GB   154 GB

==================================================================================

Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4         PQSERVICE    NTFS   Partition      9 GB  Healthy    Hidden 

=========================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1         System Rese  NTFS   Partition    100 MB  Healthy    System (partition with boot components) 

=========================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    144 GB  Healthy    Boot   

=========================================================

Disk: 0
Partition 4
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     D   DATA         NTFS   Partition    144 GB  Healthy           

=========================================================

Partitions of Disk 1:
===============

Disk ID: 819B8AAB

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            931 GB    31 KB

==================================================================================

Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 5     L   New Volume   NTFS   Partition    931 GB  Healthy           

=========================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 356DF93D

Partition 1:
=========
Hex: 0001010027FEFFFF3F0000003B4C3801
Active: NO
Type: 27
Size: 10 GB

Partition 2:
=========
Hex: 80FEFFFF07FEFFFF0050380100200300
Active: YES
Type: 07 (NTFS)
Size: 100 MB

Partition 3:
=========
Hex: 00FEFFFF07FEFFFF00703B0100680612
Active: NO
Type: 07 (NTFS)
Size: 144 GB

Partition 4:
=========
Hex: 00FEFFFF07FEFFFFCFDB4113F2FA0012
Active: NO
Type: 07 (NTFS)
Size: 144 GB

==============================
Partitions of Disk 1:
===============
Disk ID: 819B8AAB

Partition 1:
=========
Hex: 0001010007FEFFFF3F00000082597074
Active: NO
Type: 07 (NTFS)
Size: 932 GB


Last Boot: 2013-03-15 00:57

==================== End Of Log =============================



#5 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 21 March 2013 - 05:33 PM

If you are unable to boot to the recovery environment, we can use other tools.

Please run the following:

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

    Note:
    If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
    Internet access
    Windows Update
    Windows Firewall

    If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.
    Verify that your system is now functioning normally.


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
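An added check, not part of CatByte's post or of the Malwarebytes tool, for the items the note above asks you to verify after the cleanup (Windows Update, Windows Firewall, Internet access) on a Windows 7 machine. The service names are the standard ones; the probe URL is an assumption (it is the address the Windows connectivity indicator itself uses), and the script runs on PowerShell 2.0 as shipped with Windows 7.

```powershell
# Added example, not from the thread: report the state of the services the
# note asks about and whether plain HTTP works. A service that is Running but
# set to "Disabled" will not survive the next reboot, so StartMode is shown too.
function Test-PostCleanupState {
    $services = @{
        'wuauserv' = 'Windows Update'
        'MpsSvc'   = 'Windows Firewall'
        'BFE'      = 'Base Filtering Engine (the firewall depends on it)'
    }
    $results = @()
    foreach ($name in $services.Keys) {
        # Win32_Service exposes StartMode; Get-Service on PowerShell 2.0 does not.
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) {
            $state = 'MISSING'; $mode = 'n/a'; $ok = $false
        } else {
            $state = $svc.State; $mode = $svc.StartMode
            $ok = ($state -eq 'Running') -and ($mode -ne 'Disabled')
        }
        $results += New-Object PSObject -Property @{
            Item = $services[$name]; Name = $name; State = $state; StartMode = $mode; OK = $ok }
    }

    # Internet access: a plain HTTP fetch of the NCSI probe page (assumed URL).
    # A proxy or captive portal can still make this succeed without real access.
    $ok = $true; $state = 'reachable'
    try {
        $null = (New-Object System.Net.WebClient).DownloadString('http://www.msftncsi.com/ncsi.txt')
    } catch {
        $ok = $false; $state = $_.Exception.Message
    }
    $results += New-Object PSObject -Property @{
        Item = 'Internet access'; Name = 'http probe'; State = $state; StartMode = 'n/a'; OK = $ok }
    return $results
}

$report = Test-PostCleanupState
$report | Format-Table Item, Name, State, StartMode, OK -AutoSize
if ($report | Where-Object { -not $_.OK }) {
    Write-Host 'One or more checks failed: run fixdamage from the MBAR folder, reboot, then re-run this script.'
}
```

Run it from an elevated PowerShell prompt; if a service shows Running now but fails the same check a minute later, something on the system is still stopping it and the cleanup is not complete.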


#6 Ian Dubbelboer

  • Topic Starter

  • Members
  • 34 posts

Posted 21 March 2013 - 05:55 PM

No luck

 

Resulting logs (System)

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1021

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, L:\ DRIVE_FIXED
CPU speed: 2.294000 GHz
Memory total: 1878515712, free: 314888192

------------ Kernel report ------------
     03/21/2013 16:40:08
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\system32\DRIVERS\76119247.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\vmbus.sys
\SystemRoot\system32\drivers\winhv.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\drivers\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\dwvkbd64.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\tmtdi.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\amdk8.sys
\SystemRoot\system32\drivers\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\yk62x64.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\drivers\1394ohci.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\drivers\mouclass.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\DamewareMini.sys
\SystemRoot\system32\DRIVERS\lmimirr.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\hidusb.sys
\SystemRoot\system32\drivers\HIDCLASS.SYS
\SystemRoot\system32\drivers\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\drivers\kbdhid.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\tmcomm.sys
\SystemRoot\system32\DRIVERS\tmevtmgr.sys
\SystemRoot\system32\DRIVERS\tmactmon.sys
\??\C:\Program Files\FileOpen\Services\fileopen64.sys
\??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys
\??\C:\Windows\system32\drivers\LMIRfsDriver.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\System32\drivers\rdpdr.sys
\SystemRoot\system32\drivers\tdtcp.sys
\SystemRoot\System32\DRIVERS\tssecsrv.sys
\SystemRoot\System32\Drivers\RDPWD.SYS
\??\C:\Program Files (x86)\Print Audit Inc\Print Audit 6\Client\pa664Inj.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\Drivers\PROCEXP113.SYS
\??\C:\Users\mrsmith\AppData\Local\Temp\uwldqpow.sys
\SystemRoot\System32\DamewareDisp.dll
\SystemRoot\System32\lmimirr.dll
\SystemRoot\System32\lmimirr2.dll
\SystemRoot\system32\drivers\spsys.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk5\DR5
Upper Device Object: 0xfffffa8002e48790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007a\
Lower Device Object: 0xfffffa8002e4cb60
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR4
Upper Device Object: 0xfffffa8003192790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000079\
Lower Device Object: 0xfffffa8003188b60
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR3
Upper Device Object: 0xfffffa8003190790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000078\
Lower Device Object: 0xfffffa8003122b60
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR2
Upper Device Object: 0xfffffa800318e790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000077\
Lower Device Object: 0xfffffa8003120b60
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa8002e3d790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000070\
Lower Device Object: 0xfffffa8002b8e510
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80024e5060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa8001531060
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
Downloaded database version: v2013.03.21.14
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 3
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80024e5060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80024e5b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80024e5060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80023e5520, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa8001531060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xfffff8a00bdbbf10, 0xfffffa80024e5060, 0xfffffa800204f790
Lower DeviceData: 0xfffff8a004d9f370, 0xfffffa8001531060, 0xfffffa80033e2910
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 3
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 356DF93D

Partition information:

    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 20466747

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 20467712  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 20672512  Numsec = 302409728

    Partition 3 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 323083215  Numsec = 302054130

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-625122448-625142448)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa8002e3d790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8002b8fa50, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8002e3d790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8002b8e510, DeviceName: \Device\00000070\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0xfffff8a00f5055c0, 0xfffffa8002e3d790, 0xfffffa80035556d0
Lower DeviceData: 0xfffff8a00be2b7c0, 0xfffffa8002b8e510, 0xfffffa8001648e40
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 819B8AAB

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 1953520002

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Physical Sector Size: 0
Drive: 2, DevicePointer: 0xfffffa800318e790, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8002e23300, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800318e790, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8003120b60, DeviceName: \Device\00000077\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 3, DevicePointer: 0xfffffa8003190790, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8002dbfb90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8003190790, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8003122b60, DeviceName: \Device\00000078\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xfffffa8003192790, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8002d9dad0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8003192790, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8003188b60, DeviceName: \Device\00000079\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 5, DevicePointer: 0xfffffa8002e48790, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80030f3040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8002e48790, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8002e4cb60, DeviceName: \Device\0000007a\, DriverName: \Driver\USBSTOR\
------------ End ----------
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================


Resulting logs (MBAR)


Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.21.14

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
mrsmith :: WES-PC [administrator]

21/03/2013 4:52:42 PM
mbar-log-2013-03-21 (16-52-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 28673
Time elapsed: 12 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#7 Ian Dubbelboer

Ian Dubbelboer
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:01:35 AM

Posted 21 March 2013 - 06:00 PM

Just for reference this is what GMER sees.


This does not say it has a rootkit, but the other behavior demonstrated at the beginning of the thread is why I think one must exist.

Running GMER on other systems has never given such results.


GMER 2.1.19155 - http://www.gmer.net
Rootkit scan 2013-03-21 16:57:19
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200AAJS-22B4A0 rev.01.03A01 298.09GB
Running: d8stw0mp.exe; Driver: C:\Users\mrsmith\AppData\Local\Temp\uwldqpow.sys


---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\lsm.exe [568:5976]                                                   000007fefcd61a70
Thread  C:\Windows\System32\svchost.exe [916:1040]                                               000007fefb01331c
Thread  C:\Windows\System32\svchost.exe [916:3264]                                               000007fef7ac44e0
Thread  C:\Windows\System32\svchost.exe [916:3316]                                               000007fef59120c0
Thread  C:\Windows\System32\svchost.exe [916:3320]                                               000007fef5b514a0
Thread  C:\Windows\System32\svchost.exe [916:3384]                                               000007fef59126a8
Thread  C:\Windows\System32\svchost.exe [916:3388]                                               000007fef59129dc
Thread  C:\Windows\System32\svchost.exe [916:3392]                                               000007fef59129dc
Thread  C:\Windows\System32\svchost.exe [916:3612]                                               000007fef808a2b0
Thread  C:\Windows\System32\svchost.exe [916:5064]                                               000007fef7da88f8
Thread  C:\Windows\system32\svchost.exe [976:1800]                                               000007fef9fcce0c
Thread  C:\Windows\system32\svchost.exe [976:2744]                                               000007fef73084d8
Thread  C:\Windows\system32\svchost.exe [976:2888]                                               000007fef72c23a8
Thread  C:\Windows\system32\svchost.exe [976:2900]                                               000007fef77f0d00
Thread  C:\Windows\system32\svchost.exe [976:2904]                                               000007fef6f29498
Thread  C:\Windows\system32\svchost.exe [976:3688]                                               000007fef793c8ec
Thread  C:\Windows\system32\svchost.exe [976:2336]                                               000007fef4724cac
Thread  C:\Windows\system32\svchost.exe [976:192]                                                000007fef6727bd0
Thread  C:\Windows\system32\svchost.exe [976:1412]                                               000007fef6727bd0
Thread  C:\Windows\system32\svchost.exe [976:4800]                                               000007fef7d55124
Thread  C:\Windows\system32\svchost.exe [976:5420]                                               000007fef9fcce0c
Thread  C:\Windows\system32\svchost.exe [976:4320]                                               000007fef69ccb70
Thread  C:\Windows\system32\svchost.exe [976:6140]                                               000007fef69ccb70
Thread  C:\Windows\system32\svchost.exe [976:6564]                                               000007fef6804164
Thread  C:\Windows\system32\svchost.exe [976:6176]                                               000007fef6c65170
Thread  C:\Windows\system32\svchost.exe [976:4580]                                               000007fef7641d28
Thread  C:\Windows\system32\svchost.exe [976:4004]                                               000007fef7641d28
Thread  C:\Windows\system32\svchost.exe [976:3284]                                               000007fef7641d28
Thread  C:\Windows\System32\spoolsv.exe [1256:3744]                                              000007fef57410c8
Thread  C:\Windows\System32\spoolsv.exe [1256:3748]                                              000007fef4a56144
Thread  C:\Windows\System32\spoolsv.exe [1256:3752]                                              000007fef9945fd0
Thread  C:\Windows\System32\spoolsv.exe [1256:3756]                                              000007fef4a33438
Thread  C:\Windows\System32\spoolsv.exe [1256:3760]                                              000007fef99463ec
Thread  C:\Windows\System32\spoolsv.exe [1256:3768]                                              000007fef7835e5c
Thread  C:\Windows\System32\spoolsv.exe [1256:3772]                                              000007fef4b15074
Thread  C:\Windows\System32\spoolsv.exe [1256:3800]                                              000007fef4b91030
Thread  C:\Windows\system32\svchost.exe [1304:1140]                                              000007fef9945fd0
Thread  C:\Windows\system32\svchost.exe [1304:388]                                               000007fef99463ec
Thread  C:\Windows\system32\svchost.exe [1304:2212]                                              000007fef2938470
Thread  C:\Windows\system32\svchost.exe [1304:1204]                                              000007fef2942418
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2096]  00000000770f3e45
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2176]  00000000770f2e25
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2556]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2560]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2564]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2568]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2572]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2584]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2728]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2732]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2736]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2936]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2940]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2948]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2952]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2964]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2980]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2984]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2988]  00000000770f3e45
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:3008]  0000000073a51c2f
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:3020]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:2992]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:4492]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:3136]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:384]   00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:5392]  00000000740529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1744:4108]  00000000740529e1
Thread  C:\Windows\System32\WUDFHost.exe [3640:3700]                                             000007fef5cd24a0
Thread  C:\Windows\system32\taskhost.exe [1528:460]                                              000007fefa672740
Thread  C:\Windows\system32\taskhost.exe [1528:2252]                                             000007fefa611f38
Thread  C:\Windows\system32\taskhost.exe [1528:2068]                                             000007fefb111010
Thread  C:\Windows\Explorer.EXE [1488:2004]                                                      000007fef48d2154
Thread  C:\Windows\Explorer.EXE [1488:4680]                                                      000007fef0392118
Thread  C:\Windows\Explorer.EXE [1488:4996]                                                      000007fefb111010
Thread  C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE [1572:1084]                       000007fefb742a7c
Thread  C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE [1572:4256]                       000007fefa371ebc
Thread  C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE [1572:1556]                       00000000709a21f0
Thread  C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE [1572:4176]                       000007fefb111010
Thread  C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE [1572:3160]                       000007fef48d2154
Thread  C:\Windows\system32\LogonUI.exe [4388:4912]                                              000007fefc24b170
Thread  C:\Windows\system32\LogonUI.exe [4388:5836]                                              000007fef2cb7048

---- EOF - GMER 2.1 ----



#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:35 AM

Posted 21 March 2013 - 07:18 PM

ok,

are those entries highlighted in red when you run the scan?
(they may not be an indication of an infection in Svchost)
I had noticed a .job file and a hidden .dll that appear suspicious; let's see what ComboFix can find.

Please run the following

Refer to the ComboFix User's Guide
  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
  • NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



Edited by CatByte, 21 March 2013 - 07:19 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

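An added illustration (not part of the thread, and not GMER's own code) of the check that turns a GMER thread listing like the one posted above into a yes/no answer. The right-hand column is the thread's start address. A thread whose start address is not inside any module loaded in its process is the classic indicator of injected code; a thread that starts inside a legitimately loaded DLL is not, by itself, evidence of anything, which is the point behind asking whether the entries were shown in red. The addresses GMER printed for svchost.exe above (000007fef...) sit in the range where 64-bit Windows 7 maps its system DLLs. The PIDs, thread IDs, start addresses and the module base/size table in the block are constructed for this example; on a real system the module table comes from a per-process DLL list that includes base address and size (Sysinternals ListDLLs, Process Explorer's DLL view) or from a memory image.

```python
import re

# GMER "Threads" lines in the format of the listing above; PIDs, thread IDs and
# start addresses are constructed for this example, not taken from the real log.
GMER_THREADS = r"""
Thread  C:\Windows\System32\svchost.exe [1234:1040]   000007fefb01331c
Thread  C:\Windows\System32\svchost.exe [1234:3264]   000007fef7ac44e0
Thread  C:\Windows\System32\svchost.exe [1234:4321]   0000000002a40000
"""

# Per-process module table: (name, base, size). Constructed here; on a live
# system take it from a DLL listing that includes base and size (Sysinternals
# ListDLLs, Process Explorer's DLL view) or from a memory image.
MODULES = {
    1234: [
        ("ntdll.dll",    0x0000000077050000, 0x1A9000),
        ("kernel32.dll", 0x0000000076F30000, 0x11F000),
        ("sechost.dll",  0x000007FEF7AB0000, 0x01F000),
        ("rpcrt4.dll",   0x000007FEFAF90000, 0x1B6000),
    ]
}

THREAD_LINE = re.compile(
    r"^Thread\s+(?P<image>.+?)\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<start>[0-9a-fA-F]{16})$"
)


def parse_threads(text):
    """(image, pid, tid, start_address) for each GMER Thread line."""
    threads = []
    for line in text.splitlines():
        m = THREAD_LINE.match(line.strip())
        if m:
            threads.append((m["image"], int(m["pid"]), int(m["tid"]), int(m["start"], 16)))
    return threads


def module_for(pid, addr, modules):
    """Name of the module whose mapped range contains addr, or None."""
    for name, base, size in modules.get(pid, []):
        if base <= addr < base + size:
            return name
    return None


def unbacked_threads(text, modules):
    """Threads whose start address lies outside every module of their process."""
    return [t for t in parse_threads(text) if module_for(t[1], t[3], modules) is None]


if __name__ == "__main__":
    for image, pid, tid, start in parse_threads(GMER_THREADS):
        backing = module_for(pid, start, MODULES) or "<no module: inspect this region>"
        print(f"{image} [{pid}:{tid}] {start:016x} -> {backing}")
```

Expect false positives in processes that run JIT-compiled code (.NET, Java, browsers), where thread starts are legitimately unbacked. Confirm a hit by dumping the region and looking for a PE header or shellcode rather than acting on the address alone; an svchost.exe thread that starts inside rpcrt4.dll or sechost.dll is normal.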

#9 Ian Dubbelboer

Ian Dubbelboer
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:01:35 AM

Posted 21 March 2013 - 07:48 PM

Those entries are not highlighted in red for the GMER report


Here is the combofix log


ComboFix 13-03-21.01 - mrsmith 21/03/2013  18:35:17.3.2 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.2.1033.18.1791.626 [GMT -6:00]
Running from: C:\Users\mrsmith\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1PAO39L\ComboFix.exe
AV: Trend Micro Security Agent *Disabled/Updated* {B7599298-8445-728A-A5C7-A26A082C8BDA}
SP: Trend Micro Security Agent *Disabled/Updated* {0C38737C-A27F-7D04-9F77-991873ABC167}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


(((((((((((((((((((((((((   Files Created from 2013-02-22 to 2013-03-22  )))))))))))))))))))))))))))))))


2013-03-22 00:43:57 . 2013-03-22 00:43:57 -------- d-----w- C:\Users\Wesley.000\AppData\Local\temp
2013-03-22 00:43:56 . 2013-03-22 00:43:56 -------- d-----w- C:\Users\user\AppData\Local\temp
2013-03-22 00:43:56 . 2013-03-22 00:43:56 -------- d-----w- C:\Users\UpdatusUser\AppData\Local\temp
2013-03-22 00:43:56 . 2013-03-22 00:43:56 -------- d-----w- C:\Users\precisionadmin\AppData\Local\temp
2013-03-22 00:43:56 . 2013-03-22 00:43:56 -------- d-----w- C:\Users\Default\AppData\Local\temp
2013-03-21 22:21:47 . 2013-03-21 22:21:47 -------- d-----w- C:\Users\wesley\AppData\Roaming\Malwarebytes
2013-03-21 22:20:50 . 2013-03-21 22:20:52 -------- d-----w- C:\FRST
2013-03-21 05:42:04 . 2013-03-22 00:43:57 -------- d-----w- C:\Users\wesley\AppData\Local\temp
2013-03-21 04:58:59 . 2013-03-21 04:58:59 -------- d-----w- C:\ProgramData\Kaspersky Lab
2013-03-21 04:57:54 . 2012-11-15 11:33:37 460888 ----a-w- C:\Windows\system32\drivers\76119247.sys
2013-03-21 04:44:44 . 2013-03-21 04:44:44 -------- d-----w- C:\ProgramData\Malwarebytes
2013-03-21 04:44:43 . 2013-03-22 00:14:44 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-03-21 04:34:01 . 2013-03-21 04:33:33 310688 ----a-w- C:\Windows\system32\javaws.exe
2013-03-21 04:34:01 . 2013-03-21 04:33:33 1085344 ----a-w- C:\Windows\system32\npDeployJava1.dll
2013-03-21 04:33:49 . 2013-03-21 04:33:34 108448 ----a-w- C:\Windows\system32\WindowsAccessBridge-64.dll
2013-03-21 04:33:49 . 2013-03-21 04:33:33 188832 ----a-w- C:\Windows\system32\javaw.exe
2013-03-21 04:33:49 . 2013-03-21 04:33:33 188320 ----a-w- C:\Windows\system32\java.exe
2013-03-21 04:30:06 . 2013-03-21 04:30:16 -------- d-----w- C:\Windows\SysWow64\Adobe
2013-03-21 04:19:05 . 2013-03-21 04:26:49 -------- d-----w- C:\ProgramData\HitmanPro
2013-03-21 04:17:31 . 2013-03-21 04:18:11 -------- d-----w- C:\Users\mrsmith
2013-03-21 03:51:53 . 2013-03-21 03:51:56 -------- d-----w- C:\Program Files (x86)\Common Files\Adobe
2013-03-13 18:03:20 . 2013-02-02 06:38:01 2382848 ----a-w- C:\Windows\system32\mshtml.tlb
2013-03-13 18:01:25 . 2013-03-13 18:01:25 -------- d-----w- C:\Program Files\Microsoft Silverlight
2013-03-13 18:01:25 . 2013-03-13 18:01:25 -------- d-----w- C:\Program Files (x86)\Microsoft Silverlight
2013-03-13 11:58:07 . 2013-02-12 04:12:05 19968 ----a-w- C:\Windows\system32\drivers\usb8023.sys
2013-03-08 01:27:25 . 2013-03-08 01:27:25 143872 --sha-r- C:\Windows\SysWow64\msidntldd.dll
2013-03-05 10:07:49 . 2013-02-08 00:28:29 9162192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1283CC11-2531-4EEE-8CD9-EB795C11A9F1}\mpengine.dll
2013-02-23 22:28:35 . 2013-02-23 22:28:16 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
.


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-03-21 04:33:33 . 2010-11-03 23:36:08 963488 ----a-w- C:\Windows\system32\deployJava1.dll
2013-03-21 04:29:09 . 2012-12-12 14:10:10 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-21 04:29:09 . 2012-12-12 14:10:10 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-03-13 18:06:16 . 2012-04-16 14:46:18 72013344 ----a-w- C:\Windows\system32\MRT.exe
2013-02-23 22:28:07 . 2013-01-15 00:11:29 861088 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-02-23 22:28:07 . 2013-01-15 00:11:29 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-02-12 05:45:24 . 2013-03-13 18:49:42 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45:22 . 2013-03-13 18:49:43 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45:22 . 2013-03-13 18:49:42 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 05:45:22 . 2013-03-13 18:49:41 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 04:48:31 . 2013-03-13 18:49:43 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26 . 2013-03-13 18:49:44 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-01-25 22:37:56 . 2013-01-13 02:19:42 84328 ----a-w- C:\Windows\system32\LMIinit.dll
2013-01-17 08:28:58 . 2010-10-13 22:00:11 273840 ------w- C:\Windows\system32\MpSigStub.exe
2013-01-13 02:20:43 . 2013-01-13 02:19:45 88008 ----a-w- C:\Windows\system32\LMIRfsClientNP.dll.000.bak
2013-01-13 02:20:43 . 2013-01-13 02:19:45 88008 ----a-w- C:\Windows\system32\LMIRfsClientNP.dll
2013-01-13 02:20:38 . 2013-01-13 02:19:45 35240 ----a-w- C:\Windows\system32\LMIport.dll
2013-01-13 02:20:38 . 2013-01-13 02:19:42 83880 ----a-w- C:\Windows\system32\LMIinit.dll.000.bak
2013-01-05 05:53:43 . 2013-02-13 11:42:00 5553512 ----a-w- C:\Windows\system32\ntoskrnl.exe
2013-01-05 05:00:15 . 2013-02-13 11:41:59 3967848 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:00:11 . 2013-02-13 11:41:58 3913064 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-01-04 05:46:09 . 2013-02-13 11:41:27 215040 ----a-w- C:\Windows\system32\winsrv.dll
2013-01-04 04:51:16 . 2013-02-13 11:41:25 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-01-04 04:43:21 . 2013-02-13 11:41:26 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2013-01-04 03:26:48 . 2013-02-13 11:41:33 3153408 ----a-w- C:\Windows\system32\win32k.sys
2013-01-04 02:47:35 . 2013-02-13 11:41:26 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-01-04 02:47:34 . 2013-02-13 11:41:25 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-01-04 02:47:34 . 2013-02-13 11:41:23 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-01-04 02:47:33 . 2013-02-13 11:41:26 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-01-03 06:00:54 . 2013-02-13 11:41:11 1913192 ----a-w- C:\Windows\system32\drivers\tcpip.sys
2013-01-03 06:00:42 . 2013-02-13 11:41:09 288088 ----a-w- C:\Windows\system32\drivers\FWPKCLNT.SYS


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LanTalk.NET"="C:\Program Files (x86)\CEZEO software\LanTalk NET\LanTalk.exe" [2009-11-26 08:07:30 364224]
"PrintAudit6"="C:\Program Files (x86)\Print Audit Inc\Print Audit 6\Client\pa6clint.exe" [2012-10-23 18:31:04 1546176]
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 19:08:28 946352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3795921718-2913594863-6219231-1142\Scripts\Logon\0\0]
"Script"=Logon Script.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3795921718-2913594863-6219231-1163\Scripts\Logon\0\0]
"Script"=Logon Script.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3795921718-2913594863-6219231-1238\Scripts\Logon\0\0]
"Script"=Logon Script.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 48695176
*NewlyCreated* - 73654324
*NewlyCreated* - LMIINFO
*NewlyCreated* - WS2IFSL
*Deregistered* - 48695176
*Deregistered* - 73654324
*Deregistered* - FileOpenWebPublisherScreenHookDriver
*Deregistered* - PJLMPA664InjDrv
*Deregistered* - uwldqpow

Contents of the 'Scheduled Tasks' folder

2013-03-22 C:\Windows\Tasks\Adobe Flash Player Updater.job
- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-12 14:10:15 . 2013-03-21 04:29:09]

2013-03-21 C:\Windows\Tasks\XSCMV.job
- C:\Windows\system32\rundll32.exe [2009-07-13 23:41:43 . 2009-07-14 01:14:31]


--------- X64 Entries -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrintDisp"="C:\Windows\system32\PrintDisp.exe" [2011-02-19 14:55:18 826368]
"PDF Converter Elite Print Dispatcher"="C:\Program Files (x86)\pdfconverter.com\PDF Converter Elite\3.0\pcSONPrnDisp.exe" [2012-04-19 16:51:52 335872]
"FileOpenBroker"="C:\Program Files\FileOpen\Services\FileOpenBroker64.exe" [2012-10-17 20:55:22 1092528]
"LogMeIn GUI"="C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-09-16 21:10:50 57928]
"Trend Micro Client Framework"="C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-11-01 11:19:46 219512]
"DameWare MRC Agent"="C:\Windows\dwrcs\DWRCST.exe" [2011-01-24 23:01:24 282496]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache

------- Supplementary Scan -------

uLocal Page = C:\Windows\system32\blank.htm
mLocal Page = C:\Windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.20


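Added example, not from the thread and not part of ComboFix: a small triage pass over the kind of ComboFix log sections quoted above. It flags the three things in that log an analyst would want to look at first: a hidden+system binary created under a Windows directory (the --sha-r- entry for msidntldd.dll), UAC switched off in the policies\system key (EnableLUA=0 together with ConsentPromptBehaviorAdmin=0 means anything running as an administrator can write to System32 and install services without a prompt, whether an admin chose that or malware changed it), and a .job task whose image is a script or DLL host such as rundll32.exe (XSCMV.job). ComboFix prints the task image without its arguments, so the DLL that rundll32.exe actually loads has to be read from the task itself (schtasks /query /v, or the .job file). The log text inside the block is constructed to mirror the format of the log above; the regexes and rule names are this example's own.

```python
import re

# Constructed sample modelled on the ComboFix sections quoted above
# (Files Created, Reg Loading Points, Scheduled Tasks). Not a real log.
SAMPLE_LOG = r"""
2013-03-13 11:58 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-08 01:27 . 2013-03-08 01:27 143872 --sha-r- c:\windows\SysWow64\msidntldd.dll
2013-02-23 22:28 . 2013-02-23 22:28 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-21 22:20 . 2013-03-21 22:20 -------- d-----w- C:\FRST

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

2013-03-22 C:\Windows\Tasks\Adobe Flash Player Updater.job
- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-12 14:10:15 . 2013-03-21 04:29:09]

2013-03-21 C:\Windows\Tasks\XSCMV.job
- C:\Windows\system32\rundll32.exe [2009-07-13 23:41:43 . 2009-07-14 01:14:31]
"""

# One file entry: created . modified size attrs path
# (attrs letters: d=directory, s=system, h=hidden, a=archive, r/w=read-only/writable)
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)')
TASK_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$", re.IGNORECASE)
TASK_IMAGE = re.compile(r"^- (?P<image>.+?) \[")

# Images that run whatever their arguments name; ComboFix prints the image only.
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "powershell.exe"}
BINARY_EXT = (".dll", ".sys", ".exe")


def triage(log_text):
    """Return (rule, detail) findings for a ComboFix-style log excerpt."""
    findings = []
    current_key = ""
    pending_job = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = FILE_LINE.match(line)
        if m:
            attrs, path = m["attrs"], m["path"]
            low = path.lower()
            # Hidden+system attributes on a binary under \Windows\ are rare for
            # legitimate files; this is what made the msidntldd.dll entry stand out.
            if "h" in attrs and "s" in attrs and low.endswith(BINARY_EXT) and "\\windows\\" in low:
                findings.append(("hidden-system-binary", path))
            continue

        m = REG_KEY.match(line)
        if m:
            current_key = m["key"].lower()
            continue

        m = REG_VALUE.match(line)
        if m and current_key.endswith("\\policies\\system"):
            name, value = m["name"], int(m["value"])
            if name == "EnableLUA" and value == 0:
                findings.append(("uac-disabled", f"{name}={value}"))
            elif name == "ConsentPromptBehaviorAdmin" and value == 0:
                findings.append(("admin-silent-elevation", f"{name}={value}"))
            continue

        m = TASK_LINE.match(line)
        if m:
            pending_job = m["job"]
            continue

        m = TASK_IMAGE.match(line)
        if m and pending_job:
            image = m["image"].rsplit("\\", 1)[-1].lower()
            if image in SCRIPT_HOSTS:
                findings.append(("task-runs-script-host", f"{pending_job} -> {m['image']}"))
            pending_job = None
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

These are triage hits, not verdicts: a hidden system DLL still has to be hashed and looked at, and a rundll32.exe task is only as bad as the DLL named in its arguments, which is exactly why the next step in the thread is to have ComboFix collect both files.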

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:35 AM

Posted 21 March 2013 - 07:57 PM

It appears some of that log was cut off.


Please run the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

  • Copy/paste the text inside the Codebox below into notepad:

    Here's how to do that:
    Press the WinKey + R to open a run box, type Notepad > click OK.
    This will open an empty notepad file:

    Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')
    
    Collect::
    C:\Windows\SysWow64\msidntldd.dll
    C:\Windows\Tasks\XSCMV.job
    
    ClearJavaCache::
    
    Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

    Save this file to your desktop, Save this as "CFScript"

    Here's how to do that:

    1.Click File;
    2.Click Save As... Change the directory to your desktop;
    3.Change the Save as type to "All Files";
    4.Type in the file name: CFScript
    5.Click Save ...

    [screenshot: CFScriptB-4.gif]
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix may request an update; please allow it.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you.
    • Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 Ian Dubbelboer

Ian Dubbelboer
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:01:35 AM

Posted 21 March 2013 - 08:24 PM

Sorry, that was probably some mistake on my part.


Here is the ComboFix log again

 

ComboFix 13-03-21.01 - mrsmith 21/03/2013  18:35:17.3.2 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.2.1033.18.1791.626 [GMT -6:00]
Running from: c:\users\mrsmith\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1PAO39L\ComboFix.exe
AV: Trend Micro Security Agent *Disabled/Updated* {B7599298-8445-728A-A5C7-A26A082C8BDA}
SP: Trend Micro Security Agent *Disabled/Updated* {0C38737C-A27F-7D04-9F77-991873ABC167}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-22 to 2013-03-22  )))))))))))))))))))))))))))))))
.
.
2013-03-22 00:43 . 2013-03-22 00:43 -------- d-----w- c:\users\Wesley.000\AppData\Local\temp
2013-03-22 00:43 . 2013-03-22 00:43 -------- d-----w- c:\users\user\AppData\Local\temp
2013-03-22 00:43 . 2013-03-22 00:43 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-03-22 00:43 . 2013-03-22 00:43 -------- d-----w- c:\users\precisionadmin\AppData\Local\temp
2013-03-22 00:43 . 2013-03-22 00:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-21 22:21 . 2013-03-21 22:21 -------- d-----w- c:\users\wesley\AppData\Roaming\Malwarebytes
2013-03-21 22:20 . 2013-03-21 22:20 -------- d-----w- C:\FRST
2013-03-21 05:42 . 2013-03-22 00:43 -------- d-----w- c:\users\wesley\AppData\Local\temp
2013-03-21 04:58 . 2013-03-21 04:58 -------- d-----w- c:\programdata\Kaspersky Lab
2013-03-21 04:57 . 2012-11-15 11:33 460888 ----a-w- c:\windows\system32\drivers\76119247.sys
2013-03-21 04:44 . 2013-03-21 04:44 -------- d-----w- c:\programdata\Malwarebytes
2013-03-21 04:44 . 2013-03-22 00:14 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-03-21 04:34 . 2013-03-21 04:33 310688 ----a-w- c:\windows\system32\javaws.exe
2013-03-21 04:34 . 2013-03-21 04:33 1085344 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-21 04:33 . 2013-03-21 04:33 108448 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2013-03-21 04:33 . 2013-03-21 04:33 188832 ----a-w- c:\windows\system32\javaw.exe
2013-03-21 04:33 . 2013-03-21 04:33 188320 ----a-w- c:\windows\system32\java.exe
2013-03-21 04:30 . 2013-03-21 04:30 -------- d-----w- c:\windows\SysWow64\Adobe
2013-03-21 04:19 . 2013-03-21 04:26 -------- d-----w- c:\programdata\HitmanPro
2013-03-21 04:17 . 2013-03-21 04:18 -------- d-----w- c:\users\mrsmith
2013-03-21 03:51 . 2013-03-21 03:51 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2013-03-13 18:03 . 2013-02-02 06:38 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-03-13 18:01 . 2013-03-13 18:01 -------- d-----w- c:\program files\Microsoft Silverlight
2013-03-13 18:01 . 2013-03-13 18:01 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2013-03-13 11:58 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-08 01:27 . 2013-03-08 01:27 143872 --sha-r- c:\windows\SysWow64\msidntldd.dll
2013-03-05 10:07 . 2013-02-08 00:28 9162192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1283CC11-2531-4EEE-8CD9-EB795C11A9F1}\mpengine.dll
2013-02-23 22:28 . 2013-02-23 22:28 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-21 04:33 . 2010-11-03 23:36 963488 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-21 04:29 . 2012-12-12 14:10 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-21 04:29 . 2012-12-12 14:10 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-13 18:06 . 2012-04-16 14:46 72013344 ----a-w- c:\windows\system32\MRT.exe
2013-02-23 22:28 . 2013-01-15 00:11 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-02-23 22:28 . 2013-01-15 00:11 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-02-12 05:45 . 2013-03-13 18:49 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-13 18:49 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-13 18:49 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 05:45 . 2013-03-13 18:49 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 04:48 . 2013-03-13 18:49 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 18:49 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-01-25 22:37 . 2013-01-13 02:19 84328 ----a-w- c:\windows\system32\LMIinit.dll
2013-01-17 08:28 . 2010-10-13 22:00 273840 ------w- c:\windows\system32\MpSigStub.exe
2013-01-13 02:20 . 2013-01-13 02:19 88008 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2013-01-13 02:20 . 2013-01-13 02:19 88008 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2013-01-13 02:20 . 2013-01-13 02:19 35240 ----a-w- c:\windows\system32\LMIport.dll
2013-01-13 02:20 . 2013-01-13 02:19 83880 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2013-01-05 05:53 . 2013-02-13 11:42 5553512 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-05 05:00 . 2013-02-13 11:41 3967848 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:00 . 2013-02-13 11:41 3913064 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-01-04 05:46 . 2013-02-13 11:41 215040 ----a-w- c:\windows\system32\winsrv.dll
2013-01-04 04:51 . 2013-02-13 11:41 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-01-04 04:43 . 2013-02-13 11:41 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-01-04 03:26 . 2013-02-13 11:41 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-01-04 02:47 . 2013-02-13 11:41 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-01-04 02:47 . 2013-02-13 11:41 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-01-04 02:47 . 2013-02-13 11:41 2048 ----a-w- c:\windows\SysWow64\user.exe
2013-01-04 02:47 . 2013-02-13 11:41 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-01-03 06:00 . 2013-02-13 11:41 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-03 06:00 . 2013-02-13 11:41 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LanTalk.NET"="c:\program files (x86)\CEZEO software\LanTalk NET\LanTalk.exe" [2009-11-26 364224]
"PrintAudit6"="c:\program files (x86)\Print Audit Inc\Print Audit 6\Client\pa6clint.exe" [2012-10-23 1546176]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3795921718-2913594863-6219231-1142\Scripts\Logon\0\0]
"Script"=Logon Script.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3795921718-2913594863-6219231-1163\Scripts\Logon\0\0]
"Script"=Logon Script.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3795921718-2913594863-6219231-1238\Scripts\Logon\0\0]
"Script"=Logon Script.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 48695176
*NewlyCreated* - 73654324
*NewlyCreated* - LMIINFO
*NewlyCreated* - WS2IFSL
*Deregistered* - 48695176
*Deregistered* - 73654324
*Deregistered* - FileOpenWebPublisherScreenHookDriver
*Deregistered* - PJLMPA664InjDrv
*Deregistered* - uwldqpow
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-12 04:29]
.
2013-03-21 c:\windows\Tasks\XSCMV.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrintDisp"="c:\windows\system32\PrintDisp.exe" [2011-02-19 826368]
"PDF Converter Elite Print Dispatcher"="c:\program files (x86)\pdfconverter.com\PDF Converter Elite\3.0\pcSONPrnDisp.exe" [2012-04-19 335872]
"FileOpenBroker"="c:\program files\FileOpen\Services\FileOpenBroker64.exe" [2012-10-17 1092528]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-09-16 57928]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-11-01 219512]
"DameWare MRC Agent"="c:\windows\dwrcs\DWRCST.exe" [2011-01-24 282496]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.20
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msftesql$GERPSQLCLIENT]
"ImagePath"="\"c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:GERPSQLCLIENT"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-03-21  18:48:54
ComboFix-quarantined-files.txt  2013-03-22 00:48
ComboFix2.txt  2013-03-21 05:42
ComboFix3.txt  2013-03-21 04:13
.
Pre-Run: 25,400,545,280 bytes free
Post-Run: 25,225,973,760 bytes free
.
- - End Of File - - E478CE98CA364914EF434E735BA0CFA6
 



#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:35 AM

Posted 21 March 2013 - 08:27 PM

ok good, thanks

please run the ComboFix script as is

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 Ian Dubbelboer

Ian Dubbelboer
  • Topic Starter

  • Members
  • 34 posts
  • Local time:01:35 AM

Posted 21 March 2013 - 09:16 PM

Not sure what happened.  ComboFix started and I lost remote control like I expected, but after 15 mins no progress was made.  I never got the ability to remote control back.

 

I eventually forced a remote restart and when I logged in again this is the resulting log.   I am guessing it was waiting for user input I could not provide remotely.

 

This is the resulting log, and it did upload a file.

 

ComboFix 13-03-21.01 - Wesley 21/03/2013  19:37:50.4.2 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.2.1033.18.1791.586 [GMT -6:00]
Running from: \\precision1\ClientApps\Virus removal\ComboFix.exe
Command switches used :: c:\users\wesley\Desktop\CFScript.txt
AV: Trend Micro Security Agent *Disabled/Updated* {B7599298-8445-728A-A5C7-A26A082C8BDA}
SP: Trend Micro Security Agent *Disabled/Updated* {0C38737C-A27F-7D04-9F77-991873ABC167}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-22 to 2013-03-22  )))))))))))))))))))))))))))))))
.
.
2013-03-22 01:45 . 2013-03-22 01:45 -------- d-----w- c:\users\Wesley.000\AppData\Local\temp
2013-03-22 01:45 . 2013-03-22 01:45 -------- d-----w- c:\users\user\AppData\Local\temp
2013-03-22 01:45 . 2013-03-22 01:45 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-03-22 01:45 . 2013-03-22 01:45 -------- d-----w- c:\users\precisionadmin\AppData\Local\temp
2013-03-22 01:45 . 2013-03-22 01:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-21 22:21 . 2013-03-21 22:21 -------- d-----w- c:\users\wesley\AppData\Roaming\Malwarebytes
2013-03-21 22:20 . 2013-03-21 22:20 -------- d-----w- C:\FRST
2013-03-21 05:42 . 2013-03-22 02:04 -------- d-----w- c:\users\wesley\AppData\Local\temp
2013-03-21 04:58 . 2013-03-21 04:58 -------- d-----w- c:\programdata\Kaspersky Lab
2013-03-21 04:57 . 2012-11-15 11:33 460888 ----a-w- c:\windows\system32\drivers\76119247.sys
2013-03-21 04:44 . 2013-03-21 04:44 -------- d-----w- c:\programdata\Malwarebytes
2013-03-21 04:34 . 2013-03-21 04:33 310688 ----a-w- c:\windows\system32\javaws.exe
2013-03-21 04:34 . 2013-03-21 04:33 1085344 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-21 04:33 . 2013-03-21 04:33 108448 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2013-03-21 04:33 . 2013-03-21 04:33 188832 ----a-w- c:\windows\system32\javaw.exe
2013-03-21 04:33 . 2013-03-21 04:33 188320 ----a-w- c:\windows\system32\java.exe
2013-03-21 04:30 . 2013-03-21 04:30 -------- d-----w- c:\windows\SysWow64\Adobe
2013-03-21 04:19 . 2013-03-21 04:26 -------- d-----w- c:\programdata\HitmanPro
2013-03-21 04:17 . 2013-03-21 04:18 -------- d-----w- c:\users\mrsmith
2013-03-21 03:51 . 2013-03-21 03:51 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2013-03-13 18:03 . 2013-02-02 06:38 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-03-13 18:01 . 2013-03-13 18:01 -------- d-----w- c:\program files\Microsoft Silverlight
2013-03-13 18:01 . 2013-03-13 18:01 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2013-03-13 11:58 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-08 01:27 . 2013-03-08 01:27 143872 ------w- c:\windows\SysWow64\msidntldd.dll
2013-03-05 10:07 . 2013-02-08 00:28 9162192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1283CC11-2531-4EEE-8CD9-EB795C11A9F1}\mpengine.dll
2013-02-23 22:28 . 2013-02-23 22:28 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-21 04:33 . 2010-11-03 23:36 963488 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-21 04:29 . 2012-12-12 14:10 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-21 04:29 . 2012-12-12 14:10 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-13 18:06 . 2012-04-16 14:46 72013344 ----a-w- c:\windows\system32\MRT.exe
2013-02-23 22:28 . 2013-01-15 00:11 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-02-23 22:28 . 2013-01-15 00:11 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-02-12 05:45 . 2013-03-13 18:49 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-13 18:49 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-13 18:49 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 05:45 . 2013-03-13 18:49 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 04:48 . 2013-03-13 18:49 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 18:49 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-01-25 22:37 . 2013-01-13 02:19 84328 ----a-w- c:\windows\system32\LMIinit.dll
2013-01-17 08:28 . 2010-10-13 22:00 273840 ------w- c:\windows\system32\MpSigStub.exe
2013-01-13 02:20 . 2013-01-13 02:19 88008 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2013-01-13 02:20 . 2013-01-13 02:19 88008 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2013-01-13 02:20 . 2013-01-13 02:19 35240 ----a-w- c:\windows\system32\LMIport.dll
2013-01-13 02:20 . 2013-01-13 02:19 83880 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2013-01-05 05:53 . 2013-02-13 11:42 5553512 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-05 05:00 . 2013-02-13 11:41 3967848 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:00 . 2013-02-13 11:41 3913064 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-01-04 05:46 . 2013-02-13 11:41 215040 ----a-w- c:\windows\system32\winsrv.dll
2013-01-04 04:51 . 2013-02-13 11:41 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-01-04 04:43 . 2013-02-13 11:41 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-01-04 03:26 . 2013-02-13 11:41 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-01-04 02:47 . 2013-02-13 11:41 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-01-04 02:47 . 2013-02-13 11:41 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-01-04 02:47 . 2013-02-13 11:41 2048 ----a-w- c:\windows\SysWow64\user.exe
2013-01-04 02:47 . 2013-02-13 11:41 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-01-03 06:00 . 2013-02-13 11:41 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-03 06:00 . 2013-02-13 11:41 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LanTalk.NET"="c:\program files (x86)\CEZEO software\LanTalk NET\LanTalk.exe" [2009-11-26 364224]
"PrintAudit6"="c:\program files (x86)\Print Audit Inc\Print Audit 6\Client\pa6clint.exe" [2012-10-23 1546176]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3795921718-2913594863-6219231-1142\Scripts\Logon\0\0]
"Script"=Logon Script.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3795921718-2913594863-6219231-1163\Scripts\Logon\0\0]
"Script"=Logon Script.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3795921718-2913594863-6219231-1238\Scripts\Logon\0\0]
"Script"=Logon Script.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 slsusb;Edge CS/CTS Device Driver;c:\windows\system32\Drivers\slsusb.sys [2009-08-03 31328]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-19 1255736]
S1 dwvkbd;DameWare Virtual Keyboard 64 bit Driver;c:\windows\system32\DRIVERS\dwvkbd64.sys [2008-03-13 30720]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 FileOpenManagerService;FileOpen Manager Service;c:\program files\FileOpen\Services\FileOpenManagerService64.exe [2012-10-17 335288]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2013-01-13 375728]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-09-16 15928]
S2 msftesql$GERPSQLCLIENT;SQL Server FullText Search (GERPSQLCLIENT);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2010-03-26 91992]
S2 MSSQL$GERPSQLCLIENT;SQL Server (GERPSQLCLIENT);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
S2 PA6ClientHelper;Print Audit 6 Client Helper 64-bit;c:\program files (x86)\Print Audit Inc\Print Audit 6\Client\pa6clhlp64.exe [2012-10-23 384960]
S2 Printer Control;Printer Control;c:\windows\system32\PrintCtrl.exe [2011-01-03 77824]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2012-09-24 77184]
S3 DwMirror;DwMirror;c:\windows\system32\DRIVERS\DamewareMini.sys [2008-03-14 5632]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - FileOpenWebPublisherScreenHookDriver
*Deregistered* - PJLMPA664InjDrv
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-12 04:29]
.
2013-03-22 c:\windows\Tasks\XSCMV.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrintDisp"="c:\windows\system32\PrintDisp.exe" [2011-02-19 826368]
"PDF Converter Elite Print Dispatcher"="c:\program files (x86)\pdfconverter.com\PDF Converter Elite\3.0\pcSONPrnDisp.exe" [2012-04-19 335872]
"FileOpenBroker"="c:\program files\FileOpen\Services\FileOpenBroker64.exe" [2012-10-17 1092528]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-09-16 57928]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-11-01 219512]
"DameWare MRC Agent"="c:\windows\dwrcs\DWRCST.exe" [2011-01-24 282496]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.20
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msftesql$GERPSQLCLIENT]
"ImagePath"="\"c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:GERPSQLCLIENT"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\rundll32.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
.
**************************************************************************
.
Completion time: 2013-03-21  20:14:05 - machine was rebooted
ComboFix-quarantined-files.txt  2013-03-22 02:14
ComboFix2.txt  2013-03-22 00:48
ComboFix3.txt  2013-03-21 05:42
ComboFix4.txt  2013-03-21 04:13
.
Pre-Run: 25,074,515,968 bytes free
Post-Run: 24,969,797,632 bytes free
.
- - End Of File - - 658F544B7C78563EA964E9B3E8B4E7F3
Upload was successful
 



#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:35 AM

Posted 21 March 2013 - 09:32 PM

It doesn't appear as though the two files were removed, as they show in the new log:

c:\windows\Tasks\XSCMV.job
c:\windows\SysWow64\msidntldd.dll

Please see if you can navigate to those files manually and remove them.

(Please make sure you remove the correct file, msidntldd.dll - there is a legitimate file with a similar name but different spelling, msidntld.dll - make sure you do not remove this one.)

Then run the following:

Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

NEXT

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete.
  • Once done it will ask to reboot; allow the reboot.
  • On reboot a log will be produced; please attach the content of the log to your next reply.

NEXT

  • Please open your MalwareBytes AntiMalware program.
  • Click the Update tab and search for updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan.
  • Wait for the scan to finish.
  • When the scan completes, press the LIST OF THREATS FOUND button.
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop.
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
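The manual-removal step above hinges on telling the leftover msidntldd.dll apart from the legitimate msidntld.dll. The following report-only PowerShell check is an added example, not something CatByte posted or part of any of the tools named in the thread: it confirms whether the two paths from the log are still present, records size, signature status and SHA-256 for each so they can be posted with the next log, and verifies that the similarly named legitimate file was left untouched. It removes nothing.

```powershell
# Added example, not from the thread. Report-only: nothing is deleted here.
# The two paths are the leftovers named in the ComboFix log above.
$Suspect = @(
    'C:\Windows\Tasks\XSCMV.job',
    'C:\Windows\SysWOW64\msidntldd.dll'   # two d's: the unwanted file
)
# Legitimate Windows file with a look-alike name (one d). Must never be touched.
$Legit = 'C:\Windows\SysWOW64\msidntld.dll'

function Get-FileReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Present   = $true
        SizeBytes = $item.Length
        Created   = $item.CreationTime
        Signature = $sig.Status          # Valid / NotSigned / HashMismatch ...
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Guard: refuse to run at all if the legitimate file ended up in the suspect list.
foreach ($p in $Suspect) {
    if ($p -ieq $Legit) { throw "Refusing to report on legitimate file: $Legit" }
}

Write-Host '== Suspect files (should be absent after manual removal) =='
$Suspect | ForEach-Object { Get-FileReport $_ } | Format-List

Write-Host '== Legitimate look-alike (should still be present and signed) =='
$legitReport = Get-FileReport $Legit
$legitReport | Format-List
if (-not $legitReport.Present) {
    Write-Warning "$Legit is missing - the wrong file may have been deleted."
}
```

Run it from an elevated PowerShell prompt; the SHA-256 values in the output are what a helper would want alongside the JRT and MBAM logs.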


#15 Ian Dubbelboer

Ian Dubbelboer
  • Topic Starter

  • Members
  • 34 posts
  • Local time:01:35 AM

Posted 21 March 2013 - 09:43 PM

I was able to delete both through the command prompt. Doing the other actions now, but I will check if they pop back up or similar items.





