
FBI - Virus - Already have FRST scan completed and posted


  • This topic is locked
20 replies to this topic

#1 blenny


  • Members
  • 27 posts

Posted 07 May 2013 - 10:30 AM

Appreciate any help! FBI virus has PC locked. Only can run in Safe Mode/prompt. Download/scan w/ Farbar Recovery Tool.

Scan is completed and FRST txt posted below. What to do next?


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-05-2013
Ran by SYSTEM on 07-05-2013 10:12:43
Running from F:\
Windows 7 Ultimate (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet002
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [2839840 2010-03-24] (ESET)
HKLM-x32\...\RunOnce: [*EvtMgr32] C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe [326656 2013-05-06] (exono GmbH)
HKLM\...\Winlogon: [Shell] C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$01d4dcc8a2b2cdd91d89f3f95b21d31c\n. ATTENTION! ====> ZeroAccess
HKLM-x32\...\Run: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry [x]
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [31016 2006-10-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-06-07] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Brian\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\Brian\...\Run: [Fuevexziug] C:\Users\Brian\AppData\Roaming\Lyilyr\ybiq.exe [x]
HKU\Brian\...\Run: [Adobe CSx Manager] C:\Users\Brian\AppData\Roaming\d423bdef-662f-4000-b478-f1e57ed7e021ad\dbdeffbfeedead.exe [x]
HKU\Brian\...\RunOnce: [*EvtMgr32] C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe [326656 2013-05-06] (exono GmbH)
HKU\Brian\...\Winlogon: [Shell] C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe [326656 2013-05-06] (exono GmbH)
Startup: C:\ProgramData\Start Menu\Programs\Startup\TMMonitor.lnk
ShortcutTarget: TMMonitor.lnk -> C:\Program Files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe (ArcSoft, Inc.)

==================== Services (Whitelisted) =================

S2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S3 EhttpSrv; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [42336 2010-03-24] (ESET)
S2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [810120 2010-03-24] (ESET)
S2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

==================== Drivers (Whitelisted) ====================

S3 AuviUDTV; C:\Windows\System32\DRIVERS\AuviUDTV64.sys [1416800 2008-11-13] (Auvitek Corp.)
S2 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [163888 2010-03-24] (ESET)
S1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [139704 2010-03-24] (ESET)
S2 epfw; C:\Windows\System32\DRIVERS\epfw.sys [169592 2010-03-24] (ESET)
S3 Epfwndis; C:\Windows\System32\DRIVERS\Epfwndis.sys [33608 2010-03-24] (ESET)
S2 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [50600 2010-03-24] (ESET)
S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-28] ()
S3 Afc; SysWOW64\drivers\Afc.sys [x]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]
S3 tsusbhub; system32\drivers\tsusbhub.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-07 09:54 - 2013-05-07 09:54 - 00000000 ____D C:\FRST
2013-05-06 08:06 - 2013-05-06 08:06 - 00001584 ____A C:\Windows\PFRO.log
2013-05-06 08:00 - 2013-05-06 07:59 - 00447715 ___RA C:\Windows\System32\Drivers\etc\hosts.20130506-110008.backup
2013-05-06 07:55 - 2013-05-06 07:55 - 00885760 ____A (Apple Computer, Inc.) C:\Users\Brian\AppData\Roaming\87EB.tmp
2013-05-06 07:55 - 2013-05-06 07:55 - 00291847 ____A C:\Users\Brian\acrobatreader.exe
2013-05-06 07:55 - 2013-05-06 07:55 - 00000787 ____A C:\Users\Brian\Desktop\Internet Security 2013.lnk
2013-05-06 07:55 - 2013-05-06 07:55 - 00000000 ____A C:\Users\Brian\chrome.exe
2013-05-06 07:54 - 2013-05-06 08:06 - 00000000 ____D C:\Users\Brian\AppData\Roaming\d423bdef-662f-4000-b478-f1e57ed7e021ad
2013-05-06 07:54 - 2013-05-06 07:54 - 00326656 ___SH (exono GmbH) C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe
2013-05-06 07:54 - 2013-05-06 07:54 - 00000000 ____A C:\Users\Brian\vlcplayer.exe
2013-05-06 07:54 - 2013-05-06 07:54 - 00000000 ____A C:\Users\Brian\notepad.exe
2013-05-06 07:54 - 2013-05-06 07:54 - 00000000 ____A C:\Users\Brian\msconfig.exe
2013-05-06 07:54 - 2013-05-06 07:54 - 00000000 ____A C:\Users\Brian\acrobat.exe
2013-05-04 22:00 - 2013-05-07 06:21 - 00001522 ____A C:\Windows\setupact.log
2013-05-04 22:00 - 2013-05-04 22:00 - 00000000 ____A C:\Windows\setuperr.log
2013-05-01 04:53 - 2013-05-01 04:53 - 00000000 ____D C:\Windows\Sun
2013-04-09 16:12 - 2013-02-21 02:30 - 01766912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-04-09 16:12 - 2013-02-21 02:30 - 01129984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-04-09 16:12 - 2013-02-21 02:29 - 14323200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-04-09 16:12 - 2013-02-21 02:29 - 13761024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-04-09 16:12 - 2013-02-21 02:29 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-04-09 16:12 - 2013-02-21 02:29 - 02046464 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-04-09 16:12 - 2013-02-21 02:29 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-04-09 16:12 - 2013-02-21 02:29 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-04-09 16:12 - 2013-02-21 02:29 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-04-09 16:12 - 2013-02-21 02:29 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-04-09 16:12 - 2013-02-21 02:29 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-04-09 16:12 - 2013-02-21 02:29 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-04-09 16:12 - 2013-02-21 02:29 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-04-09 16:12 - 2013-02-21 02:15 - 02240512 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-04-09 16:12 - 2013-02-21 02:15 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-04-09 16:12 - 2013-02-21 02:14 - 19230208 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-04-09 16:12 - 2013-02-21 02:14 - 15404544 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-04-09 16:12 - 2013-02-21 02:14 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-04-09 16:12 - 2013-02-21 02:14 - 02647040 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-04-09 16:12 - 2013-02-21 02:14 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-04-09 16:12 - 2013-02-21 02:14 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-04-09 16:12 - 2013-02-21 02:14 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-04-09 16:12 - 2013-02-21 02:14 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-04-09 16:12 - 2013-02-21 02:14 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-04-09 16:12 - 2013-02-21 02:14 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-04-09 16:12 - 2013-02-21 02:14 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-04-09 16:12 - 2013-02-21 02:14 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-04-09 16:12 - 2013-02-19 04:01 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-04-09 16:12 - 2013-02-19 03:42 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-04-09 16:12 - 2013-02-19 03:10 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-04-09 16:12 - 2013-02-19 02:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-04-09 16:11 - 2013-03-18 22:04 - 05550424 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-04-09 16:11 - 2013-03-18 21:46 - 00043520 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2013-04-09 16:11 - 2013-03-18 21:04 - 03968856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-04-09 16:11 - 2013-03-18 21:04 - 03913560 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-04-09 16:11 - 2013-03-18 20:47 - 00006656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-04-09 16:11 - 2013-03-18 19:06 - 00112640 ____A (Microsoft Corporation) C:\Windows\System32\smss.exe
2013-04-09 16:11 - 2013-03-01 22:04 - 01655656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2013-04-09 16:11 - 2013-02-28 19:36 - 03153408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-04-09 16:11 - 2013-02-14 22:08 - 00044032 ____A (Microsoft Corporation) C:\Windows\System32\tsgqec.dll
2013-04-09 16:11 - 2013-02-14 22:06 - 03717632 ____A (Microsoft Corporation) C:\Windows\System32\mstscax.dll
2013-04-09 16:11 - 2013-02-14 22:02 - 00158720 ____A (Microsoft Corporation) C:\Windows\System32\aaclient.dll
2013-04-09 16:11 - 2013-02-14 20:37 - 03217408 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2013-04-09 16:11 - 2013-02-14 20:34 - 00131584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2013-04-09 16:11 - 2013-02-14 19:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll

==================== One Month Modified Files and Folders =======

2013-05-07 09:54 - 2013-05-07 09:54 - 00000000 ____D C:\FRST
2013-05-07 06:21 - 2013-05-04 22:00 - 00001522 ____A C:\Windows\setupact.log
2013-05-07 06:21 - 2010-07-06 15:55 - 01999330 ____A C:\Windows\WindowsUpdate.log
2013-05-07 06:03 - 2009-07-13 21:13 - 00713888 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-07 06:03 - 2009-07-13 20:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-07 06:03 - 2009-07-13 20:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-07 05:58 - 2012-11-15 10:49 - 00000000 ____D C:\ProgramData\NVIDIA
2013-05-07 05:58 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-06 08:06 - 2013-05-06 08:06 - 00001584 ____A C:\Windows\PFRO.log
2013-05-06 08:06 - 2013-05-06 07:54 - 00000000 ____D C:\Users\Brian\AppData\Roaming\d423bdef-662f-4000-b478-f1e57ed7e021ad
2013-05-06 08:05 - 2010-07-05 15:21 - 00000000 ____D C:\users\Brian
2013-05-06 07:59 - 2013-05-06 08:00 - 00447715 ___RA C:\Windows\System32\Drivers\etc\hosts.20130506-110008.backup
2013-05-06 07:58 - 2010-07-05 17:05 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-05-06 07:55 - 2013-05-06 07:55 - 00885760 ____A (Apple Computer, Inc.) C:\Users\Brian\AppData\Roaming\87EB.tmp
2013-05-06 07:55 - 2013-05-06 07:55 - 00291847 ____A C:\Users\Brian\acrobatreader.exe
2013-05-06 07:55 - 2013-05-06 07:55 - 00000787 ____A C:\Users\Brian\Desktop\Internet Security 2013.lnk
2013-05-06 07:55 - 2013-05-06 07:55 - 00000000 ____A C:\Users\Brian\chrome.exe
2013-05-06 07:55 - 2010-12-19 11:23 - 00000000 ____D C:\Users\Brian\Downloads\Tudors
2013-05-06 07:54 - 2013-05-06 07:54 - 00326656 ___SH (exono GmbH) C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe
2013-05-06 07:54 - 2013-05-06 07:54 - 00000000 ____A C:\Users\Brian\vlcplayer.exe
2013-05-06 07:54 - 2013-05-06 07:54 - 00000000 ____A C:\Users\Brian\notepad.exe
2013-05-06 07:54 - 2013-05-06 07:54 - 00000000 ____A C:\Users\Brian\msconfig.exe
2013-05-06 07:54 - 2013-05-06 07:54 - 00000000 ____A C:\Users\Brian\acrobat.exe
2013-05-06 07:41 - 2010-07-05 15:43 - 00000000 ____D C:\Users\Brian\Desktop\Installs
2013-05-04 22:00 - 2013-05-04 22:00 - 00000000 ____A C:\Windows\setuperr.log
2013-05-04 06:50 - 2010-07-06 09:43 - 00000000 ____D C:\Program Files (x86)\JDownloader
2013-05-04 06:35 - 2009-07-13 21:08 - 00032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-05-02 17:40 - 2010-10-24 13:50 - 00000000 ____D C:\ProgramData\ArcSoft
2013-05-02 17:40 - 2010-07-07 10:06 - 00000000 ____D C:\Users\Brian\AppData\Roaming\vlc
2013-05-02 17:40 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-05-02 17:40 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-05-01 04:53 - 2013-05-01 04:53 - 00000000 ____D C:\Windows\Sun
2013-04-20 13:19 - 2013-01-12 15:15 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-04-20 13:19 - 2013-01-12 15:15 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-04-20 13:18 - 2009-07-13 18:34 - 00447228 ___RA C:\Windows\System32\Drivers\etc\hosts.20130506-105938.backup
2013-04-20 11:07 - 2012-11-15 10:49 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2013-04-20 11:05 - 2012-11-15 10:48 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2013-04-09 16:32 - 2009-07-13 20:45 - 00419872 ____A C:\Windows\System32\FNTCACHE.DAT
2013-04-09 16:13 - 2010-07-05 15:57 - 72702784 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3470817563-4153859810-2664510771-1001\$01d4dcc8a2b2cdd91d89f3f95b21d31c

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$01d4dcc8a2b2cdd91d89f3f95b21d31c

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-04-23 09:54:30
Restore point made on: 2013-04-30 18:01:08
Restore point made on: 2013-05-01 09:16:26
Restore point made on: 2013-05-02 17:38:37

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 4094.55 MB
Available physical RAM: 3507.8 MB
Total Pagefile: 4092.7 MB
Available Pagefile: 3497.91 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.51 GB) (Free:732.15 GB) NTFS (Disk=0 Partition=1) ==>[Drive with boot components (obtained from BCD)]
Drive f: (Lexar) (Removable) (Total:7.45 GB) (Free:0.67 GB) FAT32 (Disk=2 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
==================== MBR & Partition Table ==================

====================================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: D04173E5)
Partition 1: (Active) - (Size=932 GB) - (Type=07 NTFS)

====================================================================
Disk: 2 (Size: 7 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

Last Boot: 2013-05-04 07:18

==================== End Of Log ============================

 





#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts

Posted 07 May 2013 - 12:26 PM


Hello blenny

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

 
HKLM-x32\...\RunOnce: [*EvtMgr32] C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe [326656 2013-05-06] (exono GmbH)
HKLM\...\Winlogon: [Shell] C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$01d4dcc8a2b2cdd91d89f3f95b21d31c\n. ATTENTION! ====> ZeroAccess
HKU\Brian\...\Run: [Fuevexziug] C:\Users\Brian\AppData\Roaming\Lyilyr\ybiq.exe [x]
HKU\Brian\...\Run: [Adobe CSx Manager] C:\Users\Brian\AppData\Roaming\d423bdef-662f-4000-b478-f1e57ed7e021ad\dbdeffbfeedead.exe [x]
HKU\Brian\...\RunOnce: [*EvtMgr32] C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe [326656 2013-05-06] (exono GmbH)
HKU\Brian\...\Winlogon: [Shell] C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe [326656 2013-05-06] (exono GmbH)
C:\Users\Brian\acrobatreader.exe
C:\Users\Brian\Desktop\Internet Security 2013.lnk
C:\Users\Brian\chrome.exe
C:\Users\Brian\AppData\Roaming\d423bdef-662f-4000-b478-f1e57ed7e021ad
C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe
C:\Users\Brian\vlcplayer.exe
C:\Users\Brian\notepad.exe
C:\Users\Brian\msconfig.exe
C:\Users\Brian\acrobat.exe
C:\Users\Brian\AppData\Roaming\87EB.tmp
C:\$Recycle.Bin\S-1-5-21-3470817563-4153859810-2664510771-1001\$01d4dcc8a2b2cdd91d89f3f95b21d31c
C:\$Recycle.Bin\S-1-5-18\$01d4dcc8a2b2cdd91d89f3f95b21d31c
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
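An added example, not part of this thread and not FRST's or Farbar's own code: a Python triage of the "Registry (Whitelisted)" lines from the log above. It applies the checks a responder makes by eye (Winlogon Shell replaced, COM server loaded from $Recycle.Bin, executables launched from AppData\Roaming, launch points left for missing files, FRST's own ATTENTION! marker) and drafts the registry part of a fixlist.txt from the lines it flags, which is how the fix above was put together. The sample lines are copied from this thread's log; the rules, and leaving the P17RunE leftover alone, are assumptions.

```python
"""Triage the "Registry (Whitelisted)" section of an FRST log and draft a fixlist.

Added example, not part of the thread and not FRST's code. The checks and the
sample lines are assumptions modelled on the log posted in this thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: autostart lines in the format FRST prints (copied from the log above).
SAMPLE_LOG = r"""
HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [2839840 2010-03-24] (ESET)
HKLM-x32\...\RunOnce: [*EvtMgr32] C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe [326656 2013-05-06] (exono GmbH)
HKLM\...\Winlogon: [Shell] C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe [x ] ()
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$01d4dcc8a2b2cdd91d89f3f95b21d31c\n. ATTENTION! ====> ZeroAccess
HKLM-x32\...\Run: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry [x]
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [31016 2006-10-26] (Microsoft Corporation)
HKU\Brian\...\Run: [Fuevexziug] C:\Users\Brian\AppData\Roaming\Lyilyr\ybiq.exe [x]
HKU\Brian\...\Winlogon: [Shell] C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe [326656 2013-05-06] (exono GmbH)
"""

# "<key>: [<value name>] <path or command> [<size> <date>] (<company>)"; "[x]" means the file is missing.
LINE_RE = re.compile(r"^(?P<key>\S+?): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")


@dataclass
class Entry:
    raw: str
    key: str
    name: str
    path: str
    file_missing: bool
    attention: bool
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Split one FRST autostart line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith('"'):
        path = rest[1:rest.index('"', 1)]  # quoted path, command-line arguments follow it
    else:
        path = rest.split(" [", 1)[0].split(" ATTENTION!", 1)[0]
    return Entry(
        raw=line.strip(), key=m.group("key"), name=m.group("name"), path=path,
        file_missing=bool(re.search(r"\[x ?\]", rest)),
        attention="ATTENTION!" in rest,
    )


def triage(entry: Entry) -> Entry:
    """Attach a reason for every check the entry trips; no reasons means leave it alone."""
    p = entry.path.lower()
    if entry.attention:
        entry.reasons.append("FRST itself flagged the entry")
    if "winlogon" in entry.key.lower() and entry.name == "Shell" and not p.endswith("explorer.exe"):
        entry.reasons.append("Winlogon Shell is not explorer.exe (screen-locker pattern)")
    if "\\$recycle.bin\\" in p:
        entry.reasons.append("COM server loaded from $Recycle.Bin (ZeroAccess pattern)")
    if "\\appdata\\roaming\\" in p and p.endswith(".exe"):
        # Assumed rule: legitimate software rarely autostarts an .exe straight out of the
        # roaming profile; GUID- or random-named files there are the usual dropper pattern.
        # Review these by hand, some updaters do live here.
        entry.reasons.append("autostart executable in AppData\\Roaming")
    if entry.file_missing and "\\users\\" in p:
        # A leftover like P17RunE (missing system DLL) is noise; a missing user-profile file
        # behind a Run value is a launch point worth removing.
        entry.reasons.append("launch point left behind for a missing user-profile file")
    return entry


def triage_log(text: str) -> list:
    """Parse every autostart line in the text and return the entries that tripped a check."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]
    return [e for e in map(triage, entries) if e.reasons]


def draft_fixlist(flagged: list) -> str:
    """Registry part of a fixlist.txt: FRST takes the log line verbatim and deletes the
    value (or restores the default, e.g. for Winlogon Shell), as the Fixlog above shows.
    Paths of files to move are added by hand from the created-files section of the log."""
    return "\n".join(e.raw for e in flagged) + "\n"


if __name__ == "__main__":
    flagged = triage_log(SAMPLE_LOG)
    for e in flagged:
        print(e.raw)
        for r in e.reasons:
            print("    ->", r)
    print("\n--- fixlist.txt draft ---")
    print(draft_fixlist(flagged), end="")
```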

#3 blenny

  • Topic Starter

  • Members
  • 27 posts

Posted 07 May 2013 - 05:16 PM

Hi Gringo

 

Appreciate the help/response. I was able to run the FRST again and I was able to run the fix w/ the script you provided. I will attach the fixlog.txt below. I was able to reboot into normal mode. However - none of my applications are working. All my applications are looking for a program to open with. If I open explorer, it asks what program I would like to open Explorer with. All my other programs are doing this as well. PC asks what program I would like to use in order to open x. All my files are still intact - so that is good. Also - my LAN is fouled - not sure if that is a part of the same issue as above? Can't bring up the internet.

Wonder if I should run a restore option?

Super best regards and I appreciate your help.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-05-2013
Ran by SYSTEM at 2013-05-07 12:44:05 Run:1
Running from F:\
Boot Mode: Recovery
==============================================

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\*EvtMgr32 => Value deleted successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKEY_USERS\Brian\Software\Microsoft\Windows\CurrentVersion\Run\\Fuevexziug => Value not found.
HKEY_USERS\Brian\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSx Manager => Value not found.
HKEY_USERS\Brian\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*EvtMgr32 => Value not found.
HKEY_USERS\Brian\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Users\Brian\acrobatreader.exe => Moved successfully.
C:\Users\Brian\Desktop\Internet Security 2013.lnk => Moved successfully.
C:\Users\Brian\chrome.exe => Moved successfully.
C:\Users\Brian\AppData\Roaming\d423bdef-662f-4000-b478-f1e57ed7e021ad => Moved successfully.
C:\Users\Brian\AppData\Roaming\{34184A35-0401-272E-2D21-1D000D07C131}.exe => Moved successfully.
C:\Users\Brian\vlcplayer.exe => Moved successfully.
C:\Users\Brian\notepad.exe => Moved successfully.
C:\Users\Brian\msconfig.exe => Moved successfully.
C:\Users\Brian\acrobat.exe => Moved successfully.
C:\Users\Brian\AppData\Roaming\87EB.tmp => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-3470817563-4153859810-2664510771-1001\$01d4dcc8a2b2cdd91d89f3f95b21d31c => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$01d4dcc8a2b2cdd91d89f3f95b21d31c => Moved successfully.

==== End of Fixlog ====



#4 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts

Posted 07 May 2013 - 05:29 PM


Scan with exeHelper:

Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

#5 blenny

  • Topic Starter

  • Members
  • 27 posts

Posted 07 May 2013 - 06:16 PM

Moved app from download to problem PC. Ran app - black window opened and scan completed. No issues w/ scan. Did save as of file created. Shown below. exehelperlog

exeHelper by Raktor
Build 20100414
Run at 18:12:55 on 05/07/13
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



#6 blenny

  • Topic Starter

  • Members
  • 27 posts

Posted 07 May 2013 - 07:11 PM

All Apps seem to be running as they should!  Great!  I just cannot get my internet going.  Does something need to be reset w/ the LAN connection?  Reset the internet modem 2x now and LAN card won't seem to pick up the reset? 

 

Thanks for all the help thus far!



#7 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts

Posted 07 May 2013 - 08:22 PM


Hello blenny

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#8 blenny

  • Topic Starter

  • Members
  • 27 posts

Posted 07 May 2013 - 09:36 PM

Gringo

 

Log from combofix shown below. No issues running the combofix program. It did note the ESET was still "scanning" but not active, as I did shut down ESET according to all directions available. Total time for combofix was about 5 minutes. No issues. Did 1 reboot and then told me to wait as it was processing log. Still no internet connectivity. I did call ISP and they attempted to reset modem/router. No luck. All other computers in house are working fine.

Best regards - and really appreciate your help.


ComboFix 13-05-07.02 - Brian 05/07/2013  21:18:50.1.4 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.4095.2984 [GMT -5:00]
Running from: c:\users\Brian\Desktop\ComboFix.exe
AV: ESET Smart Security 4.2 *Enabled/Outdated* {CB0F8167-5331-BA19-698E-64816B6801A5}
FW: ESET Personal firewall *Enabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
SP: ESET Smart Security 4.2 *Enabled/Outdated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Brian\AppData\Roaming\Microsoft\Windows\Recent\Arrogent Bastard Jamil's Show.rec.url
c:\users\Brian\AppData\Roaming\Oqyda
c:\users\Brian\AppData\Roaming\Oqyda\ufar.ewo
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-08 to 2013-05-08  )))))))))))))))))))))))))))))))
.
.
2013-05-07 17:54 . 2013-05-07 17:54 -------- d-----w- C:\FRST
2013-05-04 14:43 . 2013-05-04 14:43 154624 ----a-w- c:\programdata\Microsoft\Windows\DRM\D23C.tmp.dat
2013-05-03 01:44 . 2013-04-10 03:46 9317456 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9FDCABD7-EE01-4102-8A98-67C309253081}\mpengine.dll
2013-05-01 12:53 . 2013-05-01 12:53 -------- d-----w- c:\windows\Sun
2013-04-10 00:11 . 2013-02-15 06:06 3717632 ----a-w- c:\windows\system32\mstscax.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-10 00:13 . 2010-07-05 23:57 72702784 ----a-w- c:\windows\system32\MRT.exe
2013-04-04 19:50 . 2013-01-12 23:15 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-02 14:09 . 2013-04-02 14:09 4550656 ----a-w- c:\windows\SysWow64\GPhotos.scr
2013-03-14 00:23 . 2013-03-14 00:23 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2013-03-14 00:23 . 2013-03-14 00:23 719360 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2013-03-14 00:23 . 2013-03-14 00:23 61952 ----a-w- c:\windows\SysWow64\tdc.ocx
2013-03-14 00:23 . 2013-03-14 00:23 523264 ----a-w- c:\windows\SysWow64\vbscript.dll
2013-03-14 00:23 . 2013-03-14 00:23 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2013-03-14 00:23 . 2013-03-14 00:23 38400 ----a-w- c:\windows\SysWow64\imgutil.dll
2013-03-14 00:23 . 2013-03-14 00:23 361984 ----a-w- c:\windows\SysWow64\html.iec
2013-03-14 00:23 . 2013-03-14 00:23 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll
2013-03-14 00:23 . 2013-03-14 00:23 226304 ----a-w- c:\windows\system32\elshyph.dll
2013-03-14 00:23 . 2013-03-14 00:23 216064 ----a-w- c:\windows\system32\msls31.dll
2013-03-14 00:23 . 2013-03-14 00:23 197120 ----a-w- c:\windows\system32\msrating.dll
2013-03-14 00:23 . 2013-03-14 00:23 185344 ----a-w- c:\windows\SysWow64\elshyph.dll
2013-03-14 00:23 . 2013-03-14 00:23 158720 ----a-w- c:\windows\SysWow64\msls31.dll
2013-03-14 00:23 . 2013-03-14 00:23 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2013-03-14 00:23 . 2013-03-14 00:23 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2013-03-14 00:23 . 2013-03-14 00:23 138752 ----a-w- c:\windows\SysWow64\wextract.exe
2013-03-14 00:23 . 2013-03-14 00:23 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2013-03-14 00:23 . 2013-03-14 00:23 12800 ----a-w- c:\windows\SysWow64\mshta.exe
2013-03-14 00:23 . 2013-03-14 00:23 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2013-03-14 00:23 . 2013-03-14 00:23 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-03-14 00:23 . 2013-03-14 00:23 97280 ----a-w- c:\windows\system32\mshtmled.dll
2013-03-14 00:23 . 2013-03-14 00:23 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-03-14 00:23 . 2013-03-14 00:23 905728 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-03-14 00:23 . 2013-03-14 00:23 81408 ----a-w- c:\windows\system32\icardie.dll
2013-03-14 00:23 . 2013-03-14 00:23 77312 ----a-w- c:\windows\system32\tdc.ocx
2013-03-14 00:23 . 2013-03-14 00:23 762368 ----a-w- c:\windows\system32\ieapfltr.dll
2013-03-14 00:23 . 2013-03-14 00:23 62976 ----a-w- c:\windows\system32\pngfilt.dll
2013-03-14 00:23 . 2013-03-14 00:23 599552 ----a-w- c:\windows\system32\vbscript.dll
2013-03-14 00:23 . 2013-03-14 00:23 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2013-03-14 00:23 . 2013-03-14 00:23 51200 ----a-w- c:\windows\system32\imgutil.dll
2013-03-14 00:23 . 2013-03-14 00:23 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-03-14 00:23 . 2013-03-14 00:23 452096 ----a-w- c:\windows\system32\dxtmsft.dll
2013-03-14 00:23 . 2013-03-14 00:23 441856 ----a-w- c:\windows\system32\html.iec
2013-03-14 00:23 . 2013-03-14 00:23 281600 ----a-w- c:\windows\system32\dxtrans.dll
2013-03-14 00:23 . 2013-03-14 00:23 27648 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-14 00:23 . 2013-03-14 00:23 270848 ----a-w- c:\windows\system32\iedkcs32.dll
2013-03-14 00:23 . 2013-03-14 00:23 247296 ----a-w- c:\windows\system32\webcheck.dll
2013-03-14 00:23 . 2013-03-14 00:23 235008 ----a-w- c:\windows\system32\url.dll
2013-03-14 00:23 . 2013-03-14 00:23 173568 ----a-w- c:\windows\system32\ieUnatt.exe
2013-03-14 00:23 . 2013-03-14 00:23 167424 ----a-w- c:\windows\system32\iexpress.exe
2013-03-14 00:23 . 2013-03-14 00:23 1509376 ----a-w- c:\windows\system32\inetcpl.cpl
2013-03-14 00:23 . 2013-03-14 00:23 149504 ----a-w- c:\windows\system32\occache.dll
2013-03-14 00:23 . 2013-03-14 00:23 144896 ----a-w- c:\windows\system32\wextract.exe
2013-03-14 00:23 . 2013-03-14 00:23 1400416 ----a-w- c:\windows\system32\ieapfltr.dat
2013-03-14 00:23 . 2013-03-14 00:23 13824 ----a-w- c:\windows\system32\mshta.exe
2013-03-14 00:23 . 2013-03-14 00:23 136192 ----a-w- c:\windows\system32\iepeers.dll
2013-03-14 00:23 . 2013-03-14 00:23 135680 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-03-14 00:23 . 2013-03-14 00:23 12800 ----a-w- c:\windows\system32\msfeedssync.exe
2013-03-14 00:23 . 2013-03-14 00:23 102912 ----a-w- c:\windows\system32\inseng.dll
2013-03-14 00:21 . 2013-03-14 00:21 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 648192 ----a-w- c:\windows\system32\d3d10level9.dll
2013-03-14 00:21 . 2013-03-14 00:21 604160 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2013-03-14 00:21 . 2013-03-14 00:21 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2013-03-14 00:21 . 2013-03-14 00:21 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2013-03-14 00:21 . 2013-03-14 00:21 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2013-03-14 00:21 . 2013-03-14 00:21 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 3928064 ----a-w- c:\windows\system32\d2d1.dll
2013-03-14 00:21 . 2013-03-14 00:21 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2013-03-14 00:21 . 2013-03-14 00:21 363008 ----a-w- c:\windows\system32\dxgi.dll
2013-03-14 00:21 . 2013-03-14 00:21 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 3419136 ----a-w- c:\windows\SysWow64\d2d1.dll
2013-03-14 00:21 . 2013-03-14 00:21 333312 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-03-14 00:21 . 2013-03-14 00:21 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 296960 ----a-w- c:\windows\system32\d3d10core.dll
2013-03-14 00:21 . 2013-03-14 00:21 293376 ----a-w- c:\windows\SysWow64\dxgi.dll
2013-03-14 00:21 . 2013-03-14 00:21 2776576 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2013-03-14 00:21 . 2013-03-14 00:21 2565120 ----a-w- c:\windows\system32\d3d10warp.dll
2013-03-14 00:21 . 2013-03-14 00:21 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-03-14 00:21 . 2013-03-14 00:21 249856 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2013-03-14 00:21 . 2013-03-14 00:21 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2013-03-14 00:21 . 2013-03-14 00:21 2284544 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll
2013-03-14 00:21 . 2013-03-14 00:21 221184 ----a-w- c:\windows\system32\UIAnimation.dll
2013-03-14 00:21 . 2013-03-14 00:21 220160 ----a-w- c:\windows\SysWow64\d3d10core.dll
2013-03-14 00:21 . 2013-03-14 00:21 207872 ----a-w- c:\windows\SysWow64\WindowsCodecsExt.dll
2013-03-14 00:21 . 2013-03-14 00:21 1988096 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2013-03-14 00:21 . 2013-03-14 00:21 194560 ----a-w- c:\windows\system32\d3d10_1.dll
2013-03-14 00:21 . 2013-03-14 00:21 1887232 ----a-w- c:\windows\system32\d3d11.dll
2013-03-14 00:21 . 2013-03-14 00:21 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2013-03-14 00:21 . 2013-03-14 00:21 1682432 ----a-w- c:\windows\system32\XpsPrint.dll
2013-03-14 00:21 . 2013-03-14 00:21 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-03-14 00:21 . 2013-03-14 00:21 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2013-03-14 00:21 . 2013-03-14 00:21 1504768 ----a-w- c:\windows\SysWow64\d3d11.dll
2013-03-14 00:21 . 2013-03-14 00:21 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-03-14 00:21 . 2013-03-14 00:21 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-03-14 00:21 . 2013-03-14 00:21 1238528 ----a-w- c:\windows\system32\d3d10.dll
2013-03-14 00:21 . 2013-03-14 00:21 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"P17RunE"="P17RunE.dll" [2008-03-28 14848]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
TMMonitor.lnk - c:\program files (x86)\ArcSoft\TotalMedia 3.5\TMMonitor.exe [2010-10-24 258048]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-07-23 79360]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2008-06-16 55024]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-03-25 139704]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-06 169312]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-03-25 163888]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2010-03-25 810120]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2010-03-25 50600]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-01-18 383264]
S3 AuviUDTV;AuviUDTV ATSC Capture Device;c:\windows\system32\DRIVERS\AuviUDTV64.sys [2008-11-13 1416800]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-25 2839840]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.mediacomtoday.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 97.64.168.12 97.64.183.165 192.168.1.1
.
.
------- File Associations -------
.
JSEFile=%SystemRoot%\SysWow64\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Fuevexziug - c:\users\Brian\AppData\Roaming\Lyilyr\ybiq.exe
Wow6432Node-HKCU-Run-Adobe CSx Manager - c:\users\Brian\AppData\Roaming\d423bdef-662f-4000-b478-f1e57ed7e021ad\dbdeffbfeedead.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\SysWOW64\rundll32.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2013-05-07  21:30:05 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-08 02:30
.
Pre-Run: 800,728,760,320 bytes free
Post-Run: 800,518,787,072 bytes free
.
- - End Of File - - 9066882687C2432DE60F6791A0DFE822
 



#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:04 PM

Posted 07 May 2013 - 09:49 PM

Go Start>Run (Start search in Vista and 7), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.

Restart computer.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




#10 blenny

blenny
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 08 May 2013 - 08:51 AM

Gringo

 

I have completed this process.  Ran cmd as admin.

 

PC requested me to reboot after first command.  I completed 2nd command as instructed before rebooting.

 

Rebooted.  No internet.

 

Next? 

 

Thank you!



#11 blenny

blenny
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 08 May 2013 - 09:17 AM

Gringo - I try and troubleshoot the network adapter.  May be a driver issue?

 

I go into troubleshooting for all hardware and complete the scan.  It comes back with these "problems"  - note - if I apply the automatic "fix" - it cannot complete the fixes.

 

Problems Found:

 

NVIDIA nForce Networking Controller #2 - Eset Personal Firewall Miniport has a driver problem

NVIDIA nForce Networking Controller - Eset Personal Firewall Miniport has a driver problem

WAN Miniport (IP) - Eset Personal Firewall Miniport has a driver problem

WAN Miniport (Network Monitor) - Eset Personal Firewall Miniport has a driver problem

WAN Miniport (IPv6) - Eset Personal Firewall Miniport has a driver problem

Ethernet Controller doesn't have a driver

 

Do I try and do a system restore?  Or run a windows help disk?  Or maybe something else? 

 

 

Best Regards Mr Gringo!



#12 blenny

blenny
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 08 May 2013 - 09:37 AM

If it matters my network adapter is integrated to my motherboard

 

ASUS P5N72-T Premium

 

Aside from a System Restore or Windows help disk, is there a better way to download/obtain drivers that may need to be replaced?

 

Thanks again!



#13 blenny

blenny
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 08 May 2013 - 10:23 AM

Went to ASUS website to see if I can obtain drivers for this network adapter.

 

http://support.asus.com/download.aspx?SLanguage=en-us&m=p5n72-t+premium

 

 

Downloaded the 3 "utility" options, extracted to flash drive.  I then tried to update drivers on the problem PC by navigating to the folders of the extracted contents.  No such luck.  Could not find drivers.  I didn't want to deal w/ any of the BIOS options as I'm more nervous about playing w/ those options.

 

I'll wait for your help Mr Gringo

 

Best Regards!



#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:04 PM

Posted 08 May 2013 - 12:41 PM


Hello



Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
Gringo

#15 blenny

blenny
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 08 May 2013 - 05:01 PM

Gringo - FSS scan displayed below. 

Best Regards

Farbar Service Scanner Version: 14-04-2013
Ran by Brian (administrator) on 08-05-2013 at 16:59:36
Running from "C:\Users\Brian\Desktop"
Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error.
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error.
Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****
