trojan removed, suspected lingering infection on critical machine


  • This topic is locked
14 replies to this topic

#1 TsVk!

    penguin farmer

  • Members
  • 6,230 posts
  • Gender:Male
  • Location:The Antipodes

Posted 08 May 2013 - 04:33 PM

Hey there. Could someone with a bit more know-how than me take a look over this ComboFix log please? I see a couple of lines that give me cause for concern. The machine is a critical machine with highly confidential information and I really have to be sure... Pulling it for 4 or 5 hours to do a comprehensive scan would be a huge pain in the ass and upset the powers that be no end, but having it compromised would be worse...

Please read and let me know if you see anything that gives cause for concern.

Thanks

 

------------------------------------------------------------------------------------------------------------

ComboFix 13-05-07.02 - jmccormack 08/05/2013  14:32:01.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.61.1033.18.4041.2270 [GMT 10:00]
Running from: c:\users\jmccormack\Downloads\ComboFix.exe
AV: Kaspersky Endpoint Security 10 for Windows *Disabled/Updated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
FW: Kaspersky Endpoint Security 10 for Windows *Disabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
SP: Kaspersky Endpoint Security 10 for Windows *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\windows\TEMP\kladminkit\06f9856f-d71a-4411-8d37-e25e742cf91f.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-08 to 2013-05-08  )))))))))))))))))))))))))))))))
.
.
2013-05-08 04:36 . 2013-05-08 04:36    --------    d-----w-    c:\users\michael\AppData\Local\temp
2013-05-08 04:36 . 2013-05-08 04:36    --------    d-----w-    c:\users\jmills\AppData\Local\temp
2013-05-08 04:36 . 2013-05-08 04:36    --------    d-----w-    c:\users\diane\AppData\Local\temp
2013-05-08 04:36 . 2013-05-08 04:36    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-05-08 04:07 . 2013-05-08 04:07    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2013-05-08 03:47 . 2013-05-08 03:47    --------    d-----w-    c:\users\jmccormack
2013-05-08 01:48 . 2013-05-08 01:48    --------    d-----w-    c:\windows\ELAMBKUP
2013-04-29 21:15 . 2013-04-29 21:15    --------    d-----w-    c:\programdata\TightVNC
2013-04-29 21:15 . 2013-04-29 21:15    --------    d-----w-    c:\program files\TightVNC
2013-04-29 21:15 . 2013-04-29 21:15    95648    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-04-29 21:15 . 2013-04-29 21:15    --------    d-----w-    c:\program files (x86)\Java
2013-04-29 07:51 . 2013-04-12 14:45    1656680    ----a-w-    c:\windows\system32\drivers\ntfs.sys
2013-04-15 21:31 . 2013-03-28 21:49    262552    ----a-w-    c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2013-04-15 06:52 . 2013-02-15 06:08    44032    ----a-w-    c:\windows\system32\tsgqec.dll
2013-04-15 06:52 . 2013-02-15 06:02    158720    ----a-w-    c:\windows\system32\aaclient.dll
2013-04-15 06:52 . 2013-02-15 04:34    131584    ----a-w-    c:\windows\SysWow64\aaclient.dll
2013-04-15 06:52 . 2013-02-15 03:25    36864    ----a-w-    c:\windows\SysWow64\tsgqec.dll
2013-04-15 06:52 . 2013-02-15 04:37    3217408    ----a-w-    c:\windows\SysWow64\mstscax.dll
2013-04-15 06:52 . 2013-02-15 06:06    3717632    ----a-w-    c:\windows\system32\mstscax.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-29 21:15 . 2012-10-17 04:46    866720    ----a-w-    c:\windows\SysWow64\npdeployJava1.dll
2013-04-29 21:15 . 2012-10-17 04:46    788896    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-04-15 21:32 . 2012-10-17 04:49    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-15 21:32 . 2012-10-17 04:49    691592    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-04-15 06:51 . 2012-11-27 07:02    72702784    ----a-w-    c:\windows\system32\MRT.exe
2013-02-12 05:45 . 2013-03-13 22:33    135168    ----a-w-    c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-13 22:33    350208    ----a-w-    c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-03-13 22:33    308736    ----a-w-    c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-13 22:33    111104    ----a-w-    c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48 . 2013-03-13 22:33    474112    ----a-w-    c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 22:33    2176512    ----a-w-    c:\windows\apppatch\AcGenral.dll
2013-02-12 04:12 . 2013-03-13 22:34    19968    ----a-w-    c:\windows\system32\drivers\usb8023.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"FLxHCIm64"="c:\program files\Fresco Logic\Fresco Logic USB3.0 Host Controller\amd64_host\FLxHCIm.exe" [2011-11-04 47616]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2011-07-11 574008]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"HP CoolSense"="c:\program files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe" [2011-08-26 1342008]
"AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\avp.exe" [2013-01-19 729744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
"DefaultLogonDomain"= TSLGROUP
"MaxGPOScriptWait"= 900 (0x384)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"AlwaysShowClassicMenu"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-10 86072]
R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2011-08-08 299008]
R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2011-10-18 1354064]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-08-05 34200]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-07-28 340240]
R3 PSEXESVC;PsExec;c:\windows\PSEXESVC.EXE [2013-05-08 181064]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-10-24 339560]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys [2010-09-02 17408]
S0 mctkmdldr;mctkmdldr;c:\windows\system32\drivers\mctkmdldr64.sys [2011-04-08 19584]
S1 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2012-09-13 32088]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2012-11-23 28504]
S1 kltdi;kltdi;c:\windows\system32\DRIVERS\kltdi.sys [2012-11-22 54104]
S1 kneps;kneps;c:\windows\system32\DRIVERS\kneps.sys [2012-11-16 178008]
S1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\DRIVERS\vfilter.sys [2010-09-02 21504]
S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-09-01 1166848]
S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2011-10-18 936272]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2011-10-18 1001808]
S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-06-03 134928]
S2 dtpd;ShrewSoft DNS Proxy Daemon;c:\program files\ShrewSoft\VPN Client\dtpd.exe [2010-10-08 56592]
S2 FusionInventory-Agent;FusionInventory-Agent;c:\program files (x86)\FusionInventory-Agent\perl\bin\perl.exe [2012-02-22 9728]
S2 GManager;GManager;c:\windows\system32\GManager.exe [2012-03-13 311160]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-11-23 227896]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-07-11 26680]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-08-24 13592]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-08-31 2425960]
S2 iked;ShrewSoft IKE Daemon;c:\program files\ShrewSoft\VPN Client\iked.exe [2010-10-08 957712]
S2 ipsecd;ShrewSoft IPSEC Daemon;c:\program files\ShrewSoft\VPN Client\ipsecd.exe [2010-10-08 697616]
S2 irstrtsv;Intel® Rapid Start Technology Service;c:\windows\SysWOW64\irstrtsv.exe [2011-07-07 184320]
S2 ISCTAgent;ISCT Always Updated Agent;c:\program files (x86)\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [2011-09-15 94208]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]
S2 MCTDesktopSvr;MCTDesktopSvr;c:\program files (x86)\Common Files\DesktopUtil\MCTDesktopSvr.exe [2011-05-03 199296]
S2 tvnserver;TightVNC Server;c:\program files\TightVNC\tvnserver.exe [2013-04-24 1852400]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-08-09 2656536]
S2 WpkgServer;WPKG Control Service;c:\program files\Wpkg-GP\WpkgServer.exe [2011-09-15 29696]
S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2011-08-08 299008]
S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-08-29 53760]
S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-10-10 288768]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [2010-07-28 31088]
S3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;c:\windows\system32\DRIVERS\FLxHCIc.sys [2011-11-04 221440]
S3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;c:\windows\system32\DRIVERS\FLxHCIh.sys [2011-11-04 70912]
S3 iBtFltCoex;iBtFltCoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2011-10-11 59904]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-16 317440]
S3 irstrtdv;Intel® Rapid Start Technology Driver;c:\windows\system32\DRIVERS\irstrtdv.sys [2011-06-15 26504]
S3 ISCT;Intel® Smart Connect Technology Device Driver;c:\windows\system32\DRIVERS\ISCTD64.sys [2011-09-15 44992]
S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-08-05 25496]
S3 LAN9500;LAN9500 USB 2.0 to Ethernet 10/100 Adapter Service;c:\windows\system32\DRIVERS\lan9500-x64-n51f.sys [2012-10-17 71168]
S3 mctkmd;mctkmd;c:\windows\system32\drivers\mctkmd64.sys [2012-04-11 135296]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-09-29 646248]
S3 t5usb64;Trigger 5 External Graphics;c:\windows\system32\drivers\t5usb64.sys [2012-04-10 123520]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-17 21:32]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-11-02 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-11-02 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-11-02 416024]
"IntelPAN"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-07-28 1935120]
"BTMTrayAgent"="c:\program files (x86)\Intel\Bluetooth\btmshell.dll" [2011-10-18 10357008]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-10-23 1424896]
"tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2013-04-24 1852400]
"MCTDUtil"="c:\program files (x86)\Common Files\DesktopUtil\Util-Desktop.exe" [2011-05-03 195200]
"FDispPos"="c:\program files (x86)\Common Files\DesktopUtil\Util-Desktop.exe" [2011-05-03 195200]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 41.0.8.3 41.0.8.6 41.0.7.77
TCP: Interfaces\{2966C54D-A4C6-469D-AFF0-BB6E64C69C77}: NameServer = 41.0.7.77
FF - ProfilePath - c:\users\jmccormack\AppData\Roaming\Mozilla\Firefox\Profiles\7vchsira.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM_Wow6432Node-ActiveSetup-{F5E7D9AF-60F6-4A30-87E3-4EA94D322CE1} - msiexec
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-PRONTO-Xi Reference Manuals - Phase 6 - c:\program files (x86)\PRONTO\BMS\HELP\uninstall.exe
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
AddRemove-{B8B4D43C-EAA0-4EEC-B93E-D4D012316286} - c:\program files (x86)\InstallShield Installation Information\{B8B4D43C-EAA0-4EEC-B93E-D4D012316286}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Kaspersky Lab\NetworkAgent\klnagent.exe
c:\program files (x86)\Intel\Intel® Smart Connect Technology Agent\ISCTHidMonitor.exe
c:\program files (x86)\Intel\Intel® Smart Connect Technology Agent\ISCTHidMonitor.exe
c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2013-05-08  14:42:53 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-08 04:42
.
Pre-Run: 70,046,912,512 bytes free
Post-Run: 70,739,623,936 bytes free
.
- - End Of File - - 5465D819634473F3ABA693165B80F74C
 


Edited by TsVk!, 08 May 2013 - 08:03 PM.
Moved to log forum from Windows 7. ~ OB
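An added example, not part of this thread and not one of the tools nasdaq asks for: a small Python triage script that parses the two parts of a ComboFix log a reviewer reads first, the `Files Created` table and the `R*`/`S*` service and driver lines, and cross-references them into a short review list. The three heuristics it applies are my own assumptions, not anything ComboFix computes: an entry created within a day of the end of the log window, an executable sitting directly in `c:\windows` rather than in a system subdirectory, and a service whose image path is a newly created file or lives under a newly created directory. Run against lines copied from the log above (embedded as a constructed excerpt), it surfaces `c:\windows\PSEXESVC.EXE`, which is the service binary PsExec installs on the host it is run against. The log cannot tell you who ran PsExec: the file timestamps in the table are UTC while the header is local time (the 14:42:53 completion time and the 04:42 quarantine-file stamp are the same moment under GMT+10), so 04:07 is about 25 minutes before ComboFix was started at 14:32 from the `jmccormack` profile, itself created at 03:47 UTC that morning. That is consistent with an administrator's remote session, but it is the output of a review list, not a verdict.

```python
"""Triage helper for a ComboFix log: parse the 'Files Created' table and the
service/driver lines, then cross-reference them into a short review list.

Added example for this thread; the heuristics are the author's assumptions,
not anything ComboFix itself computes."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed excerpt: lines copied from the ComboFix log posted above, cut
# down so the example runs offline (the Find3M line is included only to show
# that it is *not* counted as a newly created file).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2013-04-08 to 2013-05-08  )))))))))))))))))))))))))))))))
.
2013-05-08 04:07 . 2013-05-08 04:07    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2013-05-08 01:48 . 2013-05-08 01:48    --------    d-----w-    c:\windows\ELAMBKUP
2013-04-29 21:15 . 2013-04-29 21:15    --------    d-----w-    c:\program files\TightVNC
2013-04-29 07:51 . 2013-04-12 14:45    1656680    ----a-w-    c:\windows\system32\drivers\ntfs.sys
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-15 06:51 . 2012-11-27 07:02    72702784    ----a-w-    c:\windows\system32\MRT.exe
.
R3 PSEXESVC;PsExec;c:\windows\PSEXESVC.EXE [2013-05-08 181064]
S2 tvnserver;TightVNC Server;c:\program files\TightVNC\tvnserver.exe [2013-04-24 1852400]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2012-11-23 28504]
"""

Created = namedtuple("Created", "created modified size is_dir path")
Service = namedtuple("Service", "start name display image date size")

WINDOW_RE = re.compile(r"Files Created from (\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})")
# "<created> . <modified>    <size|-------->    <attrs>    <path>"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
                     r"\s+(\S+)\s+([-a-z]{8})\s+(.+?)\s*$")
# "R3 Name;Display name;c:\path\image.exe [YYYY-M-D size]"  (DDS writes unpadded months)
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\]\s*$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")
TS = "%Y-%m-%d %H:%M"


def parse_created(log):
    """Entries of the 'Files Created' section only; later sections (Find3M) are skipped."""
    out, in_section = [], False
    for line in log.splitlines():
        if "(((" in line:                      # any banner starts a new section
            in_section = "Files Created" in line
            continue
        m = FILE_RE.match(line) if in_section else None
        if m:
            size = None if m.group(3).startswith("-") else int(m.group(3))
            out.append(Created(datetime.strptime(m.group(1), TS), datetime.strptime(m.group(2), TS),
                               size, m.group(4).startswith("d"), m.group(5).lower()))
    return out


def parse_services(log):
    """Service/driver lines (R = running, S = stopped; the digit is the start type)."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, image, date, size = m.groups()
            out.append(Service(start, name, display, image.lower(), date, int(size)))
    return out


def triage(log, recent_days=1):
    """Map path -> list of reasons it deserves a second look. The heuristics are assumptions."""
    flags = {}

    def flag(path, reason):
        flags.setdefault(path, []).append(reason)

    m = WINDOW_RE.search(log)
    # The window end is a date; anything on or after (end - recent_days) counts as recent.
    cutoff = (datetime.strptime(m.group(2), "%Y-%m-%d") + timedelta(days=1)
              - timedelta(days=recent_days)) if m else None
    created = parse_created(log)
    new_dirs = [c.path for c in created if c.is_dir]
    for c in created:
        if cutoff and c.created >= cutoff:
            flag(c.path, f"created {c.created:%Y-%m-%d %H:%M}, within {recent_days} day(s) of the log window end")
        if not c.is_dir and c.path.endswith(EXEC_EXT) and c.path.rsplit("\\", 1)[0] == "c:\\windows":
            flag(c.path, "executable placed directly in c:\\windows rather than a system subdirectory")
    for s in parse_services(log):
        if any(c.path == s.image and not c.is_dir for c in created):
            flag(s.image, f"backs service '{s.name}' ({s.display}), start type {s.start}")
        for d in new_dirs:
            if s.image.startswith(d + "\\"):
                flag(s.image, f"service '{s.name}' ({s.display}) runs from newly created directory {d}")
    return flags


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Feed it the whole pasted log instead of the excerpt and the same three checks run over every entry; `tvnserver.exe` is reported only because its directory appears in the created list, which is the kind of join a reviewer does by eye when deciding whether a remote-access tool was installed on purpose.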



#2 nasdaq

  • Malware Response Team
  • 38,935 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 May 2013 - 09:48 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

These scans will not take very long to complete.

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS by sUBs from one of the following links, if you no longer have it available. Save it to your desktop.

1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
2: DDS.pif
3: DDS.COM

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.


Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#3 TsVk!

    penguin farmer

  • Topic Starter
  • Members
  • 6,230 posts
  • Gender:Male
  • Location:The Antipodes

Posted 12 May 2013 - 09:48 PM

Thanks for helping me, nasdaq.

DDS logs

------------------------------------------

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16476
Run by jmccormack at 12:09:52 on 2013-05-13
Microsoft Windows 7 Professional   6.1.7601.1.1252.61.1033.18.4041.2308 [GMT 10:00]
.
AV: Kaspersky Endpoint Security 10 for Windows *Disabled/Updated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
SP: Kaspersky Endpoint Security 10 for Windows *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Endpoint Security 10 for Windows *Disabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
C:\Program Files\ShrewSoft\VPN Client\dtpd.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\FusionInventory-Agent\perl\bin\perl.exe
C:\Windows\system32\GManager.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files\ShrewSoft\VPN Client\iked.exe
C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe
C:\Windows\SysWOW64\irstrtsv.exe
C:\Program Files (x86)\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\Program Files (x86)\Common Files\DesktopUtil\MCTDesktopSvr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Intel\Intel® Smart Connect Technology Agent\ISCTHidMonitor.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\TightVNC\tvnserver.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Wpkg-GP\WpkgServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Intel\Intel® Smart Connect Technology Agent\ISCTHidMonitor.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\TightVNC\tvnserver.exe
C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
C:\Program Files (x86)\Common Files\DesktopUtil\MCTDUtil.exe
C:\Program Files (x86)\Common Files\DesktopUtil\FDispPos.exe
C:\Program Files\Fresco Logic\Fresco Logic USB3.0 Host Controller\amd64_host\FLxHCIm.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe
C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\svchost.exe -k defragsvc
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun: [FLxHCIm64] "C:\Program Files\Fresco Logic\Fresco Logic USB3.0 Host Controller\amd64_host\FLxHCIm.exe"
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
mRun: [HP CoolSense] C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe -byrunkey
mRun: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\avp.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoWelcomeScreen = dword:1
uPolicies-Explorer: ForceStartMenuLogOff = dword:1
uPolicies-Explorer: AlwaysShowClassicMenu = dword:1
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoWelcomeScreen = dword:1
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
mPolicies-System: DefaultLogonDomain = TSLGROUP
mPolicies-System: MaxGPOScriptWait = dword:900
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_11-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_13-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
TCP: NameServer = 41.0.8.3 41.0.8.6 41.0.7.77
TCP: Interfaces\{2966C54D-A4C6-469D-AFF0-BB6E64C69C77} : NameServer = 41.0.7.77
TCP: Interfaces\{3880AA17-F073-44B5-A4B1-7BE4151BC62A} : DHCPNameServer = 41.0.8.3 41.0.8.6 41.0.7.77
TCP: Interfaces\{A0FF8E46-9A3F-44BC-AF56-E93FB9368A40} : DHCPNameServer = 41.0.8.3 41.0.8.6 41.0.7.77
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray
x64-Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [tvncontrol] "C:\Program Files\TightVNC\tvnserver.exe" -controlservice -slave
x64-Run: [MCTDUtil] C:\Program Files (x86)\Common Files\DesktopUtil\Util-Desktop.exe Launch SuperUtil
x64-Run: [FDispPos] C:\Program Files (x86)\Common Files\DesktopUtil\Util-Desktop.exe Launch FixPos
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\jmccormack\AppData\Roaming\Mozilla\Firefox\Profiles\7vchsira.default\
FF - plugin: C:\Program Files (x86)\ABR\Plug-In\bin\npAUSkeyPlugin.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mctkmdldr;mctkmdldr;C:\Windows\System32\drivers\mctKmdldr64.sys [2012-10-17 19584]
R1 KLFLTDEV;Kaspersky Lab KLFltDev;C:\Windows\System32\drivers\klfltdev.sys [2012-9-13 32088]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\System32\drivers\klim6.sys [2011-9-1 28504]
R1 kltdi;kltdi;C:\Windows\System32\drivers\kltdi.sys [2012-11-22 54104]
R1 kneps;kneps;C:\Windows\System32\drivers\kneps.sys [2012-11-16 178008]
R1 vflt;Shrew Soft Lightweight Filter;C:\Windows\System32\drivers\vfilter.sys [2010-9-2 21504]
R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-9-1 1166848]
R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2011-10-19 936272]
R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2011-10-19 1001808]
R2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-6-4 134928]
R2 dtpd;ShrewSoft DNS Proxy Daemon;C:\Program Files\ShrewSoft\VPN Client\dtpd.exe -service --> C:\Program Files\ShrewSoft\VPN Client\dtpd.exe -service [?]
R2 FusionInventory-Agent;FusionInventory-Agent;C:\Program Files (x86)\FusionInventory-Agent\perl\bin\perl.exe [2012-2-23 9728]
R2 GManager;GManager;C:\Windows\System32\GManager.exe [2012-10-17 311160]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-10 86072]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-11-23 227896]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-7-12 26680]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-4-13 13592]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2012-4-13 2425960]
R2 iked;ShrewSoft IKE Daemon;C:\Program Files\ShrewSoft\VPN Client\iked.exe -service --> C:\Program Files\ShrewSoft\VPN Client\iked.exe -service [?]
R2 ipsecd;ShrewSoft IPSEC Daemon;C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service --> C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service [?]
R2 irstrtsv;Intel® Rapid Start Technology Service;C:\Windows\SysWOW64\irstrtsv.exe [2012-4-13 184320]
R2 ISCTAgent;ISCT Always Updated Agent;C:\Program Files (x86)\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [2011-9-16 94208]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe [2011-2-24 212944]
R2 klnagent;Kaspersky Lab Network Agent;C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagent.exe [2013-1-22 127632]
R2 MCTDesktopSvr;MCTDesktopSvr;C:\Program Files (x86)\Common Files\DesktopUtil\MCTDesktopSvr.exe [2012-10-17 199296]
R2 tvnserver;TightVNC Server;C:\Program Files\TightVNC\tvnserver.exe [2013-4-24 1852400]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-4-13 2656536]
R2 WpkgServer;WPKG Control Service;C:\Program Files\Wpkg-GP\WpkgServer.exe [2011-9-16 29696]
R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;C:\Windows\System32\drivers\AmpPal.sys [2011-8-9 299008]
R3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2011-10-19 1354064]
R3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2011-8-30 53760]
R3 btmhsf;btmhsf;C:\Windows\System32\drivers\btmhsf.sys [2011-10-11 288768]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2010-7-29 31088]
R3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;C:\Windows\System32\drivers\FLxHCIc.sys [2011-11-4 221440]
R3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;C:\Windows\System32\drivers\FLxHCIh.sys [2011-11-4 70912]
R3 iBtFltCoex;iBtFltCoex;C:\Windows\System32\drivers\iBtFltCoex.sys [2011-10-12 59904]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-10-16 317440]
R3 irstrtdv;Intel® Rapid Start Technology Driver;C:\Windows\System32\drivers\irstrtdv.sys [2012-4-13 26504]
R3 ISCT;Intel® Smart Connect Technology Device Driver;C:\Windows\System32\drivers\ISCTD64.sys [2011-9-16 44992]
R3 iwdbus;IWD Bus Enumerator;C:\Windows\System32\drivers\iwdbus.sys [2011-8-6 25496]
R3 LAN9500;LAN9500 USB 2.0 to Ethernet 10/100 Adapter Service;C:\Windows\System32\drivers\lan9500-x64-n51f.sys [2012-10-17 71168]
R3 mctkmd;mctkmd;C:\Windows\System32\drivers\mctkmd64.sys [2012-10-17 135296]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-4-13 646248]
R3 t5usb64;Trigger 5 External Graphics;C:\Windows\System32\drivers\t5usb64.sys [2012-10-17 123520]
S2 avp;Kaspersky Endpoint Security Service;C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\avp.exe -r --> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\avp.exe -r [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;C:\Windows\System32\drivers\AmpPal.sys [2011-8-9 299008]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\Windows\System32\drivers\intelaud.sys [2011-8-6 34200]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-7-28 340240]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2012-4-13 339560]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-14 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-14 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-14 740864]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-21 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-21 31232]
S3 vnet;Shrew Soft Virtual Adapter;C:\Windows\System32\drivers\virtualnet.sys [2010-9-2 17408]
.
=============== Created Last 30 ================
.
2013-05-08 04:44:51    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-05-08 04:30:41    98816    ----a-w-    C:\Windows\sed.exe
2013-05-08 04:30:41    256000    ----a-w-    C:\Windows\PEV.exe
2013-05-08 04:30:41    208896    ----a-w-    C:\Windows\MBR.exe
2013-05-08 04:25:49    --------    d-----w-    C:\Users\jmccormack\AppData\Local\Macromedia
2013-05-08 04:20:57    --------    d-----w-    C:\Users\jmccormack\AppData\Local\Mozilla
2013-05-08 03:48:09    --------    d-----w-    C:\Users\jmccormack\AppData\Local\Hewlett-Packard
2013-05-08 03:48:07    --------    d-----w-    C:\Users\jmccormack\AppData\Roaming\Synaptics
2013-05-08 01:48:31    --------    d-----w-    C:\Windows\ELAMBKUP
2013-04-29 21:15:41    --------    d-----w-    C:\ProgramData\TightVNC
2013-04-29 21:15:41    --------    d-----w-    C:\Program Files\TightVNC
2013-04-29 21:15:19    95648    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-04-29 07:51:29    1656680    ----a-w-    C:\Windows\System32\drivers\ntfs.sys
2013-04-15 21:31:53    262552    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
2013-04-15 06:52:19    44032    ----a-w-    C:\Windows\System32\tsgqec.dll
2013-04-15 06:52:19    36864    ----a-w-    C:\Windows\SysWow64\tsgqec.dll
2013-04-15 06:52:19    158720    ----a-w-    C:\Windows\System32\aaclient.dll
2013-04-15 06:52:19    131584    ----a-w-    C:\Windows\SysWow64\aaclient.dll
2013-04-15 06:52:18    3217408    ----a-w-    C:\Windows\SysWow64\mstscax.dll
2013-04-15 06:52:17    3717632    ----a-w-    C:\Windows\System32\mstscax.dll
.
==================== Find3M  ====================
.
2013-04-29 21:15:15    866720    ----a-w-    C:\Windows\SysWow64\npdeployJava1.dll
2013-04-29 21:15:15    788896    ----a-w-    C:\Windows\SysWow64\deployJava1.dll
2013-04-15 21:32:57    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-15 21:32:57    691592    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-03-19 06:04:06    5550424    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:46:56    43520    ----a-w-    C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13    3968856    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10    3913560    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50    6656    ----a-w-    C:\Windows\SysWow64\apisetschema.dll
2013-03-19 03:06:33    112640    ----a-w-    C:\Windows\System32\smss.exe
2013-03-01 03:36:04    3153408    ----a-w-    C:\Windows\System32\win32k.sys
2013-02-22 06:27:49    2312704    ----a-w-    C:\Windows\System32\jscript9.dll
2013-02-22 06:20:51    1392128    ----a-w-    C:\Windows\System32\wininet.dll
2013-02-22 06:19:37    1494528    ----a-w-    C:\Windows\System32\inetcpl.cpl
2013-02-22 06:15:48    173056    ----a-w-    C:\Windows\System32\ieUnatt.exe
2013-02-22 06:15:23    599040    ----a-w-    C:\Windows\System32\vbscript.dll
2013-02-22 06:12:41    2382848    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-02-22 03:46:00    1800704    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-02-22 03:38:00    1129472    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-02-22 03:37:50    1427968    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2013-02-22 03:34:17    142848    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2013-02-22 03:34:03    420864    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2013-02-22 03:31:46    2382848    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-02-12 05:45:24    135168    ----a-w-    C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45:22    350208    ----a-w-    C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45:22    308736    ----a-w-    C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45:22    111104    ----a-w-    C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48:31    474112    ----a-w-    C:\Windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26    2176512    ----a-w-    C:\Windows\apppatch\AcGenral.dll
2013-02-12 04:12:05    19968    ----a-w-    C:\Windows\System32\drivers\usb8023.sys
.
============= FINISH: 12:10:03.35 ===============

Then the security check log went missing; it existed, then it didn't. Hmmm, sneaky bastards.

----------------------------------------------------------

Our system is custom anyhow, and the LAN firewall stops a lot of activity, Java is disabled outside of our network and we apply security updates separately to older versions of programs for various reasons. So the log looked shocking anyhow, but doesn't really reflect our system security.

Adw returned nothing... see log

-----------------------------------------------

# AdwCleaner v2.300 - Logfile created 05/13/2013 at 12:02:47
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : jmccormack - ADMNB8
# Boot Mode : Normal
# Running from : C:\Users\jmills\Desktop\exetoolswin\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16476

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.5 (en-GB)

File : C:\Users\jmills\AppData\Roaming\Mozilla\Firefox\Profiles\7i5tianu.default\prefs.js

[OK] File is clean.

File : C:\Users\jmccormack\AppData\Roaming\Mozilla\Firefox\Profiles\7vchsira.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [806 octets] - [13/05/2013 12:02:47]

########## EOF - \AdwCleaner[R1].txt - [865 octets] ##########

Just to check I ran JRT.


---------------------------------------------

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Professional x64
Ran by jmccormack on Mon 13/05/2013 at 12:25:35.96
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 13/05/2013 at 12:30:13.28
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What do you think?


#4 TsVk! (Topic Starter, Members, 6,230 posts)

Posted 13 May 2013 - 12:25 AM

Re-did the security check..

--------------------------------------------------------------------

 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
Kaspersky Endpoint Security 10 for Windows   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 21  
 Adobe Flash Player 11.7.700.169 
 Mozilla Firefox 17.0.5 Firefox out of Date!  
 Mozilla Thunderbird (17.0.5)
````````Process Check: objlist.exe by Laurent````````  
 Kaspersky Lab NetworkAgent klnagent.exe  
 Kaspersky Lab Kaspersky Endpoint Security 10 for Windows avp.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 18% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

#5 nasdaq (Malware Response Team, 38,935 posts)

Posted 13 May 2013 - 08:45 AM

Looking good.

What are the remaining issues with this computer?

#6 TsVk! (Topic Starter, Members, 6,230 posts)

Posted 13 May 2013 - 04:12 PM

Freezes during startup on the Windows screen. Not sure if it's always done that, but that doesn't seem right for the speed of the machine and the startup workload.

#7 nasdaq (Malware Response Team, 38,935 posts)

Posted 14 May 2013 - 07:03 AM

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+

#8 TsVk! (Topic Starter, Members, 6,230 posts)

Posted 14 May 2013 - 07:59 PM

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : jmccormack [Admin rights]
Mode : Scan -- Date : 05/15/2013 10:11:03
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{2966C54D-A4C6-469D-AFF0-BB6E64C69C77} : NameServer (41.0.7.77) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{2966C54D-A4C6-469D-AFF0-BB6E64C69C77} : NameServer (41.0.7.77) -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG MZMPC128HBFU-000 +++++
--- User ---
[MBR] 003432cbaebbf281bfd08dd25b59cecd
[BSP] bf2d46fc32f500ddee51ba7414050b2d : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 107620 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 220815360 | Size: 10086 Mo
3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 241471488 | Size: 4197 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Virtual Link USB Device +++++
--- User ---
[MBR] 8daa4e3a2422350da553ee81628d7aed
[BSP] ce75ae4e4bf7680990dd97569f6e247e : MBR Code unknown
Partition table:
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_05152013_02d1011.txt >>
RKreport[1]_S_05152013_02d1011.txt

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : jmccormack [Admin rights]
Mode : Remove -- Date : 05/15/2013 10:12:21
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{2966C54D-A4C6-469D-AFF0-BB6E64C69C77} : NameServer (41.0.7.77) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{2966C54D-A4C6-469D-AFF0-BB6E64C69C77} : NameServer (41.0.7.77) -> NOT REMOVED, USE DNSFIX
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG MZMPC128HBFU-000 +++++
--- User ---
[MBR] 003432cbaebbf281bfd08dd25b59cecd
[BSP] bf2d46fc32f500ddee51ba7414050b2d : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 107620 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 220815360 | Size: 10086 Mo
3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 241471488 | Size: 4197 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Virtual Link USB Device +++++
--- User ---
[MBR] 8daa4e3a2422350da553ee81628d7aed
[BSP] ce75ae4e4bf7680990dd97569f6e247e : MBR Code unknown
Partition table:
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_05152013_02d1012.txt >>
RKreport[1]_S_05152013_02d1011.txt ; RKreport[2]_D_05152013_02d1012.txt

Here are both the reports... I'm still concerned for this machine. :mellow:

#9 nasdaq (Malware Response Team, 38,935 posts)

Posted 15 May 2013 - 07:56 AM

Your IP address is from vodacom.co.za, is this correct?

inetnum 41.0.0.0 - 41.0.255.255
netname ORG-VA67-AFRINIC
descr The IP Block 41.0.0.0/16 has been assigned to Vodacom Bussiness for ISP bussiness
country ZA
admin-c JH2-AFRINIC
tech-c JH2-AFRINIC
status ASSIGNED PA
mnt-by VODACOM-MNT
remarks Vodacom Bussiness (ASN 36994)
source AFRINIC # Filtered
parent 41.0.0.0 - 41.31.255.255
person Jacques Hendricks
address Vodacom PTY (Ltd)
phone +27 21 9409498
e-mail Jacques.hendricks@vodacom.co.za
nic-hdl JH2-AFRINIC
source AFRINIC # Filtered

===

Your Hosts file may be missing

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

The first two lines would normally be

127.0.0.1 localhost

::1 localhost #[IPv6]


To reset it back to the default.
How To:
http://support.microsoft.com/kb/972034

Use the Fix it button on the page.
====

What are your concerns?
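The question nasdaq is asking here is whether the resolvers RogueKiller flagged are the ones the site actually hands out. As an added example (not from this thread or from either tool), the Python below pulls the DNS NameServer entries out of ComboFix "TCP:" lines and RogueKiller "[DNS]" lines, compares them with an approved resolver set, and records whether each address is in a private range and whether it was set by hand on an interface. The sample lines reuse the thread's own GUIDs and addresses, and the approved set is constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample, modelled on the ComboFix "TCP:" lines and the RogueKiller
# "[DNS]" lines quoted in this thread (same interface GUIDs and addresses).
SAMPLE_LOG = r"""
TCP: NameServer = 41.0.8.3 41.0.8.6 41.0.7.77
TCP: Interfaces\{2966C54D-A4C6-469D-AFF0-BB6E64C69C77} : NameServer = 41.0.7.77
TCP: Interfaces\{3880AA17-F073-44B5-A4B1-7BE4151BC62A} : DHCPNameServer = 41.0.8.3 41.0.8.6 41.0.7.77
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{2966C54D-A4C6-469D-AFF0-BB6E64C69C77} : NameServer (41.0.7.77) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{2966C54D-A4C6-469D-AFF0-BB6E64C69C77} : NameServer (41.0.7.77) -> FOUND
"""

# Resolvers the site's admins say they hand out; constructed for the example.
APPROVED_DNS: Set[str] = {"41.0.8.3", "41.0.8.6"}


class DnsFinding(NamedTuple):
    server: str
    interface: str   # interface GUID, or "global" for the machine-wide Tcpip value
    static: bool     # True for NameServer (hand-set), False for DHCPNameServer
    tool: str        # which log format the line came from


# ComboFix: "TCP: NameServer = a b c" or "TCP: Interfaces\{GUID} : DHCPNameServer = a b"
_COMBOFIX = re.compile(
    r"^TCP:\s*(?:Interfaces\\\{(?P<iface>[0-9A-Fa-f-]+)\}\s*:\s*)?"
    r"(?P<kind>DHCPNameServer|NameServer)\s*=\s*(?P<servers>[\d. ]+?)\s*$")
# RogueKiller: "[DNS] HKLM\[...]\Interfaces\{GUID} : NameServer (a b) -> FOUND"
_ROGUEKILLER = re.compile(
    r"^\[DNS\].*?\{(?P<iface>[0-9A-Fa-f-]+)\}\s*:\s*NameServer\s*\((?P<servers>[^)]+)\)")


def extract_dns_findings(log_text: str) -> List[DnsFinding]:
    """Pull every (server, interface) pair out of the two log formats."""
    findings: List[DnsFinding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _COMBOFIX.match(line)
        if m:
            for srv in m.group("servers").split():
                findings.append(DnsFinding(srv, m.group("iface") or "global",
                                           m.group("kind") == "NameServer", "combofix"))
            continue
        m = _ROGUEKILLER.match(line)
        if m:
            for srv in m.group("servers").replace(",", " ").split():
                findings.append(DnsFinding(srv, m.group("iface"), True, "roguekiller"))
    return findings


def triage_dns(log_text: str, approved: Set[str]) -> Dict[str, dict]:
    """Per resolver: expected or not, private range or not, hand-set or not, where seen."""
    summary: Dict[str, dict] = {}
    for f in extract_dns_findings(log_text):
        entry = summary.setdefault(f.server, {
            "approved": f.server in approved,
            # ipaddress.is_private covers RFC1918 and the other non-public ranges
            "private_range": ipaddress.ip_address(f.server).is_private,
            "static": False, "interfaces": set(), "tools": set()})
        entry["static"] = entry["static"] or f.static
        entry["interfaces"].add(f.interface)
        entry["tools"].add(f.tool)
    return summary


def flagged_servers(summary: Dict[str, dict]) -> List[str]:
    """Resolvers not on the approved list. A hand-set one on a single interface is
    the trace a DNS changer leaves behind, so check those first."""
    return sorted(s for s, e in summary.items() if not e["approved"])


if __name__ == "__main__":
    result = triage_dns(SAMPLE_LOG, APPROVED_DNS)
    for server in flagged_servers(result):
        e = result[server]
        print(f"{server}: static={e['static']} private_range={e['private_range']} "
              f"interfaces={sorted(e['interfaces'])} tools={sorted(e['tools'])}")
```

On the thread's data this reports 41.0.7.77 as hand-set, seen by both tools, and outside every private range, which matches the whois above: a site that numbers an internal LAN from publicly routed space has to keep its own allowlist, because the private-range test alone will not clear these addresses.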

#10 TsVk! (Topic Starter, Members, 6,230 posts)

Posted 15 May 2013 - 06:44 PM

This machine is on a private LAN, we define our own IP addresses internally... and we also disable IPv6.

 

Startup windows splash screen freezes for about 15 seconds before continuing. I have checked the startup files/settings and can see no reason for it to hang like that. It has an i5 processor and SSD boot disk, it should fly through it.

 

I dunno, starting to think it recovered completely from the infection, but has a hardware problem.

 

I will retest it in a couple of weeks and if I find anything of interest will post here.

 

Thanks for your help nasdaq...

#11 nasdaq (Malware Response Team, 38,935 posts)

Posted 16 May 2013 - 07:16 AM

This may help.

How to use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or on Windows 7
http://support.microsoft.com/kb/929833

#12 TsVk! (Topic Starter, Members, 6,230 posts)

Posted 21 May 2013 - 05:18 PM

Thanks nasdaq...

 

The computer isn't attempting to 'dial' out anymore anyway, so I'm going to leave it. I have too many others to worry about now.

 

Appreciate your time looking at my logs, even though we couldn't find the issue. I am suspecting hardware at this stage, but I can't take the machine for analysis easily... stuff it, I'll fix it when it really breaks.

 

Thanks again.

#13 nasdaq (Malware Response Team, 38,935 posts)

Posted 22 May 2013 - 07:47 AM

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

If you decide to keep the AdwCleaner tool make sure to delete your version and download the latest before running it.

Delete the other tools we used.
You can keep the DDS tool as most forums will ask to see a log before suggesting a fix.

Surf Safely, and Think Prevention!
===

#14 TsVk! (Topic Starter, Members, 6,230 posts)

Posted 22 May 2013 - 04:21 PM

Yeah I've done this already, thanks.

 

I generally have no issues removing malware, it's just a concern when some machines still show glitches. I think in this case it's hardware.

 

Just going to wait for it to break now. B)

#15 nasdaq (Malware Response Team, 38,935 posts)

Posted 23 May 2013 - 06:22 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.