Tried removing Malware myself and have deleted pictures and music


53 replies to this topic

#1 Swaffette (Members, 33 posts)

Posted 15 May 2013 - 01:27 PM

Hello,

 

Looking to you for help after causing a huge problem for myself. I have been having problems for months with Visualbee, Conduit and Adnxs issues. I am NOT entirely comfortable with these topics but have had success in the past with Spybot. So I tried that and had no luck, so I ended up on your site off of a search for Visualbee and followed advice given to another. Yes, I realize now you do NOT recommend this, ugh.

I used AdwCleaner and it worked great. I got rid of a bunch of problems but was still having only Adnxs issues with pop-ups on Mozilla. So I went back to searching and ended up back on your site and followed those instructions given to someone else, using Security Check and RogueKiller. Adnxs was still there so I used their next step and used ComboFix.

It ran for 11 hours and when the laptop restarted the screen was black and everything was gone. A window popped up for a system restore that went back a couple of days and some things came back. However, all pictures and music are gone. I am sick. I did find them by searching on the name of a grouping of pictures. It seems that they are all there but the names have been changed with a .vir at the end of them all. It seems that they are marked as a virus and in quarantine? I could one by one go erase the .vir added to each photo but that could take years. (I was able to successfully do this for several pictures though, that's something!)

So now I am on your actual site and see everywhere I should not have used them without help, so I am reaching out :)

I have not uninstalled ComboFix because I am afraid I might delete all my videos and pictures if it takes the quarantine with it. Once reading your preparation guide I have also not downloaded and run DDS for the same reason. I figured I have done enough damage, lol.

 

Can you help?

 

I am not great on the computer but I am willing if you can walk me through it. Thank you!!!




#2 Swaffette (Topic Starter, Members, 33 posts)

Posted 16 May 2013 - 12:54 PM

I am also worried if there is a time frame to get this fixed. Should I not be using the computer? How long will all my photos and music stay in quarantine? Am I running a risk of them permanently deleting?

 

Thanks for any help ~



#3 nasdaq (Malware Response Team, 39,963 posts, Montreal, QC, Canada)

Posted 18 May 2013 - 10:19 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

You did well not to remove ComboFix.

If you still have the Combofix log please post the content.

===

Also

Please navigate to this text file: C:\Qoobox\Add-Remove Programs.txt
Then copy and paste the contents of that file in your next reply.

#4 Swaffette (Topic Starter)

Posted 18 May 2013 - 01:52 PM

Hello nasdaq :) and thank you for your help

 

I was not able to find that text file though.

 

Once I was at C:\Qoobox\ my choices were:

 

BackEnv

LastRun

Quarantine

Test

TestC

 

I also copy and pasted your text file name and my laptop could not find it, sorry



#5 Swaffette (Topic Starter)

Posted 18 May 2013 - 02:25 PM

Also, regarding the Combofix log, I never saw it. When I had restarted the computer everything came back up black. I was never shown a log or redirected to see it.

 

Is there another way I can find it for you? Thanks!



#6 nasdaq (Malware Response Team)

Posted 19 May 2013 - 06:49 AM

Post the content of the Quarantined folder.

#7 Swaffette (Topic Starter)

Posted 19 May 2013 - 08:10 PM

C:\Qoobox\Quarantine\C\Program Data\ntuser.dat.vir   VIR file, 256 KB (Windows cannot open this file)

C:\Qoobox\Quarantine\C\Registry_backups\Service_backup   Service Dat File, 2 KB (Windows cannot open this file)

C:\Qoobox\Quarantine\C\catchme   text document, 1 KB, containing:

-------- 2013-05-13 - 11:52:35  -------------

-------- 2013-05-13 - 11:59:59  -------------



#8 nasdaq (Malware Response Team)

Posted 20 May 2013 - 07:13 AM

Just in case something goes wrong with my script please make a copy of the ntuser.dat.vir

C:\Qoobox\Quarantine\C\Program Data\ntuser.dat.vir

Copy the file in bold to a temporary folder and rename it ntuser.dat.vir.old

===

Open notepad and copy/paste the text in the quote box below into it:
 
DEQUARANTINE::
C:\Qoobox\Quarantine\C\Program Data\ntuser.dat.vir

Save this as CFScript.txt on your desktop.

[image CFScriptB-4.gif: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know if your pictures are restored.

How is the computer running?
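To show concretely what the DEQUARANTINE step above does, and how the same mapping applies to every quarantined picture and music file rather than one registry hive, here is an added example script. It is written for this page; it is not part of the thread and not ComboFix's own tooling. It assumes only the quarantine layout visible in the posts above, C:\Qoobox\Quarantine\<drive letter>\<original path>.vir, maps each entry back to its original location, restricts the restore to chosen folders such as the user's Pictures and Music, refuses to overwrite anything already at the destination, and copies rather than moves so the quarantine copy survives. The function names, the drive_roots mapping (so a temporary directory can stand in for C:\), and the sample tree built in a temporary directory are all constructed for the example.

```python
"""Map ComboFix-style quarantine entries back to their original paths.

Layout assumed (the one quoted in this thread, nothing more):
    <quarantine_root>\<DriveLetter>\<original path>.vir  ->  <DriveLetter>:\<original path>
"""
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

QUARANTINE_SUFFIX = ".vir"


def original_path(quarantine_root: Path, quarantined_file: Path,
                  drive_roots: dict[str, Path]) -> Path | None:
    """Return where a quarantined file originally lived, or None if the file
    does not follow the <root>/<Drive>/<path>.vir layout.

    drive_roots maps a drive letter ("C") to the directory standing in for that
    drive: Path("C:/") on the real machine, a temp directory in the demo below.
    """
    try:
        rel = quarantined_file.relative_to(quarantine_root)
    except ValueError:
        return None
    if len(rel.parts) < 2 or not rel.name.lower().endswith(QUARANTINE_SUFFIX):
        return None
    drive = rel.parts[0].upper()
    if drive not in drive_roots:
        return None
    stripped = rel.name[:-len(QUARANTINE_SUFFIX)]      # "IMG_0001.jpg.vir" -> "IMG_0001.jpg"
    return drive_roots[drive].joinpath(*rel.parts[1:-1], stripped)


def _is_under(path: Path, parent: Path) -> bool:
    try:
        path.relative_to(parent)
        return True
    except ValueError:
        return False


def plan_restore(quarantine_root: Path, drive_roots: dict[str, Path],
                 only_under: list[Path] | None = None) -> list[tuple[Path, Path | None, str]]:
    """Walk the quarantine and decide, per file, what a restore would do.
    Nothing is written here; review the plan, then call restore()."""
    plan = []
    for src in sorted(p for p in quarantine_root.rglob("*") if p.is_file()):
        dst = original_path(quarantine_root, src, drive_roots)
        if dst is None:
            plan.append((src, None, "skip:not-quarantine-layout"))
        elif only_under and not any(_is_under(dst, scope) for scope in only_under):
            plan.append((src, dst, "skip:outside-scope"))
        elif dst.exists():
            plan.append((src, dst, "skip:destination-exists"))   # never clobber a live file
        else:
            plan.append((src, dst, "restore"))
    return plan


def restore(plan, dry_run: bool = True) -> list[Path]:
    """Copy (never move) every 'restore' entry back into place, leaving the
    quarantine copy intact so the run can be repeated or audited."""
    done = []
    for src, dst, status in plan:
        if status != "restore":
            continue
        if not dry_run:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
        done.append(dst)
    return done


def build_demo(base: Path) -> tuple[Path, dict[str, Path]]:
    """Constructed sample data (not from the real machine): a fake C: drive and a
    quarantine holding two media files, a registry hive and a stray non-.vir file."""
    fake_c = base / "fakeC"
    qroot = base / "Qoobox" / "Quarantine"
    for rel in ["C/Users/kswafford/Pictures/trip/IMG_0001.jpg.vir",
                "C/Users/kswafford/Music/song.mp3.vir",
                "C/Program Data/ntuser.dat.vir",
                "C/catchme"]:
        f = qroot / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"demo:" + rel.encode())
    existing = fake_c / "Users/kswafford/Music/song.mp3"   # collision case
    existing.parent.mkdir(parents=True, exist_ok=True)
    existing.write_bytes(b"already here")
    return qroot, {"C": fake_c}


def run_demo() -> dict:
    """Build the sample tree in a temp dir, plan, restore for real, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        qroot, drives = build_demo(Path(tmp))
        scope = [drives["C"] / "Users/kswafford/Pictures",
                 drives["C"] / "Users/kswafford/Music"]
        plan = plan_restore(qroot, drives, only_under=scope)
        restored = restore(plan, dry_run=False)
        return {
            "statuses": {src.name: status for src, _, status in plan},
            "restored": [d.relative_to(drives["C"]).as_posix() for d in restored],
            "contents": {d.relative_to(drives["C"]).as_posix(): d.read_bytes() for d in restored},
        }


if __name__ == "__main__":
    for name, status in run_demo()["statuses"].items():
        print(f"{status:28s} {name}")
```

On a real machine the caller would pass Path("C:/Qoobox/Quarantine") and {"C": Path("C:/")}, run plan_restore with dry_run left at True first, and only then restore; the scope list is what keeps a bulk restore from also putting back the files ComboFix quarantined on purpose.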

#9 Swaffette (Topic Starter)

Posted 20 May 2013 - 04:21 PM

Hello,

 

I completed everything you told me up to saving CFScript.txt on my desktop. When I went to look for the Combofix symbol it wasn't there anymore. I searched Combofix.exe and Windows can't find it. When I searched just Combofix, it has a folder which I dragged to the desktop. When I clicked on it, it contains:

Combofix (the file folder I made)
Combofix (text document)
Combofix.exe.vir (VIR file)
ndis_combofix.dat (DAT file)
ComboFix-Download.3XE (3XE file)

I tried dragging the notepad to it but nothing happened.

So, I went back to my personal logon I was on when trying to get rid of Adnxs. Security Check is still there as well as RogueKiller, but Combofix isn't.

I do now have 2 folders that were not there before. One with my name on it. I mention this because inside are 14 other files:

Contacts
Desktop
Documents
Downloads
Favorites
Links
Music
Pictures
Saved Games
Searches
Videos
g2mdlhlpx
ntuser.dat.LOG1
ntuser.dat.LOG2

Most of what is in this list is what I am missing from my laptop, including all of our iTunes; however, most of these files appear empty.

The 2nd folder is called RK_Quarantine:

ClassicStartMenu_{645FF040-0
NewStartPanel_{20D04FE0-0
NewStartPanel_{645FF040-0
NewStartPanel_{59031a47-0
System_DisableReg0
System_DisableTas0

I can click on these but it says Windows wants my permission to continue.

Would you like me to download Combofix again? Or is there another part I could drag the notepad to? Thanks!



#10 nasdaq (Malware Response Team)

Posted 21 May 2013 - 07:13 AM

I completed everything you told me up to saving CFScript.txt on my desktop. When I went to look for the Combofix symbol it wasn't there anymore. I searched Combofix.exe and Windows can't find it. When I searched just Combofix, it has a folder which I dragged to the desktop. When I clicked on it, it contains:

Combofix (the file folder I made)
Combofix (text document)
Combofix.exe.vir (VIR file)
ndis_combofix.dat (DAT file)
ComboFix-Download.3XE (3XE file)


Rename Combofix.exe.vir to ComboFix.exe and send it to your desktop.
Try the fix again.

#11 Swaffette (Topic Starter)

Posted 21 May 2013 - 12:24 PM

Completed everything you said - Combofix wanted to update before scanning and I said no.

Here is the log:

 

ComboFix 13-05-12.01 - kswafford 05/21/2013   8:57.1.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.4054.1726 [GMT -7:00]
Running from: c:\users\kswafford\Desktop\ComboFix.exe
Command switches used :: c:\users\kswafford\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\kswafford\Documents\Downloads\PowerPointViewer.exe
c:\users\kswafford\g2mdlhlpx.exe
c:\users\LoveOfMyLife\g2mdlhlpx.exe
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-21 to 2013-05-21  )))))))))))))))))))))))))))))))
.
.
2013-05-21 16:07 . 2013-05-21 16:07    --------    d-----w-    c:\users\LoveOfMyLife\AppData\Local\temp
2013-05-21 16:07 . 2013-05-21 16:07    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-05-21 16:07 . 2013-05-21 16:07    --------    d-----w-    c:\users\kswafford\AppData\Local\temp
2013-05-21 16:07 . 2013-05-21 16:07    --------    d-----w-    c:\users\Guest\AppData\Local\temp
2013-05-21 16:07 . 2013-05-21 16:07    --------    d-----w-    c:\users\Cole\AppData\Local\temp
2013-05-21 16:07 . 2013-05-21 16:07    --------    d-----w-    c:\users\Casey\AppData\Local\temp
2013-05-21 09:19 . 2013-05-21 09:19    76232    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{BC525C12-490C-45D9-94D3-E8F472631986}\offreg.dll
2013-05-21 09:06 . 2013-05-13 06:37    9460464    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{BC525C12-490C-45D9-94D3-E8F472631986}\mpengine.dll
2013-05-18 01:54 . 2013-05-18 01:54    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-05-18 01:54 . 2013-04-04 12:35    95648    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-05-17 10:03 . 2013-05-05 21:36    17818624    ----a-w-    c:\windows\system32\mshtml.dll
2013-05-17 10:03 . 2013-05-05 21:16    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2013-05-17 10:03 . 2013-05-05 19:12    2382848    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2013-05-16 16:41 . 2013-04-09 01:55    2774016    ----a-w-    c:\windows\system32\win32k.sys
2013-05-16 16:41 . 2013-04-15 14:17    901496    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-05-16 16:41 . 2013-04-13 03:34    47104    ----a-w-    c:\windows\system32\cdd.dll
2013-05-14 15:55 . 2013-05-14 16:06    --------    d-----w-    C:\$RECYCLE(0).BIN
2013-05-03 14:39 . 2013-05-03 14:39    --------    d-----w-    c:\program files (x86)\ESET
2013-05-03 04:05 . 2013-05-07 16:53    3827    ----a-w-    c:\windows\DeleteOnReboot.bat
2013-05-03 01:34 . 2013-05-14 01:53    --------    d-----w-    c:\users\LoveOfMyLife\AppData\Roaming\DriverCure
2013-05-03 01:34 . 2013-05-03 01:34    --------    d-----w-    c:\users\LoveOfMyLife\AppData\Roaming\ParetoLogic
2013-05-03 01:34 . 2013-05-07 04:51    --------    d-----w-    c:\programdata\ParetoLogic
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-17 10:13 . 2006-11-02 12:35    75016696    ----a-w-    c:\windows\system32\mrt.exe
2013-05-15 14:37 . 2012-05-09 15:52    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-15 14:37 . 2011-06-14 03:29    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-11 16:22 . 2011-03-29 02:36    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-02 09:06 . 2009-10-02 22:23    278800    ------w-    c:\windows\system32\MpSigStub.exe
2013-03-11 13:33 . 2013-04-10 20:20    4691304    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-03-09 04:16 . 2013-04-10 20:20    85504    ----a-w-    c:\windows\system32\csrsrv.dll
2013-03-09 01:48 . 2013-04-10 20:20    75264    ----a-w-    c:\windows\system32\smss.exe
2013-03-08 04:18 . 2013-04-10 20:20    451072    ----a-w-    c:\windows\system32\winsrv.dll
2013-03-08 04:17 . 2013-04-10 20:20    2425344    ----a-w-    c:\windows\system32\mstscax.dll
2013-03-08 03:52 . 2013-04-10 20:20    2067968    ----a-w-    c:\windows\SysWow64\mstscax.dll
2013-03-06 00:03 . 2012-08-19 01:04    861088    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2013-03-06 00:03 . 2010-04-29 01:36    782240    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-03-03 19:13 . 2013-04-10 20:20    1513320    ----a-w-    c:\windows\system32\drivers\ntfs.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"SightSpeed"="c:\program files (x86)\Dell Video Chat\DellVideoChat.exe" [2008-12-18 4823928]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"PCMService"="c:\program files (x86)\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-27 59240]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-14 1532992]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg&inst=NzctNTAzNzkwMDc2LUtWMys3LUJBKzEtVDEtVUNBTEwrMS1CQVI4RysxLVVDQUxMMisyLVRCOCsyLUZMKzgtRjEwTSs1LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMi1MSUMrNy1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVUQrMQ&prod=90&ver=10.0.1424" [?]
.
c:\users\Casey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\Cole\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\kswafford\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
hpqtra08.exe [2007-3-11 210520]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Event Planner Reminders Tray Icon.lnk - c:\sierra\Planner\PLNRnote.exe [2010-9-13 184320]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-7-25 1994832]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages    REG_MULTI_SZ       DPPassFilter scecli
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\AESTSr64.exe [2008-12-22 88576]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-11 01:34    1642448    ----a-w-    c:\program files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-09 14:37]
.
2013-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-10-16 14:19]
.
2013-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-10-16 14:19]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-19 272896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-16 499608]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\kswafford\AppData\Roaming\Mozilla\Firefox\Profiles\46hvaf8c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - ExtSQL: 2013-05-15 09:07; btpersonas@brandthunder.com; c:\users\kswafford\AppData\Roaming\Mozilla\Firefox\Profiles\46hvaf8c.default\extensions\btpersonas@brandthunder.com
FF - ExtSQL: !HIDDEN! 2013-02-08 09:32; otis@digitalpersona.com; c:\program files (x86)\DigitalPersona\Bin\FirefoxExt
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKCU-Run-SearchProtect - c:\users\kswafford\AppData\Roaming\SearchProtect\bin\cltmng.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
WebBrowser-{77F5FE49-12E3-4CF5-ABB4-D993A0164D9E} - (no file)
HKLM-Run-SysTrayApp - c:\program files (x86)\IDT\WDM\sttray64.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-05-21  09:12:11
ComboFix-quarantined-files.txt  2013-05-21 16:11
.
Pre-Run: 7,853,871,104 bytes free
Post-Run: 7,559,036,928 bytes free
.
- - End Of File - - 6696CA015D29899188A9F1C437BE9D68
 

None of the pictures, videos, Music or bookmarks have returned. Since nothing returned I thought I would try it with the update.

 

Here is that log:

 

ComboFix 13-05-21.01 - kswafford 05/21/2013   9:42.2.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.4054.1590 [GMT -7:00]
Running from: c:\users\kswafford\Desktop\ComboFix.exe
Command switches used :: c:\users\kswafford\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-21 to 2013-05-21  )))))))))))))))))))))))))))))))
.
.
2013-05-21 16:52 . 2013-05-21 16:52    --------    d-----w-    c:\users\LoveOfMyLife\AppData\Local\temp
2013-05-21 16:52 . 2013-05-21 16:52    --------    d-----w-    c:\users\kswafford\AppData\Local\temp
2013-05-21 16:52 . 2013-05-21 16:52    --------    d-----w-    c:\users\Guest\AppData\Local\temp
2013-05-21 16:52 . 2013-05-21 16:52    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-05-21 16:52 . 2013-05-21 16:52    --------    d-----w-    c:\users\Cole\AppData\Local\temp
2013-05-21 16:52 . 2013-05-21 16:52    --------    d-----w-    c:\users\Casey\AppData\Local\temp
2013-05-21 09:19 . 2013-05-21 09:19    76232    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{BC525C12-490C-45D9-94D3-E8F472631986}\offreg.dll
2013-05-21 09:06 . 2013-05-13 06:37    9460464    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{BC525C12-490C-45D9-94D3-E8F472631986}\mpengine.dll
2013-05-18 01:54 . 2013-05-18 01:54    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-05-18 01:54 . 2013-04-04 12:35    95648    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-05-17 10:03 . 2013-05-05 21:36    17818624    ----a-w-    c:\windows\system32\mshtml.dll
2013-05-17 10:03 . 2013-05-05 21:16    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2013-05-17 10:03 . 2013-05-05 19:12    2382848    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2013-05-16 16:41 . 2013-04-09 01:55    2774016    ----a-w-    c:\windows\system32\win32k.sys
2013-05-16 16:41 . 2013-04-15 14:17    901496    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-05-16 16:41 . 2013-04-13 03:34    47104    ----a-w-    c:\windows\system32\cdd.dll
2013-05-14 15:55 . 2013-05-14 16:06    --------    d-----w-    C:\$RECYCLE(0).BIN
2013-05-03 14:39 . 2013-05-03 14:39    --------    d-----w-    c:\program files (x86)\ESET
2013-05-03 04:05 . 2013-05-07 16:53    3827    ----a-w-    c:\windows\DeleteOnReboot.bat
2013-05-03 01:34 . 2013-05-14 01:53    --------    d-----w-    c:\users\LoveOfMyLife\AppData\Roaming\DriverCure
2013-05-03 01:34 . 2013-05-03 01:34    --------    d-----w-    c:\users\LoveOfMyLife\AppData\Roaming\ParetoLogic
2013-05-03 01:34 . 2013-05-07 04:51    --------    d-----w-    c:\programdata\ParetoLogic
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-17 10:13 . 2006-11-02 12:35    75016696    ----a-w-    c:\windows\system32\mrt.exe
2013-05-15 14:37 . 2012-05-09 15:52    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-15 14:37 . 2011-06-14 03:29    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-11 16:22 . 2011-03-29 02:36    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-02 09:06 . 2009-10-02 22:23    278800    ------w-    c:\windows\system32\MpSigStub.exe
2013-03-11 13:33 . 2013-04-10 20:20    4691304    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-03-09 04:16 . 2013-04-10 20:20    85504    ----a-w-    c:\windows\system32\csrsrv.dll
2013-03-09 01:48 . 2013-04-10 20:20    75264    ----a-w-    c:\windows\system32\smss.exe
2013-03-08 04:18 . 2013-04-10 20:20    451072    ----a-w-    c:\windows\system32\winsrv.dll
2013-03-08 04:17 . 2013-04-10 20:20    2425344    ----a-w-    c:\windows\system32\mstscax.dll
2013-03-08 03:52 . 2013-04-10 20:20    2067968    ----a-w-    c:\windows\SysWow64\mstscax.dll
2013-03-06 00:03 . 2012-08-19 01:04    861088    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2013-03-06 00:03 . 2010-04-29 01:36    782240    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-03-03 19:13 . 2013-04-10 20:20    1513320    ----a-w-    c:\windows\system32\drivers\ntfs.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"SightSpeed"="c:\program files (x86)\Dell Video Chat\DellVideoChat.exe" [2008-12-18 4823928]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"PCMService"="c:\program files (x86)\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-27 59240]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-14 1532992]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg&inst=NzctNTAzNzkwMDc2LUtWMys3LUJBKzEtVDEtVUNBTEwrMS1CQVI4RysxLVVDQUxMMisyLVRCOCsyLUZMKzgtRjEwTSs1LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMi1MSUMrNy1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVUQrMQ&prod=90&ver=10.0.1424" [?]
.
c:\users\Casey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\Cole\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\kswafford\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
hpqtra08.exe [2007-3-11 210520]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Event Planner Reminders Tray Icon.lnk - c:\sierra\Planner\PLNRnote.exe [2010-9-13 184320]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-7-25 1994832]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages    REG_MULTI_SZ       DPPassFilter scecli
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\AESTSr64.exe [2008-12-22 88576]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-11 01:34    1642448    ----a-w-    c:\program files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-09 14:37]
.
2013-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-10-16 14:19]
.
2013-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-10-16 14:19]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-19 272896]
"SysTrayApp"="c:\program files (x86)\IDT\WDM\sttray64.exe" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-16 499608]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\kswafford\AppData\Roaming\Mozilla\Firefox\Profiles\46hvaf8c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - ExtSQL: 2013-05-15 09:07; btpersonas@brandthunder.com; c:\users\kswafford\AppData\Roaming\Mozilla\Firefox\Profiles\46hvaf8c.default\extensions\btpersonas@brandthunder.com
FF - ExtSQL: !HIDDEN! 2013-02-08 09:32; otis@digitalpersona.com; c:\program files (x86)\DigitalPersona\Bin\FirefoxExt
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{77F5FE49-12E3-4CF5-ABB4-D993A0164D9E} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-05-21  09:55:59
ComboFix-quarantined-files.txt  2013-05-21 16:55
ComboFix2.txt  2013-05-21 16:12
.
Pre-Run: 7,721,730,048 bytes free
Post-Run: 7,655,952,384 bytes free
.
- - End Of File - - 8D8A8216E283D4CB35597800E4ABA838
Still no photos, music, videos or bookmarks have returned. The laptop has been running faster since I did the first combofix and no sign of the ADNXS popups at all which is nice.



#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:02 AM

Posted 22 May 2013 - 07:13 AM

Did you run my script suggested in post No 8 to dequarantine the folder?

#13 Swaffette

Swaffette
  • Topic Starter

  • Members
  • 33 posts
  • Local time:01:02 AM

Posted 22 May 2013 - 09:24 AM

Yes, on both runs



#14 Swaffette

Swaffette
  • Topic Starter

  • Members
  • 33 posts
  • Local time:01:02 AM

Posted 22 May 2013 - 09:56 AM

And here is a third attempt

 

ComboFix 13-05-22.01 - kswafford 05/22/2013   7:31.3.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.4054.1620 [GMT -7:00]
Running from: c:\users\kswafford\Desktop\ComboFix.exe
Command switches used :: c:\users\kswafford\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\kswafford\AppData\Local\{47446316-3C07-415A-8E08-1C2644999810}
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-22 to 2013-05-22  )))))))))))))))))))))))))))))))
.
.
2013-05-22 14:41 . 2013-05-22 14:41    --------    d-----w-    c:\users\LoveOfMyLife\AppData\Local\temp
2013-05-22 14:41 . 2013-05-22 14:41    --------    d-----w-    c:\users\kswafford\AppData\Local\temp
2013-05-22 14:41 . 2013-05-22 14:41    --------    d-----w-    c:\users\Guest\AppData\Local\temp
2013-05-22 14:41 . 2013-05-22 14:41    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-05-22 14:41 . 2013-05-22 14:41    --------    d-----w-    c:\users\Cole\AppData\Local\temp
2013-05-22 14:41 . 2013-05-22 14:41    --------    d-----w-    c:\users\Casey\AppData\Local\temp
2013-05-21 17:07 . 2013-05-21 17:07    --------    d-----w-    c:\program files\iPod
2013-05-21 17:07 . 2013-05-21 17:08    --------    d-----w-    c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-05-21 17:07 . 2013-05-21 17:08    --------    d-----w-    c:\program files\iTunes
2013-05-21 17:07 . 2013-05-21 17:08    --------    d-----w-    c:\program files (x86)\iTunes
2013-05-21 09:19 . 2013-05-21 09:19    76232    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{BC525C12-490C-45D9-94D3-E8F472631986}\offreg.dll
2013-05-21 09:06 . 2013-05-13 06:37    9460464    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{BC525C12-490C-45D9-94D3-E8F472631986}\mpengine.dll
2013-05-18 01:54 . 2013-05-18 01:54    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-05-18 01:54 . 2013-04-04 12:35    95648    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-05-17 10:03 . 2013-05-05 21:36    17818624    ----a-w-    c:\windows\system32\mshtml.dll
2013-05-17 10:03 . 2013-05-05 21:16    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2013-05-17 10:03 . 2013-05-05 19:12    2382848    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2013-05-16 16:41 . 2013-04-09 01:55    2774016    ----a-w-    c:\windows\system32\win32k.sys
2013-05-16 16:41 . 2013-04-15 14:17    901496    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-05-16 16:41 . 2013-04-13 03:34    47104    ----a-w-    c:\windows\system32\cdd.dll
2013-05-14 15:55 . 2013-05-14 16:06    --------    d-----w-    C:\$RECYCLE(0).BIN
2013-05-03 14:39 . 2013-05-03 14:39    --------    d-----w-    c:\program files (x86)\ESET
2013-05-03 04:05 . 2013-05-07 16:53    3827    ----a-w-    c:\windows\DeleteOnReboot.bat
2013-05-03 01:34 . 2013-05-14 01:53    --------    d-----w-    c:\users\LoveOfMyLife\AppData\Roaming\DriverCure
2013-05-03 01:34 . 2013-05-03 01:34    --------    d-----w-    c:\users\LoveOfMyLife\AppData\Roaming\ParetoLogic
2013-05-03 01:34 . 2013-05-07 04:51    --------    d-----w-    c:\programdata\ParetoLogic
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-17 10:13 . 2006-11-02 12:35    75016696    ----a-w-    c:\windows\system32\mrt.exe
2013-05-15 14:37 . 2012-05-09 15:52    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-15 14:37 . 2011-06-14 03:29    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-11 16:22 . 2011-03-29 02:36    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-02 09:06 . 2009-10-02 22:23    278800    ------w-    c:\windows\system32\MpSigStub.exe
2013-03-11 13:33 . 2013-04-10 20:20    4691304    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-03-09 04:16 . 2013-04-10 20:20    85504    ----a-w-    c:\windows\system32\csrsrv.dll
2013-03-09 01:48 . 2013-04-10 20:20    75264    ----a-w-    c:\windows\system32\smss.exe
2013-03-08 04:18 . 2013-04-10 20:20    451072    ----a-w-    c:\windows\system32\winsrv.dll
2013-03-08 04:17 . 2013-04-10 20:20    2425344    ----a-w-    c:\windows\system32\mstscax.dll
2013-03-08 03:52 . 2013-04-10 20:20    2067968    ----a-w-    c:\windows\SysWow64\mstscax.dll
2013-03-06 00:03 . 2012-08-19 01:04    861088    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2013-03-06 00:03 . 2010-04-29 01:36    782240    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-03-03 19:13 . 2013-04-10 20:20    1513320    ----a-w-    c:\windows\system32\drivers\ntfs.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"SightSpeed"="c:\program files (x86)\Dell Video Chat\DellVideoChat.exe" [2008-12-18 4823928]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"PCMService"="c:\program files (x86)\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-27 59240]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-14 1532992]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-05-15 152392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg&inst=NzctNTAzNzkwMDc2LUtWMys3LUJBKzEtVDEtVUNBTEwrMS1CQVI4RysxLVVDQUxMMisyLVRCOCsyLUZMKzgtRjEwTSs1LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMi1MSUMrNy1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVUQrMQ&prod=90&ver=10.0.1424" [?]
.
c:\users\Casey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\Cole\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\kswafford\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
hpqtra08.exe [2007-3-11 210520]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Event Planner Reminders Tray Icon.lnk - c:\sierra\Planner\PLNRnote.exe [2010-9-13 184320]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-7-25 1994832]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages    REG_MULTI_SZ       DPPassFilter scecli
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\AESTSr64.exe [2008-12-22 88576]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-11 01:34    1642448    ----a-w-    c:\program files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-09 14:37]
.
2013-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-10-16 14:19]
.
2013-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-10-16 14:19]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-08-19 272896]
"SysTrayApp"="c:\program files (x86)\IDT\WDM\sttray64.exe" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-16 499608]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MI1933~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\kswafford\AppData\Roaming\Mozilla\Firefox\Profiles\46hvaf8c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - ExtSQL: 2013-05-15 09:07; btpersonas@brandthunder.com; c:\users\kswafford\AppData\Roaming\Mozilla\Firefox\Profiles\46hvaf8c.default\extensions\btpersonas@brandthunder.com
FF - ExtSQL: 2013-05-21 09:53; {D19CA586-DD6C-4a0a-96F8-14644F340D60}; c:\program files (x86)\Common Files\McAfee\SystemCore
FF - ExtSQL: !HIDDEN! 2013-02-08 09:32; otis@digitalpersona.com; c:\program files (x86)\DigitalPersona\Bin\FirefoxExt
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{77F5FE49-12E3-4CF5-ABB4-D993A0164D9E} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-05-22  07:45:27
ComboFix-quarantined-files.txt  2013-05-22 14:44
ComboFix2.txt  2013-05-21 16:56
ComboFix3.txt  2013-05-21 16:12
.
Pre-Run: 4,674,293,760 bytes free
Post-Run: 5,101,555,712 bytes free
.
- - End Of File - - 012F2CA9D6C8524159E86FC848704950
#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:02 AM

Posted 22 May 2013 - 10:27 AM

Let's see if we can find all the .vir files.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main text field:
    :filefind
    *.vir
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.
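As an added example (not SystemLook, and not the script from post 8): a Python script that does the same `*.vir` inventory locally and previews what restoring the original names would do, refusing to overwrite any file that already exists under the restored name. The sample folder tree it builds is constructed for the demo; point `report()`/`restore()` at a real folder to use it.

```python
from collections import Counter
from pathlib import Path
import tempfile

def find_vir_files(root):
    """Every *.vir file below root (what SystemLook's ':filefind *.vir' lists)."""
    return sorted(p for p in Path(root).rglob("*.vir") if p.is_file())

def plan_restore(root):
    """Pair each *.vir file with the name it had before quarantine (trailing .vir
    stripped) and separate out targets that already exist, so a restore never
    overwrites a live file. Returns (restorable, conflicts)."""
    restorable, conflicts = [], []
    for vir in find_vir_files(root):
        original = vir.with_suffix("")          # photo.jpg.vir -> photo.jpg
        (conflicts if original.exists() else restorable).append((vir, original))
    return restorable, conflicts

def restore(root, dry_run=True):
    """Rename restorable files back; conflicts are counted but never touched.
    With dry_run=True (the default) nothing on disk changes."""
    restorable, conflicts = plan_restore(root)
    if not dry_run:
        for vir, original in restorable:
            vir.rename(original)
    return {"restored": len(restorable), "conflicts": len(conflicts)}

def report(root):
    """SystemLook-like listing plus a count by original extension, as text."""
    restorable, conflicts = plan_restore(root)
    by_ext = Counter(o.suffix.lower() or "(none)" for _, o in restorable + conflicts)
    lines = [f"{len(restorable) + len(conflicts)} .vir file(s) found under {root}"]
    lines += [f"  {vir}  ->  {original}" for vir, original in restorable]
    lines += [f"  CONFLICT {vir}  (target {original} exists)" for vir, original in conflicts]
    lines += [f"  {ext}: {n}" for ext, n in sorted(by_ext.items())]
    return "\n".join(lines)

def make_sample_tree():
    """Constructed sample: a temp folder mimicking a quarantined Pictures/Music tree."""
    base = Path(tempfile.mkdtemp())
    for rel in ("Pictures/holiday.jpg.vir", "Pictures/sub/cat.png.vir",
                "Music/song.mp3.vir", "Music/notes.txt"):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text("x")
    (base / "Music/song.mp3").write_text("live copy")  # makes song.mp3.vir a conflict
    return base

if __name__ == "__main__":
    sample = make_sample_tree()
    print(report(sample))                  # preview only
    print(restore(sample, dry_run=False))  # {'restored': 2, 'conflicts': 1}
```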