
I indeed have a virus ...combo fix find and refinds


This topic is locked
65 replies to this topic

#1 Weaver1

Weaver1

  • Members
  • 95 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 26 May 2013 - 09:56 PM

I have posted logs, but no response. I ran ComboFix and it found

c:\windows\SysWow64\w32apiw.dll

 

Deleted, but it comes back......





#2 Weaver1

Weaver1
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 26 May 2013 - 10:21 PM

ComboFix 13-05-25.02 - gandg 05/26/2013 19:43:01.9.4 - x64
Microsoft Windows 7 Ultimate N 6.1.7601.1.1252.1.1033.18.16320.14911 [GMT -7:00]
Running from: c:\users\gandg\Desktop\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\w32apiw.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-04-27 to 2013-05-27 )))))))))))))))))))))))))))))))
.
.
2013-05-27 02:45 . 2013-05-27 02:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-27 00:52 . 2013-05-27 00:52 -------- d-----w- c:\program files\CPUID
2013-05-26 22:53 . 2013-05-26 22:53 -------- d-----w- c:\windows\ERUNT
2013-05-26 22:53 . 2013-05-26 22:53 -------- d-----w- C:\JRT
2013-05-26 17:10 . 2013-05-26 17:10 -------- d-----w- c:\programdata\NovaTech Network
2013-05-26 17:10 . 2013-05-26 17:10 -------- d-----w- c:\program files (x86)\Novawave
2013-05-26 15:29 . 2013-05-27 01:10 -------- d-----w- c:\program files (x86)\SpeedFan
2013-05-25 02:24 . 2013-05-26 10:00 -------- d-----w- c:\program files\Microsoft Silverlight
2013-05-25 02:24 . 2013-05-26 10:00 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2013-05-25 00:17 . 2013-05-25 00:17 83160 ----a-w- c:\windows\system32\drivers\avnetflt.sys
2013-05-24 19:29 . 2013-05-24 19:29 -------- d-----w- c:\program files (x86)\Opera
2013-05-24 18:12 . 2013-05-24 18:12 -------- d-----w- c:\programdata\Avira
2013-05-24 18:12 . 2013-05-24 18:12 -------- d-----w- c:\program files (x86)\Avira
2013-05-24 18:12 . 2013-05-24 18:11 28600 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-05-24 18:12 . 2013-05-24 18:11 130016 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-05-24 18:12 . 2013-05-24 18:11 100712 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-05-24 17:59 . 2013-05-24 17:59 -------- d-s---w- c:\windows\SysWow64\Microsoft
2013-05-24 13:33 . 2013-05-14 08:48 9460464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6BBB91B6-83A9-4C23-A065-8D6CB9542C36}\mpengine.dll
2013-05-24 02:30 . 2013-05-24 10:00 -------- d-----w- c:\program files (x86)\Microsoft.NET
2013-05-24 02:30 . 2013-05-24 02:30 -------- d-----w- c:\windows\PCHEALTH
2013-05-24 02:29 . 2013-05-24 02:29 -------- d-----w- c:\program files\Microsoft Office
2013-05-24 02:29 . 2013-05-24 02:29 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2013-05-24 02:29 . 2013-05-24 02:30 -------- d-----w- c:\windows\SHELLNEW
2013-05-24 02:29 . 2013-05-25 02:25 -------- d-----w- c:\programdata\Microsoft Help
2013-05-24 02:29 . 2013-05-24 02:29 -------- d-----r- C:\MSOCache
2013-05-24 02:21 . 2013-05-24 02:21 -------- d-----w- c:\program files\CCleaner
2013-05-23 23:55 . 2013-05-23 23:55 -------- d-----w- c:\program files (x86)\NKProds
2013-05-23 23:54 . 2013-05-24 17:50 -------- d-----w- c:\program files\Google
2013-05-23 23:53 . 2013-05-09 08:58 287840 ----a-w- c:\windows\system32\aswBoot.exe
2013-05-23 23:53 . 2013-05-23 23:53 -------- d-----w- c:\program files\AVAST Software
2013-05-23 23:52 . 2013-05-24 18:00 -------- d-----w- c:\programdata\AVAST Software
2013-05-23 20:57 . 2013-05-23 20:57 -------- d-----w- c:\windows\SysWow64\Wat
2013-05-23 20:57 . 2013-05-23 20:57 -------- d-----w- c:\windows\system32\Wat
2013-05-23 20:13 . 2013-03-17 16:21 3649536 ----a-w- c:\windows\SysWow64\x264vfw.dll
2013-05-23 20:13 . 2012-06-09 17:21 178688 ----a-w- c:\windows\SysWow64\unrar.dll
2013-05-23 20:13 . 2011-12-21 17:14 151552 ----a-w- c:\windows\SysWow64\ac3acm.acm
2013-05-23 20:13 . 2011-12-07 17:32 216064 ----a-w- c:\windows\SysWow64\lagarith.dll
2013-05-23 20:13 . 2011-06-24 14:44 243200 ----a-w- c:\windows\SysWow64\xvidvfw.dll
2013-05-23 20:13 . 2011-06-24 14:28 650752 ----a-w- c:\windows\SysWow64\xvidcore.dll
2013-05-23 20:13 . 2008-09-24 18:41 839680 ----a-w- c:\windows\SysWow64\lameACM.acm
2013-05-23 20:13 . 2013-04-04 18:00 112640 ----a-w- c:\windows\SysWow64\ff_vfw.dll
2013-05-23 20:13 . 2013-05-23 20:13 -------- d-----w- c:\program files (x86)\K-Lite Codec Pack
2013-05-23 19:10 . 2013-05-23 19:10 -------- d-----w- c:\program files (x86)\BlueSprig
2013-05-23 18:55 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-05-23 18:55 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2013-05-23 18:55 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-05-23 18:55 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2013-05-23 18:51 . 2013-05-23 18:51 -------- d-----w- c:\users\UpdatusUser
2013-05-23 18:45 . 2013-05-03 23:15 75016696 ----a-w- c:\windows\system32\MRT.exe
2013-05-23 18:41 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2013-05-23 18:40 . 2012-12-07 13:20 441856 ----a-w- c:\windows\system32\Wpc.dll
2013-05-23 18:39 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe
2013-05-23 18:37 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2013-05-23 18:37 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2013-05-23 18:37 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
2013-05-23 18:37 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2013-05-23 18:37 . 2011-05-03 05:29 976896 ----a-w- c:\windows\system32\inetcomm.dll
2013-05-23 18:37 . 2011-05-03 04:30 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
2013-05-23 18:35 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2013-05-23 18:35 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2013-05-23 18:35 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2013-05-23 18:34 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2013-05-23 18:34 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2013-05-23 18:34 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2013-05-23 18:34 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2013-05-23 18:34 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2013-05-23 18:34 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2013-05-23 18:34 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2013-05-23 18:34 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2013-05-23 18:34 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2013-05-23 18:28 . 2013-05-24 02:23 -------- d-----w- c:\windows\Panther
2013-05-23 18:14 . 2013-05-26 21:49 -------- d-----w- c:\program files (x86)\Google
2013-05-23 18:14 . 2013-05-23 18:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-05-23 18:14 . 2013-05-23 18:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-05-23 18:10 . 2013-05-24 18:56 -------- d-----w- c:\programdata\NVIDIA
2013-05-23 18:10 . 2013-01-18 15:00 6390048 ----a-w- c:\windows\system32\nvcpl.dll
2013-05-23 18:10 . 2013-01-18 15:00 3460896 ----a-w- c:\windows\system32\nvsvc64.dll
2013-05-23 18:10 . 2013-01-18 15:00 884512 ----a-w- c:\windows\system32\nvvsvc.exe
2013-05-23 18:10 . 2013-01-18 15:00 63776 ----a-w- c:\windows\system32\nvshext.dll
2013-05-23 18:10 . 2013-01-18 15:00 2953448 ----a-w- c:\windows\system32\nvcoproc.bin
2013-05-23 18:10 . 2013-01-18 15:00 2558240 ----a-w- c:\windows\system32\nvsvcr.dll
2013-05-23 18:10 . 2013-01-18 15:00 118560 ----a-w- c:\windows\system32\nvmctray.dll
2013-05-23 18:09 . 2012-10-02 22:21 60776 ----a-w- c:\windows\system32\OpenCL.dll
2013-05-23 18:09 . 2012-10-02 22:21 52584 ----a-w- c:\windows\SysWow64\OpenCL.dll
2013-05-23 18:09 . 2013-05-23 18:09 -------- d-----w- c:\programdata\NVIDIA Corporation
2013-05-23 18:09 . 2013-05-23 18:51 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2013-05-23 18:09 . 2013-02-26 07:32 1814304 ----a-w- c:\windows\system32\nvdispco64.dll
2013-05-23 18:09 . 2013-02-26 07:32 1510176 ----a-w- c:\windows\system32\nvdispgenco64.dll
2013-05-23 18:09 . 2013-02-26 07:32 1107440 ----a-w- c:\windows\system32\nvumdshimx.dll
2013-05-23 18:09 . 2013-02-26 07:32 15129960 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2013-05-23 18:09 . 2013-02-26 07:32 2826040 ----a-w- c:\windows\system32\nvapi64.dll
2013-05-23 18:07 . 2013-05-23 18:51 -------- d-----w- c:\program files\NVIDIA Corporation
2013-05-23 18:00 . 2013-05-23 18:00 254528 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2013-05-23 18:00 . 2013-05-23 18:00 -------- d-----w- c:\program files (x86)\DAEMON Tools Pro
2013-05-23 17:59 . 2013-05-23 18:00 -------- d-----w- c:\programdata\DAEMON Tools Pro
2013-05-23 17:57 . 2012-05-21 08:25 19264 ----a-w- c:\windows\system32\drivers\iusb3hcs.sys
2013-05-23 17:57 . 2012-05-21 08:25 789824 ----a-w- c:\windows\system32\drivers\iusb3xhc.sys
2013-05-23 17:57 . 2012-05-21 08:25 357184 ----a-w- c:\windows\system32\drivers\iusb3hub.sys
2013-05-23 17:56 . 2012-06-13 06:00 74344 ----a-w- c:\windows\system32\RtNicProp64.dll
2013-05-23 17:56 . 2012-06-13 06:00 726160 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
2013-05-23 17:56 . 2012-06-13 06:00 107552 ----a-w- c:\windows\system32\RTNUninst64.dll
2013-05-23 17:56 . 2013-05-23 17:56 -------- d-----w- c:\program files (x86)\Realtek
2013-05-23 17:56 . 2013-05-23 17:56 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
2013-05-23 17:53 . 2013-05-26 21:49 -------- d-sh--w- c:\windows\Installer
2013-05-23 17:53 . 2013-05-23 17:53 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2013-05-23 17:51 . 2013-05-23 17:57 -------- d-----w- c:\program files (x86)\Intel
2013-05-23 17:51 . 2011-12-07 15:55 53248 ----a-r- c:\windows\SysWow64\CSVer.dll
2013-05-23 17:51 . 2013-05-23 17:51 -------- d-----w- C:\Intel
2013-05-23 17:49 . 2013-05-23 17:49 -------- d-----w- c:\windows\Chipset
2013-05-23 17:49 . 2013-05-23 17:49 16896 ----a-w- c:\windows\AsTaskSched.dll
2013-05-23 17:49 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
2013-05-23 17:34 . 2013-05-27 02:40 -------- d-----w- c:\users\gandg
2013-05-23 17:34 . 2013-05-23 17:34 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-02 09:06 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-04-13 05:49 . 2013-05-23 18:40 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49 . 2013-05-23 18:40 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49 . 2013-05-23 18:40 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49 . 2013-05-23 18:40 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45 . 2013-05-23 18:40 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-23 18:40 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-26 07:32 . 2013-02-26 07:32 25256224 ----a-w- c:\windows\system32\nvcompiler.dll
2013-02-26 07:32 . 2013-02-26 07:32 2505144 ----a-w- c:\windows\SysWow64\nvapi.dll
2013-02-26 07:32 . 2013-02-26 07:32 6262608 ----a-w- c:\windows\SysWow64\nvopencl.dll
2013-02-26 07:32 . 2013-02-26 07:32 18055184 ----a-w- c:\windows\system32\nvd3dumx.dll
2013-02-26 07:32 . 2013-02-26 07:32 958120 ----a-w- c:\windows\SysWow64\nvumdshim.dll
2013-02-26 07:32 . 2013-02-26 07:32 2720544 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2013-02-26 07:32 . 2013-02-26 07:32 26929440 ----a-w- c:\windows\system32\nvoglv64.dll
2013-02-26 07:32 . 2013-02-26 07:32 7932256 ----a-w- c:\windows\SysWow64\nvcuda.dll
2013-02-26 07:32 . 2013-02-26 07:32 2346784 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-02-26 07:32 . 2013-02-26 07:32 245872 ----a-w- c:\windows\system32\nvinitx.dll
2013-02-26 07:32 . 2013-02-26 07:32 11036448 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-02-26 07:32 . 2013-02-26 07:32 2904352 ----a-w- c:\windows\system32\nvcuvid.dll
2013-02-26 07:32 . 2013-02-26 07:32 20449056 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2013-02-26 07:32 . 2013-02-26 07:32 15053264 ----a-w- c:\windows\system32\nvwgf2umx.dll
2013-02-26 07:32 . 2013-02-26 07:32 17560352 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2013-02-26 07:32 . 2013-02-26 07:32 7564040 ----a-w- c:\windows\system32\nvopencl.dll
2013-02-26 07:32 . 2013-02-26 07:32 1985824 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2013-02-26 07:32 . 2013-02-26 07:32 12641992 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2013-02-26 07:32 . 2013-02-26 07:32 9390760 ----a-w- c:\windows\system32\nvcuda.dll
2013-02-26 07:32 . 2013-02-26 07:32 201576 ----a-w- c:\windows\SysWow64\nvinit.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-05-21 291648]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-05-24 345312]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 MSICDSetup;MSICDSetup;E:\CDriver64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2012-08-23 29696]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-05-23 1255736]
R4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2013-05-07 143088]
R4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-01-18 383264]
R4 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe [2011-11-12 27760]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-05-21 19264]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2013-05-24 28600]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2013-05-23 254528]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2013-05-24 86752]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-05-21 357184]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-05-21 789824]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2012-06-13 726160]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-11-12 2182768]
.
.
.
--------- X64 Entries -----------
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-05-26 19:46:09
ComboFix-quarantined-files.txt 2013-05-27 02:46
ComboFix2.txt 2013-05-26 23:44
ComboFix3.txt 2013-05-26 23:30
ComboFix4.txt 2013-05-26 22:36
ComboFix5.txt 2013-05-27 02:42
.
Pre-Run: 36,484,341,760 bytes free
Post-Run: 36,400,173,056 bytes free
.
- - End Of File - - A6AED8A2BFF981D5F1FCC7B0692E12F7



#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:48 AM

Posted 29 May 2013 - 09:56 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

--RogueKiller--
  • Download & SAVE to your Desktop: RogueKiller for 32-bit or RogueKiller for 64-bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
===

    Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

    Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

    Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

    Please paste the logs in your next reply, DO NOT ATTACH THEM
    Let me know what problem persists.


#4 Weaver1

Weaver1
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 29 May 2013 - 11:56 AM

Hi There,

 

First, thank you so much for responding. I am painfully aware you all have a lot of work to do; I know we all here keep you ladies and gents busy.

 

In my quest to eliminate exploits from my system I tried securely deleting the SSD; however, it looks like it failed to do as I needed. So it occurred to me that maybe I indeed have a rootkit and installing Win 8 would render it useless due to the kernel change. Guess not... If you're still willing to help me, I have posted logs in order as requested, yet I am running Win 8 now instead of Win 7... Sorry for the switch; however, I have been beating this horse for some time, so I'm trying anything I can think of. BTW, I tried Darik's Boot and Nuke but it failed.....

 

 

Logs in order as requested:

 

 

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Home [Admin rights]
Mode : Scan -- Date : 05/29/2013 09:39:44
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

 

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: OCZ-AGILITY3 +++++
--- User ---
[MBR] 1f48707902e92e5bd2b1471876a67d72
[BSP] 43a7766776d557ab6cf49acc510e0b99 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 350 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 718848 | Size: 56889 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Hitachi HDS721050CLA360 +++++
--- User ---
[MBR] fce86bf5c4e7a6c23fa37a1742a3dee1
[BSP] c87225662d60582545f37845a2253a6c : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476937 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: WDC WD2500SD-01KCC0 +++++
--- User ---
[MBR] 61fe0f43fe1ff6d4fa11ee621a7b53c7
[BSP] ed49650fdc7020c359af5eb52bdd3274 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238473 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_05292013_02d0939.txt >>
RKreport[1]_S_05292013_02d0939.txt

 

ADWcleaner:

# AdwCleaner v2.301 - Logfile created 05/29/2013 at 07:41:38
# Updated 16/05/2013 by Xplode
# Operating system : Windows 8 Pro  (64 bits)
# User : Home - TESTWIN8
# Boot Mode : Normal
# Running from : H:\downloads\AdwCleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\S

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Google Chrome v27.0.1453.94

File : C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [661 octets] - [29/05/2013 07:41:38]

########## EOF - C:\AdwCleaner[S1].txt - [720 octets] ##########

 

JRT:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 8 Pro x64
Ran by Home on Wed 05/29/2013 at  9:45:28.71
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 05/29/2013 at  9:47:20.51
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#5 Weaver1

Weaver1
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 29 May 2013 - 11:58 AM

I did run Rkill right before running the apps requested for the log files. It is concerning me; the results are not promising...

 

Rkill Log:

 

Rkill 2.5.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/29/2013 09:16:35 AM in x64 mode.
Windows Version: Windows 8 Pro

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Fax [Missing Service]

 * WinDefend => "%ProgramFiles%\Windows Defender\MsMpEng.exe" [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 05/29/2013 09:16:43 AM
Execution time: 0 hours(s), 0 minute(s), and 7 seconds(s)



#6 Weaver1

Weaver1
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:48 AM

Posted 29 May 2013 - 12:00 PM

For some reason I can't make registry edits on my system to delete DWORDs that are not stock by any means... I ran regedit as admin and was not able to change anything, not even something simple like adding a DWORD for system tweaks.


Edited by Weaver1, 29 May 2013 - 12:24 PM.


#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:48 AM

Posted 29 May 2013 - 12:57 PM

If you had problems and you tried to repair your system by upgrading to Windows 8, it might not have been the right thing to do.

Can you restore Windows 7 by removing Win 8 and post a fresh DDS log? I will take it from there.

Let me know what issues you are having with Win 7.

#8 Weaver1

Weaver1
  • Topic Starter

  • Members
  • 95 posts
  • Gender:Male
  • Local time:02:48 AM

Posted 29 May 2013 - 01:12 PM

Sure. Well, I installed it fresh, so there is no way to restore Win 7. I can do a clean install and run the logs for you; however, I was hoping to keep 8, it's kinda grown on me. If Win 7 is the only way to fight this rootkit then I will do it. Let me know, thanks.

 

I used diskpart to "clean all" on my SSD before installing Win 8... It did not seem to kill the infection. I also mentioned Darik's Boot and Nuke; it failed and crashed before I was able to nuke my drive.

 

Hope that clarifies. Again, I can't thank you and your Bleeping counterparts (lol) enough for the help and all that you people do for your forum users.



#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:48 AM

Posted 30 May 2013 - 06:56 AM

We should then continue with Windows 8.

* WinDefend => "%ProgramFiles%\Windows Defender\MsMpEng.exe" [Incorrect ImagePath]
Searching for Missing Digital Signatures:


This may be an indication of a ZeroAccess infection.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#10 Weaver1

Weaver1
  • Topic Starter

  • Members
  • 95 posts
  • Gender:Male
  • Local time:02:48 AM

Posted 30 May 2013 - 05:27 PM

Oh man, I am so so sorry... I went ahead and reinstalled 7... OK, so I am going to stop here and wait for your instructions. I am again so sorry... And yeah, it seems to have followed me anyway, again with 7...



#11 Weaver1

Weaver1
  • Topic Starter

  • Members
  • 95 posts
  • Gender:Male
  • Local time:02:48 AM

Posted 31 May 2013 - 12:44 AM

BTW I ran Rkill after installing a fresh copy of Win 7 Ult 64-bit...

 

Rkill 2.5.0 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 05/30/2013 10:40:16 PM in x64 mode.
Windows Version: Windows 7 Ultimate N Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Active Proxy Server Detected
 
 * Proxy Disabled.
 * ProxyOverride value deleted.
 * ProxyServer value deleted.
 * AutoConfigURL value deleted.
 * Proxy settings were backed up to Registry file.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Backup Registry file created at:
 C:\Users\office\Desktop\rkill\rkill-05-30-2013-10-40-17.reg
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * WMPNetworkSvc [Missing Service]
 * WPDBusEnum [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 05/30/2013 10:40:21 PM
Execution time: 0 hours(s), 0 minute(s), and 5 seconds(s)
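The two Rkill logs in this thread flag three things a responder typically wants to re-check by hand after cleanup: the Windows Defender policy value (DisableAntiSpyware = 1), services that are missing or whose ImagePath is not what is expected (the WinDefend line that nasdaq connects to a possible ZeroAccess infection), and user proxy settings that Rkill cleared on a fresh Windows 7 install. The script below is an added example, not code from the thread, from Rkill or from Farbar Service Scanner; it only reads the registry and reports, changing nothing. The parameter names, the list of services (taken from the names that appear in the logs above) and the idea of passing the expected Defender path yourself are assumptions; the thread never states what the correct ImagePath is, so the script prints the path it finds and only labels it incorrect when you supply an expected value.

```powershell
# Added example (not from the thread, Rkill or FSS): re-check what the Rkill logs
# reported. Read-only. Run from an elevated 64-bit PowerShell so HKLM and
# %ProgramFiles% resolve the way they do for services.
param(
    # Optional. Expected WinDefend ImagePath, e.g. '"%ProgramFiles%\Windows Defender\MsMpEng.exe"'.
    # Assumption: you know the right value for this Windows build; when omitted,
    # the path is only reported, not judged.
    [string]$ExpectedDefenderPath = $null,
    # Services Rkill reported on in the logs above (assumed list, extend as needed)
    [string[]]$RequiredServices = @('WinDefend', 'Fax', 'WMPNetworkSvc', 'WPDBusEnum')
)

$findings = @()

# 1. Defender policy switch: Rkill printed DisableAntiSpyware = dword:00000001
$defKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$disable = (Get-ItemProperty -Path $defKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
if ($disable -eq 1) {
    $findings += "Windows Defender disabled: $defKey\DisableAntiSpyware = 1"
}

# 2. Service integrity: does the service key exist, and what does it launch?
foreach ($svc in $RequiredServices) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $svcKey)) {
        $findings += "$svc [Missing Service]"
        continue
    }
    # Get-ItemProperty expands REG_EXPAND_SZ, so expand the expected value too
    $imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($svc -eq 'WinDefend') {
        if ($ExpectedDefenderPath) {
            $expected = [Environment]::ExpandEnvironmentVariables($ExpectedDefenderPath)
            if ($imagePath -ne $expected) {   # -ne is case-insensitive in PowerShell
                $findings += "$svc => $imagePath [Incorrect ImagePath; expected $expected]"
            }
        } else {
            $findings += "$svc => $imagePath [ImagePath reported for manual review]"
        }
    }
}

# 3. Proxy settings for the current user: the values Rkill deleted on the Win 7 box
$proxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $proxyKey -ErrorAction SilentlyContinue
if ($proxy) {
    if ($proxy.ProxyEnable -eq 1) { $findings += 'Active proxy: ProxyEnable = 1' }
    foreach ($name in 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
        if ($proxy.$name) { $findings += "Proxy setting present: $name = $($proxy.$name)" }
    }
}

if ($findings.Count -eq 0) { 'No issues found.' } else { $findings }
```

Run it once before cleanup to record the state and again afterwards: a ProxyServer or AutoConfigURL that reappears on a machine where nobody configured a proxy, or a DisableAntiSpyware value that returns after being removed, is the same "deleted but comes back" behaviour the thread opens with and is worth a fresh log for the helper. The script deliberately makes no changes, so the backup .reg file Rkill writes remains the record of what was altered.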


#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:48 AM

Posted 31 May 2013 - 08:05 AM

No problems. If all is well I will close this topic.

#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:48 AM

Posted 03 June 2013 - 08:57 PM

Following your PM please let me know the status of this computer.

For my review please post the following log.

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.

1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
2: DDS.pif
3: DDS.COM

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.

Please note: You may have to disable any script protection running if the scan fails to run.


Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

The scan will also create an Attach.txt log; I would also like to see its content.
Please post it in another post for my review, do not attach the file.

#14 Weaver1

Weaver1
  • Topic Starter

  • Members
  • 95 posts
  • Gender:Male
  • Local time:02:48 AM

Posted 04 June 2013 - 04:16 PM

Hey there, thanks again for all the work. So I am on a clean build out of spare parts... Did you want me to run DDS on one of my infected boxes? I am currently rebuilding my other system that was the root of all this, I believe, and again it looks like the drives have been flashed. So sorry for the confusion; if you can clarify which computer you need the log from... I have three laptops with the infection and one main. I again am now working from a spare-parts box with a new SSD drive out of the package.

 

Thanks again 



#15 Weaver1

Weaver1
  • Topic Starter

  • Members
  • 95 posts
  • Gender:Male
  • Local time:02:48 AM

Posted 04 June 2013 - 04:21 PM

Just in case something odd is going on with my net setup, here is the DDS log from my new build. I will get one from the main laptop as well.

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 7.0.6002.18005
Run by HomeOffice at 14:18:22 on 2013-06-04
#Option MBR scan  is disabled.
Microsoft® Windows Vista™ Business   6.0.6002.2.1252.1.1033.18.1022.360 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{0B256F45-033B-44B2-84C6-EAA006B02657} : DHCPNameServer = 192.168.1.1
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.94\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2013-06-04 16:07:55 -------- d-----w- c:\users\homeoffice\appdata\local\Google
2013-06-04 16:07:50 -------- d-----w- c:\users\homeoffice\appdata\local\Deployment
2013-06-04 16:07:50 -------- d-----w- c:\users\homeoffice\appdata\local\Apps
2013-06-04 16:04:06 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
2013-06-04 16:04:06 142848 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2013-06-04 16:04:06 -------- d-----w- c:\program files\Realtek
2013-06-04 15:49:41 27648 ----a-w- c:\windows\system32\drivers\RtNdPt60.sys
2013-06-04 15:36:15 -------- d-----w- C:\dell
2013-06-04 15:18:36 -------- d-----w- c:\program files\NVIDIA Corporation
2013-06-04 03:21:37 -------- d-----w- c:\windows\Panther
2013-06-04 03:21:22 -------- d-sh--w- C:\Boot
2013-06-04 03:21:03 -------- d-----w- c:\windows\system32\OEM
.
==================== Find3M  ====================
.
.
============= FINISH: 14:18:31.01 ===============




