
Fighting nasty virus that I cannot get rid of... Very stealthy and resilient


9 replies to this topic

#1 Weaver1
  • Members
  • 95 posts

Posted 22 July 2013 - 08:19 AM

Hello, I have been fighting this virus on all of our family systems. Not sure how it's propagated yet; I have traces of something that is very stealthy and super resilient, surviving secure wipes, zero fills, etc. I have also taken my systems down to board level and reflashed firmware with no luck.

This virus seems to lie dormant for a few days, I think, and then starts to download different parts and pieces... I have posted a few times during my tear-down and diagnostic phase, but even after log after log and countless hours of work with the great techs here at BleepingComputer this seems to keep popping up.

In my efforts to get rid of this darn thing I have had to wipe hard drives and start fresh several times, causing confusion here as I was working with techs. Right now I am going to use only one system to figure out this bug and start rebuilding one system at a time. We have about 7 systems, including three desktops and four laptops... as I said, all but one are wiped and torn down. I am afraid to even plug hard drives in...

I have a laptop online now, our only system for a large family right now, making things tough on me, the "home" computer guy... lol, not much of a Windows tech but learning a ton lol... So I ran ComboFix after Windows asked me to turn on Avira when it was already running and also started downloading updates even when I have it set to "check but only download and install after requested"... Log is in next post.

Desperate here my friends...


Edited by Weaver1, 22 July 2013 - 08:26 AM.




#2 Weaver1
  • Topic Starter
  • Members
  • 95 posts

Posted 22 July 2013 - 08:20 AM

ComboFix 13-07-20.03 - gregs 07/22/2013   5:51.8.2 - x86 MINIMAL
Microsoft Windows 7 Home Premium N   6.1.7600.0.1252.1.1033.18.2942.2425 [GMT -7:00]
Running from: c:\users\gregs\Desktop\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache\userinit.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-22 to 2013-07-22  )))))))))))))))))))))))))))))))
.
.
2013-07-22 12:56 . 2013-07-22 12:56    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-07-22 12:44 . 2013-07-22 12:44    12872    ----a-w-    c:\windows\system32\bootdelete.exe
2013-07-22 12:44 . 2013-07-22 12:44    30464    ----a-w-    c:\windows\system32\drivers\hitmanpro37.sys
2013-07-22 03:45 . 2012-06-02 22:19    53784    ----a-w-    c:\windows\system32\wuauclt.exe
2013-07-22 03:45 . 2012-06-02 22:19    45080    ----a-w-    c:\windows\system32\wups2.dll
2013-07-22 03:45 . 2012-06-02 22:19    1933848    ----a-w-    c:\windows\system32\wuaueng.dll
2013-07-22 03:45 . 2012-06-02 22:12    2422272    ----a-w-    c:\windows\system32\wucltux.dll
2013-07-22 03:45 . 2012-06-02 22:19    35864    ----a-w-    c:\windows\system32\wups.dll
2013-07-22 03:45 . 2012-06-02 22:19    577048    ----a-w-    c:\windows\system32\wuapi.dll
2013-07-22 03:45 . 2012-06-02 22:12    88576    ----a-w-    c:\windows\system32\wudriver.dll
2013-07-22 03:45 . 2012-06-02 22:19    171904    ----a-w-    c:\windows\system32\wuwebv.dll
2013-07-22 03:45 . 2012-06-02 22:12    33792    ----a-w-    c:\windows\system32\wuapp.exe
2013-07-21 07:01 . 2013-07-21 07:14    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-07-21 06:08 . 2013-07-21 06:08    67168    ----a-w-    c:\windows\system32\drivers\avnetflt.sys
2013-07-21 06:06 . 2013-06-20 21:49    84744    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2013-07-21 06:06 . 2013-06-20 21:49    135136    ----a-w-    c:\windows\system32\drivers\avipbb.sys
2013-07-21 06:06 . 2013-03-06 23:13    37352    ----a-w-    c:\windows\system32\drivers\avkmgr.sys
2013-07-21 06:06 . 2013-07-21 06:06    --------    d-----w-    c:\programdata\Avira
2013-07-21 06:06 . 2013-07-21 06:06    --------    d-----w-    c:\program files\Avira
2013-07-21 06:04 . 2013-07-21 06:04    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-07-21 06:04 . 2013-07-21 06:04    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2013-07-21 06:03 . 2013-07-21 06:03    --------    d-----w-    c:\programdata\Malwarebytes
2013-07-21 06:03 . 2013-07-21 06:04    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-07-21 06:03 . 2013-04-04 21:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-07-21 06:03 . 2013-07-21 06:03    --------    d-----w-    c:\program files\The KMPlayer
2013-07-21 06:03 . 2013-07-21 06:24    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-21 06:03 . 2013-07-21 06:24    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-07-21 06:03 . 2013-07-21 06:03    --------    d-----w-    c:\windows\system32\Macromed
2013-07-21 06:02 . 2013-07-21 06:02    --------    d-----w-    c:\programdata\MediaMonkey
2013-07-21 06:02 . 2013-07-21 06:03    --------    d-----w-    c:\program files\MediaMonkey
2013-07-21 06:02 . 2013-07-21 06:02    --------    d-----w-    c:\program files\GRETECH
2013-07-21 06:02 . 2013-07-21 06:02    --------    d-----w-    c:\program files\Glary Utilities
2013-07-21 06:02 . 2013-07-21 06:02    --------    d-----w-    c:\program files\PeaZip
2013-07-21 06:02 . 2013-07-21 06:02    --------    d-----w-    c:\program files\Auslogics
2013-07-21 06:01 . 2013-07-21 06:01    --------    d-----w-    c:\program files\InfraRecorder
2013-07-21 06:01 . 2013-07-21 06:01    --------    d-----w-    c:\program files\ImgBurn
2013-07-21 06:01 . 2013-07-21 06:01    --------    d-----w-    c:\program files\TeraCopy
2013-07-21 06:01 . 2013-07-21 06:01    --------    d-----w-    c:\program files\VS Revo Group
2013-07-21 06:01 . 2013-07-21 06:01    --------    d-----w-    c:\program files\WinDirStat
2013-07-21 06:01 . 2013-07-21 06:01    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2013-07-21 04:03 . 2013-07-21 04:03    --------    d-----w-    c:\program files\HitmanPro
2013-07-21 04:02 . 2013-07-21 05:45    135464    ----a-w-    c:\windows\system32\LnkProtect.dll
2013-07-21 04:02 . 2013-07-22 12:44    --------    d-----w-    c:\programdata\HitmanPro
2013-07-18 23:20 . 2013-07-18 22:29    --------    d-----w-    c:\windows\Panther
2013-07-18 23:09 . 2013-07-18 23:09    0    ----a-w-    c:\windows\ativpsrm.bin
2013-07-18 23:08 . 2013-07-21 06:06    --------    d-sh--w-    c:\windows\Installer
2013-07-18 23:08 . 2013-07-18 23:08    --------    d-----w-    c:\program files\ATI
2013-07-18 22:55 . 2013-07-15 10:34    7143960    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{9B8F99FB-0905-497B-8A1C-531B69FDC9DB}\mpengine.dll
2013-07-18 22:29 . 2013-07-21 12:37    --------    d-----w-    c:\users\gregs
2013-07-18 22:29 . 2013-07-18 22:29    --------    d-----w-    C:\Recovery
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-06-20 345144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2013-03-06 37352]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2013-06-20 84024]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2013-07-21 106280]
R4 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\AVWEBGRD.EXE [2013-06-20 589368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-05-23 119056]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-07-13 347136]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation    REG_MULTI_SZ       SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-22 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2013-07-21 23:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\gregs\AppData\Roaming\Mozilla\Firefox\Profiles\ytme8fyu.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2013-07-22  06:00:07 - machine was rebooted
ComboFix-quarantined-files.txt  2013-07-22 13:00
ComboFix2.txt  2013-07-22 09:12
ComboFix3.txt  2013-07-21 12:47
ComboFix4.txt  2013-07-21 04:16
ComboFix5.txt  2013-07-22 12:50
.
Pre-Run: 148,675,604,480 bytes free
Post-Run: 148,625,809,408 bytes free
.
- - End Of File - - 93353AD820E0B0915D2D4041AF14D8C4
A36C5E4F47E84449FF07ED3517B43A31



#3 Weaver1
  • Topic Starter
  • Members
  • 95 posts

Posted 23 July 2013 - 10:14 PM

Anyone have an idea what's going on in this log? I know BC is a busy place; let me know if I need to add any info or logs to get started here... Thanks



#4 nasdaq
  • Malware Response Team
  • 39,543 posts
  • Location:Montreal, QC. Canada

Posted 24 July 2013 - 09:47 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS by sUBs from one of the following links, if you no longer have it available. Save it to your desktop.

1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
2: DDS.pif
3: DDS.COM

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.


Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please restart the computer before running this security check.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM.
Let me know what problem persists.

#5 Weaver1
  • Topic Starter
  • Members
  • 95 posts

Posted 24 July 2013 - 10:55 AM

Thank you so much for the response... here are the logs:
# AdwCleaner v2.306 - Logfile created 07/24/2013 at 08:50:48
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Home Premium N  (32 bits)
# User : gregs - GREGS-PC
# Boot Mode : Normal
# Running from : C:\Users\gregs\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.17267

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Users\gregs\AppData\Roaming\Mozilla\Firefox\Profiles\ytme8fyu.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [655 octets] - [24/07/2013 08:50:48]

########## EOF - C:\AdwCleaner[S1].txt - [714 octets] ##########



#6 Weaver1
  • Topic Starter
  • Members
  • 95 posts

Posted 24 July 2013 - 11:01 AM

JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.2.2 (07.22.2013:2)
OS: Windows 7 Home Premium N x86
Ran by gregs on Wed 07/24/2013 at  8:56:46.85
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\gregs\AppData\Roaming\mozilla\firefox\profiles\ytme8fyu.default\minidumps [5 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 07/24/2013 at  8:59:25.13
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#7 Weaver1
  • Topic Starter
  • Members
  • 95 posts

Posted 24 July 2013 - 11:04 AM

DDS.txt:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7600.17267
Run by gregs at 9:01:30 on 2013-07-24
Microsoft Windows 7 Home Premium N   6.1.7600.0.1252.1.1033.18.2942.2088 [GMT -7:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: Interfaces\{2481D1AC-0133-4551-8AC9-9309D61A904E} : NameServer = 208.67.222.222,208.67.220.220
SSODL: WebCheck - <orphaned>
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\gregs\appdata\roaming\mozilla\firefox\profiles\ytme8fyu.default\
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-7-20 37352]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2013-7-20 84024]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-7-20 108088]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-7-20 84744]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347136]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S4 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2013-7-20 589368]
.
=============== Created Last 30 ================
.
2013-07-24 15:56:45    --------    d-----w-    c:\windows\ERUNT
2013-07-24 12:31:34    --------    d-----w-    c:\program files\CCleaner
2013-07-24 12:29:31    801792    ----a-w-    c:\windows\system32\FntCache.dll
2013-07-24 12:29:31    728448    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-07-24 12:29:31    442880    ----a-w-    c:\windows\system32\XpsPrint.dll
2013-07-24 12:29:31    283648    ----a-w-    c:\windows\system32\XpsGdiConverter.dll
2013-07-24 12:29:31    219008    ----a-w-    c:\windows\system32\drivers\dxgmms1.sys
2013-07-24 12:29:31    1495040    ----a-w-    c:\windows\system32\ExplorerFrame.dll
2013-07-24 12:29:31    135168    ----a-w-    c:\windows\system32\XpsRasterService.dll
2013-07-24 12:29:31    107520    ----a-w-    c:\windows\system32\cdd.dll
2013-07-24 12:17:59    981504    ----a-w-    c:\windows\system32\wininet.dll
2013-07-24 12:16:41    954752    ----a-w-    c:\windows\system32\mfc40.dll
2013-07-24 12:15:54    1236992    ----a-w-    c:\windows\system32\msxml3.dll
2013-07-24 12:14:59    690688    ----a-w-    c:\windows\system32\msvcrt.dll
2013-07-24 12:01:38    1170944    ----a-w-    c:\windows\system32\d3d10warp.dll
2013-07-24 12:01:37    739840    ----a-w-    c:\windows\system32\d2d1.dll
2013-07-24 12:01:37    218624    ----a-w-    c:\windows\system32\d3d10_1core.dll
2013-07-24 12:01:37    161792    ----a-w-    c:\windows\system32\d3d10_1.dll
2013-07-24 12:01:37    1074176    ----a-w-    c:\windows\system32\DWrite.dll
2013-07-24 11:59:59    78336    ----a-w-    c:\windows\system32\synceng.dll
2013-07-24 11:59:57    101760    ----a-w-    c:\windows\system32\consent.exe
2013-07-24 11:59:56    132608    ----a-w-    c:\windows\system32\cabview.dll
2013-07-24 03:21:03    388096    ----a-r-    c:\users\gregs\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2013-07-24 03:21:03    --------    d-----w-    c:\program files\Trend Micro
2013-07-23 18:07:33    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-07-22 15:24:06    --------    d-----w-    c:\programdata\Kaspersky Lab
2013-07-22 12:44:38    12872    ----a-w-    c:\windows\system32\bootdelete.exe
2013-07-22 03:45:46    2422272    ----a-w-    c:\windows\system32\wucltux.dll
2013-07-22 03:45:35    88576    ----a-w-    c:\windows\system32\wudriver.dll
2013-07-22 03:45:26    33792    ----a-w-    c:\windows\system32\wuapp.exe
2013-07-22 03:45:26    171904    ----a-w-    c:\windows\system32\wuwebv.dll
2013-07-21 07:01:06    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-07-21 06:47:13    --------    d-----w-    c:\users\gregs\appdata\roaming\Malwarebytes
2013-07-21 06:46:05    --------    d-----w-    c:\users\gregs\appdata\roaming\PeaZip
2013-07-21 06:37:11    --------    d-----w-    c:\users\gregs\appdata\roaming\GlarySoft
2013-07-21 06:31:30    --------    d-----w-    c:\users\gregs\appdata\roaming\TeraCopy
2013-07-21 06:25:39    --------    d-----w-    c:\users\gregs\appdata\local\Macromedia
2013-07-21 06:24:30    --------    d-----w-    c:\users\gregs\appdata\local\Adobe
2013-07-21 06:11:49    --------    d-----w-    c:\users\gregs\appdata\roaming\Avira
2013-07-21 06:08:21    67168    ----a-w-    c:\windows\system32\drivers\avnetflt.sys
2013-07-21 06:06:06    84744    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2013-07-21 06:06:06    37352    ----a-w-    c:\windows\system32\drivers\avkmgr.sys
2013-07-21 06:06:05    --------    d-----w-    c:\programdata\Avira
2013-07-21 06:06:05    --------    d-----w-    c:\program files\Avira
2013-07-21 06:03:59    --------    d-----w-    c:\programdata\Malwarebytes
2013-07-21 06:03:58    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-07-21 06:03:58    --------    d-----w-    c:\users\gregs\appdata\local\Programs
2013-07-21 06:03:58    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-07-21 06:03:34    --------    d-----w-    c:\program files\The KMPlayer
2013-07-21 06:03:07    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-21 06:03:07    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-07-21 06:03:02    --------    d-----w-    c:\users\gregs\appdata\roaming\MediaMonkey
2013-07-21 06:02:54    --------    d-----w-    c:\programdata\MediaMonkey
2013-07-21 06:02:45    --------    d-----w-    c:\program files\MediaMonkey
2013-07-21 06:02:31    --------    d-----w-    c:\users\gregs\appdata\local\Mozilla
2013-07-21 06:02:25    --------    d-----w-    c:\program files\GRETECH
2013-07-21 06:02:17    --------    d-----w-    c:\program files\Glary Utilities
2013-07-21 06:02:14    --------    d-----w-    c:\program files\PeaZip
2013-07-21 06:02:08    --------    d-----w-    c:\program files\Auslogics
2013-07-21 04:02:45    135464    ----a-w-    c:\windows\system32\LnkProtect.dll
2013-07-21 04:02:30    --------    d-----w-    c:\programdata\HitmanPro
2013-07-18 23:20:51    --------    d-----w-    c:\windows\Panther
2013-07-18 23:17:23    98816    ----a-w-    c:\windows\sed.exe
2013-07-18 23:17:23    256000    ----a-w-    c:\windows\PEV.exe
2013-07-18 23:17:23    208896    ----a-w-    c:\windows\MBR.exe
2013-07-18 23:09:40    0    ----a-w-    c:\windows\ativpsrm.bin
2013-07-18 23:08:01    --------    d-sh--w-    c:\windows\Installer
2013-07-18 23:08:01    --------    d-----w-    c:\program files\ATI
2013-07-18 22:55:13    7143960    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{9b8f99fb-0905-497b-8a1c-531b69fdc9db}\mpengine.dll
2013-07-18 22:55:01    --------    d-----w-    c:\users\gregs\appdata\roaming\WinBatch
2013-07-18 22:50:11    --------    d-----w-    c:\users\gregs\appdata\local\Diagnostics
2013-07-18 22:31:26    --------    d-----w-    c:\windows\pss
.
==================== Find3M  ====================
.
.
============= FINISH:  9:02:03.00 ===============
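The ComboFix "Files Created" listing in post #2 and the DDS "Created Last 30" listing above share a similar layout, and the first triage question an analyst asks of them is which new executables landed under system32 and whether they arrived together as one installer or update run. The following Python is an added example written for this thread, not code from ComboFix, DDS or the BleepingComputer team; it parses both layouts into records and groups system32 binaries by creation minute. The sample lines are constructed in the shape of the posted logs; the 30-day threshold in prebuilt_before_drop is an assumed heuristic.

```python
"""Triage helper for ComboFix 'Files Created' and DDS 'Created Last 30' listings."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# ComboFix layout: "<created> . <modified>    <size|-------->    <attrs>    <path>"
_COMBOFIX = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
# DDS layout: "<created with seconds>    <size|-------->    <attrs>    <path>"
_DDS = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+?)\s*$")

BINARY_EXTENSIONS = (".exe", ".dll", ".sys", ".cpl", ".scr")


@dataclass
class Entry:
    created: datetime
    modified: Optional[datetime]  # ComboFix only; DDS prints no mtime
    size: Optional[int]           # None for directories ("--------")
    attrs: str                    # e.g. "----a-w-", "d-sh--w-"
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_binary(self) -> bool:
        return (not self.attrs.startswith("d")
                and self.path.lower().endswith(BINARY_EXTENSIONS))


def _size(text: str) -> Optional[int]:
    return None if text.startswith("-") else int(text)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one listing line, or None for headers and blanks."""
    m = _COMBOFIX.match(line)
    if m:
        created, modified, size, attrs, path = m.groups()
        return Entry(datetime.strptime(created, "%Y-%m-%d %H:%M"),
                     datetime.strptime(modified, "%Y-%m-%d %H:%M"),
                     _size(size), attrs, path)
    m = _DDS.match(line)
    if m:
        created, size, attrs, path = m.groups()
        return Entry(datetime.strptime(created, "%Y-%m-%d %H:%M:%S"),
                     None, _size(size), attrs, path)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def system32_binaries(entries: List[Entry]) -> List[Entry]:
    """Executable code under system32 is what to look at first; an application
    folder the user installed on purpose is not."""
    return [e for e in entries
            if e.is_binary and e.path.lower().startswith("c:\\windows\\system32\\")]


def batches_by_minute(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group names by creation minute. Related components landing together
    read as one installer or update run; a lone drop stands out for review."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        groups[e.created.strftime("%Y-%m-%d %H:%M")].append(e.name)
    return dict(groups)


def prebuilt_before_drop(entries: List[Entry], days: int = 30) -> List[Entry]:
    """ComboFix entries whose mtime predates creation by more than `days`
    (assumed threshold): the file was built elsewhere and copied in, which is
    how a vendor update arrives."""
    return [e for e in entries if e.modified is not None
            and (e.created - e.modified).days > days]


# Constructed sample in the two layouts, shaped like the lines in this thread.
SAMPLE_LOG = r"""
2013-07-22 12:44 . 2013-07-22 12:44    12872    ----a-w-    c:\windows\system32\bootdelete.exe
2013-07-22 12:44 . 2013-07-22 12:44    30464    ----a-w-    c:\windows\system32\drivers\hitmanpro37.sys
2013-07-22 03:45 . 2012-06-02 22:19    53784    ----a-w-    c:\windows\system32\wuauclt.exe
2013-07-22 03:45 . 2012-06-02 22:19    45080    ----a-w-    c:\windows\system32\wups2.dll
2013-07-21 06:06 . 2013-07-21 06:06    --------    d-----w-    c:\program files\Avira
2013-07-24 12:29:31    101760    ----a-w-    c:\windows\system32\consent.exe
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for minute, names in sorted(batches_by_minute(system32_binaries(found)).items()):
        print(minute, names)
```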



#8 Weaver1
  • Topic Starter
  • Members
  • 95 posts

Posted 24 July 2013 - 11:13 AM

 Results of screen317's Security Check version 0.99.71  
 Windows 7  x86 (UAC is enabled)  
 Out of date service pack!!
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled!  
Avira Desktop   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 CCleaner     
 Adobe Flash Player     11.8.800.94  
 Mozilla Firefox (22.0)
````````Process Check: objlist.exe by Laurent````````  
 Avira Antivir avgnt.exe
 Avira Antivir avguard.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````



#9 Weaver1
  • Topic Starter
  • Members
  • 95 posts

Posted 24 July 2013 - 11:16 AM

So you know, I seem to have a "Windows Update" issue... I have run several full updates that seem to be redundant... I have it set to inform me before doing anything; I have been prompted three times, every time I have updated... I restart, a day or so goes by, Windows is installing without my permission, then later prompts me to update again. I have paid close attention and they seem to be redundant updates, nothing new...



#10 nasdaq
  • Malware Response Team
  • 39,543 posts
  • Location:Montreal, QC. Canada

Posted 24 July 2013 - 01:04 PM

Are you having problems updating the SP1 service pack and other updates?

Read the Microsoft article.

http://windows.microsoft.com/en-US/windows7/install-windows-7-service-pack-1

Follow the instructions on how to install.

If you get any error number, please quote it and we will take it from there.



