Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit.0Access - Unfortunately, I've Got It ....


  • This topic is locked This topic is locked
30 replies to this topic

#1 stillanovice

stillanovice

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maine
  • Local time:02:47 PM

Posted 24 July 2013 - 06:40 PM

Hello!

 

Today, we kept getting notices on the laptop that it was was infected with malicious programs.  I ran MBAM and deleted two items.  I just got another notice that we are infected again, so I ran MBAM again and Rootkit.0Access came up as the malicious software.  It came up as one of the two malicious softwares the first time I ran it today. 

 

Now that I've removed it with MBAM, how can I be sure it's gone for sure and for good!?  A copy of my log follows.  Thank you!

 

************************

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.22.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
user :: USER-HP [administrator]

7/24/2013 5:22:23 PM
MBAM-log-2013-07-24 (19-30-59).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 497506
Time elapsed: 1 hour(s), 57 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Maddy\AppData\Local\Google\Desktop\Install\{c12ae097-b346-22b9-e8c8-20dd60954359}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{c12ae097-b346-22b9-e8c8-20dd60954359}\U\000000cb.@ (Rootkit.0Access) -> No action taken.

(end)

 



BC AdBot (Login to Remove)

 


#2 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:47 PM

Posted 24 July 2013 - 07:10 PM

Hi and Welcome!!   
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.
  • IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

     
    Having said that....   vegeta_zps7f4345cf.gif   Let's get going!!  
    ----------
     
    Please download DDS from either of these links
     
    LINK 1
    LINK 2
     
    and save it to your desktop.
    • Disable any antivirus programs during the scan (If you have difficulty properly disabling your protective programs, refer to this link here )
    • Double click dds to run the tool.
    • When done, two DDS.txt's will open.
    • Save both reports to your desktop.
    ---------------------------------------------------
    Please include the contents of the following in your next reply:
     
    DDS.txt
     
    Attach.txt
    ----------
     
    aswmbr-1-1.jpg Please download aswMBR to your desktop.
    • Double click the aswMBR icon to run it.
    • Click the Scan button to start scan.
    • If you are asked to update the Avast Virus database please allow it to do so.
    • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
    aswmbrscan.jpg
    Click the image to enlarge it
    ----------

WFxJwA4.png
 
mvp_horizontal_fullcolor-(copy2).jpeg
 


#3 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:47 PM

Posted 26 July 2013 - 08:43 PM

Still need help??  :)


WFxJwA4.png
 
mvp_horizontal_fullcolor-(copy2).jpeg
 


#4 stillanovice

stillanovice
  • Topic Starter

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maine
  • Local time:02:47 PM

Posted 27 July 2013 - 01:06 PM

Yes, I still do ... won't be able to do the fixes until Sunday.  Will work on it then and post results.  :)  Thank you!



#5 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:47 PM

Posted 27 July 2013 - 02:01 PM

Ok sounds good. :)

WFxJwA4.png
 
mvp_horizontal_fullcolor-(copy2).jpeg
 


#6 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:47 PM

Posted 29 July 2013 - 01:36 PM

Still need help??


WFxJwA4.png
 
mvp_horizontal_fullcolor-(copy2).jpeg
 


#7 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:47 PM

Posted 31 July 2013 - 06:58 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

WFxJwA4.png
 
mvp_horizontal_fullcolor-(copy2).jpeg
 


#8 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:47 PM

Posted 04 August 2013 - 04:49 PM

At the OP's request, this topic has been reopened.  


WFxJwA4.png
 
mvp_horizontal_fullcolor-(copy2).jpeg
 


#9 stillanovice

stillanovice
  • Topic Starter

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maine
  • Local time:02:47 PM

Posted 04 August 2013 - 10:21 PM

I had to laugh ... now that we've reopened this topic, things have been running smoothly! :)  Requested Logs Follow:

 

Run by user at 23:11:44 on 2013-07-31
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1979.895 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\zumodrive.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Windows\system32\Macromed\Flash\FlashUtil64_11_3_300_265_ActiveX.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
uSearch Bar = Preserve
BHO: {5F815AD7-A955-4943-91C4-7A96C2932399} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Rich Media Downloader: {A7DF592F-6E2A-45C4-9A87-4BD217D714ED} -
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Arcadesafari BHO: {adff4c9a-4f49-4a1f-8885-360e107b7938} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [ZumoDrive] C:\Program Files (x86)\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
IE: {A7DF592F-6E2A-45C4-9A87-4BD217D714ED} - {A7DF592F-6E2A-45C4-9A87-4BD217D714ED} -
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{5234EEB6-9645-4B41-80B9-9D92E56E0DAB} : DHCPNameServer = 10.20.0.1
TCP: Interfaces\{7CCAF969-A696-496F-B8CC-70FF3A2DAD84} : DHCPNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{7CCAF969-A696-496F-B8CC-70FF3A2DAD84}\E4544574541425 : DHCPNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2012-5-1 98208]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-9-27 86528]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-7-21 103992]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-5 291896]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-9-11 399344]
R2 RtVOsdService;RtVOsdService Installer;C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe [2010-6-24 315392]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2010-9-29 31088]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2012-5-1 1041760]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-5-1 347680]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-5-6 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-2-15 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-5-5 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
.
=============== Created Last 30 ================
.
2013-07-30 16:48:13 76232 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A8FE8972-70BE-4AFD-B1F1-06B07F125F5F}\offreg.dll
2013-07-30 14:22:07 9460976 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A8FE8972-70BE-4AFD-B1F1-06B07F125F5F}\mpengine.dll
2013-07-22 21:41:05 -------- d-----w- C:\Users\user\AppData\Local\Adobe
2013-07-16 14:14:19 -------- d-----w- C:\Users\user\AppData\Local\Apple
2013-07-10 18:51:52 571904 ----a-w- C:\Program Files\Windows Defender\MpClient.dll
2013-07-10 18:50:52 1643520 ----a-w- C:\Windows\System32\DWrite.dll
2013-07-10 18:50:52 1247744 ----a-w- C:\Windows\SysWow64\DWrite.dll
2013-07-09 02:26:00 -------- d-----w- C:\Users\user\AppData\Local\Apple Computer
2013-07-02 23:25:53 33856 ---ha-w- C:\Windows\System32\hamachi.sys
2013-07-02 23:24:59 -------- d-----w- C:\Users\user\AppData\Local\LogMeIn Hamachi
2013-07-02 23:15:00 93976 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppluginrichmediaplayer.dll
.
==================== Find3M  ====================
.
2013-06-23 15:18:57 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-23 15:18:57 867240 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2013-06-23 15:18:57 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-06-11 23:43:37 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-06-11 23:43:00 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-06-11 23:42:58 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-06-11 23:42:58 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-06-11 23:26:20 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-06-11 23:25:16 3958784 ----a-w- C:\Windows\System32\jscript9.dll
2013-06-11 23:25:13 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-06-11 23:25:13 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-06-11 22:51:45 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-06-11 22:50:58 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-07 03:22:18 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-06-07 02:37:52 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-06-05 03:34:27 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-06-04 06:00:13 624128 ----a-w- C:\Windows\System32\qedit.dll
2013-06-04 04:53:07 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2013-05-13 05:51:01 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-05-13 05:51:00 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2013-05-13 05:51:00 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-05-13 05:50:40 52224 ----a-w- C:\Windows\System32\certenc.dll
2013-05-13 04:45:55 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-05-13 04:45:55 1160192 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-05-13 04:45:55 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-05-13 03:43:55 1192448 ----a-w- C:\Windows\System32\certutil.exe
2013-05-13 03:08:10 903168 ----a-w- C:\Windows\SysWow64\certutil.exe
2013-05-13 03:08:06 43008 ----a-w- C:\Windows\SysWow64\certenc.dll
2013-05-10 05:49:27 30720 ----a-w- C:\Windows\System32\cryptdlg.dll
2013-05-10 03:20:54 24576 ----a-w- C:\Windows\SysWow64\cryptdlg.dll
2013-05-08 06:39:01 1910632 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-05-06 06:03:49 1887744 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-05-06 04:56:35 1620480 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
.
============= FINISH: 23:12:32.26 ===============

 

 

 

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 5/1/2012 7:00:37 PM
System Uptime: 7/31/2013 10:57:26 PM (1 hours ago)
.
Motherboard: Hewlett-Packard |  | 1605
Processor: Intel® Celeron® CPU          900  @ 2.20GHz | CPU | 2194/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 214 GiB total, 100.555 GiB free.
D: is FIXED (NTFS) - 19 GiB total, 2.736 GiB free.
E: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP190: 7/23/2013 1:01:50 PM - Windows Update
RP192: 7/24/2013 2:59:28 PM - Windows Defender Checkpoint
RP194: 7/25/2013 3:29:45 PM - Windows Defender Checkpoint
RP196: 7/26/2013 4:58:50 PM - Windows Defender Checkpoint
RP198: 7/27/2013 5:09:29 PM - Windows Defender Checkpoint
RP199: 7/30/2013 10:21:13 AM - Windows Update
RP201: 7/31/2013 3:29:58 PM - Windows Defender Checkpoint
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Reader XI (11.0.03)
Adobe Shockwave Player 11.5
Agatha Christie - Peril at End House
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bejeweled 2 Deluxe
Blackhawk Striker 2
Blasterball 3
Blio
Bonjour
Bounce Symphony
Build-a-lot 2
Cake Mania
Canon PowerShot A4000 IS and A3400 IS and A2400 IS and A2300 and A1300 and A810 Camera User Guide
Canon Utilities CameraWindow DC 8
Canon Utilities ImageBrowser EX
Canon Utilities PhotoStitch
CCleaner
Chuzzle Deluxe
Compaq Setup Manager
CyberLink DVD Suite
CyberLink MediaShow
CyberLink PowerDVD 9
CyberLink YouCam
D3DX10
DHTML Editing Component
Diner Dash 2 Restaurant Rescue
Dora's World Adventure
eMazing Mazes
Energy Star Digital Logo
Escape Rosecliff Island
ESU for Microsoft Windows 7
Farm Frenzy
Fashion Solitaire
FATE
Final Drive Nitro
Google Toolbar for Internet Explorer
Google Update Helper
Heroes of Hellas 2 - Olympia
Hewlett-Packard ACLM.NET v1.2.1.1
HP Auto
HP Client Services
HP CloudDrive
HP Customer Experience Enhancements
HP Documentation
HP Game Console
HP Games
HP MovieStore
HP Photo Creations
HP Power Manager
HP Quick Launch
HP Setup
HP Software Framework
HP Support Assistant
HP Wireless Assistant
Intel® Graphics Media Accelerator Driver
Intel® Rapid Storage Technology
IrfanView (remove only)
iTunes
Java 7 Update 25
Java Auto Updater
Jewel Quest Solitaire 2
Junk Mail filter update
LabelPrint
LEGO Creator
LightScribe System Software
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Office 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Starter 2010 - English
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft WSE 3.0 Runtime
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mystery P.I. - The London Caper
Norton Online Backup
Origin
Peggle Nights 1.0
Penguins!
Plants vs. Zombies
PlayReady PC Runtime x86
Poker Superstars III
Polar Bowler
Polar Golfer
Power2Go
PowerDirector
Ralink RT2860 Wireless LAN Card
Realtek Ethernet Controller Driver For Windows 7
Realtek High Definition Audio Driver
Recovery Manager
Revo Uninstaller 1.94
RoxioNow Player
RtVOsd
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Synaptics Pointing Device Driver
The Sims 3 Teaser
The Sims™ 2 Sampler - Create-A-Sim
TONKA Firefighter
Turbo Lister 2
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Virtual Families
Virtual Villagers 4 - The Tree of Life
Wheel of Fortune 2
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WordPerfect Office 12
Zoo Tycoon: Complete Collection
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
.
7/31/2013 7:30:43 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the RtVOsdService service.
7/30/2013 3:56:31 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the HPWMISVC service.
7/30/2013 12:59:23 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
7/29/2013 4:35:26 PM, Error: Server [2505]  - The server could not bind to the transport \Device\NetBT_Tcpip_{7CCAF969-A696-496F-B8CC-70FF3A2DAD84} because another computer on the network has the same name.  The server could not start.
7/29/2013 10:26:03 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
7/26/2013 5:59:14 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSearch service.
7/26/2013 10:26:07 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WinDefend service.
7/25/2013 10:21:03 PM, Error: Schannel [36888]  - The following fatal alert was generated: 40. The internal error state is 107.
7/25/2013 10:21:03 PM, Error: Schannel [36874]  - An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
.
==== End Of File ===========================

 

 

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-08-01 09:25:25
-----------------------------
09:25:25.086    OS Version: Windows x64 6.1.7601 Service Pack 1
09:25:25.086    Number of processors: 1 586 0x170A
09:25:25.086    ComputerName: USER-HP  UserName: user
09:25:40.156    Initialize success
10:43:47.407    AVAST engine defs: 13080100
10:44:48.740    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
10:44:48.750    Disk 0 Vendor: Hitachi_ PB2O Size: 238475MB BusType: 3
10:44:48.900    Disk 0 MBR read successfully
10:44:48.900    Disk 0 MBR scan
10:44:48.940    Disk 0 unknown MBR code
10:44:48.960    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
10:44:48.970    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       218855 MB offset 409600
10:44:49.000    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        19316 MB offset 448624640
10:44:49.020    Disk 0 Partition 4 00     0C    FAT32 LBA MSDOS5.0      103 MB offset 488183808
10:44:49.170    Disk 0 scanning C:\Windows\system32\drivers
10:45:00.357    Service scanning
10:45:33.240    Modules scanning
10:45:33.250    Disk 0 trace - called modules:
10:45:33.610    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys
10:45:33.610    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800446c400]
10:45:33.620    3 CLASSPNP.SYS[fffff880011b143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8002206050]
10:45:34.380    AVAST engine scan C:\Windows
10:45:36.531    AVAST engine scan C:\Windows\system32
10:48:51.369    AVAST engine scan C:\Windows\system32\drivers
10:49:04.860    AVAST engine scan C:\Users\user
10:50:23.130    Disk 0 MBR has been saved successfully to "C:\Users\user\Desktop\MBR.dat"
10:50:23.140    The log file has been saved successfully to "C:\Users\user\Desktop\aswMBR.txt"
10:56:15.966    AVAST engine scan C:\ProgramData
10:59:49.183    Scan finished successfully
23:20:25.293    Disk 0 MBR has been saved successfully to "C:\Users\user\Documents\MBR.dat"
23:20:25.315    The log file has been saved successfully to "C:\Users\user\Documents\aswMBR.txt"
 



#10 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:47 PM

Posted 05 August 2013 - 06:27 AM

No problem....I still see some entries in the logs you provided that need to be removed so this is a good thing...   :)
 
ComboFix
 
Download Combofix from either of the links below, and save it to your desktop.  
Link 1
Link 2
 
**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


 
--------------------------------------------------------------------
 
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
 
--------------------------------------------------------------------
 
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

WFxJwA4.png
 
mvp_horizontal_fullcolor-(copy2).jpeg
 


#11 stillanovice

stillanovice
  • Topic Starter

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maine
  • Local time:02:47 PM

Posted 05 August 2013 - 11:30 AM

Hello!

 

I did the combofix, got the log and was going to get online to paste it in here, but I got the following notice:

 

C:/Program files/internext explorer/iexplore.exe

 

Illegal operation attempted on a registry key that has been marked for deletion.

 

I had to use a different computer to send you this message.  I will try not to panic..... :)



#12 stillanovice

stillanovice
  • Topic Starter

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maine
  • Local time:02:47 PM

Posted 05 August 2013 - 08:25 PM

I reread my last post .... this might make more sense:

 

With Windows, we have 3 usernames.  I've been doing the instructions you provided while on Username "A".  Internet Explorer won't let Username "A" go online - I get the warning I referred to in my last post.  I checked Username "B" and I am able to get online with that username; however, I can't access the logs (or don't know how to) with Username "B" in order to post the logs here. 



#13 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:47 PM

Posted 05 August 2013 - 09:15 PM

If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.

:)
 
Once you restart your system once or twice, go ahead and post the log.


WFxJwA4.png
 
mvp_horizontal_fullcolor-(copy2).jpeg
 


#14 stillanovice

stillanovice
  • Topic Starter

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maine
  • Local time:02:47 PM

Posted 07 August 2013 - 09:17 AM

That worked - thank you!  Here you go ...

 

 

 

ComboFix 13-08-07.01 - user 08/07/2013   9:19.5.1 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1979.908 [GMT -4:00]
Running from: c:\users\user\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\user\AppData\Local\Temp\{28D407C1-9F7D-4BD2-9A04-D5DE849FB7BD}\fpb.tmp
c:\users\user\AppData\Local\Temp\libsqlitejdbc-8013600149207715575.lib
c:\users\user\AppData\Local\Temp\swt-gdip-win32-3448.dll
c:\users\user\AppData\Local\Temp\swt-win32-3448.dll
c:\users\user\AppData\Local\Temp\WindowsAPI.dll1403411812700700778.lib
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-07 to 2013-08-07  )))))))))))))))))))))))))))))))
.
.
2013-08-07 13:32 . 2013-08-07 13:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-08-07 13:32 . 2013-08-07 13:32 -------- d-----w- c:\users\Maddy\AppData\Local\temp
2013-08-07 13:32 . 2013-08-07 13:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-07 13:32 . 2013-08-07 13:32 -------- d-----w- c:\users\Cal\AppData\Local\temp
2013-08-06 14:24 . 2013-07-02 08:34 9460976 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9EEC0D0F-6444-4CD2-B63A-5AA08331F4B0}\mpengine.dll
2013-08-04 16:16 . 2013-08-04 16:16 -------- d-----w- c:\users\Maddy\AppData\Local\Apple
2013-08-04 16:16 . 2013-08-04 16:16 -------- d-----w- c:\users\Maddy\AppData\Local\Apple Computer
2013-07-22 21:41 . 2013-07-22 21:41 -------- d-----w- c:\users\user\AppData\Local\Adobe
2013-07-16 14:14 . 2013-07-16 14:14 -------- d-----w- c:\users\user\AppData\Local\Apple
2013-07-15 20:49 . 2013-07-15 20:56 -------- d-----w- c:\users\Maddy\AppData\Roaming\ftblauncher
2013-07-10 18:51 . 2013-05-27 05:50 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll
2013-07-10 18:50 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-07-10 18:50 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-07-09 02:26 . 2013-07-11 16:22 -------- d-----w- c:\users\user\AppData\Local\Apple Computer
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-11 15:38 . 2013-03-20 16:13 78185248 ----a-w- c:\windows\system32\MRT.exe
2013-06-23 15:18 . 2013-06-23 15:19 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-23 15:18 . 2012-06-17 15:00 867240 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-06-23 15:18 . 2010-10-16 19:35 789416 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-05-16 15:04 . 2010-06-24 18:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-13 05:51 . 2013-06-12 11:50 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-05-13 05:51 . 2013-06-12 11:50 1464320 ----a-w- c:\windows\system32\crypt32.dll
2013-05-13 05:51 . 2013-06-12 11:50 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-05-13 05:50 . 2013-06-12 11:50 52224 ----a-w- c:\windows\system32\certenc.dll
2013-05-13 04:45 . 2013-06-12 11:50 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-05-13 04:45 . 2013-06-12 11:50 1160192 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-05-13 04:45 . 2013-06-12 11:50 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-05-13 03:43 . 2013-06-12 11:50 1192448 ----a-w- c:\windows\system32\certutil.exe
2013-05-13 03:08 . 2013-06-12 11:50 903168 ----a-w- c:\windows\SysWow64\certutil.exe
2013-05-13 03:08 . 2013-06-12 11:50 43008 ----a-w- c:\windows\SysWow64\certenc.dll
2013-05-10 05:49 . 2013-06-12 11:51 30720 ----a-w- c:\windows\system32\cryptdlg.dll
2013-05-10 03:20 . 2013-06-12 11:51 24576 ----a-w- c:\windows\SysWow64\cryptdlg.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{A7DF592F-6E2A-45C4-9A87-4BD217D714ED}]
c:\users\user\AppData\Local\Rich Media Player\BrowserExtensions\IE\RichMediaDownloader.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{adff4c9a-4f49-4a1f-8885-360e107b7938}]
2010-11-05 01:58 297808 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-05-17 39408]
"ZumoDrive"="c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ZumoLauncher.lnk" [2012-05-30 2080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R1 btubjkdi;btubjkdi;c:\windows\system32\drivers\btubjkdi.sys;c:\windows\SYSNATIVE\drivers\btubjkdi.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe;c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
R2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe;c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-08-16 20:43 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-05-17 17:24]
.
2013-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-05-17 17:24]
.
2013-08-05 c:\windows\Tasks\HPCeeScheduleForUSER-HP$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
2013-07-18 c:\windows\Tasks\HPCeeScheduleForuser.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-09-23 04:53 2210304 ----a-w- c:\program files (x86)\Hewlett-Packard\HP CloudDrive\ShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-29 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-29 391192]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-29 410648]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-09-22 6489704]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: {{A7DF592F-6E2A-45C4-9A87-4BD217D714ED} - {A7DF592F-6E2A-45C4-9A87-4BD217D714ED} - c:\users\user\AppData\Local\Rich Media Player\BrowserExtensions\IE\RichMediaDownloader.dll
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{5F815AD7-A955-4943-91C4-7A96C2932399} - (no file)
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe
.
**************************************************************************
.
Completion time: 2013-08-07  09:38:52 - machine was rebooted
ComboFix-quarantined-files.txt  2013-08-07 13:38
ComboFix2.txt  2013-08-05 16:22
.
Pre-Run: 108,549,160,960 bytes free
Post-Run: 108,480,729,088 bytes free
.
- - End Of File - - 46A2F18D51A67578E78CB71906C12584
D41D8CD98F00B204E9800998ECF8427E



#15 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:47 PM

Posted 07 August 2013 - 09:57 AM

Please go to: VirusTotal
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.
 
c:\windows\SYSNATIVE\drivers\btubjkdi.sys
 
Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.
----------


WFxJwA4.png
 
mvp_horizontal_fullcolor-(copy2).jpeg
 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users