Very Advanced Virus Infection


  • This topic is locked
43 replies to this topic

#1 Jim Eddy

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:32 AM

Posted 22 August 2013 - 12:01 PM

Hello Bleepers,

 

My Vista machine is moribund.  It no longer talks to the internet.  Many applications will not launch.  An attempt to launch some applications will think for a minute and then return without launching anything.  Other applications will launch after about 10 minutes or so.

 

The machine in question had the FBI MoneyPak virus.  I was able to fight through that with safe mode to the point of being able to boot up and access the machine in normal mode.  For a while the machine seemed to behave ok.  But I am convinced that infection, or some other infection, remains because the behavior of the machine has degraded steadily.  The last thing it did was forget the file-extension/launch-application associations.  It now attempts to open .txt files with Paint.

 

msconfig Startup tab has the entry:

 

regmonstd     Unknown

 

this entry has the command:

 

C:\Windows\System32\rundll32.exe C:\Users\JimEddy\AppData\Local\Temp\b34btbztdb0vavaw.exe,XFG00

 

The location of regmonstd was in my personal startup folder.  The target b34btbztdb0vavaw.exe is not in the target Temp folder and does not appear to exist on the machine.  The target Temp folder does contain many <randomNumber>.od files and many CVR<randomNumber>.cvr files.

 

I disabled the entry in my msconfig Startup list.

 

Here is the text of the dds.txt file.

 

==================================

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16496  BrowserJavaVersion: 10.25.2
Run by JimEddy at 16:02:58 on 2013-08-21
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\CISVC.EXE
C:\Program Files\DebugDiag\DbgSvc.exe
C:\Program Files\Dell\PowerNap\PowerNap.Service.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
C:\Program Files\Intel\AMT\LMS.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\McAfee\MSC\McAPExe.exe
C:\Windows\system32\mfevtps.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\Roxio 2010\5.0\CPMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Environment\Folders\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\PowerNap\PowerNap.exe
C:\Program Files\Dell\PowerNap\PowerNapWatcher.exe
C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\msdtc.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\mcafee.com\agent\McUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\cidaemon.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\dllhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
uProxyServer = hxxp=127.0.0.1:49176;https=127.0.0.1:49176
uProxyOverride = <-loopback>
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
dURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - <orphaned>
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: IePasswordManagerHelper Class: {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Taskbar Shuffle] c:\environment\folders\taskbar shuffle\taskbarshuffle.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatchTray12.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [ACWlIcon] c:\program files\thinkpad\connectutilities\ACWlIcon.exe
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [CreateLMBCShortCut] "c:\program files\lenovo\mobile broadband connect\UserShortcutCreator.exe"
mRun: [CPMonitor] "c:\program files\roxio 2010\5.0\CPMonitor.exe"
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcpltui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: mcafee.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {BAD4FE2C-503B-45CC-88CD-4B0574057D11} - hxxp://clients.futuremark.com/calico/systeminfodeploy/FMSI_v460.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 204.186.110.76 204.186.80.251 216.144.187.199
TCP: Interfaces\{0ACD7248-79F1-4C13-9806-A50B07C7862F} : DHCPNameServer = 204.186.110.76 204.186.80.251 216.144.187.199
TCP: Interfaces\{A7C72638-EC15-4741-8D97-150C33341983} : NameServer = 0.0.0.0
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages =  scecli ACGina
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\28.0.1500.72\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R? ADExchange;ArcSoft Exchange Service
R? ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? cpuz132;cpuz132
R? DLPortIO;DriverLINX Port I/O Driver
R? Futuremark SystemInfo Service;Futuremark SystemInfo Service
R? HipShieldK;McAfee Inc. HipShieldK
R? ivusb;Initio Driver for USB Default Controller
R? LENOVO.MICMUTE;Lenovo Microphone Mute
R? mfebopk;McAfee Inc. mfebopk
R? mfencrk;McAfee Inc. mfencrk
R? MUXMP;My WiFi PAN MUX-IM Virtual Miniport Driver
R? MUXP;My WiFi PAN Mux-IM Protocol Driver
R? MyWiFiDHCPDNS;Wireless PAN DHCP Server
R? regi;regi
R? RoxMediaDB10;RoxMediaDB10
R? RoxWatch12;Roxio Hard Drive Watcher 12
R? SessionLauncher;SessionLauncher
R? SkypeUpdate;Skype Updater
R? WDC_SAM;WD SCSI Pass Thru driver
R? WinRing0_1_2_0;WinRing0_1_2_0
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? AMD External Events Utility;AMD External Events Utility
S? cfwids;McAfee Inc. cfwids
S? DbgSvc;Debug Diagnostic Service
S? dell_power_nap_service;Dell Power Nap Service
S? e1yexpress;Intel® Gigabit Network Connections Driver
S? FontCache;Windows Font Cache Service
S? HomeNetSvc;McAfee Home Network
S? intelkmd;intelkmd
S? LENOVO.CAMMUTE;Lenovo Camera Mute
S? lenovo.smi;Lenovo System Interface Driver
S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service
S? McAPExe;McAfee AP Service
S? McMPFSvc;McAfee Personal Firewall
S? McNaiAnn;McAfee VirusScan Announcer
S? mcpltsvc;McAfee Platform Services
S? McProxy;McAfee Proxy Service
S? mfeavfk;McAfee Inc. mfeavfk
S? mfecore;McAfee Anti-Malware Core
S? mfefire;McAfee Firewall Core Service
S? mfefirek;McAfee Inc. mfefirek
S? mfehidk;McAfee Inc. mfehidk
S? mfencbdc;McAfee Inc. mfencbdc
S? mfevtp;McAfee Validation Trust Protection Service
S? mfewfpk;McAfee Inc. mfewfpk
S? MOBKbackup;McAfee Online Backup
S? MOBKFilter;MOBKFilter
S? NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit
S? PMBDeviceInfoProvider;PMBDeviceInfoProvider
S? Power Manager DBC Service;Power Manager DBC Service
S? RoxMediaDB12;RoxMediaDB12
S? TPDIGIMN;TPDIGIMN
S? TPHKSVC;On Screen Display
S? TVT Backup Protection Service;TVT Backup Protection Service
S? TVTI2C;Lenovo SM bus driver
S? uCamMonitor;CamMonitor
S? UNS;Intel® Active Management Technology User Notification Service
.
=============== File Associations ===============
.
FileExt: .txt: Applications\mspaint.exe="c:\windows\system32\mspaint.exe" "%1" [UserChoice] [default=edit - 'Open' doesn't exist]
FileExt: .chm: Applications\notepad.exe=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
FileExt: .inf: inffile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2013-07-19 13:29:26 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-19 13:29:25 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-10 00:27:29 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-10 00:27:06 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-10 00:27:05 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-04 01:50:43 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-06-01 04:06:08 505344 ----a-w- c:\windows\system32\qedit.dll
2013-05-29 01:50:14 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-05-29 01:41:52 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-05-29 01:41:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-05-29 01:37:15 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-05-29 01:36:09 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-05-29 01:33:22 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2001-09-28 21:00:28 164864 ------w- c:\program files\UNWISE.EXE
.
============= FINISH: 16:04:12.08 ===============
 

The attach.txt file is attached.

 

Please let me know what should be my next move.

 

Thank you.

 

Jim Eddy
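The startup command, the loopback proxy, the EnableLUA policy and the .txt association quoted in the post above are the kinds of DDS report lines a triage script can flag automatically. The following is an added example, not code from DDS, AdwCleaner, JRT or anyone in this thread; it runs a few defender-side heuristics over constructed sample lines built from the values quoted above (the rule names and the `uRun: [regmonstd]` line are assumptions made for illustration).

```python
"""Triage heuristics for lines in a DDS-style 'Pseudo HJT Report'.

Added example for this thread; not part of DDS, AdwCleaner or JRT.
It flags: a proxy pointing at the loopback address, rundll32 loading a
module from a Temp folder (or a module that is not a .dll), UAC turned
off via EnableLUA=0, and a text-file extension whose handler is no longer
a text editor.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the DDS report layout, using the values quoted in
# the post above plus one benign control line per rule. The regmonstd
# line is an assumption built from the msconfig entry the poster quoted.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com/
uProxyServer = hxxp=127.0.0.1:49176;https=127.0.0.1:49176
uProxyOverride = <-loopback>
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [regmonstd] C:\Windows\System32\rundll32.exe C:\Users\JimEddy\AppData\Local\Temp\b34btbztdb0vavaw.exe,XFG00
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mPolicies-System: EnableLUA = dword:0
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
FileExt: .txt: Applications\mspaint.exe="c:\windows\system32\mspaint.exe" "%1" [UserChoice]
FileExt: .inf: inffile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
"""


@dataclass
class Finding:
    rule: str    # short rule name (assumed names, chosen for this example)
    line: str    # the report line that triggered the rule
    detail: str  # human-readable explanation for the analyst


# Extensions whose default handler should be a plain text editor.
TEXT_EXTS = {".txt", ".log", ".ini"}
TEXT_EDITORS = ("notepad", "txtfile")

RE_PROXY = re.compile(r"^uProxyServer\s*=\s*(?P<value>.+)$", re.I)
RE_LOOPBACK = re.compile(r"\b(?:127\.0\.0\.1|localhost)\b", re.I)
# rundll32[.exe] <module>,<export>  (module may be quoted)
RE_RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<module>[^,"]+)"?,', re.I)
RE_LUA = re.compile(r"^[um]Policies-System:\s*EnableLUA\s*=\s*dword:0\b", re.I)
RE_FILEEXT = re.compile(r"^FileExt:\s*(?P<ext>\.\w+):\s*(?P<handler>.+)$", re.I)


def check_line(line: str) -> List[Finding]:
    """Apply every rule to one report line; returns zero or more findings."""
    out: List[Finding] = []

    m = RE_PROXY.match(line)
    if m and RE_LOOPBACK.search(m.group("value")):
        out.append(Finding("loopback-proxy", line,
                           "browser traffic routed through a local proxy: " + m.group("value")))

    m = RE_RUNDLL.search(line)
    if m:
        module = m.group("module").strip()
        low = module.lower()
        # Legitimate rundll32 entries load a .dll from an installed program
        # folder; a Temp-folder path or a non-.dll module is worth a look.
        if "\\temp\\" in low or not low.endswith(".dll"):
            out.append(Finding("rundll32-temp-module", line,
                               "rundll32 loading a non-DLL or Temp-folder module: " + module))

    if RE_LUA.match(line):
        out.append(Finding("uac-disabled", line, "EnableLUA=0 turns User Account Control off"))

    m = RE_FILEEXT.match(line)
    if m and m.group("ext").lower() in TEXT_EXTS:
        handler = m.group("handler").lower()
        if not any(editor in handler for editor in TEXT_EDITORS):
            out.append(Finding("fileext-hijack", line,
                               m.group("ext") + " no longer opens with a text editor: " + handler))
    return out


def analyze_report(text: str) -> List[Finding]:
    """Run check_line over every non-empty line of a DDS report."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line != ".":  # DDS uses lone '.' lines as separators
            findings.extend(check_line(line))
    return findings


if __name__ == "__main__":
    for f in analyze_report(SAMPLE_REPORT):
        print("[" + f.rule + "] " + f.detail)
```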

 


 


#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:32 AM

Posted 23 August 2013 - 03:06 AM


Hello Jim Eddy

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Jim Eddy (Topic Starter)

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:32 AM

Posted 24 August 2013 - 11:38 AM

Hello Gringo,

Thank you for your help. I believe that there has been some progress. Attached later on in this post are both the AdwCleaner[S0].txt file and the JRT.txt file. Both finished to completion although JRT threw an error along the way. More about that later.

Before reporting on the AdwCleaner and the JRT I want to fill in some things about the behavior of this computer that ought to have been included in my first post.

When the machine boots up it displays this error after the desktop comes up but before the Sidebar:

Task Scheduler Engine has stopped working.
A problem caused the program to stop working correctly.
Windows will close the program and notify you if a
solution is available.

After I click Ok a message is displayed above the notification area that says:

Task Scheduler Engine was closed to help protect your
computer. Data Execution Prevention has closed Task
Scheduler Engine.

This has happened for about the last year whenever the machine is booted stand alone (not connected to its docking station). In order to keep the situation as simple as possible I no longer boot this machine in its docking station. Wireless is, and has been, turned off for the last several months. The only communication that this machine has with the outside world are files that I put on it from a USB flash drive.

As I mentioned in my first post the behavior of the machine has degraded steadily for the last month or so. During this period the Explorer has started to freeze. It freezes one time about 15 minutes or so after each reboot. The freeze lasts about a minute or so and then Explorer is stopped and restarted. It seems to do this once for each reboot.

After reboot there is very much disk activity. Sometimes it is McAfee. Many times it is something else. I don’t know what.

All of this happens without Internet Explorer being launched.


Now come my adventures with AdwCleaner and Junkware Removal Tool (JRT). As I mentioned above they both ran to completion and there are log files posted below. I hope, Gringo, that you will not mind if I include information about how the exercise went. There are parts of this that may not be helpful for virus removal from this computer, but they may be very helpful to others who may read this post. If you want to skip this part just skip down to the marker below.

I learned a very valuable lesson. In your post you instructed me to download and run AdwCleaner and Junkware Removal Tool. I Googled AdwCleaner and went to one of the first hits that were returned. It was to something called JoyDownload. That was a mistake. The download wizard offered to download about 6 items of junkware. When I dismissed them all the only thing that was downloaded was a program that offered to download 6 items of junkware. The thing that downloaded claimed that it was AdwCleaner but it was not. It was about 480K bytes on the desktop. AdwCleaner never came down.

I next attempted to download AdwCleaner from CNET. That was a bigger mistake. That site also offered a different collection of junkware. I carefully dismissed all of it. This did download AdwCleaner but it also installed something called AGV Safeguard Toolbar. (more than 700K bytes this time). It changed my homepage and search engine. It did leave an entry AGV Safeguard Toolbar in the installed programs list but attempts to uninstall it did nothing.

My struggle to get rid of AGV Safeguard Toolbar and its associated junkware took all day. Ultimately I ended up clobbering IE 10 on that machine. That machine is brand new and talks to the internet. Attempts to reinstall IE 10 failed. Microsoft provides a long list of things to try to fix the problem. Nothing worked. At the bottom of the list is the advice to call the computer manufacturer (Lenovo). I did that. Lenovo offered to send me recovery media, but that was it.

Ultimately I discovered that IE 10 could be installed from a different Microsoft site. That worked. My new computer is apparently healthy and has no remaining vestige of AGV Safeguard Toolbar.

All of this took the better part of a day. It is for that reason that it has taken me until the next day to respond with this post.

At this point it was clear what had been my mistake. I went back to Google and discovered that AdwCleaner could be downloaded from Bleeping Computer. I had not noticed that. Bummer. When I downloaded AdwCleaner from Bleeping Computer it came down clean with no junkware offers. That is a mistake that I will not make again.

I next downloaded Junkware Removal Tool (JRT) from Bleeping Computer. That came down quickly with no collateral damage. I moved AdwCleaner and JRT to the sick computer.

Below follows those results.


AdwCleaner ran quickly and produced this report:



# AdwCleaner v3.000 - Report created 23/08/2013 at 16:54:42
# Updated 20/08/2013 by Xplode
# Operating System : Windows Vista ™ Home Basic Service Pack 2 (32 bits)
# Username : JimEddy - RATHBONE
# Running from : C:\Users\JimEddy\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\blekko toolbars
Folder Deleted : C:\ProgramData\WeCareReminder
Folder Deleted : C:\Users\JimEddy\AppData\Local\Conduit
Folder Deleted : C:\Users\JimEddy\AppData\Local\SwvUpdater
Folder Deleted : C:\Users\JimEddy\AppData\LocalLow\Conduit
File Deleted : C:\END
File Deleted : C:\Windows\System32\Tasks\AmiUpdXp

***** [ Shortcuts ] *****

Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft XNA Game Studio 3.1\XNA Game Studio Documentation.lnk
Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Visual Studio 2008\Microsoft Visual Studio 2008 Documentation.lnk

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jcdgjdiieiljkfkdcloehkohchhpekkn
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\pmiFileFmtLib.cFile
Key Deleted : HKLM\SOFTWARE\Classes\pmiFileFmtLib.cFileFormat
Key Deleted : HKLM\SOFTWARE\Classes\pmiFileFmtLib.cFileWizard
Key Deleted : HKLM\SOFTWARE\Classes\pmiFileFmtLib.cPosition
Key Deleted : HKLM\SOFTWARE\Classes\pmiFileFmtLib.cScriptItem
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9D425283-D487-4337-BAB6-AB8354A81457}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{9D425283-D487-4337-BAB6-AB8354A81457}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{9D425283-D487-4337-BAB6-AB8354A81457}]
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Description
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Anti-phishing Domain Advisor

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16496


-\\ Google Chrome v28.0.1500.72

[ File : C:\Users\JimEddy\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage
Deleted : urls_to_restore_on_startup

*************************

AdwCleaner[R0].txt - [4644 octets] - [23/08/2013 16:53:52]
AdwCleaner[S0].txt - [4064 octets] - [23/08/2013 16:54:42]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4124 octets] ##########



Next I attempted to run JRT. Following my instructions I attempted to turn off the virus protection software on the machine. This is McAfee. It is not clear that the McAfee software has not been hijacked and gone over to the dark side. The user interface agent would not launch either from the notification area or from the menu. It is not possible to turn off the firewall or the real time scanning through the interface. I tried clobbering McAfee in the Task Manager. Some of it would stay dead but some would come back. I unchecked McAfee in msconfig Startup tab and rebooted. After waiting for all the furious disk access to settle down and for Explorer to freeze and restart I ran JRT. It threw up an empty Command Prompt Window and did nothing. Looking at it in the Task Manager showed it to be getting 0 cpu and its memory footprint was about 1000k. After waiting a very long time it displayed this in the Command Prompt Window:

[ ]
[ Junkware Removal Tool (JRT) by Thisisu ]
[ Version 5.5.4 (08.22.2013:1) ]
[ Information about this tool can be found at ]
[ www.thisisudax.org ]
[ ]
[ ]
[ Please save any work in your browsers before proceeding. ]
[ Your desktop may temporarily disappear during this scan. ]
[ A Windows Explorer window may also open. ]
[ These actions are normal. Don't panic. ]
[ ]
[ ** DISCLAIMER ** ]
[ ]
[ This software is provided "as is" without ]
[ warranty of any kind. You may use this software ]
[ at your own risk. ]
[ ]
[ Click the [X] in the top-right corner of this window ]
[ if you wish to exit. Otherwise, ]
================================================================

Press any key to continue . . .

After pressing the any key it sat for several minutes. I went away from the display and came back about half an hour later. The display had updated with these additional lines:

Creating a registry backup
Checking Startup
Checking Modules

After another half an hour or so the display updated to:

Creating a registry backup
Checking Startup
Checking Modules
ERROR: Server execution failed
Checking Processes

I boosted its priority in the Task Manager. Nonetheless, here it sat for about 3 hours when I gave up for the night. It was not clear that it was doing anything. I have no cpu meter left on this machine. The Task Manager showed it to be getting 0 cpu time. Its footprint in memory had shrunk down to 204K.

I surmise that it is starved of cpu time and for memory by dark side software that seems to dominate the machine.

When I looked at the machine the next morning it had finished! Amazing. The JRT.txt file is here:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.4 (08.22.2013:1)
OS: Windows Vista ™ Home Basic x86
Ran by JimEddy on Fri 08/23/2013 at 18:06:41.95
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3289847
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{412FB793-273B-445E-A571-0B5095C90715}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{64809273-CB73-4FD0-8A9F-A0B60F2773F3}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\JimEddy\appdata\local\cre"
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{057EE3D0-85C5-4302-8264-18481239F96E}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{08617D0D-9E97-4A7A-988A-D2A2045032ED}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{166722E2-1766-4A57-ACF6-13BAAAF30F9D}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{1FABEBBA-3821-4DDB-AE7E-D39AC23EF484}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{386A8DA8-02DD-4FB2-8825-9821F484B23F}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{42BFD647-9FA3-459A-9D51-16F7180EDB6B}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{451C5F43-F7A5-4FA9-9755-98A6F127EC07}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{48363C31-6D4B-4DB1-9709-3DA5B1A60D45}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{56F181B3-B102-485A-80D1-B5ACBB56F03F}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{5808F720-B11D-4809-A2EF-CAFDFD16A0C8}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{93DACC41-A1D0-4DAA-B11F-610225124506}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{9648E98E-19C3-4764-A7BF-208304D9ED25}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{988B6134-E8AA-4395-B3E1-76A55B33687D}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{A3762901-87AE-44F4-BBF6-A181EA31B465}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{C2716CC7-4A2A-4590-BC83-E8521E5E836B}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{D047DC65-FB10-4F68-8B38-3719E21B1271}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{D9BD0215-D468-47B0-B167-58D97F450DBD}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{DF2E0D63-6EC1-4D4B-885D-913A4CCBC27C}
Successfully deleted: [Empty Folder] C:\Users\JimEddy\appdata\local\{E2F3AB50-4179-4276-82FF-9D06FD07F34D}



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 08/23/2013 at 23:43:59.18
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note that the scan started at 6:06 PM and finished at 11:43 PM.

Note that it threw an error.



Notes on how the machine is currently running.

I rebooted the machine. It threw up the same message as reported above about the Task Scheduler Engine not working and being stopped by Data Execution Prevention.

The machine goes through its usual sequence of furious disk accesses.

After the first reboot Explorer has not yet frozen and the disk has calmed down after about 15 minutes. Reboot again with McAfee re-enabled.

Same Task Scheduler message. However, this time closing that message threw up a message offering to debug the problem in Visual Studio. I had not seen that before (or perhaps in a long time).

The McAfee icon does show up in the notification area. The McAfee UI Agent will open from either the notification area icon or the start menu but it is not clear which one. After attempting to launch, the program waited about 45 minutes before coming up. McAfee's opinion is that the computer is secure and that no action is required. This is very irritating. Attempts to close McAfee throw up a message that McAfee is not responding. Selecting Close the Program on the windows message box does close McAfee after about 10 seconds.

In about an hour Explorer has not frozen and does seem more responsive. The furious disk activity has gone away after about 15 minutes after reboot. This seems more normal.

It does appear that the machine is running better.

I am eager to learn what are the next steps to take.

Thank you for your help.

Jim

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 August 2013 - 02:55 PM


Hello Jim Eddy

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Jim Eddy

Jim Eddy
  • Topic Starter

  • Members
  • 24 posts

Posted 25 August 2013 - 11:57 AM

Hello Gringo,

Thank you for your help. I believe that there has been some progress.

Following your instructions I downloaded ComboFix and moved it onto the sick machine. I downloaded it from Bleeping Computer so it came down without incident.

It was difficult to follow your instruction to turn off virus protection. The virus protection on the infected machine is McAfee. The instructions provided on Bleeping Computer all involve opening McAfee Security Center or invoking the icon in the notification area. Neither of these will work since the virus on the machine prevents McAfee from being invoked. I tried disabling McAfee services but four of them kept coming back. It turns out that McAfee services are set up not to allow disabling. In order to turn off McAfee it was necessary to uninstall it. At length I uninstalled McAfee.

I ran ComboFix. It threw up a green command prompt window and said that it was saving items from the registry. It got to the end of a long list and then the display remained the same for about 10 minutes. Then the display disappeared and a blue command prompt window appeared. That window displayed the text:

Please wait
ComboFix is preparing to run.

After about 2 minutes it displayed the message:

Scanning for infected files
Typically this does not take more than 10 minutes.
Badly infected machines may take twice as long.

After 5 minutes a message box came up that said:

You are infected with Rootkit.ZeroAccess.
The virus has inserted itself into the tcp/ip stack.
This is a difficult virus infection.

It was a long message that included the suggestion that ComboFix should be run again after the first run finishes. The message box offered an ok box but I did not click it.

After about 2 minutes the message box went away and was replaced with a second message box that said:

Rootkit Detected.

The message box offered an ok box but I did not click it.

After about 2 minutes this message box went away and was replaced with a third message box that said:

Rootkit Activity Detected
ComboFix needs to reboot the machine

It offered an ok box. After waiting in vain for something to happen I clicked the ok box. The machine restarted.

About 10 minutes after the machine came back up it put up a command prompt window that said:

Completed stage 1
Completed stage 2

After about 2 minutes it added:

Completed stage 3

After about 5 minutes it added:

Completed stage 4

After about 2 minutes

Completed stage 5

After about 2 minutes

Completed stage 6
through
Completed stage 32

After about 2 minutes

Completed stage 32a
through
Completed stage 98.

Then the command prompt window went away and was replaced with a second command prompt window that said something like:

ComboFix needs to reboot the machine.
Do not reboot the machine manually.
Allow ComboFix to reboot the machine.

After about 5 minutes the machine shutdown.

Almost.

It shut down to the point where there was no more disk activity. However the processor was doing something. The fan came on. If the power was unplugged there was a beep. If the power was plugged in again there was a beep.

It seemed to me that if I were to follow the instruction in the command prompt window I would wait forever. I searched the web on my other machine. Some pundit said to wait until you are sick of it and then force the machine down with the power button. I waited for half an hour, lost patience, and forced the machine down with the power button. Then I restarted the machine and it came right up.

When the machine was fully up a command prompt window came up and said that a report was being generated. It cranked for 5 minutes or so and then produced the report. This is the report.


ComboFix 13-08-22.01 - JimEddy 08/25/2013 9:07.1.2 - x86
Running from: c:\users\JimEddy\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\INSTALL.LOG
c:\programdata\61B7A4DB04.sys
c:\programdata\Roaming
c:\users\JimEddy\AppData\Local\assembly\tmp
c:\users\JimEddy\GoToAssistDownloadHelper.exe
c:\windows\$NtUninstallKB45143$
c:\windows\$NtUninstallKB45143$\3015747409
c:\windows\msvcr71.dll
c:\windows\system32\~GLH0036.TMP
c:\windows\system32\~GLH0037.TMP
c:\windows\system32\~GLH0038.TMP
c:\windows\system32\~GLH0039.TMP
c:\windows\system32\~GLH003a.TMP
c:\windows\system32\~GLH003b.TMP
c:\windows\system32\~GLH003c.TMP
c:\windows\system32\~GLH003d.TMP
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
c:\windows\wininit.ini
S:\AUTORUN.INF
.
.
((((((((((((((((((((((((( Files Created from 2013-07-25 to 2013-08-25 )))))))))))))))))))))))))))))))
.
.
2013-08-25 13:22 . 2013-08-25 13:37 -------- d-----w- c:\users\JimEddy\AppData\Local\temp
2013-08-25 13:22 . 2013-08-25 13:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-08-25 13:22 . 2013-08-25 13:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-23 22:06 . 2013-08-23 22:06 -------- d-----w- c:\windows\ERUNT
2013-08-23 20:53 . 2013-08-23 20:54 -------- d-----w- C:\AdwCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-19 13:29 . 2012-04-05 14:07 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-19 13:29 . 2011-06-16 13:55 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-10 00:27 . 2013-07-10 00:27 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-10 00:27 . 2013-07-10 00:28 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-10 00:27 . 2010-06-05 11:32 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-04 01:50 . 2013-07-10 08:14 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-06-01 04:06 . 2013-07-10 08:13 505344 ----a-w- c:\windows\system32\qedit.dll
2013-05-29 01:50 . 2013-07-11 07:16 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-05-29 01:41 . 2013-07-11 07:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-05-29 01:41 . 2013-07-11 07:16 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-05-29 01:37 . 2013-07-11 07:16 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-05-29 01:36 . 2013-07-11 07:16 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-05-29 01:33 . 2013-07-11 07:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2001-09-28 21:00 . 2009-07-17 16:55 164864 ------w- c:\program files\UNWISE.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Taskbar Shuffle"="c:\environment\Folders\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2010-12-10 1093632]
"TpShocks"="TpShocks.exe" [2008-06-07 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-04-15 61728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 824616]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2011-03-31 20480]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-01-14 644384]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 154136]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-08-31 165208]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-08-31 124248]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-11 1191936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 178712]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-25 3077432]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2010-09-17 181608]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-09-17 431464]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2011-08-24 651832]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-05-29 367128]
"CreateLMBCShortCut"="c:\program files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" [2009-04-13 40960]
"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2009-01-14 214576]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-11-16 641704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-6-22 50688]
PowerNap.lnk - c:\windows\Installer\{2436940B-1C2C-4FB4-A703-0EE9B1350791}\_35E0567647C2420371B885.exe 1 [2012-1-6 372526]
PowerNapWatcher.lnk - c:\windows\Installer\{2436940B-1C2C-4FB4-A703-0EE9B1350791}\_18B4EACA6AED157B14F49D.exe [2012-1-6 10134]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^JimEddy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^regmonstd.lnk]
path=c:\users\JimEddy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
backup=c:\windows\pss\regmonstd.lnk.Startup
backupExtension=.Startup
.
R2 ADExchange;ArcSoft Exchange Service;c:\program files\Common Files\ArcSoft\esinter\Bin\eservutil.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-13 04:41 1173456 ----a-w- c:\program files\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 13:29]
.
2013-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-24 16:53]
.
2013-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-24 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:49176;https=127.0.0.1:49176
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 204.186.110.76 204.186.80.251 216.144.187.199
TCP: Interfaces\{A7C72638-EC15-4741-8D97-150C33341983}: NameServer = 0.0.0.0
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WD Quick View.lnk - c:\program files\Western Digital\WD SmartWare\WDDMStatus.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-mcpltui_exe - c:\program files\McAfee.com\Agent\mcagent.exe
AddRemove-Lenovo Registration - c:\program files\Lenovo Registration\uninstall.exe
AddRemove-McAfee Virtual Technician - c:\program files\McAfee\Supportability\MVT\MVTInstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-25 09:40
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4684)
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
c:\program files\LENOVO\HOTKEY\TPHKSVC.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CISVC.EXE
c:\program files\DebugDiag\DbgSvc.exe
c:\program files\Dell\PowerNap\PowerNap.Service.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Lenovo\Communications Utility\CAMMUTE.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe
c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\System32\TpShocks.exe
c:\windows\System32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE
c:\program files\ThinkVantage\PrdCtr\LPMLCHK.EXE
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
c:\program files\Dell\PowerNap\PowerNap.exe
c:\program files\Dell\PowerNap\PowerNapWatcher.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\msdtc.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\progra~1\ThinkPad\UTILIT~1\PWMUIAux.exe
c:\windows\system32\cidaemon.exe
c:\windows\system32\sdclt.exe
.
**************************************************************************
.
Completion time: 2013-08-25 09:47:09 - machine was rebooted
ComboFix-quarantined-files.txt 2013-08-25 13:47
.
Pre-Run: 77,217,349,632 bytes free
Post-Run: 76,714,012,672 bytes free
.
- - End Of File - - 704D4B6E1BF829AA8DCC72E3168122DA
6CDEB6C7D41A15D446A0571583928580

Questions.

Does the report reveal anything?

Ought I have run ComboFix again because I had a “difficult virus infection”? I don’t know if it cured the tcp/ip infection because this machine talks to the internet via wireless and that is turned off.

Should I attempt to reconnect to the internet via wireless to see if the tcp/ip stack has been fixed and the system communicates normally?

Ought I have waited for the machine fan to stop and its power lights to go off rather than force the shutdown with the power button? If so, how long should I give it before concluding that it will take forever?



How is the machine running?

Data Execution Protection still Closes the Task Scheduler Engine on Bootup.

Explorer did not freeze. It seems to be very responsive.

The RecycleBin is empty.

There is no firewall or other virus protection since McAfee is not installed. To reinstall McAfee requires internet access.

There is no internet access since the link is wireless and wireless is turned off. Without internet access I don’t know if the tcp/ip stack has been cured or not.

That is my report.

Thank you again for your help.

I am, as before, eager to learn what the next step is.

Perhaps run ComboFix again?

Jim

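As an added example (not code from this thread, from ComboFix, or from BleepingComputer), the following Python script shows the kind of triage a responder does on the "Reg Loading Points" and "Supplementary Scan" sections of a ComboFix report like the one above: it flags autostart entries that run from a Temp folder or use rundll32 to load an .exe, EnableLUA set to 0, a ProxyServer pointing at 127.0.0.1, and a zeroed NameServer. The sample lines are constructed in the shape ComboFix prints, with the regmonstd entry modelled on the startup item from the first post; the rule names, regexes and the Finding type are this example's own assumptions.

```python
"""Triage of ComboFix-style report lines for common compromise indicators.

Added example; not code from ComboFix, BleepingComputer or this thread.
The rule names, regexes and sample lines are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str   # short rule name, see triage() below
    line: str   # the report line that triggered it


# Constructed sample in the shape ComboFix prints; the regmonstd entry is
# modelled on the startup item described in the first post of the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"regmonstd"="c:\windows\system32\rundll32.exe c:\users\JimEddy\AppData\Local\Temp\b34btbztdb0vavaw.exe,XFG00" [2013-08-20 0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:49176;https=127.0.0.1:49176
TCP: DhcpNameServer = 204.186.110.76 204.186.80.251 216.144.187.199
TCP: Interfaces\{A7C72638-EC15-4741-8D97-150C33341983}: NameServer = 0.0.0.0
"""

# "name"="command" [date size]  -- an autostart value as ComboFix lists it
AUTOSTART_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<cmd>[^"]*)"')
TEMP_PATH_RE = re.compile(r'\\Temp\\', re.IGNORECASE)
# rundll32 handed a module that ends in .exe followed by an export name
RUNDLL_EXE_RE = re.compile(r'rundll32\.exe\s+\S*?\.exe\s*,', re.IGNORECASE)
UAC_OFF_RE = re.compile(r'"EnableLUA"\s*=\s*0\b')
PROXY_RE = re.compile(r'ProxyServer\s*=\s*(?P<val>\S+)')
# \b keeps this from matching the legitimate DhcpNameServer line
NAMESERVER_RE = re.compile(r'\bNameServer\s*=\s*(?P<val>\S+)')


def triage(report_text: str) -> list[Finding]:
    """Return one Finding per indicator hit, in report order."""
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        m = AUTOSTART_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if TEMP_PATH_RE.search(cmd):
                findings.append(Finding("autostart_from_temp", line))
            if RUNDLL_EXE_RE.search(cmd):
                findings.append(Finding("rundll32_loads_exe", line))
        if UAC_OFF_RE.search(line):
            findings.append(Finding("uac_disabled", line))
        m = PROXY_RE.search(line)
        if m and "127.0.0.1" in m.group("val"):
            findings.append(Finding("loopback_proxy", line))
        m = NAMESERVER_RE.search(line)
        if m and m.group("val") == "0.0.0.0":
            findings.append(Finding("nameserver_zeroed", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per rule, for a quick overview before reading the lines."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] {f.line}")
    print(summarize(hits))
```

Each rule corresponds to something a responder would want explained before declaring the machine clean: a user-level proxy set to 127.0.0.1 means every WinINET request (Internet Explorer, Windows Update, McAfee's updater) is being relayed through a local process, which fits the "inserted itself into the tcp/ip stack" message ComboFix showed; a NameServer of 0.0.0.0 on an interface breaks name resolution even after the proxy is gone; EnableLUA=0 means UAC is off, so a user-level infection is not prompted when it touches HKLM; and an autostart that runs an .exe out of a Temp folder through rundll32 is almost never legitimate. The script only reads the report text, so it can be run on a clean machine against a copied log.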
#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 August 2013 - 01:05 PM


Hello Jim

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
CFScriptB-4.gif
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo

#7 Jim Eddy

Jim Eddy
  • Topic Starter

  • Members
  • 24 posts

Posted 26 August 2013 - 12:48 PM

Hello Gringo,

Thank you for your help. There has been very significant progress. However the machine is not yet completely healthy. More about that below. Here attached is the latest ComboFix log.

=============================================

ComboFix 13-08-22.01 - JimEddy 08/25/2013 15:43:23.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1977.714 [GMT -4:00]
Running from: c:\users\JimEddy\Desktop\ComboFix.exe
Command switches used :: c:\users\JimEddy\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\JimEddy\AppData\Local\Temp\rad56D9D.tmp\bin\x86\sharpwrapi_Win32.dll
c:\users\JimEddy\AppData\Local\Temp\radEB229.tmp\bin\Gadget.Interop.dll
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
.
.
((((((((((((((((((((((((( Files Created from 2013-07-25 to 2013-08-25 )))))))))))))))))))))))))))))))
.
.
2013-08-25 19:53 . 2013-08-25 19:56 -------- d-----w- c:\users\JimEddy\AppData\Local\temp
2013-08-25 19:53 . 2013-08-25 19:53 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-08-25 19:53 . 2013-08-25 19:53 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2013-08-25 19:53 . 2013-08-25 19:53 -------- d-----w- c:\users\TEMP.Rathbone\AppData\Local\temp
2013-08-25 19:53 . 2013-08-25 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-23 22:06 . 2013-08-23 22:06 -------- d-----w- c:\windows\ERUNT
2013-08-23 20:53 . 2013-08-23 20:54 -------- d-----w- C:\AdwCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-19 13:29 . 2012-04-05 14:07 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-19 13:29 . 2011-06-16 13:55 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-10 00:27 . 2013-07-10 00:27 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-10 00:27 . 2013-07-10 00:28 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-10 00:27 . 2010-06-05 11:32 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-04 01:50 . 2013-07-10 08:14 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-06-01 04:06 . 2013-07-10 08:13 505344 ----a-w- c:\windows\system32\qedit.dll
2013-05-29 01:50 . 2013-07-11 07:16 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-05-29 01:41 . 2013-07-11 07:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-05-29 01:41 . 2013-07-11 07:16 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-05-29 01:37 . 2013-07-11 07:16 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-05-29 01:36 . 2013-07-11 07:16 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-05-29 01:33 . 2013-07-11 07:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2001-09-28 21:00 . 2009-07-17 16:55 164864 ------w- c:\program files\UNWISE.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Taskbar Shuffle"="c:\environment\Folders\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2010-12-10 1093632]
"TpShocks"="TpShocks.exe" [2008-06-07 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-04-15 61728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 824616]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2011-03-31 20480]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-01-14 644384]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 154136]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-08-31 165208]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-08-31 124248]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-11 1191936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 178712]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-25 3077432]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2010-09-17 181608]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-09-17 431464]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2011-08-24 651832]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-05-29 367128]
"CreateLMBCShortCut"="c:\program files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" [2009-04-13 40960]
"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2009-01-14 214576]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-11-16 641704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-6-22 50688]
PowerNap.lnk - c:\windows\Installer\{2436940B-1C2C-4FB4-A703-0EE9B1350791}\_35E0567647C2420371B885.exe 1 [2012-1-6 372526]
PowerNapWatcher.lnk - c:\windows\Installer\{2436940B-1C2C-4FB4-A703-0EE9B1350791}\_18B4EACA6AED157B14F49D.exe [2012-1-6 10134]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^JimEddy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^regmonstd.lnk]
path=c:\users\JimEddy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
backup=c:\windows\pss\regmonstd.lnk.Startup
backupExtension=.Startup
.
R2 ADExchange;ArcSoft Exchange Service;c:\program files\Common Files\ArcSoft\esinter\Bin\eservutil.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-13 04:41 1173456 ----a-w- c:\program files\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 13:29]
.
2013-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-24 16:53]
.
2013-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-24 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:49176;https=127.0.0.1:49176
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 204.186.110.76 204.186.80.251 216.144.187.199
TCP: Interfaces\{A7C72638-EC15-4741-8D97-150C33341983}: NameServer = 0.0.0.0
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-25 15:57
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5480)
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
c:\program files\LENOVO\HOTKEY\TPHKSVC.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CISVC.EXE
c:\program files\DebugDiag\DbgSvc.exe
c:\program files\Dell\PowerNap\PowerNap.Service.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Lenovo\Communications Utility\CAMMUTE.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe
c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\System32\TpShocks.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\windows\System32\rundll32.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE
c:\program files\ThinkVantage\PrdCtr\LPMLCHK.EXE
c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
c:\program files\Dell\PowerNap\PowerNap.exe
c:\program files\Dell\PowerNap\PowerNapWatcher.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\msdtc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\progra~1\ThinkPad\UTILIT~1\PWMUIAux.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\windows\system32\cidaemon.exe
.
**************************************************************************
.
Completion time: 2013-08-25 16:03:40 - machine was rebooted
ComboFix-quarantined-files.txt 2013-08-25 20:03
ComboFix2.txt 2013-08-25 13:47
.
Pre-Run: 73,210,798,080 bytes free
Post-Run: 73,118,072,832 bytes free
.
- - End Of File - - 2AEFCB831F91CF915E81907DB7DA1007
6CDEB6C7D41A15D446A0571583928580

============================================================



This time ComboFix took about 20 minutes. The first run took about 40 minutes.

The big news is that the machine now talks to the internet via a wireless link to a home router to a cable modem. That is a huge quality of life improvement.

However, there are still problems. One problem is that I still get the message that Windows Data Execution Prevention is still closing Task Scheduler. The Windows help on Data Execution Prevention says this:


“What is Data Execution Prevention?

Data Execution Prevention (DEP) is a security feature that can help prevent damage to your computer from viruses and other security threats. Harmful programs can try to attack Windows by attempting to run (also known as execute) code from system memory locations reserved for Windows and other authorized programs. These types of attacks can harm your programs and files.

DEP can help protect your computer by monitoring your programs to make sure that they use system memory safely. If DEP notices a program on your computer using memory incorrectly, it closes the program and notifies you.”


Apparently there is something on the computer that is attempting to do something that it should not be doing. Or something is broken.

The bigger problem is that I cannot put McAfee back on the system. Apparently after I uninstalled McAfee through the Windows Control Panel I should have downloaded the McAfee Consumer Product Recovery (MCPR.exe) tool to scrub McAfee bits and pieces that are left on the machine after a Windows Uninstall. I did not do that. Immediately after the Windows Control Panel Uninstall of McAfee I had succeeded in turning off virus protection and so I ran ComboFix. And ran it again in this last iteration. Now, in an attempt to see if things are back to normal I attempted to reinstall McAfee. The first step in that process is to run MCPR.exe. But now MCPR.exe does not see what it expects to see and so it throws an error and exits. McAfee says that I cannot reinstall McAfee until MCPR.exe has succeeded in the uninstall.

I attempted to chat with McAfee. That was a mistake. All the guy wanted to do was log on to my system, look around a little bit, and then hit me with a sales pitch to buy support from them to solve all my problems. I have been around that loop already in the past. Fortunately the machine that I was poised to log in on was not the machine with the problem. As soon as I told him that he lost interest in his next chat post, told me that he would send me the solution to my problem via email, and indicated that he wanted to close the chat. We rang off.

The email he sent me had the phone number for calling McAfee support.

I could call McAfee support and I will do that if I have to, but I would prefer to get a recommendation from you, Gringo, as to what to do to expunge all of the McAfee references out of my Registry. Then I will rerun MCPR, get a clean bill of health, and then reinstall McAfee. If I achieve that, and fix my Task-Scheduler/Data-Execution-Prevention problem I believe that the machine will be back to normal.

Again, thank you for the help. I eagerly await your next post.

Jim

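A defender's triage pass over the ComboFix output above, as an added example that is not part of this thread and not ComboFix's own code: the script takes a constructed sample log whose lines have the same shape as the Reg Loading Points and Supplementary Scan sections posted here (the same entries recur in the later log in this thread) and flags the settings worth verifying before declaring the machine clean: the Run entry given as a bare file name, EnableLUA set to 0, the regmonstd.lnk startup item that msconfig disabled rather than removed, the ProxyServer pointing at 127.0.0.1:49176, and the interface NameServer of 0.0.0.0. The function names, finding labels and notes are this example's own.

```python
import re

# Constructed sample, not a log from the thread: the line shapes copy the
# Reg Loading Points and Supplementary Scan sections of a ComboFix log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2008-06-07 181536]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 154136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Users^JimEddy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^regmonstd.lnk]
path=c:\users\JimEddy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
backup=c:\windows\pss\regmonstd.lnk.Startup
backupExtension=.Startup
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:49176;https=127.0.0.1:49176
TCP: DhcpNameServer = 204.186.110.76 204.186.80.251 216.144.187.199
TCP: Interfaces\{A7C72638-EC15-4741-8D97-150C33341983}: NameServer = 0.0.0.0
"""

RUN_ENTRY = re.compile(r'^"([^"]+)"="([^"]*)"')              # "Name"="command" [date size]
POLICY_VALUE = re.compile(r'^"(\w+)"=\s*(\d+)')              # "EnableLUA"= 0 (0x0)
PROXY_SERVER = re.compile(r'ProxyServer = (.+)$')
IFACE_NAMESERVER = re.compile(r': NameServer = (\S+)\s*$')  # per-interface value, not DhcpNameServer

# What each finding means for the person cleaning the machine (this example's own wording).
NOTES = {
    "run-entry-without-path": "bare file name is resolved through the search path; confirm which binary runs",
    "uac-disabled": "EnableLUA=0 switches UAC off, so programs the user starts run with full rights silently",
    "msconfig-disabled-startup-item": "disabled with msconfig, not removed; the .lnk and its pss backup remain",
    "loopback-proxy": "browser traffic goes through a local listener; find the owning process (netstat -b)",
    "nameserver-unset": "static DNS of 0.0.0.0 on an interface; compare with the DHCP-supplied servers",
}


def parse_proxy(spec):
    """Split 'http=host:port;https=host:port' (or a bare 'host:port') into tuples."""
    entries = []
    for part in spec.split(";"):
        proto, sep, hostport = part.partition("=")
        if not sep:                      # bare 'host:port' applies to all protocols
            proto, hostport = "all", part
        host, _, port = hostport.rpartition(":")
        entries.append((proto, host, port))
    return entries


def is_loopback(host):
    return host == "localhost" or host.startswith("127.")


def triage(log):
    """Return (kind, subject, detail) findings for the settings worth a second look."""
    findings = []
    section = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()       # registry key the following values belong to
            continue
        if section.endswith("\\run]"):
            m = RUN_ENTRY.match(line)
            if m and "\\" not in m.group(2):
                findings.append(("run-entry-without-path", m.group(1), m.group(2)))
        elif section.endswith("\\policies\\system]"):
            m = POLICY_VALUE.match(line)
            if m and m.group(1) == "EnableLUA" and m.group(2) == "0":
                findings.append(("uac-disabled", m.group(1), m.group(2)))
        elif "\\startupfolder\\" in section and line.lower().startswith("backup=c:\\windows\\pss\\"):
            backup_path = line[len("backup="):]
            item = backup_path.rsplit("\\", 1)[1].rsplit(".", 1)[0]   # drop the .Startup suffix
            findings.append(("msconfig-disabled-startup-item", item, backup_path))
        m = PROXY_SERVER.search(line)
        if m:
            for proto, host, port in parse_proxy(m.group(1)):
                if is_loopback(host):
                    findings.append(("loopback-proxy", proto, f"{host}:{port}"))
        m = IFACE_NAMESERVER.search(line)
        if m and m.group(1) == "0.0.0.0":
            findings.append(("nameserver-unset", "NameServer", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:32} {subject:14} {detail}")
        print(f"{'':32} -> {NOTES[kind]}")
```

Run it against a real log by reading C:\ComboFix.txt into `triage()` instead of SAMPLE_LOG. None of the findings is proof of infection on its own: a loopback proxy is exactly what a web-filtering security product installs too, which is why the note says to identify the listening process rather than to delete the setting.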
#8 Jim Eddy

Jim Eddy
  • Topic Starter

  • Members
  • 24 posts

Posted 29 August 2013 - 07:48 AM

Gringo,

Am I done?

Jim

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 August 2013 - 10:20 PM


Hello Jim

Sorry I had lost you

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\Tasks\Adobe Flash Player Updater.job
c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\program files\Google\Update\GoogleUpdate.exe
C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
c:\program files\Google\Update\GoogleUpdate.exe
 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[picture: CFScriptB-4.gif, dragging CFScript.txt onto ComboFix.exe]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --> [donate button] <-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 Jim Eddy

Jim Eddy
  • Topic Starter

  • Members
  • 24 posts

Posted 30 August 2013 - 11:49 AM

Hello Gringo,

Thank you for your help.

When I ran ComboFix it threw up a message box informing me that there were newer versions of ComboFix available and did I want to update ComboFix now. I was concerned that it might download from some site that would want to load up my machine with junk so I declined.

Ought I download another version of ComboFix from Bleeping Computer and run with that? If so, let me know and I will do that.

During the run of ComboFix Windows threw up a message box that said:

PEV.exe has stopped working
A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.
Debug CloseProgram

ComboFix kept running behind the message box so I did not click either Debug or CloseProgram. ComboFix rebooted Windows while this message box was still up. After the bootup Windows threw up the same message that it always throws up after a reboot on this machine:

Task Scheduler Engine has stopped working
A problem caused the program to stop working correctly.
Windows will close the program and notify you if a solution is available.
Debug Close Program

Since ComboFix appeared to be running ok behind this message box I let it stand without clicking either Debug or Close Program.

ComboFix displayed:

Preparing Log Report.

Do not run any programs until ComboFix has finished.

while Vista came up. The disk drive was pegged for about 10 minutes. The Explorer restarted and ComboFix changed the display to:

Almost done . . This window will close in a short while
Please wait a few seconds for the report log to show up

ComboFix’s log shall be located at C:\COMBOFIX.TXT

Explorer restarted again. The disk drive is pegged. After about 5 minutes the ComboFix command prompt window closed and a full-screen Notepad window came up. Notepad threw up a message that said:

Cannot find the C:\Users\JimEddy\AppData\Local\Temp\log.txt file. Do you want to create a new file?
Yes No Cancel

I do not recall this happening on any of the previous runs of ComboFix. I selected Yes. The full-screen file then was renamed from untitled.txt to log.txt. The Notepad display of log.txt remained empty. Since there was no longer any ComboFix command prompt window displayed and since disk write activity was light I concluded that ComboFix was done. There was a ComboFix.txt at root. Explorer is now very very slow. The Start Menu is very very slow. The “Task Scheduler Engine has stopped working” message is still up. Since ComboFix is apparently done I clicked Close program on the “Task Scheduler Engine has stopped working” message. At that point I did not get the usual message in the notification area:

Task Scheduler Engine was closed to help protect your computer. Data Execution Prevention has closed Task Scheduler Engine.

This message has never in my memory not come up after I click “Close program” on the “Task Scheduler Engine has stopped working” message. After I clicked “Close program” Explorer immediately became fast again.

The ComboFix run was successful in that it did produce a log file. Here it is:



ComboFix 13-08-22.01 - JimEddy 08/30/2013 10:02:08.3.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1977.626 [GMT -4:00]
Running from: c:\users\JimEddy\Desktop\ComboFix.exe
Command switches used :: c:\users\JimEddy\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files\Google\Update\GoogleUpdate.exe"
"c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe"
"c:\windows\Tasks\Adobe Flash Player Updater.job"
"c:\windows\Tasks\GoogleUpdateTaskMachineCore.job"
"c:\windows\Tasks\GoogleUpdateTaskMachineUA.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\JimEddy\AppData\Local\Temp\rad76FF9.tmp\bin\x86\sharpwrapi_Win32.dll
c:\users\JimEddy\AppData\Local\Temp\radC8714.tmp\bin\Gadget.Interop.dll
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
.
.
((((((((((((((((((((((((( Files Created from 2013-07-28 to 2013-08-30 )))))))))))))))))))))))))))))))
.
.
2013-08-30 14:12 . 2013-08-30 14:15 -------- d-----w- c:\users\JimEddy\AppData\Local\temp
2013-08-30 14:12 . 2013-08-30 14:12 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-08-30 14:12 . 2013-08-30 14:12 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2013-08-30 14:12 . 2013-08-30 14:12 -------- d-----w- c:\users\TEMP.Rathbone\AppData\Local\temp
2013-08-30 14:12 . 2013-08-30 14:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-30 12:09 . 2013-08-20 04:47 7166848 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{449BB28A-B9C9-46EC-B0A3-995378CAC37B}\mpengine.dll
2013-08-28 15:00 . 2013-08-02 04:09 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-08-26 14:19 . 2013-07-05 04:53 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-26 14:19 . 2013-06-15 13:22 15872 ----a-w- c:\windows\system32\icaapi.dll
2013-08-26 14:19 . 2013-06-15 11:23 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-08-26 14:19 . 2013-07-17 19:41 2048 ----a-w- c:\windows\system32\tzres.dll
2013-08-26 14:19 . 2013-07-10 09:47 783360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-08-26 14:19 . 2013-07-09 12:10 1205168 ----a-w- c:\windows\system32\ntdll.dll
2013-08-26 14:19 . 2013-07-08 04:55 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-26 14:19 . 2013-07-08 04:55 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-26 14:19 . 2013-07-08 04:16 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2013-08-26 14:19 . 2013-07-08 04:16 992768 ----a-w- c:\windows\system32\crypt32.dll
2013-08-26 14:19 . 2013-07-08 04:20 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-08-26 14:19 . 2013-07-08 04:16 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-23 22:06 . 2013-08-23 22:06 -------- d-----w- c:\windows\ERUNT
2013-08-23 20:53 . 2013-08-23 20:54 -------- d-----w- C:\AdwCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-19 13:29 . 2012-04-05 14:07 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-19 13:29 . 2011-06-16 13:55 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-10 00:27 . 2013-07-10 00:27 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-10 00:27 . 2013-07-10 00:28 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-10 00:27 . 2010-06-05 11:32 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-04 01:50 . 2013-07-10 08:14 2049024 ----a-w- c:\windows\system32\win32k.sys
2001-09-28 21:00 . 2009-07-17 16:55 164864 ------w- c:\program files\UNWISE.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Taskbar Shuffle"="c:\environment\Folders\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2010-12-10 1093632]
"TpShocks"="TpShocks.exe" [2008-06-07 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-04-15 61728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 824616]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2011-03-31 20480]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-01-14 644384]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 154136]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-08-31 165208]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-08-31 124248]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-11 1191936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 178712]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-25 3077432]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2010-09-17 181608]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-09-17 431464]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2011-08-24 651832]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-05-29 367128]
"CreateLMBCShortCut"="c:\program files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" [2009-04-13 40960]
"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2009-01-14 214576]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-11-16 641704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-6-22 50688]
PowerNap.lnk - c:\windows\Installer\{2436940B-1C2C-4FB4-A703-0EE9B1350791}\_35E0567647C2420371B885.exe 1 [2012-1-6 372526]
PowerNapWatcher.lnk - c:\windows\Installer\{2436940B-1C2C-4FB4-A703-0EE9B1350791}\_18B4EACA6AED157B14F49D.exe [2012-1-6 10134]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^JimEddy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^regmonstd.lnk]
path=c:\users\JimEddy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
backup=c:\windows\pss\regmonstd.lnk.Startup
backupExtension=.Startup
.
R2 ADExchange;ArcSoft Exchange Service;c:\program files\Common Files\ArcSoft\esinter\Bin\eservutil.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-25 21:10 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-05 13:29]
.
2013-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-24 16:53]
.
2013-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-24 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:49176;https=127.0.0.1:49176
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 204.186.110.76 204.186.80.251 216.144.187.199
TCP: Interfaces\{A7C72638-EC15-4741-8D97-150C33341983}: NameServer = 0.0.0.0
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-30 10:19
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4836)
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
c:\windows\system32\WLANExt.exe
c:\program files\LENOVO\HOTKEY\TPHKSVC.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CISVC.EXE
c:\program files\DebugDiag\DbgSvc.exe
c:\program files\Dell\PowerNap\PowerNap.Service.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Lenovo\Communications Utility\CAMMUTE.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe
c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\System32\TpShocks.exe
c:\windows\System32\rundll32.exe
c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE
c:\program files\ThinkVantage\PrdCtr\LPMLCHK.EXE
c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Dell\PowerNap\PowerNap.exe
c:\program files\Dell\PowerNap\PowerNapWatcher.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\WerFault.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\msdtc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\windows\system32\cidaemon.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2013-08-30 10:26:05 - machine was rebooted
ComboFix-quarantined-files.txt 2013-08-30 14:26
ComboFix2.txt 2013-08-25 20:03
ComboFix3.txt 2013-08-25 13:47
.
Pre-Run: 79,463,059,456 bytes free
Post-Run: 79,618,564,096 bytes free
.
- - End Of File - - AB08DEEC7E3EB764E0120640DD882A74
6CDEB6C7D41A15D446A0571583928580




Upon reboot the “Task Scheduler Engine has stopped working message” appeared again. When I closed it the “Task Scheduler Engine was closed” message appeared again.

The McAfee Consumer Product Removal Tool still fails to uninstall McAfee successfully. The registry still has many many references to McAfee. The system has no virus protection at the moment.

Explorer is fast. I do have internet connectivity. I still have long periods of high disk usage that I have not been able to pin to a particular process.

Any ideas?

Jim

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:32 AM

Posted 30 August 2013 - 12:45 PM



Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe
  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
DeleteFile:
c:\program files\Google\Update\GoogleUpdate.exe
c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
c:\windows\Tasks\Adobe Flash Player Updater.job
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by BlitzBlank. You can find it at the root of the drive, normally C:\
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 Jim Eddy

Jim Eddy
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:32 AM

Posted 31 August 2013 - 09:46 AM

Hello Gringo,

Thank you for your help.

Before running BlitzBlank I spent some time staring at the Microsoft Resource Monitor just after bootup. This was to try to find out what it was that was causing all the disk activity. The machine always hits the disk very hard for more than 15 minutes after bootup. During the time I was watching there was no process listed that got more than 5% of the cpu and most of them were 2% or less for a very short time. Yet the disk display was pegged at 100 MB/sec. The disk display has a blue line and a green line. The blue line is pegged. The Resource Monitor says that the blue line represents “highest active time percentage”, whatever that means.

After staring at the display for a while, and to my astonishment, the process setup.exe started creeping up. This setup was listed as being associated with GoogleChrome. I don’t use GoogleChrome. At least not on purpose. GoogleChrome setup.exe got 50% of the cpu for more than 2 minutes.

I notice that Google shows up on 3 of the 5 lines in your BlitzBlank script. It will be interesting to see any change in behavior after running BlitzBlank.

Oops. BlitzBlank threw an error on the script:

DeleteFile:
c:\program files\Google\Update\GoogleUpdate.exe
c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
c:\windows\Tasks\Adobe Flash Player Updater.job
c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

It complained about line 2:

Syntax error in line2, Invalid file path.

On a hunch I changed line 2 to c:\progra~1\Google\Update\GoogleUpdate.exe and that was accepted but then the program threw an error on line 4. I suspect it is spaces in the file name.

Then I chickened out. I looked on the web and did not find any sample BlitzBlank scripts. I looked on BleepingComputer and have not yet found any examples of BlitzBlank scripts that contain spaces.

Rather than blow up my computer I decided to wait for instructions.

Waiting for instructions.

Thank you for your help.

Jim

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:32 AM

Posted 31 August 2013 - 12:27 PM

You are right about the spaces.

"c:\windows\Tasks\Adobe Flash Player Updater.job" change it to this

I looked the first time and must have missed it.


Gringo

#14 Jim Eddy

Jim Eddy
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:32 AM

Posted 31 August 2013 - 01:24 PM

Gringo,

Change it to what?

Jim

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:32 AM

Posted 31 August 2013 - 01:25 PM

I put "" around the line.
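The exchange above turns on one detail: BlitzBlank rejects a DeleteFile path that contains spaces unless the path is wrapped in double quotes. As an added example (not code from the thread, from BlitzBlank, or from its author), here is a small Python helper that normalizes a DeleteFile script before it is pasted into the tool: it quotes any path containing whitespace, leaves already-quoted paths and the section header alone, and reports which targets actually exist on the machine so the user can see what a script would touch before executing it. The sample script is the one posted above; the function names, the section-header pattern and the existence check are my own assumptions about a sensible workflow, not BlitzBlank's syntax rules beyond the quoting point the thread establishes. The helper deletes nothing itself.

```python
import os
import re
from typing import Dict, Iterable, List

# A line that is just a word followed by a colon, e.g. "DeleteFile:", is
# treated as a BlitzBlank section header (assumption based on the posted
# script; only DeleteFile: appears in the thread).
SECTION_RE = re.compile(r"^[A-Za-z]+:$")


def quote_path(path: str) -> str:
    """Wrap a path in double quotes if it contains whitespace and is not
    already quoted; return it unchanged otherwise."""
    stripped = path.strip()
    if len(stripped) >= 2 and stripped.startswith('"') and stripped.endswith('"'):
        return stripped
    if any(ch.isspace() for ch in stripped):
        return f'"{stripped}"'
    return stripped


def normalize_script(lines: Iterable[str]) -> List[str]:
    """Return the script with every path line quoted where needed.
    Section headers and blank lines pass through unchanged."""
    out: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            out.append("")
        elif SECTION_RE.match(line.strip()):
            out.append(line.strip())
        else:
            out.append(quote_path(line))
    return out


def check_targets(lines: Iterable[str]) -> Dict[str, bool]:
    """Map each path in the script (without surrounding quotes) to whether
    it currently exists on disk, so the user can review targets before
    running anything. Headers and blank lines are skipped."""
    result: Dict[str, bool] = {}
    for line in normalize_script(lines):
        if not line or SECTION_RE.match(line):
            continue
        path = line[1:-1] if line.startswith('"') and line.endswith('"') else line
        result[path] = os.path.exists(path)
    return result


# The DeleteFile script from the posts above, as it was first given
# (unquoted paths, two of which contain spaces).
POSTED_SCRIPT = [
    "DeleteFile:",
    r"c:\program files\Google\Update\GoogleUpdate.exe",
    r"c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe",
    r"c:\windows\Tasks\Adobe Flash Player Updater.job",
    r"c:\windows\Tasks\GoogleUpdateTaskMachineCore.job",
    r"c:\windows\Tasks\GoogleUpdateTaskMachineUA.job",
]


if __name__ == "__main__":
    print("Normalized script (paste this into the Script tab):")
    for line in normalize_script(POSTED_SCRIPT):
        print(line)
    print()
    print("Targets present on this machine:")
    for path, present in check_targets(POSTED_SCRIPT).items():
        print(f"  [{'x' if present else ' '}] {path}")
```

Running it on a machine that is not the affected one simply shows every target as absent, which is the point of the check: a script that names files the machine does not have is a sign the list was written for a different system or an earlier state of this one.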



