
Plagued by TR/Patched.Ren.Gen & Opachki.ru


This topic is locked
26 replies to this topic

#1 Sparky131

Sparky131

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:20 PM

Posted 16 October 2013 - 11:28 AM

First Indication of infection: When signing in to email, the first or second keystroke popped up a small "run" window. It said: "type the name of a program, doc, folder, or Internet resource, & Windows will find it for you". That is not normal, and I was immediately on alert. I was careful not to enter anything and was even hesitant to click to close. Then data entry all over the place produced unexpected results...browsers popping up, keys not working and sometimes not inserting the correct character. I use Avira, Malwarebytes, SpywareBlaster, Spybot Search & Destroy, Panda Cloud Cleaner, and Trend Micro's Housecall. I keep versions and definitions up to date and scan regularly.  The two machines involved: Vista & Win7 on a wireless LAN.

After the email issue, I immediately deep scanned with all resources. No detections except Antivir did not complete. I re-ran and still did not finish. Same thing on a networked Win7 laptop. The following day, Antivir completed with 1 detection (TR/Patched.Ren.Gen). Reading up, sources indicate that this is unlikely to be managed by normal defenses. The detection is quarantined. Immediately thereafter, the computer regained speed and a measure of normalcy.

 

Repeated scans have been hit or miss...with too many hits. Spybot Search & Destroy found (9) instances of Opachki.ru after the TR/Patched.Ren.Gen was detected by Antivir.  It also listed a "Uniblue Scanner" as suspect.

Both computers do appear now to be largely functional, with minimal outward symptoms.  I doubt that this problem has been eradicated, as subsequent scans continue to uncover reincarnated infections.

Thank you for your consideration,




#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:20 PM

Posted 16 October 2013 - 01:13 PM



Hello Sparky131

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.





I need to get some reports to get a base to start from so I need you to run these programs first.



-Download DDS-
  • Please download DDS from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Sparky131

Sparky131
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:04:20 PM

Posted 16 October 2013 - 09:42 PM

Thanks Gringo for the quick response.

 

Note: I could not find the "Receive Notification" box to check it.  

I would have replied earlier, but apparently there was a problem with the Website.

 

Here are the logs:

 

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium 
Boot Device: \Device\HarddiskVolume1
Install Date: 8/29/2008 2:19:22 PM
System Uptime: 10/16/2013 9:27:46 AM (5 hours ago)
.
Motherboard: MSI |  | Boston
Processor: Intel® Pentium® Dual  CPU  E2160  @ 1.80GHz | Socket 775 | 1800/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 289 GiB total, 180.935 GiB free.
D: is FIXED (NTFS) - 9 GiB total, 0.944 GiB free.
E: is CDROM ()
F: is FIXED (FAT32) - 75 GiB total, 59.738 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0002
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #2
PNP Device ID: ROOT\*6TO4MP\0002
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0013
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #7
PNP Device ID: ROOT\*6TO4MP\0013
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0016
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #9
PNP Device ID: ROOT\*6TO4MP\0016
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0018
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #11
PNP Device ID: ROOT\*6TO4MP\0018
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0038
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #28
PNP Device ID: ROOT\*6TO4MP\0038
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0073
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #60
PNP Device ID: ROOT\*6TO4MP\0073
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0075
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #62
PNP Device ID: ROOT\*6TO4MP\0075
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0081
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #68
PNP Device ID: ROOT\*6TO4MP\0081
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0088
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #73
PNP Device ID: ROOT\*6TO4MP\0088
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0108
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #90
PNP Device ID: ROOT\*6TO4MP\0108
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0113
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #93
PNP Device ID: ROOT\*6TO4MP\0113
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0134
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #111
PNP Device ID: ROOT\*6TO4MP\0134
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0135
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #168
PNP Device ID: ROOT\*6TO4MP\0135
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0140
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #116
PNP Device ID: ROOT\*6TO4MP\0140
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0184
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #153
PNP Device ID: ROOT\*6TO4MP\0184
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0216
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0216
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0014
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #12
PNP Device ID: ROOT\*ISATAP\0014
Service: tunnel
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Flash Player Plugin
Adobe Reader X (10.1.4)
Adobe Shockwave Player 11
APC PowerChute Personal Edition
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira Free Antivirus
Bonjour
Canon D400-450
Canon Easy-PhotoPrint EX
Canon Inkjet Printer Driver Add-On Module
Canon MF Toolbox 4.9.1.1.mf13
Canon MF4800 Series
Canon MP Navigator 1.0
Canon MP780
Canon ScanGear Starter
Canon Utilities Easy-PhotoPrint
Cards_Calendar_OrderGift_DoMorePlugout
CCleaner
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compaq Demo
Compatibility Pack for the 2007 Office system
CutePDF Writer 2.8
CyberLink DVD Suite Deluxe
DriveImage XML (Private Edition)
eReg
Firefox Backup Tool version 1.0
Free DWG Viewer 6.3
Google Chrome
Google SketchUp 6
Hardware Diagnostic Tools
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.5
HP Total Care Advisor
HP Update
HPPhotoSmartPhotobookWebPack1
InstallVC90Support
Intel® Graphics Media Accelerator Driver
iTunes
LabelPrint
LightScribe System Software  1.10.23.1
LightScribeTemplateLabeler
Logitech SetPoint 6.1
Malwarebytes Anti-Malware version 1.75.0.1300
MasterCook 5: Cooking Light
MasterCook Betty Crocker
MasterCook Deluxe 8
MasterCook Deluxe 9
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Small Business
Microsoft Office Home and Student 60 day trial
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Streets and Trips 2001
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Works
Mozilla Firefox 10.0.2 (x86 en-US)
Mozilla Thunderbird (3.1.20)
muvee autoProducer 6.1
My HP Games
OmniPage SE
Panda ActiveScan 2.0
Panda Cloud Cleaner
PDF-Viewer
PDF-XChange Lite 4
Power2Go
PowerChute Personal Edition 3.0.2
PowerDirector
Presto! PageManager 6.03
Presto! PageManager 7.15.37
PSSWCORE
Python 2.5
QuickTime
Ralink RT2870 Wireless LAN Card
Realtek High Definition Audio Driver
Revo Uninstaller 1.95
SAMSUNG USB Driver for Mobile Phones V5.16.0.0
ScanTool
Secure Online Account Numbers
SecureZIP for Windows 12.20.0021
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2861697)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2832407)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2861188)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2858302v2)
SketchUp 2013
Snapfish Picture Mover
Soft Data Fax Modem with SmartCP
Spybot - Search & Destroy
SpywareBlaster 5.0
Ubuntu
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2836939)
Update for Microsoft .NET Framework 4 Extended (KB2836939v3)
USB Modem
VideoToolkit01
Visio Technical
WeatherBug Gadget
Windows Media Player Firefox Plugin
WinRAR archiver
WONswap
Yahoo! Toolbar
.
==== End Of File ===========================
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 7.0.6002.18005
Run by Wes Net at 14:36:48 on 2013-10-16
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3060.1013 [GMT -4:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\APC\PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\ACFXAU32.exe
C:\Program Files\APC\PowerChute Personal Edition\dataserv.exe
C:\Program Files\APC\PowerChute Personal Edition\apcsystray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Wes Net\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.toast.net/start/
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - <orphaned>
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [Google Update] "c:\users\wes net\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Display] c:\program files\apc\powerchute personal edition\DataCollectionLauncher.exe
mRun: [MFNetworkScanUtility] c:\program files\canon\canon mf network scan utility\CNMFSUT.EXE
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\powerchute personal edition\Display.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: MasterCook: Select Image - c:\program files\mastercook 9\web\MCIEContext.hta
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0}
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{52B64376-08C4-4964-8C0A-E7B6CE5D16EF} : DHCPNameServer = 75.75.76.76 75.75.75.75
Notify: igfxcui - igfxdev.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
Hosts: 127.0.0.1	www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\wes net\appdata\roaming\mozilla\firefox\profiles\o8xqpqe8.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\users\wes net\appdata\local\google\update\1.3.21.165\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-16 28552]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-12-20 37352]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-12-20 440392]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-12-20 440392]
R2 APC Data Service;APC Data Service;c:\program files\apc\powerchute personal edition\dataserv.exe [2012-1-24 21880]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-12-20 89376]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RaRegistry.exe [2013-1-13 185632]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2010-3-18 40912]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2010-3-18 10448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 acfva;acfva;c:\windows\system32\drivers\ACFVA32.sys [2007-6-29 86656]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-9-19 83168]
S3 dgcfltr;DGC Filter Driver;c:\windows\system32\drivers\ACFDCP32.sys [2007-7-10 28800]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2013-1-13 822272]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2013-2-6 1690784]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2007-2-6 14848]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2012-9-19 181344]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2013-10-11 13464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\firefox.exe="c:\program files\mozilla firefox\firefox.exe" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2013-10-16 14:36:44	--------	d-----w-	c:\program files\Runtime Software
2013-10-15 13:46:23	7328304	----a-w-	c:\programdata\microsoft\windows defender\definition updates\{bf5ba88e-00f9-4b07-abbf-4661c792aaae}\mpengine.dll
2013-10-15 02:39:37	--------	d-----w-	c:\programdata\Canon
2013-10-15 01:45:32	94208	----a-w-	c:\windows\system32\CNCLSC44a.DLL
2013-10-15 01:45:32	204800	----a-w-	c:\windows\system32\CNCLSU44a.DLL
2013-10-15 01:45:32	131072	----a-w-	c:\windows\system32\CNCLSD44a.DLL
2013-10-15 01:45:32	122880	----a-w-	c:\windows\system32\CNCLSI44a.DLL
2013-10-15 01:45:32	106496	----a-w-	c:\windows\system32\CNCLST44a.DLL
2013-10-15 01:45:31	53248	----a-w-	c:\windows\system32\CNCLSO44a.dll
2013-10-15 01:45:31	135168	----a-w-	c:\windows\system32\CNCL4800.DLL
2013-10-15 01:45:30	327680	----a-w-	c:\windows\system32\CNCC4800.DLL
2013-10-15 01:45:30	159744	----a-w-	c:\windows\system32\CNCE4800.DLL
2013-10-15 01:45:30	102400	----a-w-	c:\windows\system32\CNCI4800.DLL
2013-10-15 01:42:34	679936	----a-w-	c:\windows\system32\CNAS0MOK.DLL
2013-10-15 01:40:58	204800	----a-w-	c:\windows\system32\CNCENPR.dll
2013-10-15 01:40:58	139264	----a-w-	c:\windows\system32\CNCENPM.dll
2013-10-15 01:40:58	110592	----a-w-	c:\windows\system32\CNCENPU.dll
2013-10-11 14:54:10	13464	----a-w-	c:\windows\system32\drivers\SWDUMon.sys
2013-10-11 14:54:08	--------	d-----w-	c:\users\wes net\appdata\local\SlimWare Utilities Inc
2013-10-10 18:17:38	31848	----a-w-	c:\windows\system32\drivers\DasPtct.SYS
2013-10-10 13:15:06	18656	----a-w-	c:\windows\system32\PCloudBroom.exe
2013-10-09 17:37:04	527064	----a-w-	c:\windows\system32\drivers\Wdf01000.sys
2013-10-09 17:34:50	532480	----a-w-	c:\windows\system32\comctl32.dll
2013-10-03 11:59:14	--------	d-----w-	c:\program files\Revo Uninstaller
.
==================== Find3M  ====================
.
2013-10-09 18:25:50	16400	----a-w-	c:\windows\system32\drivers\LNonPnP.sys
2013-10-07 12:51:22	89376	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2013-10-07 12:51:22	37352	----a-w-	c:\windows\system32\drivers\avkmgr.sys
2013-09-24 03:07:44	834048	----a-w-	c:\windows\system32\wininet.dll
2013-09-24 03:07:05	53760	----a-w-	c:\windows\apppatch\iebrshim.dll
2013-09-24 03:06:56	19456	----a-w-	c:\windows\system32\corpol.dll
2013-09-23 20:13:08	389632	----a-w-	c:\windows\system32\html.iec
2013-09-23 20:01:13	1383424	----a-w-	c:\windows\system32\mshtml.tlb
2013-08-29 07:56:16	27648	----a-w-	c:\windows\system32\drivers\usbser.sys
2013-08-29 07:36:04	2050048	----a-w-	c:\windows\system32\win32k.sys
2013-08-27 02:47:50	219648	----a-w-	c:\windows\system32\d3d10_1core.dll
2013-08-27 02:47:50	189952	----a-w-	c:\windows\system32\d3d10core.dll
2013-08-27 02:47:50	160768	----a-w-	c:\windows\system32\d3d10_1.dll
2013-08-27 02:47:50	1029120	----a-w-	c:\windows\system32\d3d10.dll
2013-08-27 01:52:08	1172480	----a-w-	c:\windows\system32\d3d10warp.dll
2013-08-27 01:50:40	486400	----a-w-	c:\windows\system32\d3d10level9.dll
2013-08-27 01:32:20	683008	----a-w-	c:\windows\system32\d2d1.dll
2013-08-27 01:28:36	1069056	----a-w-	c:\windows\system32\DWrite.dll
2013-08-27 01:28:35	798208	----a-w-	c:\windows\system32\FntCache.dll
2013-08-07 08:22:04	238872	------w-	c:\windows\system32\MpSigStub.exe
2013-08-02 04:09:35	1548288	----a-w-	c:\windows\system32\WMVDECOD.DLL
2013-08-01 03:16:32	638400	----a-w-	c:\windows\system32\drivers\dxgkrnl.sys
2013-08-01 02:49:15	37376	----a-w-	c:\windows\system32\cdd.dll
2013-07-20 10:44:53	102608	----a-w-	c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2003-06-11 12:36:24	155770	----a-w-	c:\program files\worksafe.exe
2003-06-11 12:36:04	413816	----a-w-	c:\program files\apcsystray.exe
2003-06-11 12:34:58	155770	----a-w-	c:\program files\mainserv.exe
2003-06-11 12:33:18	155764	----a-w-	c:\program files\force.exe
2003-06-11 12:32:26	467067	----a-w-	c:\program files\PowerChute.exe
2003-06-11 12:30:26	233592	----a-w-	c:\program files\drvutil.dll
2003-06-11 12:29:28	61440	----a-w-	c:\program files\ntutil.dll
2003-06-11 12:29:16	249974	----a-w-	c:\program files\MsgDll.dll
2003-06-11 12:28:54	49152	----a-w-	c:\program files\ExecuteProcess.exe
2003-06-11 12:28:38	278654	----a-w-	c:\program files\UpsControl.dll
2003-06-11 12:28:14	262268	----a-w-	c:\program files\UpsDevice.dll
2003-06-11 12:28:02	245885	----a-w-	c:\program files\pdcdll.dll
2003-06-11 12:27:12	135296	----a-w-	c:\program files\EventViewer.exe
2003-06-11 12:26:46	209016	----a-w-	c:\program files\Display.exe
2003-06-11 11:59:02	839827	----a-w-	c:\program files\res.dll
2003-06-11 11:58:02	1024149	----a-w-	c:\program files\pchuteres.dll
2003-03-26 16:03:18	257	----a-w-	c:\program files\DisableSplashScreen.reg
2003-03-26 16:03:18	255	----a-w-	c:\program files\EnableSplashScreen.reg
2003-03-26 16:03:18	135	----a-w-	c:\program files\Enable ADS.reg
2003-03-26 16:03:18	135	----a-w-	c:\program files\Disable ADS.reg
2003-03-26 16:03:18	130	----a-w-	c:\program files\AllowStandby.reg
2000-03-29 20:44:24	2465	----a-w-	c:\program files\ehib.exe
.
============= FINISH: 14:42:31.57 ===============
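The DDS log above is read by hand in this thread. As an added example (not part of the original posts and not code from the DDS tool), the following Python script parses the log's section layout and pulls out the entries a responder reviews first: orphaned BHOs, Hosts entries, start pages, drivers created in the last 30 days, and services whose binary appears in the "Created Last 30" section. It runs over a constructed excerpt modelled on the lines shown here; the regexes and section names are my assumptions about the format as it appears in this log, not a documented DDS specification.

```python
"""Triage helper for DDS (dds.scr) logs.

Splits the log on its '==== Section ====' headers and lists the entries a
malware responder checks by hand. A flagged entry is a review item, not a
verdict: SWDUMon.sys below is a legitimate SlimWare driver, but a kernel
driver installed days before the symptoms started is exactly what you look at.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# e.g. "S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2013-10-11 13464]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([\d-]+)\s+(\d+)\]$")
# e.g. "2013-10-11 14:54:10<TAB>13464<TAB>----a-w-<TAB>c:\windows\system32\drivers\SWDUMon.sys"
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\t(\S+)\t(\S+)\t(.+)$")


def parse_dds(text):
    """Return {section name (lower-case): [non-empty lines]}; '.' spacer lines are dropped."""
    sections = defaultdict(list)
    current = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        sections[current].append(line)
    return sections


def triage(text):
    """Return a list of (category, detail) review items in log order."""
    sections = parse_dds(text)
    findings = []
    for line in sections.get("pseudo hjt report", []):
        if line.startswith("BHO:") and line.endswith("<orphaned>"):
            findings.append(("orphaned-bho", line))      # CLSID with no file behind it
        elif line.startswith("Hosts:"):
            findings.append(("hosts-entry", line))       # any hosts-file redirection
        elif line.startswith(("uStart Page", "mStart Page")):
            findings.append(("start-page", line))        # confirm these are user-chosen
    # Files created in the last 30 days, keyed by lower-cased path.
    created = {}
    for line in sections.get("created last 30", []):
        m = CREATED_RE.match(line)
        if m:
            created[m.group(4).lower()] = m.group(1)
    for path, when in created.items():
        if path.endswith(".sys"):
            findings.append(("new-driver", f"{path} (created {when})"))
    # Cross-reference: a service/driver whose binary is itself a new file.
    for line in sections.get("services / drivers", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, name, _display, path, _date, _size = m.groups()
        exe = path.split(" -k ")[0].strip().lower()      # drop svchost group suffix
        if exe in created:
            findings.append(("service-new-binary", f"{state} {name}: {exe} created {created[exe]}"))
    return findings


# Constructed excerpt modelled on the DDS.txt lines posted in this thread.
SAMPLE_LOG = "\n".join([
    "DDS (Ver_2012-11-20.01) - NTFS_x86",
    "============== Pseudo HJT Report ===============",
    ".",
    "uStart Page = hxxp://www.google.com/",
    "mStart Page = hxxp://www.toast.net/start/",
    "BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll",
    "BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - <orphaned>",
    "Hosts: 127.0.0.1\twww.spywareinfo.com",
    ".",
    "============= SERVICES / DRIVERS ===============",
    ".",
    "R1 avkmgr;avkmgr;c:\\windows\\system32\\drivers\\avkmgr.sys [2012-12-20 37352]",
    "R2 FontCache;Windows Font Cache Service;c:\\windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]",
    "S3 SWDUMon;SWDUMon;c:\\windows\\system32\\drivers\\SWDUMon.sys [2013-10-11 13464]",
    ".",
    "=============== Created Last 30 ================",
    ".",
    "2013-10-11 14:54:10\t13464\t----a-w-\tc:\\windows\\system32\\drivers\\SWDUMon.sys",
    "2013-10-10 13:15:06\t18656\t----a-w-\tc:\\windows\\system32\\PCloudBroom.exe",
    "2013-10-03 11:59:14\t--------\td-----w-\tc:\\program files\\Revo Uninstaller",
    ".",
    "============= FINISH: 14:42:31.57 ===============",
])

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Point it at a real DDS.txt with `triage(open(path, encoding="cp1252", errors="replace").read())`; the "service-new-binary" cross-reference is the item most worth correlating with the date the symptoms began.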

 



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:20 PM

Posted 16 October 2013 - 11:11 PM


Hello Sparky131

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Sparky131 (Topic Starter)
  • Members
  • 15 posts

Posted 17 October 2013 - 12:03 AM

Machine appears in the grip of the malware...I had difficulty getting commands to work on Antivir and Windows Defender, but finally they closed.

Combofix log:

 

ComboFix 13-10-16.02 - Wes Net 10/17/2013   0:42.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3060.1711 [GMT -4:00]
Running from: c:\users\Wes Net\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-17 to 2013-10-17  )))))))))))))))))))))))))))))))
.
.
2013-10-17 04:51 . 2013-10-17 04:51 -------- d-----w- c:\users\Wes Net\AppData\Local\temp
2013-10-17 04:51 . 2013-10-17 04:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-10-16 14:36 . 2013-10-16 14:36 -------- d-----w- c:\program files\Runtime Software
2013-10-15 13:46 . 2013-09-16 04:50 7328304 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BF5BA88E-00F9-4B07-ABBF-4661C792AAAE}\mpengine.dll
2013-10-15 02:39 . 2013-10-15 02:39 -------- d-----w- c:\programdata\Canon
2013-10-15 01:45 . 2012-04-17 19:08 122880 ----a-w- c:\windows\system32\CNCLSI44a.DLL
2013-10-15 01:45 . 2012-04-17 19:08 131072 ----a-w- c:\windows\system32\CNCLSD44a.DLL
2013-10-15 01:45 . 2012-04-17 19:08 94208 ----a-w- c:\windows\system32\CNCLSC44a.DLL
2013-10-15 01:45 . 2012-04-17 19:08 106496 ----a-w- c:\windows\system32\CNCLST44a.DLL
2013-10-15 01:45 . 2012-04-17 19:07 204800 ----a-w- c:\windows\system32\CNCLSU44a.DLL
2013-10-15 01:45 . 2012-04-17 19:08 53248 ----a-w- c:\windows\system32\CNCLSO44a.dll
2013-10-15 01:45 . 2012-04-17 19:06 135168 ----a-w- c:\windows\system32\CNCL4800.DLL
2013-10-15 01:45 . 2012-04-17 19:07 159744 ----a-w- c:\windows\system32\CNCE4800.DLL
2013-10-15 01:45 . 2012-04-17 19:07 102400 ----a-w- c:\windows\system32\CNCI4800.DLL
2013-10-15 01:45 . 2012-04-17 19:07 327680 ----a-w- c:\windows\system32\CNCC4800.DLL
2013-10-15 01:42 . 2011-04-11 20:40 679936 ----a-w- c:\windows\system32\CNAS0MOK.DLL
2013-10-15 01:40 . 2012-03-12 20:34 139264 ----a-w- c:\windows\system32\CNCENPM.dll
2013-10-15 01:40 . 2011-05-10 10:29 110592 ----a-w- c:\windows\system32\CNCENPU.dll
2013-10-15 01:40 . 2009-06-18 18:43 204800 ----a-w- c:\windows\system32\CNCENPR.dll
2013-10-11 14:54 . 2013-10-12 12:06 13464 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-10-11 14:54 . 2013-10-11 14:54 -------- d-----w- c:\users\Wes Net\AppData\Local\SlimWare Utilities Inc
2013-10-10 18:17 . 2013-06-12 18:10 31848 ----a-w- c:\windows\system32\drivers\DasPtct.SYS
2013-10-10 13:15 . 2013-04-08 20:30 18656 ----a-w- c:\windows\system32\PCloudBroom.exe
2013-10-09 17:37 . 2013-06-26 23:01 527064 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-10-09 17:34 . 2013-07-04 04:21 532480 ----a-w- c:\windows\system32\comctl32.dll
2013-10-03 11:59 . 2013-10-12 16:49 -------- d-----w- c:\program files\Revo Uninstaller
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-09 18:25 . 2012-02-23 00:39 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2013-10-07 12:51 . 2012-12-20 14:39 89376 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-10-07 12:51 . 2012-12-20 14:39 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-10-07 12:51 . 2012-12-20 14:39 137208 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-09-24 03:07 . 2013-10-09 17:54 53760 ----a-w- c:\windows\apppatch\iebrshim.dll
2013-08-07 08:22 . 2009-10-03 20:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-08-02 04:09 . 2013-08-28 15:15 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
2003-06-11 12:36 . 2009-10-09 12:43 155770 ----a-w- c:\program files\worksafe.exe
2003-06-11 12:36 . 2009-10-09 12:43 413816 ----a-w- c:\program files\apcsystray.exe
2003-06-11 12:34 . 2009-10-09 12:43 155770 ----a-w- c:\program files\mainserv.exe
2003-06-11 12:33 . 2009-10-09 12:43 155764 ----a-w- c:\program files\force.exe
2003-06-11 12:32 . 2009-10-09 12:43 467067 ----a-w- c:\program files\PowerChute.exe
2003-06-11 12:30 . 2009-10-09 12:43 233592 ----a-w- c:\program files\drvutil.dll
2003-06-11 12:29 . 2009-10-09 12:43 61440 ----a-w- c:\program files\ntutil.dll
2003-06-11 12:29 . 2009-10-09 12:43 249974 ----a-w- c:\program files\MsgDll.dll
2003-06-11 12:28 . 2009-10-09 12:43 49152 ----a-w- c:\program files\ExecuteProcess.exe
2003-06-11 12:28 . 2009-10-09 12:43 278654 ----a-w- c:\program files\UpsControl.dll
2003-06-11 12:28 . 2009-10-09 12:43 262268 ----a-w- c:\program files\UpsDevice.dll
2003-06-11 12:28 . 2009-10-09 12:43 245885 ----a-w- c:\program files\pdcdll.dll
2003-06-11 12:27 . 2009-10-09 12:43 135296 ----a-w- c:\program files\EventViewer.exe
2003-06-11 12:26 . 2009-10-09 12:43 209016 ----a-w- c:\program files\Display.exe
2003-06-11 11:59 . 2009-10-09 12:43 839827 ----a-w- c:\program files\res.dll
2003-06-11 11:58 . 2009-10-09 12:43 1024149 ----a-w- c:\program files\pchuteres.dll
2003-03-26 16:03 . 2009-10-09 12:43 130 ----a-w- c:\program files\AllowStandby.reg
2003-03-26 16:03 . 2009-10-09 12:43 257 ----a-w- c:\program files\DisableSplashScreen.reg
2003-03-26 16:03 . 2009-10-09 12:43 255 ----a-w- c:\program files\EnableSplashScreen.reg
2003-03-26 16:03 . 2009-10-09 12:43 135 ----a-w- c:\program files\Enable ADS.reg
2003-03-26 16:03 . 2009-10-09 12:43 135 ----a-w- c:\program files\Disable ADS.reg
2000-03-29 20:44 . 2009-10-09 12:43 2465 ----a-w- c:\program files\ehib.exe
2012-02-16 14:40 . 2012-03-10 19:45 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-05-18 1311312]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-10-07 681032]
"MFNetworkScanUtility"="c:\program files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE" [2009-12-15 484760]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\PowerChute Personal Edition\Display.exe [2012-1-24 271736]
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe -s [2013-1-13 1643808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Wes Net^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wkcalrem.LNK]
path=c:\users\Wes Net\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkcalrem.LNK
backup=c:\windows\pss\wkcalrem.LNK.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-03-09 20:43 136176 ----atw- c:\users\Wes Net\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-02-26 23:57 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-02-26 23:57 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 17:00 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-02-26 23:57 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 11:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateReg]
2007-04-07 09:56 54936 ----a-w- c:\windows\System32\jureg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
2006-09-20 12:35 20480 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\WrtMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Health Check Scheduler"=[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"PKWARE Certificate Proxy Client"=c:\progra~1\PKWARE\PKZIPW\pkpcsr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 acfva;acfva;c:\windows\system32\DRIVERS\ACFVA32.sys [2007-06-29 86656]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3521371533-283708137-4137571409-1000Core.job
- c:\users\Wes Net\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-09 20:43]
.
2013-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3521371533-283708137-4137571409-1000UA.job
- c:\users\Wes Net\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-09 20:43]
.
2013-10-16 c:\windows\Tasks\User_Feed_Synchronization-{8DB810DF-66F8-49A9-B2A3-59C87D2E4CF3}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.toast.net/start/
uInternet Settings,ProxyOverride = *.local
IE: MasterCook: Select Image - c:\program files\MasterCook 9\Web\MCIEContext.hta
Trusted Zone: download.microsoft
Trusted Zone: microsoft.com\update
Trusted Zone: update.microsoft
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Wes Net\AppData\Roaming\Mozilla\Firefox\Profiles\o8xqpqe8.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-17 00:51
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-10-17  00:55:55
ComboFix-quarantined-files.txt  2013-10-17 04:55
.
Pre-Run: 194,240,098,304 bytes free
Post-Run: 193,900,548,096 bytes free
.
- - End Of File - - 9609D9B988CED437C2DD95D1947A3597
03BA8F890B47C0BE359A4D5A636D214D


#6 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 October 2013 - 04:50 AM


Hello Sparky131

I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • More than one report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please copy and paste the contents of that file here.

    Note** this report can be very long - so if the website gives you an error saying it is too long you may attach it.

    If the forum still complains about it being too long, send me everything that is at the end of the report after where it says

    ==================
    Scan finished
    ==================
and I will see if I want to see the whole report

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The scan will make two reports; the one I would like to see is called RKreport[2].txt on your Desktop.
  • Exit/Close RogueKiller.
Send me the reports made from TDSSKiller and RogueKiller and also let me know how the computer is doing at this time.

Gringo

#7 Sparky131 (Topic Starter)
  • Members
  • 15 posts

Posted 17 October 2013 - 07:24 AM

Morning Gringo,

When downloading TDSSkiller, it prompts to download update. (Vers. 2.0.16.0 to vers. 3.0.0.14) The CPU can't open the zip file update with this message: "Unable to load module...C:\Program Files\Common Files\PKWare\PKZip7\PKArchive86u.dll   C:\Progra~1\PKWare\PKZipw\PKArchive86u.dll  PKArchive86u.dll" 



#8 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 October 2013 - 10:34 PM

Hello sparky

sorry about the delay - go ahead and move to the next item


Gringo

#9 Sparky131 (Topic Starter)
  • Members
  • 15 posts

Posted 18 October 2013 - 04:50 PM

Gringo,

 

I have tried twice to post the logs from TDSSKiller and RogueKiller, and each time I hit the "post" button it says "saving post" but appears to stall. It doesn't show up as a new post. The "Add Reply" and "Preview Post" buttons were not present in the reply boxes that I tried. Confused and frustrated.

 

Sparky131



#10 Sparky131 (Topic Starter)
  • Members
  • 15 posts

Posted 18 October 2013 - 05:13 PM

Gringo,

 

Update: Tried "more reply options", resulting in 524 error, timing out.  I will attach them and see if that works. Nope, too large.  Can you be specific on what parts I should cut and paste in my next post?



#11 Sparky131 (Topic Starter)
  • Members
  • 15 posts

Posted 18 October 2013 - 08:35 PM

Sparky131 again,

 

New scary discovery...Spybot scan now shows 15,000+ Global Host files.  Immunization blocked by Avira.



#12 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 18 October 2013 - 10:42 PM

Hello

See if you can upload the files here - https://www.wetransfer.com/ and send me the link


"Spybot scan now shows 15,000+ Global Host files. Immunization blocked by Avira." - this sounds like one wants to do something and the other is blocking it. I don't think it is anything bad, but if you can send me at least part of that report then I will check it.

#13 Sparky131 (Topic Starter)
  • Members
  • 15 posts

Posted 19 October 2013 - 03:51 PM

Hi Gringo,

 

Success!  Here is the link.  http://we.tl/PDmNHUnx0V

 

And when I pulled the Spybot log, it only shows the one host: "localhost 127.0.0.1", so I don't know what's up with that.
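The back-and-forth in posts #11 to #13 (Spybot reporting 15,000+ "Global Host" entries, Avira blocking the immunization, then a log showing only the single localhost line) is the point where looking at the hosts file itself settles the question. A hosts-file immunization writes many names pointed at 127.0.0.1, which is harmless; what a responder actually wants to flag are names of security vendors pointed at a blackhole address, and any name pointed at a real, non-loopback address. The script below is an added example written for this thread; it is not code from ComboFix, Spybot or Avira and it does not read the thread's own hosts file. The sample hosts text, the SECURITY_DOMAINS list and the classification rules are its own assumptions.

```python
"""Audit a Windows hosts file and sort its entries into four classes.

Added example for this thread (not code from ComboFix, Spybot or Avira).
Classes:
  localhost         - the stock "127.0.0.1 localhost" / "::1 localhost" lines
  blocklist         - any other name sent to a blackhole address (what a
                      hosts-file immunization or ad-blocker writes)
  security_blocked  - a security-vendor name sent to a blackhole address
  redirect          - a name sent to a real, non-loopback address
The sample text, vendor list and rules are this example's own assumptions.
"""
import ipaddress

# Constructed sample hosts file (not from the thread). It mixes the stock
# Microsoft header, a Spybot-style immunization block, one blackholed
# security-vendor host and two Microsoft hosts redirected to a TEST-NET-3
# documentation address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1       www.example-adserver.invalid
127.0.0.1       tracker.example.invalid   # inline comment is ignored
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1       www.avira.com
203.0.113.45    www.microsoft.com update.microsoft.com
"""

# Constructed list of security-vendor domain suffixes (an assumption of this
# example). A hosts entry that blackholes one of these is a classic sign of
# malware blocking AV updates rather than of an immunization tool at work.
SECURITY_DOMAINS = (
    "microsoft.com", "windowsupdate.com", "avira.com",
    "malwarebytes.org", "safer-networking.org", "kaspersky.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Handles comment lines, inline comments and lines that map several names
    to one address; lines whose address field does not parse are skipped.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()


def classify(ip, name):
    """Return one of: localhost, blocklist, security_blocked, redirect."""
    addr = ipaddress.ip_address(ip)
    # 127.0.0.0/8, ::1 and 0.0.0.0 all send the name nowhere.
    blackholed = addr.is_loopback or addr.is_unspecified
    if not blackholed:
        return "redirect"          # the name is being sent to a real host
    if name == "localhost":
        return "localhost"         # the one entry a default file needs
    if any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS):
        return "security_blocked"  # a protection vendor has been blackholed
    return "blocklist"             # ordinary immunization / ad-block entry


def audit_hosts(text):
    """Return (counts per class, list of suspicious (class, ip, name) tuples)."""
    counts = {"localhost": 0, "blocklist": 0, "security_blocked": 0, "redirect": 0}
    suspicious = []
    for ip, name in parse_hosts(text):
        kind = classify(ip, name)
        counts[kind] += 1
        if kind in ("security_blocked", "redirect"):
            suspicious.append((kind, ip, name))
    return counts, suspicious


if __name__ == "__main__":
    # On a real machine, read C:\Windows\System32\drivers\etc\hosts instead.
    totals, flagged = audit_hosts(SAMPLE_HOSTS)
    print("entries per class:", totals)
    for kind, ip, name in flagged:
        print(f"  {kind:17} {ip:15} {name}")
```

On the sample text the audit counts two localhost lines and two ordinary blocklist lines, and flags three entries: the blackholed Avira host and the two Microsoft names redirected to 203.0.113.45. A file with thousands of blocklist entries and nothing flagged is what an immunization leaves behind; a short file with redirects or blackholed vendor names is the pattern that deserves attention.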



#14 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 October 2013 - 09:57 PM


Hello Sparky131

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo

#15 Sparky131 (Topic Starter)
  • Members
  • 15 posts

Posted 19 October 2013 - 11:18 PM

Hi Gringo,

 

On the 1st try, ComboFix found an infection in Windows\system32\userinit and soon after got the blue screen..."Windows has shut down to protect your system". I reran ComboFix after restart and it completed. The log is below. I restarted the computer in normal mode, and it seems to be acting OK, but I have not attempted anything other than what was necessary to carry out your directives.

 

ComboFix Log:

 

ComboFix 13-10-19.02 - Wes Net 10/19/2013  23:58:04.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3060.1965 [GMT -4:00]
Running from: c:\users\Wes Net\Desktop\ComboFix.exe
Command switches used :: c:\users\Wes Net\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
-- Previous Run --
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected 
Restored copy from - c:\windows\ERDNT\cache\userinit.exe 
.
--------
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-20 to 2013-10-20  )))))))))))))))))))))))))))))))
.
.
2013-10-20 04:06 . 2013-10-20 04:06 -------- d-----w- c:\users\Wes Net\AppData\Local\temp
2013-10-20 04:06 . 2013-10-20 04:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-10-18 21:09 . 2013-10-14 06:39 7796464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{29D48767-2CFA-4518-93A0-E2EF1BB6494D}\mpengine.dll
2013-10-16 14:36 . 2013-10-16 14:36 -------- d-----w- c:\program files\Runtime Software
2013-10-15 02:39 . 2013-10-15 02:39 -------- d-----w- c:\programdata\Canon
2013-10-15 01:45 . 2012-04-17 19:08 122880 ----a-w- c:\windows\system32\CNCLSI44a.DLL
2013-10-15 01:45 . 2012-04-17 19:08 131072 ----a-w- c:\windows\system32\CNCLSD44a.DLL
2013-10-15 01:45 . 2012-04-17 19:08 94208 ----a-w- c:\windows\system32\CNCLSC44a.DLL
2013-10-15 01:45 . 2012-04-17 19:08 106496 ----a-w- c:\windows\system32\CNCLST44a.DLL
2013-10-15 01:45 . 2012-04-17 19:07 204800 ----a-w- c:\windows\system32\CNCLSU44a.DLL
2013-10-15 01:45 . 2012-04-17 19:08 53248 ----a-w- c:\windows\system32\CNCLSO44a.dll
2013-10-15 01:45 . 2012-04-17 19:06 135168 ----a-w- c:\windows\system32\CNCL4800.DLL
2013-10-15 01:45 . 2012-04-17 19:07 159744 ----a-w- c:\windows\system32\CNCE4800.DLL
2013-10-15 01:45 . 2012-04-17 19:07 102400 ----a-w- c:\windows\system32\CNCI4800.DLL
2013-10-15 01:45 . 2012-04-17 19:07 327680 ----a-w- c:\windows\system32\CNCC4800.DLL
2013-10-15 01:42 . 2011-04-11 20:40 679936 ----a-w- c:\windows\system32\CNAS0MOK.DLL
2013-10-15 01:40 . 2012-03-12 20:34 139264 ----a-w- c:\windows\system32\CNCENPM.dll
2013-10-15 01:40 . 2011-05-10 10:29 110592 ----a-w- c:\windows\system32\CNCENPU.dll
2013-10-15 01:40 . 2009-06-18 18:43 204800 ----a-w- c:\windows\system32\CNCENPR.dll
2013-10-11 14:54 . 2013-10-12 12:06 13464 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-10-11 14:54 . 2013-10-11 14:54 -------- d-----w- c:\users\Wes Net\AppData\Local\SlimWare Utilities Inc
2013-10-10 18:17 . 2013-06-12 18:10 31848 ----a-w- c:\windows\system32\drivers\DasPtct.SYS
2013-10-10 13:15 . 2013-04-08 20:30 18656 ----a-w- c:\windows\system32\PCloudBroom.exe
2013-10-09 17:37 . 2013-06-26 23:01 527064 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-10-09 17:34 . 2013-07-04 04:21 532480 ----a-w- c:\windows\system32\comctl32.dll
2013-10-03 11:59 . 2013-10-12 16:49 -------- d-----w- c:\program files\Revo Uninstaller
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-09 18:25 . 2012-02-23 00:39 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2013-10-07 12:51 . 2012-12-20 14:39 89376 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-10-07 12:51 . 2012-12-20 14:39 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-10-07 12:51 . 2012-12-20 14:39 137208 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-09-24 03:07 . 2013-10-09 17:54 53760 ----a-w- c:\windows\apppatch\iebrshim.dll
2013-09-03 18:35 . 2009-10-03 20:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-08-02 04:09 . 2013-08-28 15:15 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
2003-06-11 12:36 . 2009-10-09 12:43 155770 ----a-w- c:\program files\worksafe.exe
2003-06-11 12:36 . 2009-10-09 12:43 413816 ----a-w- c:\program files\apcsystray.exe
2003-06-11 12:34 . 2009-10-09 12:43 155770 ----a-w- c:\program files\mainserv.exe
2003-06-11 12:33 . 2009-10-09 12:43 155764 ----a-w- c:\program files\force.exe
2003-06-11 12:32 . 2009-10-09 12:43 467067 ----a-w- c:\program files\PowerChute.exe
2003-06-11 12:30 . 2009-10-09 12:43 233592 ----a-w- c:\program files\drvutil.dll
2003-06-11 12:29 . 2009-10-09 12:43 61440 ----a-w- c:\program files\ntutil.dll
2003-06-11 12:29 . 2009-10-09 12:43 249974 ----a-w- c:\program files\MsgDll.dll
2003-06-11 12:28 . 2009-10-09 12:43 49152 ----a-w- c:\program files\ExecuteProcess.exe
2003-06-11 12:28 . 2009-10-09 12:43 278654 ----a-w- c:\program files\UpsControl.dll
2003-06-11 12:28 . 2009-10-09 12:43 262268 ----a-w- c:\program files\UpsDevice.dll
2003-06-11 12:28 . 2009-10-09 12:43 245885 ----a-w- c:\program files\pdcdll.dll
2003-06-11 12:27 . 2009-10-09 12:43 135296 ----a-w- c:\program files\EventViewer.exe
2003-06-11 12:26 . 2009-10-09 12:43 209016 ----a-w- c:\program files\Display.exe
2003-06-11 11:59 . 2009-10-09 12:43 839827 ----a-w- c:\program files\res.dll
2003-06-11 11:58 . 2009-10-09 12:43 1024149 ----a-w- c:\program files\pchuteres.dll
2003-03-26 16:03 . 2009-10-09 12:43 130 ----a-w- c:\program files\AllowStandby.reg
2003-03-26 16:03 . 2009-10-09 12:43 257 ----a-w- c:\program files\DisableSplashScreen.reg
2003-03-26 16:03 . 2009-10-09 12:43 255 ----a-w- c:\program files\EnableSplashScreen.reg
2003-03-26 16:03 . 2009-10-09 12:43 135 ----a-w- c:\program files\Enable ADS.reg
2003-03-26 16:03 . 2009-10-09 12:43 135 ----a-w- c:\program files\Disable ADS.reg
2000-03-29 20:44 . 2009-10-09 12:43 2465 ----a-w- c:\program files\ehib.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-05-18 1311312]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-10-07 681032]
"MFNetworkScanUtility"="c:\program files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE" [2009-12-15 484760]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\PowerChute Personal Edition\Display.exe [2012-1-24 271736]
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe -s [2013-1-13 1643808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Wes Net^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wkcalrem.LNK]
path=c:\users\Wes Net\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkcalrem.LNK
backup=c:\windows\pss\wkcalrem.LNK.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-03-09 20:43 136176 ----atw- c:\users\Wes Net\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-02-26 23:57 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-02-26 23:57 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 17:00 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-02-26 23:57 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 11:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateReg]
2007-04-07 09:56 54936 ----a-w- c:\windows\System32\jureg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
2006-09-20 12:35 20480 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\WrtMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Health Check Scheduler"=[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"PKWARE Certificate Proxy Client"=c:\progra~1\PKWARE\PKZIPW\pkpcsr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 acfva;acfva;c:\windows\system32\DRIVERS\ACFVA32.sys [2007-06-29 86656]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3521371533-283708137-4137571409-1000Core.job
- c:\users\Wes Net\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-09 20:43]
.
2013-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3521371533-283708137-4137571409-1000UA.job
- c:\users\Wes Net\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-09 20:43]
.
2013-10-20 c:\windows\Tasks\User_Feed_Synchronization-{8DB810DF-66F8-49A9-B2A3-59C87D2E4CF3}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.toast.net/start/
uInternet Settings,ProxyOverride = *.local
IE: MasterCook: Select Image - c:\program files\MasterCook 9\Web\MCIEContext.hta
Trusted Zone: download.microsoft
Trusted Zone: microsoft.com\update
Trusted Zone: update.microsoft
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Wes Net\AppData\Roaming\Mozilla\Firefox\Profiles\o8xqpqe8.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-47289770.sys
SafeBoot-82828558.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-20 00:06
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-10-20  00:11:46
ComboFix-quarantined-files.txt  2013-10-20 04:11
ComboFix2.txt  2013-10-17 04:55
.
Pre-Run: 194,346,020,864 bytes free
Post-Run: 194,280,820,736 bytes free
.
- - End Of File - - 9A828BCA9B5DA11E638977647AC3C62B
03BA8F890B47C0BE359A4D5A636D214D
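For anyone reading along and wanting to triage a log like the one above without eyeballing every line, here is a small Python helper. It is an added example, not part of this post and not ComboFix's own code. It parses the REGEDIT4-style "Reg Loading Points" section (key headers in square brackets, `"name"=value` lines, and the dated file lines ComboFix prints under `msconfig\startupreg`) and flags two things an analyst checks first: `DisableMonitoring=1` under `Security Center\Monitoring`, which tells Windows Security Center to stop reporting on a product, and autostart images that live in a user-writable location such as a profile's AppData. Both are "look here", not "infected": legitimate security suites and their uninstall leftovers (the Symantec subkeys above are a typical example) set the monitoring flag, and plenty of updaters such as Google Update run from AppData. The sample log is constructed from lines quoted in the post; the `Finding` type and the `triage` / `parse_sections` names are this example's own.

```python
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple

# Constructed sample: a handful of lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2013-10-07 681032]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-03-09 20:43 136176 ----atw- c:\users\Wes Net\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# ComboFix's dated file lines: date time size attributes path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} +\d+ +\S+ +(.+)$")
# ComboFix appends " [date size]" to Run entries; strip it to get the image path.
TRAILER_RE = re.compile(r"\s*\[\d{4}-\d{2}-\d{2} \d+\]$")
# Paths a non-admin user can write to (heuristic, assumption of this example).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\", re.I)


class Finding(NamedTuple):
    key: str
    name: str
    value: str
    reason: str


def dword(value: str) -> int:
    """Turn a REGEDIT4 'dword:00000001' literal into an int."""
    return int(value.split(":", 1)[1], 16)


def parse_sections(text: str) -> Iterator[Tuple[str, Optional[str], str]]:
    """Yield (key, value_name_or_None, value) from a ComboFix registry dump."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            value = TRAILER_RE.sub("", m.group(2).strip()).strip('"')
            yield key, m.group(1), value
            continue
        m = FILE_RE.match(line)
        if m:
            yield key, None, m.group(1)


def triage(text: str) -> List[Finding]:
    """Return entries an analyst should look at first, in log order."""
    findings: List[Finding] = []
    for key, name, value in parse_sections(text):
        lkey = key.lower()
        label = name or key.rsplit("\\", 1)[-1]
        if name == "DisableMonitoring" and "security center\\monitoring" in lkey:
            if dword(value) == 1:
                scope = key.rsplit("\\", 1)[-1]
                if scope.lower() == "monitoring":
                    scope = "all products"
                findings.append(Finding(key, label, value,
                    f"Security Center monitoring disabled for {scope}"))
        elif ("currentversion\\run" in lkey or "startupreg" in lkey) \
                and USER_WRITABLE.search(value):
            findings.append(Finding(key, label, value,
                "autostart image lives in a user-writable location"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.name} -> {f.value}")
```

Feed it the whole pasted log and extend `triage` with your own checks (for example, anything in `Trusted Zone:` lines or a `DhcpNameServer` outside your ISP's range); the point is to turn a 1600-line dump into a short list before deciding what to ask the helper about.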