
No internet access after running combofix


  • This topic is locked
7 replies to this topic

#1 TSJ

  • Members
  • 14 posts

Posted 17 October 2013 - 09:59 PM

I was helping a friend with his restaurant computer, which had many viruses on it. I used Malwarebytes to remove most of them, but the internet was painfully slow to open.

I then tried ComboFix, which has worked for me many times in the past. His computer will not connect to the internet now, and the network says it is an unidentified network and I cannot change that.

I re-ran ComboFix, so I do not have the internet toolbar that it got rid of. Internet Explorer was screaming fast until a reboot. Now it does not connect. I have attached the DDS log and also ran an FSS log too.

 

Any help would be greatly appreciated as this has caused his business to not be able to process credit card transactions!

 

Thank You

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16720
Run by rsi at 21:46:28 on 2013-10-17
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2012.1335 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\SPBA\upeksvr.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\MidniteExpress\SlipStream\mxSlipStream4.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Realtek\Audio\HDA\RtDCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\MidniteExpress\SlipStream\mxSlipStream4.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
dURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - c:\program files\yahoo!\companion\installs\cpn0\YTNavAssist.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtDCpl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [mxSlipStream] c:\midniteexpress\slipstream\mxSlipStream4.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_8_800_175_ActiveX.exe -update activex
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: DisableCAD = dword:1
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{CCE79221-5329-4700-995F-C1A092455F28} : NameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
Notify: spba - c:\program files\common files\spba\homefus2.dll
SSODL: WebCheck - <orphaned>
LSA: Authentication Packages =  msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-3-1 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 13624]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-6-1 47640]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-10-10 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-10-10 701512]
R2 mxSlipStream4;mxSlipStream 4 Service;c:\midniteexpress\slipstream\mxslipstream4.exe -service --> c:\midniteexpress\slipstream\mxSlipStream4.exe -service [?]
R2 SSIPDDP;SSIPDDP Parallel port device driver;c:\windows\system32\drivers\Ssipddp.sys [2011-6-1 52736]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2011-4-29 273448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-10-10 22856]
S2 anicup;wyswquv;c:\windows\system32\svchost.exe -k netsvcs [2009-7-13 20992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 dbgocgpr;Image Windows;c:\windows\system32\svchost.exe -k netsvcs [2009-7-13 20992]
S2 heufijeub;aptur;c:\windows\system32\svchost.exe -k netsvcs [2009-7-13 20992]
S2 mqhummv;Installer Server;c:\windows\system32\svchost.exe -k netsvcs [2009-7-13 20992]
S2 ztwqps;Network Boot;c:\windows\system32\svchost.exe -k netsvcs [2009-7-13 20992]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-20 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-6-1 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2013-10-18 01:04:56 60872 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{3d79e5f5-3e67-4b27-a3a5-5ee9bedba6fc}\offreg.dll
2013-10-17 23:18:33 -------- d-sh--w- C:\$RECYCLE.BIN
2013-10-17 22:20:42 98816 ----a-w- c:\windows\sed.exe
2013-10-17 22:20:42 256000 ----a-w- c:\windows\PEV.exe
2013-10-17 22:20:42 208896 ----a-w- c:\windows\MBR.exe
2013-10-15 21:43:46 7328304 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{3d79e5f5-3e67-4b27-a3a5-5ee9bedba6fc}\mpengine.dll
2013-10-15 18:09:27 76288 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-10-15 18:09:27 6016 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-10-15 18:09:27 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2013-10-15 18:09:27 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-10-15 18:09:27 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2013-10-15 18:09:27 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2013-10-15 18:09:27 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2013-10-14 08:04:00 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-10-14 07:02:31 1505280 ----a-w- c:\windows\system32\d3d11.dll
2013-10-13 08:08:27 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2013-10-13 08:07:58 903168 ----a-w- c:\windows\system32\certutil.exe
2013-10-13 08:06:57 133056 ----a-w- c:\windows\system32\drivers\ataport.sys
2013-10-13 07:52:41 47104 ----a-w- c:\windows\system32\appinfo.dll
2013-10-13 07:52:41 1796096 ----a-w- c:\windows\system32\authui.dll
2013-10-13 07:52:41 101720 ----a-w- c:\windows\system32\consent.exe
2013-10-13 07:05:39 -------- d-----w- c:\windows\system32\SPReview
2013-10-13 07:04:53 -------- d-----w- c:\windows\system32\EventProviders
2013-10-11 08:01:07 1699328 ----a-w- c:\windows\system32\esent.dll
2013-10-11 08:01:07 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2013-10-11 08:01:06 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2013-10-11 08:01:06 74240 ----a-w- c:\windows\system32\fsutil.exe
2013-10-11 08:01:06 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2013-10-11 08:01:06 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2013-10-11 08:01:06 148864 ----a-w- c:\windows\system32\drivers\storport.sys
2013-10-11 08:01:06 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2013-10-11 07:21:18 -------- d-----w- c:\windows\system32\MRT
2013-10-11 07:14:40 9728 ----a-w- c:\windows\system32\Wdfres.dll
2013-10-11 07:14:40 47720 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2013-10-11 07:13:51 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
2013-10-11 07:13:51 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2013-10-11 07:13:51 613888 ----a-w- c:\windows\system32\WUDFx.dll
2013-10-11 07:13:51 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2013-10-11 07:13:51 196608 ----a-w- c:\windows\system32\WUDFHost.exe
2013-10-11 07:13:51 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
2013-10-11 07:13:51 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2013-10-11 07:13:26 5120 ----a-w- c:\windows\system32\wmi.dll
2013-10-11 07:13:26 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-10-11 07:13:25 159232 ----a-w- c:\windows\system32\imagehlp.dll
2013-10-11 01:09:14 317440 ----a-w- c:\windows\system32\spoolsv.exe
2013-10-11 01:09:08 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-10-11 01:09:01 626688 ----a-w- c:\windows\system32\usp10.dll
2013-10-11 01:08:54 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-10-11 01:08:15 376832 ----a-w- c:\windows\system32\dpnet.dll
2013-10-11 01:08:14 2560 ----a-w- c:\windows\system32\dpnaddr.dll
2013-10-11 01:07:48 196328 ----a-w- c:\windows\system32\drivers\fvevol.sys
2013-10-11 01:07:47 708608 ----a-w- c:\program files\common files\system\wab32.dll
2013-10-11 01:07:44 69632 ----a-w- c:\windows\system32\smss.exe
2013-10-11 01:07:44 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-10-11 01:07:00 75776 ----a-w- c:\windows\system32\psisrndr.ax
2013-10-11 01:07:00 72704 ----a-w- c:\windows\system32\Mpeg2Data.ax
2013-10-11 01:07:00 59904 ----a-w- c:\windows\system32\MSDvbNP.ax
2013-10-11 01:07:00 465408 ----a-w- c:\windows\system32\psisdecd.dll
2013-10-11 01:07:00 204288 ----a-w- c:\windows\system32\MSNP.ax
2013-10-11 01:05:57 36864 ----a-w- c:\windows\system32\tsgqec.dll
2013-10-11 01:05:57 3217408 ----a-w- c:\windows\system32\mstscax.dll
2013-10-11 01:05:57 131584 ----a-w- c:\windows\system32\aaclient.dll
2013-10-11 01:05:34 1389568 ----a-w- c:\windows\system32\msxml6.dll
2013-10-11 01:05:02 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2013-10-11 01:05:02 187752 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2013-10-11 01:05:01 67072 ----a-w- c:\windows\system32\packager.dll
2013-10-11 01:04:59 666624 ----a-w- c:\windows\system32\mssvp.dll
2013-10-11 01:04:59 427520 ----a-w- c:\windows\system32\SearchIndexer.exe
2013-10-11 01:04:59 337408 ----a-w- c:\windows\system32\mssph.dll
2013-10-11 01:04:59 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2013-10-11 01:04:59 1549312 ----a-w- c:\windows\system32\tquery.dll
2013-10-11 01:04:59 1401344 ----a-w- c:\windows\system32\mssrch.dll
2013-10-11 01:04:58 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe
2013-10-11 01:04:58 59392 ----a-w- c:\windows\system32\msscntrs.dll
2013-10-11 01:04:58 197120 ----a-w- c:\windows\system32\mssphtb.dll
2013-10-11 01:03:14 805376 ----a-w- c:\windows\system32\cdosys.dll
2013-10-11 01:03:14 352256 ----a-w- c:\program files\common files\system\ado\msadomd.dll
2013-10-11 01:03:14 1019904 ----a-w- c:\program files\common files\system\ado\msado15.dll
2013-10-11 01:03:13 57344 ----a-w- c:\program files\common files\system\ado\msador15.dll
2013-10-11 01:03:13 372736 ----a-w- c:\program files\common files\system\ado\msadox.dll
2013-10-11 01:03:13 212992 ----a-w- c:\program files\common files\system\msadc\msadco.dll
2013-10-11 01:03:13 143360 ----a-w- c:\program files\common files\system\ado\msjro.dll
2013-10-11 01:02:57 400896 ----a-w- c:\windows\system32\srcore.dll
2013-10-11 01:02:57 262656 ----a-w- c:\windows\system32\rstrui.exe
2013-10-11 01:02:56 102912 ----a-w- c:\windows\system32\browser.dll
2013-10-11 01:02:55 41984 ----a-w- c:\windows\system32\browcli.dll
2013-10-11 01:02:54 534528 ----a-w- c:\windows\system32\EncDec.dll
2013-10-11 01:00:08 514560 ----a-w- c:\windows\system32\qdvd.dll
2013-10-11 01:00:08 1328128 ----a-w- c:\windows\system32\quartz.dll
2013-10-11 00:58:59 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2013-10-11 00:58:59 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2013-10-11 00:58:59 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2013-10-11 00:58:56 690688 ----a-w- c:\windows\system32\msvcrt.dll
2013-10-11 00:58:55 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2013-10-11 00:58:52 28672 ----a-w- c:\windows\system32\profprov.dll
2013-10-11 00:58:52 164352 ----a-w- c:\windows\system32\profsvc.dll
2013-10-11 00:58:50 78336 ----a-w- c:\windows\system32\synceng.dll
2013-10-11 00:58:49 769024 ----a-w- c:\windows\system32\localspl.dll
2013-10-11 00:58:48 30208 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\winprint.dll
2013-10-11 00:58:43 442880 ----a-w- c:\windows\system32\ntshrui.dll
2013-10-11 00:51:13 -------- d-----w- c:\users\rsi\appdata\local\Diagnostics
2013-10-11 00:21:04 826880 ----a-w- c:\windows\system32\rdpcore.dll
2013-10-11 00:21:04 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2013-10-11 00:21:04 18432 ----a-w- c:\windows\system32\drivers\tdpipe.sys
2013-10-10 22:33:07 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-10-10 22:33:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-10-10 22:32:47 -------- d-----w- c:\users\rsi\appdata\local\Programs
2013-10-10 22:31:05 -------- d-----w- c:\users\rsi\appdata\roaming\Malwarebytes
2013-10-10 22:31:05 -------- d-----w- c:\programdata\Malwarebytes
2013-10-10 17:47:52 2422272 ----a-w- c:\windows\system32\wucltux.dll
2013-10-10 17:47:36 88576 ----a-w- c:\windows\system32\wudriver.dll
2013-10-10 17:47:09 33792 ----a-w- c:\windows\system32\wuapp.exe
2013-10-10 17:47:09 171904 ----a-w- c:\windows\system32\wuwebv.dll
2013-10-07 00:35:34 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-07 00:35:34 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M  ====================
.
2013-10-13 07:12:24 152576 ----a-w- c:\windows\system32\msclmd.dll
2013-09-14 00:48:58 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2013-09-08 02:07:12 1294272 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-09-08 02:03:58 231424 ----a-w- c:\windows\system32\mswsock.dll
2013-08-29 01:51:45 3969472 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-29 01:51:45 3914176 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-29 01:50:30 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-08-29 01:50:16 619520 ----a-w- c:\windows\system32\tdh.dll
2013-08-29 01:48:17 640512 ----a-w- c:\windows\system32\advapi32.dll
2013-08-28 01:04:30 2348544 ----a-w- c:\windows\system32\win32k.sys
2013-08-28 00:57:20 434688 ----a-w- c:\windows\system32\scavengeui.dll
2013-08-07 08:22:04 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-08-02 01:50:36 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-08-02 01:49:19 293376 ----a-w- c:\windows\system32\KernelBase.dll
2013-08-02 00:52:57 271360 ----a-w- c:\windows\system32\conhost.exe
2013-08-02 00:43:05 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-08-01 11:03:36 729024 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-07-25 08:57:27 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-20 10:33:12 102608 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
.
============= FINISH: 21:47:58.30 ===============

 

 

Farbar Service Scanner Version: 13-09-2013
Ran by rsi (administrator) on 17-10-2013 at 21:06:01
Running from "C:\Users\RSI\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============
Checking ServiceDll of RemoteAccess: ATTENTION!=====> Unable to retrieve ServiceDll of RemoteAccess. The value does not exist.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2013-10-13 04:09] - [2013-09-13 20:48] - 0338944 ____A (Microsoft Corporation) F81BB7E487EDCEAB630A7EE66CF23913

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-10-13 04:09] - [2013-09-07 22:07] - 1294272 ____A (Microsoft Corporation) CA59F7C570AF70BC174F477CFE2D9EE3

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2013-10-13 04:09] - [2013-07-09 00:46] - 0140288 ____A (Microsoft Corporation) 7CA1BECEA5DE2643ADDAD32670E7A4C9

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****
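The two findings in the FSS log above that matter for triage are the RemoteAccess service with no ServiceDll value and the StandardProfile key with EnableFirewall=0. The DDS log also lists five auto-start (S2) services with non-standard names (anicup, dbgocgpr, heufijeub, mqhummv, ztwqps) whose ImagePath is plain svchost.exe -k netsvcs; DDS does not print the Parameters\ServiceDll that tells you what such an entry actually loads. The script below is an added example for this thread, not code from the original post and not part of DDS, FSS or ComboFix. It reproduces those two checks on a live host. It assumes it is run from an elevated PowerShell on the affected Windows 7 machine, and its "DLL outside %SystemRoot%" test is a triage heuristic of mine, not proof of anything.

```powershell
# Added example for this thread; not code from the original post, nor from DDS, FSS or ComboFix.
# Re-creates on a live host two of the checks whose results appear in the FSS log above:
#   1. every svchost-hosted service should have a Parameters\ServiceDll that exists on disk
#      (FSS reported "Unable to retrieve ServiceDll of RemoteAccess" for this machine);
#   2. the firewall profile keys FSS listed should not carry EnableFirewall=0.
# Assumptions: run from an elevated PowerShell on the affected Windows 7 machine; the
# "DLL outside %SystemRoot%" test is a triage heuristic, not proof of malware.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SvchostServiceFindings {
    # One record per svchost-hosted service, with a Status of 'ok' or a finding code.
    $findings = @()
    $hosted = Get-WmiObject Win32_Service |
        Where-Object { $_.PathName -match 'svchost\.exe\s+-k\s+\S+' }

    foreach ($svc in $hosted) {
        $null = $svc.PathName -match '-k\s+(\S+)'
        $group = $Matches[1]                       # e.g. netsvcs, LocalSystemNetworkRestricted

        $paramsKey = Join-Path $ServicesKey "$($svc.Name)\Parameters"
        $dll = $null
        if (Test-Path $paramsKey) {
            $dll = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServiceDll
        }

        $status = 'ok'
        if (-not $dll) {
            # svchost has nothing to load for this entry; this is what FSS could not retrieve
            $status = 'NO_SERVICEDLL'
        } else {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not (Test-Path $path)) {
                $status = 'DLL_MISSING'
            } elseif ($path -notlike "$env:SystemRoot\*") {
                # Heuristic (assumption): Windows' own hosted service DLLs live under %SystemRoot%
                $status = 'DLL_OUTSIDE_SYSTEMROOT'
            }
        }

        $findings += New-Object PSObject -Property @{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            Group       = $group
            StartMode   = $svc.StartMode
            ServiceDll  = $dll
            Status      = $status
        }
    }
    return $findings
}

function Get-FirewallPolicyFindings {
    # Reads the same key FSS printed under "Firewall Disabled Policy", for every profile.
    $policyRoot = Join-Path $ServicesKey 'SharedAccess\Parameters\FirewallPolicy'
    $findings = @()
    foreach ($profileName in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $key = Join-Path $policyRoot $profileName
        if (-not (Test-Path $key)) { continue }
        $enabled = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableFirewall
        if ($enabled -eq 0) {
            $findings += "$profileName : EnableFirewall=0 (Windows Firewall is off for this profile)"
        }
    }
    return $findings
}

# Usage: list only the hosted services that need a second look, then the firewall state.
Get-SvchostServiceFindings |
    Where-Object { $_.Status -ne 'ok' } |
    Format-Table Name, DisplayName, Group, StartMode, Status -AutoSize
Get-FirewallPolicyFindings

# To turn the firewall back on for all profiles once the machine is clean:
#   netsh advfirewall set allprofiles state on
```

On this machine the RemoteAccess entry would come back as NO_SERVICEDLL, matching the FSS line, and the five random-named S2 services would appear in the same table with whatever their ServiceDll values turn out to be. A hit is a lead for the helper handling the log, not an instruction to delete the service; the thread's own advice against acting without guidance still applies. The script deliberately does not call Get-AuthenticodeSignature: on Windows 7 that cmdlet does not consult the system catalogs, so most legitimate System32 DLLs would report as unsigned and the result would be noise rather than signal.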

 


#2 Oseyerus13

  • Members
  • 503 posts

Posted 21 October 2013 - 08:16 AM

Hi TSJ,
I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

 

Oseyerus13



#3 Oseyerus13

  • Members
  • 503 posts

Posted 23 October 2013 - 11:19 AM

Hello TSJ,

Welcome to Bleeping Computer.
My name is Oseyerus13 and I will be helping you with your malware problem.

Please take note of some guidelines for this fix:

  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Please follow the instructions below so we can start removing the malware.

 

Firstly, you should never run Combofix without the support of a trained malware removal expert. Combofix is a very powerful program, and can potentially do significant damage to a computer, even making the computer unbootable, if it is used incorrectly.

 

That being said, now that you have run Combofix, we need to review BOTH logs from the scans you have run.

 

Please include the C:\ComboFix.txt, as well as any of the logs in the C:\qoobox\ folder, in your next reply for further review. Examples of logs you might find are listed below.

C:\qoobox\ComboFix2.txt 2009-12-29 17:07:26
C:\qoobox\ComboFix3.txt 2009-12-27 20:42:53
C:\qoobox\ComboFix4.txt 2009-12-27 15:56:10
C:\qoobox\ComboFix5.txt 2009-12-27 15:33:58

 

Please include BOTH in your reply.

 

Oseyerus13



#4 TSJ

  • Topic Starter
  • Members
  • 14 posts

Posted 24 October 2013 - 07:49 PM

Unfortunately I had to do a system restore back to a day before I made changes. I had to do this since the person could not process credit card batches and get the restaurant paid.
This being said, I did run Malwarebytes and this time it found nothing. There was a toolbar that was removed by ComboFix, but it was put back by the restore, so I manually removed it and its toolbar helper add-in in Explorer.

So I can send you the files you have asked for, but since I did a system restore, is there anything else you would like me to send you?

I am traveling out of state tomorrow and will not be able to get the files for you until Monday.

#5 TSJ

  • Topic Starter
  • Members
  • 14 posts

Posted 24 October 2013 - 07:51 PM

The system is processing credit cards and the internet has a connection. The browser is now the only thing behaving badly. It opens but the circle keeps spinning and no page is brought up. Unless you open in Private mode. Then you get a chance to get to the options screen, but as soon as you type in an address it sits and spins.

#6 Oseyerus13

  • Members
  • 503 posts

Posted 28 October 2013 - 07:30 PM

We still need to review ALL logs from the ComboFix scans you have run.

 

Please include the C:\ComboFix.txt, as well as any of the logs in the C:\qoobox\ folder, in your next reply for further review. Examples of logs you might find are listed below.

C:\qoobox\ComboFix2.txt 2009-12-29 17:07:26
C:\qoobox\ComboFix3.txt 2009-12-27 20:42:53
C:\qoobox\ComboFix4.txt 2009-12-27 15:56:10
C:\qoobox\ComboFix5.txt 2009-12-27 15:33:58

 

Please include BOTH in your reply.

 

Next, please download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.pif

  • Double click on the DDS icon, allow it to run.
  • Click on Start.
  • After the scan has finished, confirm the message with Ok.
  • DDS will automatically open the logfile.
  • You can find the logfile on your desktop as well.
  • Please post the content of that logfile with your next answer.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

 

Please post all of the logs (all the ComboFix ones from when the user started having the problem and the DDS log) in your next reply.

 

Oseyerus13



#7 Oseyerus13

  • Members
  • 503 posts

Posted 02 November 2013 - 09:58 AM

Have you been able to run the scans or get the logs?



#8 schrauber

  • Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Location: Munich, Germany

Posted 08 November 2013 - 02:01 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
regards,
schrauber




