
Possible MalWare - Cannot Install TFC, DDS, etc due to "missing" temp folder


This topic is locked. 33 replies to this topic.

#1 jac335 (Members, 59 posts)

Posted 18 January 2014 - 01:01 PM

Hello,

I think my laptop (Windows 7 64-bit) may be infected. I cannot install programs such as Temporary File Cleaner, DDS, TN PageDefrag. I receive an error: "Error writing temporary file. Make sure your temp folder is valid."

I have checked using Windows Explorer, and both the C:\Users\[user name]\AppData and C:\Windows\Temp folders exist. They may have been corrupted, but they are there.

Also, according to the Windows Action Center (in Control Panel), my antivirus program (McAfee) is turned off. However, when I open McAfee, it says it is turned on. Please see attached screenshots. Is Windows not recognizing my antivirus software? Am I vulnerable to (further) infection?

I do not know how to clean my PC and possibly rid it of any malware, since I cannot install these programs.

Please help!

J


#2 HelpBot (Bleepin' Binary Bot, Bots, 12,769 posts)

Posted 23 January 2014 - 01:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/521236 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 jac335 (Topic Starter)

Posted 23 January 2014 - 11:09 PM

Hello, and thanks for the response.

1. I have completed the survey; I do still require assistance.

2. I CANNOT run DDS. I have downloaded the program from the link above, but when I try to run the program, I receive the error: "Error writing temporary file: make sure your temp folder is valid" (see attached screenshot of this error).

I have checked using Windows Explorer, and both the C:\Users\[user name]\AppData and C:\Windows\Temp folders exist. They may have been corrupted, but they are there.

Also, according to the Windows Action Center (in Control Panel), my antivirus program (McAfee) is turned off. However, when I open McAfee, it says it is turned on. Please see attached screenshots. Is Windows (Windows 7, 64-bit) not recognizing my antivirus software? Am I vulnerable to (further) infection?

I do not know how to clean my PC and possibly rid it of any malware, since I cannot install DDS or other programs. Is there a way we can manually re-create the "missing" temp folder so that I can install these diagnostic programs?

3. No, I do not have a Windows installation CD, but I do have several system restore points.

Thanks,

J
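Both of jac335's posts above describe the same two symptoms: the Temp folders are visible in Explorer yet installers refuse to write a temporary file, and Action Center disagrees with the McAfee console. The script below is an added example (the editor's, not something posted in this thread and not part of DDS, FRST or McAfee) of the checks a responder runs before recreating anything. It prints what TEMP and TMP resolve to in each scope, probes whether the resolved directory can actually be written, lists its ACL, and queries the Security Center WMI provider that Action Center reads. It assumes Windows 7 with PowerShell 2.0 run from an elevated prompt; nothing in it is specific to this machine.

```powershell
# Added example (editor's, not from the thread): diagnose
# "Error writing temporary file. Make sure your temp folder is valid".
# Installers take the temp directory from the TEMP/TMP variables, so
# "the folder exists in Explorer" is not the same as "TEMP points at a
# folder this account can write to". Assumes Windows 7 / PowerShell 2.0, elevated.

# 1. What does each scope say the temp directory is? (User and Machine values
#    come from the registry; Process is what this shell actually inherited.)
foreach ($scope in 'Process', 'User', 'Machine') {
    foreach ($name in 'TEMP', 'TMP') {
        $value = [Environment]::GetEnvironmentVariable($name, $scope)
        "{0,-8} {1,-5} = {2}" -f $scope, $name, $value
    }
}
"Resolved by .NET (what installers end up using): " + [IO.Path]::GetTempPath()

# 2. Does the resolved path exist, and can this account create a file in it?
function Test-TempWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return "MISSING: $Path"
    }
    $probe = Join-Path $Path ("probe_{0}.tmp" -f [Guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, "x")
        Remove-Item -LiteralPath $probe -Force
        return "OK: $Path is writable"
    } catch {
        return "NOT WRITABLE: $Path ($($_.Exception.Message))"
    }
}
Test-TempWritable ([IO.Path]::GetTempPath())
Test-TempWritable "$env:windir\Temp"

# 3. Who is allowed to write there? A stripped ACL is a common reason step 2 fails.
(Get-Acl -Path ([IO.Path]::GetTempPath())).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# 4. What does Action Center see? It reads the Security Center WMI provider,
#    which is independent of what the McAfee console itself displays.
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct |
    Select-Object displayName,
        @{ Name = 'productState(hex)'; Expression = { '0x{0:X6}' -f $_.productState } },
        pathToSignedProductExe |
    Format-Table -AutoSize
```

The installer's message comes from its own temp-file check, so a TEMP variable that points at a deleted or renamed path, or a Temp directory whose ACL no longer grants the user write access, produces exactly that error while C:\Windows\Temp sits untouched in Explorer. On Windows 7 the per-user default is %USERPROFILE%\AppData\Local\Temp; if step 2 reports it MISSING, `New-Item -ItemType Directory -Path "$env:USERPROFILE\AppData\Local\Temp"` followed by `[Environment]::SetEnvironmentVariable('TEMP', "$env:USERPROFILE\AppData\Local\Temp", 'User')` (and the same for TMP) restores it after a log-off. Two caveats: the usual reading of productState (middle byte 0x10 meaning real-time protection on, 0x00 off) is a community convention rather than anything Microsoft documents, so treat it as a hint to compare against the McAfee console; and repairing TEMP only unblocks the diagnostic tools, it removes nothing, so the log-gathering step still has to follow.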



#4 nasdaq (Malware Response Team, 40,752 posts, Montreal, QC. Canada)

Posted 26 January 2014 - 09:08 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Try this tool and post the log if you can.

Download correct tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===
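Reading FRST.txt once it exists: as an added example (the editor's, not part of nasdaq's instructions and not a feature of FRST), the function below pulls out the lines a Malware Response Team helper reads first. Two of its rules are FRST's own markers (`<==== ATTENTION` and `[X]` / `No File` on orphaned entries); the other three (zero-byte service or driver files, entries started from a Temp directory, and eight-character lowercase names containing a digit) are this script's heuristics and nothing more. The sample lines are copied from the log posted later in this thread to show the format; a match is a prompt to look, not a verdict.

```powershell
# Added example (editor's, not part of the thread or of FRST): first-pass filter
# over an FRST.txt. Only the first two rules are FRST's own markers; the other
# three are heuristics of this script. Works on Windows 7 / PowerShell 2.0.

function Get-FrstSuspects {
    param([string[]]$Lines)

    $rules = @(
        @{ Why = 'marked by FRST (<==== ATTENTION)';    Pattern = '<==== ATTENTION' }
        @{ Why = 'orphaned entry (No File / [X])';      Pattern = 'No File|\[[Xx]\]' }
        @{ Why = 'heuristic: zero-byte service/driver'; Pattern = '^[RSU]\d .*\[0 \]' }
        @{ Why = 'heuristic: started from a Temp dir';  Pattern = '(?i)\\Temp\\' }
        # eight lowercase letters/digits with at least one digit, e.g. "afwz5oqi"
        @{ Why = 'heuristic: random-looking name';      Pattern = '^[RSU]\d (?=[a-z0-9]{8};)[a-z]*\d' }
    )

    $n = 0
    foreach ($line in $Lines) {
        $n++
        foreach ($r in $rules) {
            # -cmatch is case-sensitive, so [a-z] really means lowercase here
            if ($line -cmatch $r.Pattern) {
                New-Object PSObject -Property @{ Line = $n; Why = $r.Why; Text = $line.Trim() }
            }
        }
    }
}

# Sample input: five lines copied from the FRST.txt posted further down in this thread.
$sample = @'
HKCU\...409d6c4515e9\InprocServer32: [Default-shell32]  <==== ATTENTION!
BHO: No Name - {DBC80044-A445-435b-BC74-9C25C1C588A9} -  No File
R2 mfevtp; C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe [184800 2013-12-05] (McAfee, Inc.)
S2 0231551390618964mcinstcleanup; C:\Windows\TEMP\023155~1.EXE -cleanup -nolog [x]
U3 afwz5oqi; C:\Windows\System32\Drivers\afwz5oqi.sys [0 ] (Advanced Micro Devices)
'@ -split "`r?`n"

Get-FrstSuspects -Lines $sample | Select-Object Line, Why, Text | Format-Table -AutoSize -Wrap
```

On the sample, the McAfee service line (line 3) produces no rows, the `mcinstcleanup` line hits both the orphan and the Temp-directory rules, and the `afwz5oqi` driver hits both the zero-byte and the random-name rules. For a real log run `Get-FrstSuspects (Get-Content "$env:USERPROFILE\Desktop\FRST.txt")`. Expect noise: an uninstaller that forgot a BHO or a ShellExecuteHook leaves a harmless `No File` entry, and installers legitimately run cleanup steps from Temp. The entries worth the helper's attention are the ones that hit several rules at once, which is why the output keeps one row per rule per line instead of de-duplicating.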

#5 jac335 (Topic Starter)

Posted 26 January 2014 - 04:34 PM

Hello nasdaq.

There is an issue with this Farbar scan. I can download and run it; however, it does NOT generate the two .txt log files. Instead, it begins to scan and then produces a few errors (see attached screenshots).

When the scan gets to the "Scanning firefox: extensions" step, it creates an error: "cannot create shortcut here, place it on the desktop instead?" When I click yes, another error is generated: "Cannot create error, check to see if disk is full". I am not sure what this means: I have about 147 GB of free space on my hard drive; it is far from full.

The scan takes a long time (~2 mins) at the "Scanning Chrome: Plug-ins" step. As far as I know, I do not even have any Chrome plugins installed (at least none that I have installed intentionally).

When the scan finishes, it generates a pop-up: "Scan completed, the FRST.txt is saved in the same location FRST tool is run." However, when I open that location (I saved Farbar to a folder on my Desktop), there is no .txt file in there; there is only the FRST .exe file. I then get another error: "Cannot find location of Addition.txt, do you wish to create another one?" and then a BLANK .txt file opens (no log is generated). Please see the attached screenshot of this.

Please let me know what I can do to get these logs to save correctly so I can give them to you.

Thanks for your help,

J


#6 jac335 (Topic Starter)

Posted 26 January 2014 - 04:49 PM

nasdaq,

I moved the frst.exe file onto the desktop rather than into a folder on the desktop. I was able to save the logs. Below is the FRST.txt log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-01-2014 02
Ran by Jake (administrator) on JAKE-PC on 26-01-2014 16:43:18
Running from C:\Users\Jake\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_58afa5ca50c7b5e7\stacsv64.exe
(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\BCMWLTRY.EXE
(Andrea Electronics Corporation) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_58afa5ca50c7b5e7\AESTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfevtps.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\AMCore\mcshield.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Google Inc.) C:\Users\Jake\AppData\Local\Google\Update\GoogleUpdate.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(SupportSoft, Inc.) C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunes.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(McAfee, Inc.) C:\Program Files\mcafee\msm\McSmtFwk.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McUICnt.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe
(McAfee, Inc.) C:\Program Files\mcafee\virusscan\mcods.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-17] (IDT, Inc.)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1890088 2010-03-17] (Synaptics Incorporated)
HKLM\...\Run: [Broadcom Wireless Manager UI] - C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5712896 2010-02-03] (Dell Inc.)
HKLM\...\Run: [asetup] - ",RESTORE
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2009-12-23] (Intel Corporation)
HKLM-x32\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [537512 2013-09-24] (McAfee, Inc.)
HKLM-x32\...\Run: [dellsupportcenter] - C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-09-17] (Apple Inc.)
HKLM-x32\...\Run: [mcpltui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [537512 2013-09-24] (McAfee, Inc.)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKCU\...\Run: [Google Update] - C:\Users\Jake\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-01-06] (Google Inc.)
HKCU\...409d6c4515e9\InprocServer32: [Default-shell32]  <==== ATTENTION!
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL = http://websearch.ask.com/redirect?client=ie&tb=BT5&o=&src=crm&q={searchTerms}&locale=
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: No Name - {DBC80044-A445-435b-BC74-9C25C1C588A9} -  No File
BHO-x32: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files\mcafee\msc\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files (x86)\McAfee\msc\McSnIePl.dll (McAfee, Inc.)
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
ShellExecuteHooks-x32:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
 
FireFox:
========
FF ProfilePath: C:\Users\Jake\AppData\Roaming\Mozilla\Firefox\Profiles\z1r4vz71.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_9_900_170.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @mcafee.com/MSC,version=10 - c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.3 - C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll (Wacom)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @divx.com/DivX Web Player Plug-In,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.5.1 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.5.1 - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 - c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.3 - C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll (Wacom)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\Jake\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\Jake\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Users\Jake\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Jake\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Jake\AppData\Local\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Jake\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin HKCU: wacom.com/WacomTabletPlugin - C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll (Wacom)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Jake\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Jake\AppData\Roaming\mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin ProgramFiles/Appdata: C:\Users\Jake\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
FF Extension: NoScript - C:\Users\Jake\AppData\Roaming\Mozilla\Firefox\Profiles\z1r4vz71.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2011-12-20]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-12-05]
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-12-05]
 
Chrome: 
=======
CHR Extension: (Google Wallet) - C:\Users\Jake\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-30]
CHR StartMenuInternet: Google Chrome - C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) =================
 
R2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_58afa5ca50c7b5e7\AESTSr64.exe [89600 2010-03-17] (Andrea Electronics Corporation)
S3 BITCOMET_HELPER_SERVICE; C:\Program Files (x86)\BitComet\tools\BitCometService.exe [1296728 2010-12-28] (www.BitComet.com)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178048 2013-11-28] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [602944 2013-08-02] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1025232 2013-11-26] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219272 2013-12-05] (McAfee, Inc.)
R2 mfevtp; C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe [184800 2013-12-05] (McAfee, Inc.)
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_58afa5ca50c7b5e7\STacSV64.exe [244736 2010-03-17] (IDT, Inc.)
R2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [5088256 2010-02-03] (Dell Inc.)
R2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [621336 2013-12-04] (Wacom Technology, Corp.)
S2 0231551390618964mcinstcleanup; C:\Windows\TEMP\023155~1.EXE -cleanup -nolog [x]
 
==================== Drivers (Whitelisted) ====================
 
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-12-05] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
R2 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179792 2013-12-05] (McAfee, Inc.)
R2 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311120 2013-12-05] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [519576 2013-12-05] (McAfee, Inc.)
R2 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [782616 2013-12-05] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [411944 2013-11-26] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [96112 2013-11-26] (McAfee, Inc.)
R2 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [343696 2013-12-05] (McAfee, Inc.)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [513080 2011-07-09] ()
U3 afwz5oqi; C:\Windows\System32\Drivers\afwz5oqi.sys [0 ] (Advanced Micro Devices)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-01-26 16:43 - 2014-01-26 16:43 - 00017723 _____ C:\Users\Jake\Desktop\FRST.txt
2014-01-26 16:43 - 2014-01-26 16:43 - 00000000 ____D C:\FRST
2014-01-26 16:42 - 2014-01-26 14:49 - 02078208 _____ (Farbar) C:\Users\Jake\Desktop\FRST64.exe
2014-01-26 14:50 - 2014-01-26 16:35 - 00000000 ____D C:\Users\Jake\Desktop\farbar
2014-01-21 15:58 - 2013-09-23 13:49 - 00197704 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\HipShieldK.sys
2014-01-19 16:16 - 2014-01-19 16:16 - 00000000 ____D C:\Users\Jake\.android
2014-01-19 16:11 - 2014-01-19 16:16 - 00000000 ____D C:\Users\Jake\AppData\Roaming\WTablet
2014-01-19 16:05 - 2014-01-19 16:05 - 00000000 ____D C:\Program Files\TabletPlugins
2014-01-19 16:05 - 2014-01-19 16:05 - 00000000 ____D C:\Program Files (x86)\TabletPlugins
2014-01-19 16:04 - 2014-01-19 16:04 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_wacomrouterfilter_01009.Wdf
2014-01-19 16:04 - 2014-01-19 16:04 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_wachidrouter_01009.Wdf
2014-01-19 16:04 - 2014-01-19 16:04 - 00000000 ____D C:\Program Files\Tablet
2014-01-19 16:04 - 2013-12-04 11:35 - 01945880 _____ (Wacom Technology, Corp.) C:\Windows\system32\Wacom_Tablet.dll
2014-01-19 16:04 - 2013-12-04 11:35 - 01938712 _____ (Wacom Technology, Corp.) C:\Windows\system32\Wacom_Touch_Tablet.dll
2014-01-19 16:04 - 2013-12-04 11:35 - 01808152 _____ (Wacom Technology, Corp.) C:\Windows\system32\Wintab32.dll
2014-01-19 16:04 - 2013-12-04 11:35 - 01805080 _____ (Wacom Technology, Corp.) C:\Windows\system32\WacomMT.dll
2014-01-19 16:04 - 2013-12-04 11:35 - 01604376 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\Wacom_Tablet.dll
2014-01-19 16:04 - 2013-12-04 11:35 - 01596696 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\Wacom_Touch_Tablet.dll
2014-01-19 16:04 - 2013-12-04 11:35 - 01483032 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\Wintab32.dll
2014-01-19 16:04 - 2013-12-04 11:35 - 01479960 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\WacomMT.dll
2014-01-19 16:04 - 2013-11-11 19:16 - 00090424 _____ (Wacom Technology) C:\Windows\system32\Drivers\wachidrouter.sys
2014-01-19 16:04 - 2013-11-11 19:16 - 00015160 _____ (Wacom Technology) C:\Windows\system32\Drivers\wacomrouterfilter.sys
2014-01-19 16:04 - 2013-11-11 19:16 - 00014136 _____ (Windows ® Win 7 DDK provider) C:\Windows\system32\Drivers\hidkmdf.sys
2014-01-19 16:04 - 2012-12-11 17:12 - 01721576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\wdfcoinstaller01009.dll
2014-01-19 10:56 - 2014-01-19 10:56 - 00000000 ____D C:\Users\Jake\Desktop\DCMA Moorestown App
2014-01-14 20:38 - 2013-11-26 20:41 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2014-01-14 20:38 - 2013-11-26 20:41 - 00325120 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2014-01-14 20:38 - 2013-11-26 20:41 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2014-01-14 20:38 - 2013-11-26 20:41 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2014-01-14 20:38 - 2013-11-26 20:41 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2014-01-14 20:38 - 2013-11-26 20:41 - 00025600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2014-01-14 20:38 - 2013-11-26 20:41 - 00007808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2014-01-14 20:38 - 2013-11-26 06:40 - 00376768 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2014-01-14 20:38 - 2013-11-26 05:32 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-01-09 21:32 - 2014-01-09 21:32 - 00000000 ____D C:\Users\Jake\AppData\Local\{89014221-65C5-4CDD-9119-511C210D1232}
2014-01-08 21:27 - 2014-01-08 21:27 - 00000000 ____D C:\Users\Jake\AppData\Local\{667A46E6-2D39-4AC8-97E2-C66C6AA11369}
 
==================== One Month Modified Files and Folders =======
 
2014-01-26 16:43 - 2014-01-26 16:43 - 00017723 _____ C:\Users\Jake\Desktop\FRST.txt
2014-01-26 16:43 - 2014-01-26 16:43 - 00000000 ____D C:\FRST
2014-01-26 16:38 - 2011-12-09 00:02 - 01905513 _____ C:\Windows\WindowsUpdate.log
2014-01-26 16:35 - 2014-01-26 14:50 - 00000000 ____D C:\Users\Jake\Desktop\farbar
2014-01-26 14:49 - 2014-01-26 16:42 - 02078208 _____ (Farbar) C:\Users\Jake\Desktop\FRST64.exe
2014-01-24 22:04 - 2009-07-13 23:45 - 00013872 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-24 22:04 - 2009-07-13 23:45 - 00013872 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-24 22:03 - 2009-07-14 00:13 - 00730532 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-24 21:57 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-24 18:55 - 2011-12-11 00:08 - 00000000 ____D C:\Users\Jake\AppData\Roaming\Mozilla
2014-01-23 21:47 - 2011-12-09 01:04 - 00000000 ____D C:\Users\Jake\Desktop\fix
2014-01-23 20:51 - 2010-08-10 18:54 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2014-01-19 16:16 - 2014-01-19 16:16 - 00000000 ____D C:\Users\Jake\.android
2014-01-19 16:16 - 2014-01-19 16:11 - 00000000 ____D C:\Users\Jake\AppData\Roaming\WTablet
2014-01-19 16:16 - 2010-08-10 18:24 - 00000000 ____D C:\Users\Jake
2014-01-19 16:05 - 2014-01-19 16:05 - 00000000 ____D C:\Program Files\TabletPlugins
2014-01-19 16:05 - 2014-01-19 16:05 - 00000000 ____D C:\Program Files (x86)\TabletPlugins
2014-01-19 16:04 - 2014-01-19 16:04 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_wacomrouterfilter_01009.Wdf
2014-01-19 16:04 - 2014-01-19 16:04 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_wachidrouter_01009.Wdf
2014-01-19 16:04 - 2014-01-19 16:04 - 00000000 ____D C:\Program Files\Tablet
2014-01-19 10:56 - 2014-01-19 10:56 - 00000000 ____D C:\Users\Jake\Desktop\DCMA Moorestown App
2014-01-18 16:28 - 2010-08-11 09:46 - 00000000 ____D C:\Users\Jake\Documents\Resume Stuff
2014-01-18 13:03 - 2011-09-08 19:36 - 00000000 ____D C:\Users\Jake\Documents\NEU
2014-01-18 11:12 - 2013-02-25 17:00 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-18 11:12 - 2011-01-06 18:48 - 00003492 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1471241226-755212353-2797023242-1001Core
2014-01-18 11:12 - 2011-01-06 18:48 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1471241226-755212353-2797023242-1001UA.job
2014-01-18 11:12 - 2011-01-06 18:48 - 00000852 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1471241226-755212353-2797023242-1001Core.job
2014-01-18 11:09 - 2011-01-06 18:48 - 00003888 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1471241226-755212353-2797023242-1001UA
2014-01-18 11:08 - 2013-02-25 17:00 - 00003770 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-01-17 22:29 - 2011-04-23 12:39 - 00000000 ____D C:\Users\Jake\Documents\My Kindle Content
2014-01-17 18:30 - 2010-08-07 02:07 - 00000000 ____D C:\Program Files\Common Files\mcafee
2014-01-15 22:14 - 2012-05-08 17:45 - 00001071 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-15 22:14 - 2011-01-18 23:10 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-15 22:08 - 2012-11-04 10:43 - 00000000 ____D C:\Users\Jake\Desktop\PTP Rent Payments
2014-01-15 22:08 - 2012-08-24 09:45 - 00000000 ____D C:\Users\Jake\Documents\Holtec
2014-01-15 03:25 - 2009-07-13 23:45 - 03046864 _____ C:\Windows\system32\FNTCACHE.DAT
2014-01-15 03:08 - 2010-08-11 09:02 - 00000000 ____D C:\ProgramData\Microsoft Help
2014-01-15 03:06 - 2013-08-14 19:18 - 00000000 ____D C:\Windows\system32\MRT
2014-01-15 03:01 - 2010-08-11 15:53 - 86054176 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-01-14 20:30 - 2011-09-02 18:02 - 00002362 _____ C:\Users\Jake\Desktop\Google Chrome.lnk
2014-01-12 16:39 - 2010-08-12 17:03 - 00000000 ____D C:\Users\Jake\AppData\Local\Apps\2.0
2014-01-09 21:32 - 2014-01-09 21:32 - 00000000 ____D C:\Users\Jake\AppData\Local\{89014221-65C5-4CDD-9119-511C210D1232}
2014-01-09 21:32 - 2010-11-04 19:20 - 00000000 ____D C:\Users\Jake\AppData\Local\Windows Live
2014-01-08 21:27 - 2014-01-08 21:27 - 00000000 ____D C:\Users\Jake\AppData\Local\{667A46E6-2D39-4AC8-97E2-C66C6AA11369}
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1471241226-755212353-2797023242-1001\$3b99f81f31d5dbab1bcf87d0107a285a
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-01-19 14:00
 
==================== End Of Log ============================
 
 
 
Attached is the Addition.txt log as requested.
 
Thanks,
 
J


#7 nasdaq (Malware Response Team)

Posted 27 January 2014 - 09:22 AM

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
HKCU\...409d6c4515e9\InprocServer32: [Default-shell32]  <==== ATTENTION!
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
ShellExecuteHooks-x32:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
S2 0231551390618964mcinstcleanup; C:\Windows\TEMP\023155~1.EXE -cleanup -nolog [x]
U3 afwz5oqi; C:\Windows\System32\Drivers\afwz5oqi.sys [0 ] (Advanced Micro Devices)

C:\Windows\System32\Drivers\afwz5oqi.sys

end

Save the file as fixlist.txt into the same folder as FRST.
Run FRST and click Fix only once, then wait.
The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please let me know what problem persists.

#8 jac335 (Topic Starter)

Posted 27 January 2014 - 08:40 PM

nasdaq,

The Fixlog is pasted below. There were no errors running this scan.

Thanks,

J

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 27-01-2014 02
Ran by Jake at 2014-01-27 20:34:35 Run:1
Running from C:\Users\Jake\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
HKCU\...409d6c4515e9\InprocServer32: [Default-shell32]  <==== ATTENTION!
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
ShellExecuteHooks-x32:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
S2 0231551390618964mcinstcleanup; C:\Windows\TEMP\023155~1.EXE -cleanup -nolog [x]
U3 afwz5oqi; C:\Windows\System32\Drivers\afwz5oqi.sys [0 ] (Advanced Micro Devices)
 
C:\Windows\System32\Drivers\afwz5oqi.sys
 
end
*****************
 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist => Key deleted successfully.
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key deleted successfully. If the key returned, move the associated file, reboot and list the key for deletion.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => Value deleted successfully.
HKCR\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => Key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => Value deleted successfully.
HKCR\Wow6432Node\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => Key not found.
0231551390618964mcinstcleanup => Service not found.
afwz5oqi => Service deleted successfully.
Could not move "C:\Windows\System32\Drivers\afwz5oqi.sys" => Scheduled to move on reboot.
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-01-27 20:36:36)<=
 
C:\Windows\System32\Drivers\afwz5oqi.sys => Is moved successfully.
 
==== End of Fixlog ====
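The FRST log jac335 posted and the fixlist nasdaq built from it turn on a few recognisable indicators: a kernel driver with a generated-looking eight-character name and a zero size (afwz5oqi.sys), a $Recycle.Bin\S-1-5-...\$<32 hex> folder that FRST itself reports under "ZeroAccess:", and GUID-named folders under AppData\Local that are usually harmless installer residue. The script below is an added example, not part of this thread or of FRST: it parses FRST listing lines and bare paths and applies those heuristics to a constructed sample. The usbehci.sys, FRST.txt, GUID-folder and $Recycle.Bin lines are copied from the log above; the afwz5oqi.sys listing line and its timestamps are constructed for the demo, and the random-name test is this example's own rule of thumb, not an FRST rule.

```python
"""Triage FRST listing lines for the indicators that show up in this thread.

Added example, not part of the thread or of FRST. The line format and most
sample paths come from the posted log; the afwz5oqi.sys listing line and its
timestamps are constructed, and looks_random() is this example's heuristic.
"""
import re
from dataclasses import dataclass

# One FRST listing line: "<modified> - <created> - <size> <attrs> [(company)] <path>"
LISTING_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>[A-Za-z]:\\.+)$"
)
# Bare paths, as printed under FRST's "ZeroAccess:" heading.
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")

DRIVER_RE = re.compile(r"\\drivers\\([a-z0-9]{8})\.sys$", re.IGNORECASE)
ZEROACCESS_BIN_RE = re.compile(
    r"\\\$recycle\.bin\\s-1-5-21-[\d-]+\\\$[0-9a-f]{32}(?:\\|$)", re.IGNORECASE
)
GUID_LOCAL_DIR_RE = re.compile(r"\\appdata\\local\\\{[0-9a-f-]{36}\}$", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reason: str
    severity: str  # "high", "medium" or "info"


def looks_random(name):
    """Heuristic: 8-char driver stems that mix letters and digits, or have
    almost no vowels, read like generated names (afwz5oqi); storport does not."""
    has_digit = any(c.isdigit() for c in name)
    vowels = sum(c in "aeiou" for c in name.lower())
    return has_digit or vowels < 2


def parse_line(line):
    """Return (path, size, attrs, company) for a listing or bare-path line, else None."""
    line = line.strip()
    m = LISTING_RE.match(line)
    if m:
        return m["path"], int(m["size"]), m["attrs"], m["company"]
    if BARE_PATH_RE.match(line):
        return line, None, "", None
    return None


def triage(lines):
    """Apply the indicator checks to every parseable line and collect findings."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # section headers, blank lines, prose
        path, size, attrs, company = parsed
        m = DRIVER_RE.search(path)
        if m and looks_random(m.group(1)):
            reason = "randomly named kernel driver"
            if size == 0:
                reason += " with zero size"
            if company:
                reason += f" claiming vendor '{company}'"
            findings.append(Finding(path, reason, "high" if size == 0 else "medium"))
        if ZEROACCESS_BIN_RE.search(path):
            findings.append(Finding(path, "ZeroAccess-style payload folder in $Recycle.Bin", "high"))
        if "D" in attrs and GUID_LOCAL_DIR_RE.search(path):
            findings.append(Finding(path, "GUID-named folder under AppData\\Local; often installer residue, verify contents", "info"))
    return findings


# Constructed sample: lines 2-5 and the last one are copied from the posted log,
# the afwz5oqi.sys listing line is made up for the demo.
SAMPLE_LINES = [
    r"==================== One Month Created Files and Folders ========",
    r"2014-01-14 20:38 - 2013-11-26 20:41 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys",
    r"2014-01-26 16:43 - 2014-01-26 16:43 - 00017723 _____ C:\Users\Jake\Desktop\FRST.txt",
    r"2014-01-09 21:32 - 2014-01-09 21:32 - 00000000 ____D C:\Users\Jake\AppData\Local\{89014221-65C5-4CDD-9119-511C210D1232}",
    r"2014-01-08 21:27 - 2014-01-08 21:27 - 00000000 ____D C:\Users\Jake\AppData\Local\{667A46E6-2D39-4AC8-97E2-C66C6AA11369}",
    r"2014-01-22 19:05 - 2014-01-22 19:05 - 00000000 _____ (Advanced Micro Devices) C:\Windows\System32\Drivers\afwz5oqi.sys",
    r"ZeroAccess:",
    r"C:\$Recycle.Bin\S-1-5-21-1471241226-755212353-2797023242-1001\$3b99f81f31d5dbab1bcf87d0107a285a",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity}] {f.path}: {f.reason}")
```

Feed it the whole FRST.txt (one line per list element) and anything rated high is what you would expect to see land in a fixlist; the info-level GUID folders are only worth a look if they contain executables.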


#9 nasdaq (Malware Response Team)

Posted 28 January 2014 - 09:17 AM

Please run this tool.
Let me know what problem persists.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

#10 jac335 (Topic Starter)

Posted 28 January 2014 - 07:34 PM

nasdaq,

I could not run the scan. When I double-clicked the program, it started and then quickly popped up an error: "C:\users\[my user name]\AppData\Local\Temp\RarSFX0 folder is not accessible" (see attached screenshot of this error).

I checked my computer, and I did not see that location (see other screenshot). "Temp" exists, but there is no RarSFX0 subfolder.



#11 jac335 (Topic Starter)

Posted 28 January 2014 - 07:41 PM

The site will not let me attach the other screenshot of the Temp folder; apparently it is too large. Like I said, there is an AppData\Local\Temp folder, but there is no RarSFX0 in there.



#12 nasdaq (Malware Response Team)

Posted 29 January 2014 - 09:18 AM

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
==============

#13 jac335 (Topic Starter)

Posted 30 January 2014 - 05:21 PM

nasdaq,

As soon as I started ComboFix, it produced an error: "Error writing temporary file. Make sure your temp folder is valid." The program did not run.

Is there a way to manually create this "temp" folder that I continue to get errors about?

Thanks,

-J



#14 jac335 (Topic Starter)

Posted 30 January 2014 - 05:47 PM

nasdaq,

I tried running ComboFix in Windows Safe Mode and received the same error.

I do have HijackThis installed (it may be an old version). Should I try that?

-J



#15 nasdaq (Malware Response Team)

Posted 31 January 2014 - 08:39 AM

Click on the Windows icon on the far left of the taskbar.
Click Run.
Type CMD in the Run box.
This will open the DOS prompt.

At the prompt type PATH
Hit the Enter key.

Copy the complete path reported.

Paste the results in your next message.
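The two errors jac335 keeps hitting ("Error writing temporary file. Make sure your temp folder is valid." from the installers, and "RarSFX0 folder is not accessible" from the Security Check self-extractor) both mean the temp folder those tools resolve either does not exist or will not let a new subfolder be created in it. Windows resolves that folder through GetTempPath, which tries TMP, then TEMP, then USERPROFILE, then the Windows directory. The script below is an added example, not part of this thread: it lists the candidates in that order and then tries exactly what the self-extractor does, creating a subfolder and writing a file into it, so that a missing folder and a permission problem on an existing one come out as different results. Using the SystemRoot variable as a stand-in for the Windows directory, and the environment dictionary in the demo, are this example's assumptions.

```python
"""Check whether the folder an installer would use for temporary files is usable.

Added example, not part of the thread. Resolves the temp folder the way
GetTempPath does (TMP, TEMP, USERPROFILE, Windows directory; SystemRoot is
used here as an approximation of the last step) and then does what a
self-extractor such as the RarSFX0 stub does: make a subfolder and write a file.
"""
import os
import tempfile
import uuid

TEMP_LOOKUP_ORDER = ("TMP", "TEMP", "USERPROFILE", "SystemRoot")


def temp_candidates(env):
    """Temp-folder candidates in GetTempPath order, deduplicated, unset names skipped."""
    seen = []
    for name in TEMP_LOOKUP_ORDER:
        value = env.get(name)
        if value and value not in seen:
            seen.append(value)
    return seen


def probe_temp_dir(path):
    """Report whether `path` exists, is a directory and accepts a new subfolder with a file.

    A failure on an existing directory points at permissions rather than a
    missing folder, which is what the "RarSFX0 folder is not accessible" symptom suggests.
    """
    report = {
        "path": path,
        "exists": os.path.exists(path),
        "is_dir": os.path.isdir(path),
        "writable": False,
        "error": None,
    }
    if not report["is_dir"]:
        report["error"] = "missing or not a directory"
        return report
    probe_dir = os.path.join(path, "RarSFX-probe-" + uuid.uuid4().hex[:8])
    probe_file = os.path.join(probe_dir, "probe.tmp")
    try:
        os.mkdir(probe_dir)
        with open(probe_file, "wb") as fh:
            fh.write(b"temp-folder probe")
        report["writable"] = True
    except OSError as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        # Best-effort cleanup so nothing is left behind even on partial failure.
        for target, remover in ((probe_file, os.remove), (probe_dir, os.rmdir)):
            try:
                remover(target)
            except OSError:
                pass
    return report


def diagnose(env=None):
    """Probe every candidate; the first entry is the one installers will actually use."""
    env = os.environ if env is None else env
    candidates = temp_candidates(env) or [tempfile.gettempdir()]
    return [probe_temp_dir(p) for p in candidates]


if __name__ == "__main__":
    # Constructed demo environment shaped like the affected machine's variables.
    demo_env = {
        "TMP": r"C:\Users\Jake\AppData\Local\Temp",
        "TEMP": r"C:\Users\Jake\AppData\Local\Temp",
        "USERPROFILE": r"C:\Users\Jake",
        "SystemRoot": r"C:\Windows",
    }
    print("lookup order:", temp_candidates(demo_env))
    for r in diagnose():  # the real environment of whoever runs this
        status = "OK" if r["writable"] else f"FAIL ({r['error']})"
        print(f"{r['path']}: {status}")
```

Run it on the affected machine as the same user that gets the error. If the first candidate is reported missing, recreate it or point TMP and TEMP at a valid folder; if it exists but the probe fails with a PermissionError, the ACL on that folder or its parent is what needs inspecting (icacls on Windows), which fits this thread's symptom better than a missing folder does.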



