Malware blocking internet access


  • This topic is locked
30 replies to this topic

#1 Aelares

  • Members

Posted 10 March 2014 - 04:33 PM

Please help - am desperate!  Two computers in the house (one wired XP, one wireless Win 7) lost internet access almost completely, in a day.  Some websites load fine, but others (google, gmail) are extremely slow or fail to load.  Most virus definitions were extremely slow to update, and I can't download any anti-malware programs.  The Verizon DSL gateway shows each laptop getting 130Mbps and "excellent" signal, but when I try to download any diagnostic or anti-malware file (e.g. dds), it goes at <1Kbps or fails.  Two other computers had no problem using the same wireless source.  

 

A few days ago, a friend accidentally went to goggle.com instead of google.com >:(, and NIS warned that it intercepted an attack.  I immediately scanned with NIS and MBAM and found nothing, and everything was fine for a few days.

 

The Win 7 laptop is fairly tweaked, plus this started happening overnight.  I've scanned with NIS and MBAM in safe mode, plus MBAR, but found nothing.  I cleaned with CCleaner.  I flushed DNS and checked hosts file.  I looked over running processes and services, but don't see anything unfamiliar.  Chrome works a little better than Firefox, but is also slow and cannot download any anti-malware programs.

 
Could you please look over my DDS and/or suggest anything?
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer:   BrowserJavaVersion: 10.51.2
Run by LRS at 16:35:01 on 2014-03-10
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4063.2757 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\explorer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\IPS\ipsbho.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - LocalServer32 - <no file>
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-System: WallpaperStyle = 2
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: WallpaperStyle = 2
IE: E&xport to Microsoft Excel - G:\MICROS~1\Office12\EXCEL.EXE/3000
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{2C3C99CB-EFE2-408F-A445-B1EB98FCB2A0} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{2C3C99CB-EFE2-408F-A445-B1EB98FCB2A0}\43C405864332D4259493 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{2C3C99CB-EFE2-408F-A445-B1EB98FCB2A0}\7796C6C69616D6 : DHCPNameServer = 192.168.5.1
TCP: Interfaces\{2C3C99CB-EFE2-408F-A445-B1EB98FCB2A0}\B4C44593B4 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{5171070C-B9D6-410E-9462-4F033E32E3AF} : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.146\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
x64-BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.1.0.18\CoIEPlg.dll
x64-TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - LocalServer32 - <no file>
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\LRS\AppData\Roaming\Mozilla\Firefox\Profiles\0vglwr4n.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NISx64\1501000.012\SymDS64.sys [2014-1-1 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1501000.012\SymEFA64.sys [2014-1-1 1147480]
R1 BHDrvx64;BHDrvx64;C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\BASHDefs\20140214.001\BHDrvx64.sys [2014-2-19 1526488]
R1 ccSet_NIS;NIS Settings Manager;C:\Windows\System32\drivers\NISx64\1501000.012\ccSetx64.sys [2014-1-1 162392]
R1 IDSVia64;IDSVia64;C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\IPSDefs\20140307.001\IDSviA64.sys [2014-3-8 524504]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\NISx64\1501000.012\Ironx64.sys [2014-1-1 264280]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\NISx64\1501000.012\symnets.sys [2014-1-1 590936]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/08/25 02:11:54];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-8-25 146928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-7-2 203264]
R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2010-2-26 30520]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe [2014-1-1 275696]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-12-31 1153368]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-8-9 228408]
R3 enecir;ENE CIR Receiver;C:\Windows\System32\drivers\enecir.sys [2009-6-29 70656]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-1-22 137648]
R3 JMCR;JMCR;C:\Windows\System32\drivers\jmcr.sys [2009-7-20 140712]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-1-13 7675392]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-8-25 233472]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2009-8-25 35104]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\NETw5v64.sys [2009-8-25 5435904]
S3 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe [2011-5-16 206120]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe [2011-5-16 185640]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-8-23 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
S4 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-8-25 89600]
.
=============== Created Last 30 ================
.
2014-03-10 20:16:18 -------- d-----w- C:\Windows\ERUNT
2014-03-10 19:47:02 -------- d-----w- C:\AdwCleaner
2014-03-09 23:33:57 119000 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-03-09 23:27:52 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-03-09 16:16:50 10536864 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{500854AB-D27C-4A6C-8FC7-099AA841D967}\mpengine.dll
2014-02-15 16:04:47 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-02-15 16:02:46 108968 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
.
==================== Find3M  ====================
.
2014-02-03 16:20:54 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-01-01 17:59:41 177752 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
.
============= FINISH: 16:35:14.46 ===============
 
Thank you!!!

 

Attached Files

#2 jeffce

  • Malware Response Team

Posted 12 March 2014 - 06:47 AM

Hi and Welcome!!   
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and the loss of all your programs and data.

 
Having said that....   Let's get going!!  
----------
 

Please download TDSSKiller

  • Double click TDSSKiller.exe
  • Press Start Scan but do nothing else as we are just looking for what is there.
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------
 
Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
----------

 


#3 Aelares

  • Topic Starter

Posted 12 March 2014 - 07:22 PM

Thank you so much!!

 

Farbar is posted below, and TDSS is attached.  

 

Farbar shows exactly my problem - can't get on google or gmail (or can get there but very painfully), but bing or yahoo work fine.  Likewise, can update Norton (or so it says) but can't update MBAM (or can update, but painfully slowly).  Could download TDSS, but can't download anything from bleepingcomputer (had to workaround).

 

Now my healthy Win 7 work laptop (which appears armed to the teeth, encrypted, etc.), which can access internet fine using the same wireless, has started to trip DEP on seemingly random pages - it'll start to load, then claim that IE has stopped working, then declare that "a malfunctioning or malicious add-on has caused IE to close this webpage."  It would do it to one bleepingcomputer forum thread, but not another; government webpages, Starbucks, etc.  The only two things it shared with the sick laptop were the router, and I had gmail and yahoo mail open simultaneously on both.

 

Farbar Service Scanner Version: 25-02-2014
Ran by LRS (administrator) on 12-03-2014 at 20:02:51
Running from "C:\"
Microsoft Windows 7 Home Premium   (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Attempt to access Google.com returned error: Google.com is unreachable
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-05-29 10:49] - [2013-01-04 01:41] - 1893224 ____A (Microsoft Corporation) 5CFB7AB8F9524D1A1E14369DE63B83CC
 
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
 
 
**** End of log ****

 

Attached Files
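The FSS log above carries two signals worth reading together: Google answers by IP but not by name (a name-resolution or host-filtering problem rather than a dead link), and FSS prints "MD5 is legit" only for files whose hash it recognises, so tcpip.sys being listed with full details means its hash was not in the tool's list. The following Python triage helper is an added example, not part of this thread and not the FSS tool's own code; it parses that log format and turns those two sections into findings. The sample input is the log from this reply, trimmed.

```python
"""Triage helper for Farbar Service Scanner (FSS) text output (added example)."""
import re
from dataclasses import dataclass, field

# Trimmed excerpt of the FSS.txt posted in reply #3 of this thread.
SAMPLE_FSS_LOG = """\
Farbar Service Scanner Version: 25-02-2014
Ran by LRS (administrator) on 12-03-2014 at 20:02:51
Microsoft Windows 7 Home Premium   (X64)
Boot Mode: Normal

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Attempt to access Google.com returned error: Google.com is unreachable
Yahoo.com is accessible.

File Check:
========
C:\\Windows\\System32\\nsisvc.dll => MD5 is legit
C:\\Windows\\System32\\drivers\\nsiproxy.sys => MD5 is legit
C:\\Windows\\System32\\Drivers\\tcpip.sys
[2013-05-29 10:49] - [2013-01-04 01:41] - 1893224 ____A (Microsoft Corporation) 5CFB7AB8F9524D1A1E14369DE63B83CC

C:\\Windows\\System32\\dnsrslvr.dll => MD5 is legit
C:\\Windows\\System32\\svchost.exe => MD5 is legit

**** End of log ****
"""

# Line shapes FSS uses in the two sections we care about.
_LEGIT = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?) => MD5 is legit$")
_IP_LINE = re.compile(r"^(?P<host>\w+) IP is (?P<state>accessible|unreachable)\.?$")
_NAME_OK = re.compile(r"^(?P<host>[\w.-]+\.\w+) is accessible\.?$")
_NAME_BAD = re.compile(r"returned error: (?P<host>[\w.-]+\.\w+) is unreachable")
_PATH = re.compile(r"^[A-Za-z]:\\")
# "[created] - [modified] - size attrs (vendor) MD5" as printed for unrecognised files
_DETAILS = re.compile(
    r"^\[[^\]]*\] - \[[^\]]*\] - (?P<size>\d+) \S+ \((?P<vendor>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FssTriage:
    ip_reachable: dict = field(default_factory=dict)      # "Google" -> bool
    name_reachable: dict = field(default_factory=dict)    # "Google.com" -> bool
    legit_files: list = field(default_factory=list)       # paths FSS recognised
    unverified_files: dict = field(default_factory=dict)  # path -> {"vendor", "md5"}


def parse_fss(text: str) -> FssTriage:
    """Walk the log once, tracking which section we are in."""
    t = FssTriage()
    section = None
    pending_path = None  # a File Check path whose details line is still to come
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and not line.startswith("["):
            section, pending_path = line[:-1], None
            continue
        if section == "Connection Status":
            if (m := _IP_LINE.match(line)):
                t.ip_reachable[m["host"]] = m["state"] == "accessible"
            elif (m := _NAME_BAD.search(line)):
                t.name_reachable[m["host"]] = False
            elif (m := _NAME_OK.match(line)):
                t.name_reachable[m["host"]] = True
        elif section == "File Check":
            if (m := _LEGIT.match(line)):
                t.legit_files.append(m["path"])
            elif (m := _DETAILS.match(line)) and pending_path:
                t.unverified_files[pending_path] = {"vendor": m["vendor"], "md5": m["md5"].upper()}
                pending_path = None
            elif _PATH.match(line):
                pending_path = line
    return t


def assess(t: FssTriage) -> list:
    """Turn the parsed sections into findings a responder can act on."""
    findings = []
    for host, ok in t.name_reachable.items():
        if ok:
            continue
        by_ip = t.ip_reachable.get(host.split(".")[0])  # "Google.com" -> "Google"
        if by_ip:
            findings.append(f"{host}: unreachable by name but its IP answers; check the DNS "
                            "servers, the hosts file and proxy/filter settings, not the link")
        elif by_ip is None:
            findings.append(f"{host}: unreachable by name; no IP-level probe in the log to compare")
        else:
            findings.append(f"{host}: unreachable by name and by IP; the network path is blocked")
    for path, info in t.unverified_files.items():
        findings.append(f"{path}: MD5 {info['md5']} ({info['vendor']}) is not in FSS's "
                        "known-good list; compare it with a clean copy from the same build")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_fss(SAMPLE_FSS_LOG)):
        print(finding)
```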



#4 jeffce

  • Malware Response Team

Posted 12 March 2014 - 08:14 PM

Hi,
 
Ok....thanks for posting those and letting me know what is going on.   :)
 
Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

----------
 

AdwCleaner
 
Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

----------


 


#5 Aelares

  • Topic Starter

Posted 13 March 2014 - 06:39 PM

Thanks.

 

Here is aswMBR:

(the laptop does actually have two physical hard drives - not sure if it matters: OS and programs are on one disk; pagefile and data (incl. user documents) on the other disk)

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-03-13 18:52:26
-----------------------------
18:52:26.513    OS Version: Windows x64 6.1.7600 
18:52:26.513    Number of processors: 2 586 0x170A
18:52:26.513    ComputerName: NAMELESS  UserName: LRS
18:52:27.340    Initialize success
18:59:29.193    AVAST engine defs: 14031301
18:59:56.743    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:59:56.758    Disk 0 Vendor: WDC_WD3200BEKT-60F3T1 12.01A12 Size: 305245MB BusType: 11
18:59:56.758    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-2
18:59:56.758    Disk 1 Vendor: WDC_WD3200BEKT-60F3T1 12.01A12 Size: 305245MB BusType: 11
18:59:56.977    Disk 0 MBR read successfully
18:59:56.977    Disk 0 MBR scan
18:59:56.992    Disk 0 unknown MBR code
18:59:57.008    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
18:59:57.024    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        81920 MB offset 409600
18:59:57.024    Disk 0 Partition - 00     0F Extended LBA            207821 MB offset 168181760
18:59:57.070    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        15303 MB offset 593799168
18:59:57.102    Disk 0 Partition 4 00     07    HPFS/NTFS NTFS       207820 MB offset 168183808
18:59:57.133    Disk 0 scanning C:\Windows\system32\drivers
19:00:04.886    Service scanning
19:00:07.101    Service BHDrvx64 C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\BASHDefs\20140214.001\BHDrvx64.sys **LOCKED** 5
19:00:09.067    Service eeCtrl C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys **LOCKED** 5
19:00:09.223    Service EraserUtilRebootDrv C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys **LOCKED** 5
19:00:10.892    Service IDSVia64 C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\IPSDefs\20140311.001\IDSvia64.sys **LOCKED** 5
19:00:12.982    Service NAVENG C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\VirusDefs\20140312.001\ENG64.SYS **LOCKED** 5
19:00:13.138    Service NAVEX15 C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\VirusDefs\20140312.001\EX64.SYS **LOCKED** 5
19:00:21.968    Modules scanning
19:00:21.984    Disk 0 trace - called modules:
19:00:22.030    ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys 
19:00:22.046    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c8b060]
19:00:22.062    3 CLASSPNP.SYS[fffff8800115143f] -> nt!IofCallDriver -> [0xfffffa8004c8a040]
19:00:22.077    5 hpdskflt.sys[fffff88001cd2289] -> nt!IofCallDriver -> [0xfffffa8004ae9520]
19:00:22.077    7 ACPI.sys[fffff88000fac781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004ae5680]
19:00:23.559    AVAST engine scan C:\Windows
19:00:25.057    AVAST engine scan C:\Windows\system32
19:02:31.308    AVAST engine scan C:\Windows\system32\drivers
19:02:42.852    AVAST engine scan C:\Users\LRS
19:03:31.914    AVAST engine scan C:\ProgramData
19:04:04.346    Scan finished successfully
19:04:18.449    Disk 0 MBR has been saved successfully to "C:\Users\LRS\Desktop\MBR.dat"
19:04:18.449    The log file has been saved successfully to "C:\Users\LRS\Desktop\aswMBR.txt"
 
 
And here is AdwCleaner:
 
# AdwCleaner v3.022 - Report created 13/03/2014 at 19:26:52
# Updated 13/03/2014 by Xplode
# Operating System : Windows 7 Home Premium  (64 bits)
# Username : LRS - NAMELESS
# Running from : C:\Users\LRS\Desktop\adwcleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v0.0.0.0
 
 
-\\ Mozilla Firefox v27.0.1 (en-US)
 
[ File : C:\Users\LRS\AppData\Roaming\Mozilla\Firefox\Profiles\0vglwr4n.default\prefs.js ]
 
 
[ File : C:\Users\Aurica\AppData\Roaming\Mozilla\Firefox\Profiles\gqxf4ebx.default\prefs.js ]
 
 
-\\ Google Chrome v33.0.1750.149
 
[ File : C:\Users\LRS\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Users\Aurica\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [1734 octets] - [10/03/2014 15:47:07]
AdwCleaner[R1].txt - [1178 octets] - [10/03/2014 15:53:10]
AdwCleaner[R2].txt - [1039 octets] - [13/03/2014 19:26:52]
AdwCleaner[S0].txt - [1813 octets] - [10/03/2014 15:49:32]
AdwCleaner[S1].txt - [1240 octets] - [10/03/2014 15:54:09]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R2].txt - [1219 octets] ##########
 
 
I have to confess that I tried to self-medicate and ran AdwCleaner myself before I started this post, and this is what the report was (I also clicked Clean, so these keys were deleted; then I also ran JRT and it "repaired" some keys; neither one made the problems go away or change any symptoms):
 
# AdwCleaner v3.021 - Report created 10/03/2014 at 15:47:07
# Updated 10/03/2014 by Xplode
# Operating System : Windows 7 Home Premium  (64 bits)
# Username : LRS - NAMELESS
# Running from : C:\Users\LRS\Desktop\adwcleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKLM\Software\caphyon
Key Found : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7CD74AFF-3433-4E34-92E2-D98DFDB30754}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{97720195-206A-42AE-8E65-260B9BA5589F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B18788A4-92BD-440E-A4D1-380C36531119}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v0.0.0.0
 
 
-\\ Mozilla Firefox v27.0.1 (en-US)
 
[ File : C:\Users\LRS\AppData\Roaming\Mozilla\Firefox\Profiles\0vglwr4n.default\prefs.js ]
 
 
[ File : C:\Users\Aurica\AppData\Roaming\Mozilla\Firefox\Profiles\gqxf4ebx.default\prefs.js ]
 
 
-\\ Google Chrome v33.0.1750.146
 
[ File : C:\Users\LRS\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Users\Aurica\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [1594 octets] - [10/03/2014 15:47:07]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1654 octets] ##########
 

 

Thanks for all your time.



#6 jeffce

  • Malware Response Team

Posted 13 March 2014 - 06:50 PM

ComboFix
 
Download Combofix from either of the links below, and save it to your desktop.  
Link 1
Link 2
 
**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


 
--------------------------------------------------------------------
 
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
 
--------------------------------------------------------------------
 
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

 


#7 Aelares

  • Topic Starter

Posted 13 March 2014 - 07:33 PM

Jeff, I think I just hosed the machine...  I didn't expect ComboFix to reboot (the one thing I did not read up on).  I ran ComboFix from the Admin account, but I have the laptop set up to automatically log into the User account (both are password-protected, but User logs in automatically).  Also, I only disabled AV until reboot.  So when ComboFix rebooted, the laptop went straight into the User account, possibly with AV enabled, and now some kind of a cmd console is rapidly running through a loop (it's like it opens and instantly closes, but fast and blurry), and I can't get to the Start menu to log off.  I got scared and put it to sleep via keyboard.  Any idea how to backpedal?  Sorry for making a mess.



#8 jeffce

  • Malware Response Team

Posted 13 March 2014 - 07:42 PM

No worries.

 

Go ahead and reboot your system and let me know what is happening.  :)


 


#9 Aelares

  • Topic Starter

Posted 13 March 2014 - 08:15 PM

Phew!  I'm stupid - while I was trying to figure out how to force a reboot, I realized I can just as well force log off from User via Ctrl+Alt+Del :facepalm:  Then I logged into Admin and ComboFix finished the report.

 

 

ComboFix 14-03-10.01 - LRS 03/13/2014  20:20:11.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4063.2752 [GMT -4:00]
Running from: c:\users\LRS\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Aurica\g2mdlhlpx.exe
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-14 to 2014-03-14  )))))))))))))))))))))))))))))))
.
.
2014-03-12 23:46 . 2014-03-12 23:56 409600 ----a-w- C:\FSS.exe
2014-03-10 20:16 . 2014-03-10 20:16 -------- d-----w- c:\windows\ERUNT
2014-03-10 19:47 . 2014-03-13 23:27 -------- d-----w- C:\AdwCleaner
2014-03-10 19:27 . 2014-03-10 19:30 -------- d-----w- c:\program files (x86)\Google
2014-03-09 23:27 . 2014-03-09 23:27 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-03-09 16:16 . 2014-02-06 09:01 10536864 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{500854AB-D27C-4A6C-8FC7-099AA841D967}\mpengine.dll
2014-02-27 19:26 . 2014-02-27 19:26 4130656 ----a-w- C:\TDSSKiller.exe
2014-02-15 16:05 . 2014-02-15 16:05 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-02-15 16:04 . 2014-02-15 16:04 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-02-15 16:04 . 2014-02-15 16:04 -------- d-----w- c:\program files (x86)\Java
2014-02-15 16:02 . 2014-02-15 16:02 312744 ----a-w- c:\windows\system32\javaws.exe
2014-02-15 16:02 . 2014-02-15 16:02 189352 ----a-w- c:\windows\system32\javaw.exe
2014-02-15 16:02 . 2014-02-15 16:02 189352 ----a-w- c:\windows\system32\java.exe
2014-02-15 16:02 . 2014-02-15 16:02 108968 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2014-02-15 16:02 . 2014-02-15 16:02 -------- d-----w- c:\program files\Java
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-03 16:20 . 2010-01-15 04:25 270496 ------w- c:\windows\system32\MpSigStub.exe
2014-01-01 17:59 . 2014-01-01 17:59 177752 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-02 98304]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-06-24 320056]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"WallpaperStyle"= 2
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe;c:\program files (x86)\VERIZONDM\bin\sprtsvc.exe [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe;c:\program files (x86)\VERIZONDM\bin\tgsrvc.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe;c:\windows\SYSNATIVE\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1501000.012\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1501000.012\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1501000.012\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1501000.012\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\program files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\BASHDefs\20140214.001\BHDrvx64.sys;c:\program files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\BASHDefs\20140214.001\BHDrvx64.sys [x]
S1 ccSet_NIS;NIS Settings Manager;c:\windows\system32\drivers\NISx64\1501000.012\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\NISx64\1501000.012\ccSetx64.sys [x]
S1 IDSVia64;IDSVia64;c:\program files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\IPSDefs\20140312.001\IDSvia64.sys;c:\program files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\IPSDefs\20140312.001\IDSvia64.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1501000.012\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1501000.012\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\NISx64\1501000.012\SYMNETS.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1501000.012\SYMNETS.SYS [x]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/08/25 02:11];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl;c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe;c:\windows\SYSNATIVE\Hpservice.exe [x]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe;c:\program files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [x]
S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [x]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys;c:\windows\SYSNATIVE\DRIVERS\enecir.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\AutorunsDisabled\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-13 23:18 1150280 ----a-w- c:\program files (x86)\Google\Chrome\Application\33.0.1750.149\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-03-10 19:27]
.
2014-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-03-10 19:27]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-07-22 450048]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
IE: E&xport to Microsoft Excel - g:\micros~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\LRS\AppData\Roaming\Mozilla\Firefox\Profiles\0vglwr4n.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\21.1.0.18\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\system32\drivers\NISx64\1501000.012\SYMNETS.SYS"
"TrustedImagePaths"="c:\program files (x86)\Norton Internet Security\Engine\21.1.0.18;c:\program files (x86)\Norton Internet Security\Engine64\21.1.0.18"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files (x86)\Norton Internet Security\Engine\21.1.0.18\symerr.exe
c:\program files (x86)\NORTON INTERNET SECURITY\ENGINE\21.1.0.18\cltLMH.exe
.
**************************************************************************
.
Completion time: 2014-03-13  21:01:39 - machine was rebooted
ComboFix-quarantined-files.txt  2014-03-14 01:01
.
Pre-Run: 55,090,679,808 bytes free
Post-Run: 54,802,886,656 bytes free
.
- - End Of File - - 4DB47B26BCA0F0286DFD2A77385489B6
2BE5D1F8957642D6729C3D53AE9C15B9
 
 
Thanks for holding my hand!!
Also, I have to sign off now unfortunately, so please don't make me a priority for tonight (I'm sure your time is priceless and scarce!)


#10 jeffce
    Bleepin' Super Saiyan
  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 14 March 2014 - 10:58 AM

Hi,

 

I am not seeing much in regards to an infection?  How is your system running?  :)




#11 Aelares
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Female

Posted 14 March 2014 - 10:17 PM

Haha, I was afraid you were gonna say that.  Things are still the same - google takes 45-70secs to load; gmail takes at least 70secs or fails.  Other sites (bing or yahoo) are instant.  It's bewildering.  I guess it's overkill but my only option is to reformat the drives and reimage - the problem is that my last image is 1-2yrs old so it will be very sad...  Thanks so much for all your time, I really appreciate it.  Gives me closure!  =)



#12 jeffce
    Bleepin' Super Saiyan
  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 15 March 2014 - 10:41 AM

Let's not give up that easy.  :)  What browser(s) are you experiencing these problems in?




#13 Aelares
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Female

Posted 15 March 2014 - 08:33 PM

I've always used Firefox (all updated); after this weirdness started happening, I installed Chrome, and it works a tinsy winsy bit better but generally is just as slow loading major sites.  

 

I've had IE "disabled" (via "Turn Windows features on/off" option in the Control Panel) since I got the machine.  I think that was back when it was IE8.  I half wonder if that is the problem - I think I would have allowed it to update via Windows Update, but I don't know if it would have been effective since it was disabled.  In the Windows features options, the checkbox says "Internet Explorer 8".

 

Speaking of updates, I normally manually let Windows Update search for them, then review one by one and refuse the ones that appear clearly unimportant (like, compatibility for old games or somesuch).  But, looking at the list, I haven't installed any since 8/2013 - I've run Windows Update, but it hasn't offered me anything other than the monthly malware removal tool.  I did mean to go on MS site and see what shows up there and maybe try to push the missing ones manually.  I also never installed SP1 (was just wary of taking the same performance hit as it did to my XP).  Could any of this have hurt?  The problem is that there is also an XP machine in the house that is having the exact same behavior problems (on IE, FireFox, Chrome), so I'm inclined to say that there is something that is not system-specific that's causing this...  I've even thought the router was compromised, maybe DNS (I'm just making this up b/c I don't really know what I'm talking about), but the work laptops have no problems working off the same wireless.



#14 jeffce
    Bleepin' Super Saiyan
  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 16 March 2014 - 10:04 AM

Hi,

 

Ok....you need to go ahead and install any and all updates to Win7 that are available...especially any service packs.  If you don't add the updates (patches) there will be holes left in your system that any, even noob hackers, can use to get into your system even with a firewall and antivirus.  Please do that and then once done, run a new scan with DDS and post the new DDS.txt log.  :)




#15 Aelares
  • Topic Starter
  • Members
  • 15 posts
  • Gender:Female

Posted 17 March 2014 - 07:03 PM

Hi again.

 

So, I installed the prereq to Win7 SP1, which in turn allowed SP1, and installing SP1 in turn allowed ~8 months worth of security and other updates.  After all that, I ran Update again and got two more for .NET 4.5.1.  After that, I ran it again and it's not offering anything else, so that's done.  Google seemed to load well the first few times right after that, but now everything is back to abnormal - ultra-slow google, can't download from bleepingcomputer, etc.  =(  Also, I now have $RECYCLE.BIN on every partition (not sure when it appeared).

 

Also, turns out that one of the "ok" machines that used the same wireless was actually plagued with a ton of PUPs (TidyNetwork and Surftastic) that were causing popups/redirects.  That machine was only used for Netflix (where it apparently got infected) and had absolutely no contact with the other machines (other than sharing the router).  But it seems to exhibit the same behavior (slow to load major sites, difficult to load MBAM updates, etc.).  It's an epidemic, though I honestly can't say where it started...  The other odd bit is that sometimes it's possible to get to an ultra-slow-loading page reasonably fast by searching for it in bing.com and clicking through there.

 

Would it hurt (or be entirely pointless) if I stuck a pin into the "Reset" hole in the modem/router?  I just feel like doing physical damage to something...  =/  Or replace the modem/router with a different slightly older one I have laying around?  I'm just puzzled by the epidemicness of it.

 

Here is the DDS after all Windows Updates.  

The attach.txt says something re Remote Desktop Service attempting to start, at bottom - is that bad?  From the start, I had disabled all Remote stuff in system properties, and disabled Remote Access and Registry services, but could never get TermService to stay disabled - it just reverts to automatic.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer:   BrowserJavaVersion: 10.51.2
Run by LRS at 19:20:19 on 2014-03-17
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4063.2845 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\IPS\ipsbho.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - LocalServer32 - <no file>
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: WallpaperStyle = 2
IE: E&xport to Microsoft Excel - G:\MICROS~1\Office12\EXCEL.EXE/3000
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{2C3C99CB-EFE2-408F-A445-B1EB98FCB2A0} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{2C3C99CB-EFE2-408F-A445-B1EB98FCB2A0}\43C405864332D4259493 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{2C3C99CB-EFE2-408F-A445-B1EB98FCB2A0}\7796C6C69616D6 : DHCPNameServer = 192.168.5.1
TCP: Interfaces\{2C3C99CB-EFE2-408F-A445-B1EB98FCB2A0}\B4C44593B4 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{5171070C-B9D6-410E-9462-4F033E32E3AF} : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
x64-BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.1.0.18\CoIEPlg.dll
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - 
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - 
x64-TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - LocalServer32 - <no file>
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\LRS\AppData\Roaming\Mozilla\Firefox\Profiles\0vglwr4n.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NISx64\1501000.012\SymDS64.sys [2014-1-1 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1501000.012\SymEFA64.sys [2014-1-1 1147480]
R1 BHDrvx64;BHDrvx64;C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\BASHDefs\20140214.001\BHDrvx64.sys [2014-2-19 1526488]
R1 ccSet_NIS;NIS Settings Manager;C:\Windows\System32\drivers\NISx64\1501000.012\ccSetx64.sys [2014-1-1 162392]
R1 IDSVia64;IDSVia64;C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\IPSDefs\20140314.001\IDSviA64.sys [2014-3-15 524504]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\NISx64\1501000.012\Ironx64.sys [2014-1-1 264280]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\NISx64\1501000.012\symnets.sys [2014-1-1 590936]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/08/25 02:11:54];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-8-25 146928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-7-2 203264]
R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2010-2-26 30520]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe [2014-1-1 275696]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-12-31 1153368]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-8-9 228408]
R3 enecir;ENE CIR Receiver;C:\Windows\System32\drivers\enecir.sys [2009-6-29 70656]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-1-22 137648]
R3 JMCR;JMCR;C:\Windows\System32\drivers\jmcr.sys [2009-7-20 140712]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-1-13 7675392]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-8-25 233472]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2009-8-25 35104]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\NETw5v64.sys [2009-8-25 5435904]
S3 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe [2011-5-16 206120]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe [2011-5-16 185640]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-3-17 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-8-23 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
S4 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-8-25 89600]
.
=============== Created Last 30 ================
.
2014-03-17 19:49:05 -------- d-----w- C:\Windows\Migration
2014-03-17 19:32:59 70656 ----a-w- C:\Windows\System32\nlaapi.dll
2014-03-17 19:31:59 99840 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2014-03-17 19:28:00 376768 ----a-w- C:\Windows\System32\drivers\netio.sys
2014-03-17 19:28:00 1903552 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2014-03-17 19:26:58 983488 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2014-03-17 19:26:58 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2014-03-17 19:26:58 144384 ----a-w- C:\Windows\System32\cdd.dll
2014-03-17 19:26:16 461312 ----a-w- C:\Windows\System32\scavengeui.dll
2014-03-17 19:23:56 859648 ----a-w- C:\Windows\System32\IKEEXT.DLL
2014-03-17 19:23:56 830464 ----a-w- C:\Windows\System32\nshwfp.dll
2014-03-17 19:23:56 656896 ----a-w- C:\Windows\SysWow64\nshwfp.dll
2014-03-17 19:23:56 324096 ----a-w- C:\Windows\System32\FWPUCLNT.DLL
2014-03-17 19:23:56 216576 ----a-w- C:\Windows\SysWow64\FWPUCLNT.DLL
2014-03-17 18:22:28 -------- d-----w- C:\Windows\System32\SPReview
2014-03-17 18:21:30 -------- d-----w- C:\Windows\System32\EventProviders
2014-03-17 18:19:05 48976 ----a-w- C:\Windows\System32\netfxperf.dll
2014-03-17 18:19:05 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2014-03-17 18:17:59 726528 ----a-w- C:\Windows\System32\appwiz.cpl
2014-03-17 18:14:04 529408 ----a-w- C:\Windows\System32\wbemcomn.dll
2014-03-17 16:39:03 -------- d-----w- C:\Windows\System32\MRT
2014-03-17 16:38:49 10536864 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B0B57173-0170-4CA8-917D-902CED1288CA}\mpengine.dll
2014-03-17 16:35:53 142336 ----a-w- C:\Windows\System32\poqexec.exe
2014-03-17 16:35:53 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
2014-03-17 16:35:50 33792 ----a-w- C:\Windows\System32\profprov.dll
2014-03-17 16:35:50 209920 ----a-w- C:\Windows\System32\profsvc.dll
2014-03-14 00:58:23 -------- d-----w- C:\$RECYCLE.BIN
2014-03-14 00:18:41 98816 ----a-w- C:\Windows\sed.exe
2014-03-14 00:18:41 256000 ----a-w- C:\Windows\PEV.exe
2014-03-14 00:18:41 208896 ----a-w- C:\Windows\MBR.exe
2014-03-12 23:46:26 409600 ----a-w- C:\FSS.exe
2014-03-10 20:16:18 -------- d-----w- C:\Windows\ERUNT
2014-03-10 19:47:02 -------- d-----w- C:\AdwCleaner
2014-03-09 23:27:52 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-02-27 19:26:40 4130656 ----a-w- C:\TDSSKiller.exe
.
==================== Find3M  ====================
.
2014-03-17 18:29:44 175616 ----a-w- C:\Windows\System32\msclmd.dll
2014-03-17 18:29:44 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2014-02-15 16:04:42 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-02-15 16:02:41 108968 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2014-02-07 01:23:30 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-02-04 02:32:12 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-02-04 02:04:11 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-02-03 16:20:54 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-01-29 02:32:18 484864 ----a-w- C:\Windows\System32\wer.dll
2014-01-29 02:06:47 381440 ----a-w- C:\Windows\SysWow64\wer.dll
2014-01-28 02:32:46 228864 ----a-w- C:\Windows\System32\wwansvc.dll
2014-01-01 17:59:41 177752 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
.
============= FINISH: 19:21:03.22 ===============
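Two parts of the DDS "Pseudo HJT Report" above are what a log reviewer reads first: the mPolicies-System values (all three UAC prompt settings are dword:0 here, which means UAC is switched off) and the per-interface DHCPNameServer entries (one interface lease points at 192.168.5.1 while the others use 192.168.1.1, which is what the poster's "maybe DNS" question is really about). The Python below is an added example, not something posted in the thread and not part of DDS or ComboFix; it parses just those two kinds of lines and lists the findings, using sample lines copied from the report above as constructed input.

```python
"""Triage of DDS 'Pseudo HJT Report' lines: UAC policy values and DHCP name servers.

Added example for this thread; not part of DDS, ComboFix or anything the posters ran.
"""
import ipaddress
import re

# mPolicies-System entries whose value 0 weakens or removes UAC.
UAC_WEAK_IF_ZERO = {
    "EnableLUA": "UAC is switched off entirely",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently, with no prompt",
    "PromptOnSecureDesktop": "elevation prompts are not shown on the secure desktop",
}

# e.g. 'mPolicies-System: EnableLUA = dword:0'
POLICY_RE = re.compile(r"^mPolicies-System:\s*(\w+)\s*=\s*(?:dword:)?([0-9a-fA-F]+)\s*$")
# e.g. 'TCP: NameServer = 192.168.1.1' or
#      'TCP: Interfaces\{GUID}\suffix : DHCPNameServer = 192.168.5.1'
DNS_RE = re.compile(r"^TCP:\s*(.*?)\s*:?\s*(?:DHCP)?NameServer\s*=\s*(.+)$", re.IGNORECASE)

# Sample lines copied from the DDS report in this thread (constructed input for the demo).
SAMPLE_DDS = "\n".join([
    r"mPolicies-System: ConsentPromptBehaviorAdmin = dword:0",
    r"mPolicies-System: ConsentPromptBehaviorUser = dword:3",
    r"mPolicies-System: EnableLUA = dword:0",
    r"mPolicies-System: EnableUIADesktopToggle = dword:0",
    r"mPolicies-System: PromptOnSecureDesktop = dword:0",
    r"TCP: NameServer = 192.168.1.1",
    r"TCP: Interfaces\{2C3C99CB-EFE2-408F-A445-B1EB98FCB2A0} : DHCPNameServer = 192.168.1.1",
    r"TCP: Interfaces\{2C3C99CB-EFE2-408F-A445-B1EB98FCB2A0}\7796C6C69616D6 : DHCPNameServer = 192.168.5.1",
    r"TCP: Interfaces\{5171070C-B9D6-410E-9462-4F033E32E3AF} : DHCPNameServer = 192.168.1.1",
])


def parse_dds(text):
    """Return ({policy_name: int_value}, [(scope, ip_string), ...]) from DDS report text."""
    policies = {}
    nameservers = []
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = int(m.group(2), 16)  # DDS prints dword values in hex
            continue
        m = DNS_RE.match(line)
        if m:
            scope = m.group(1) or "global"
            # DDS separates multiple servers with spaces or commas
            for addr in re.split(r"[ ,]+", m.group(2).strip()):
                if addr:
                    nameservers.append((scope, addr))
    return policies, nameservers


def triage(text):
    """Return a list of (category, message) findings for the report text."""
    policies, nameservers = parse_dds(text)
    findings = []
    for name, meaning in UAC_WEAK_IF_ZERO.items():
        if policies.get(name) == 0:
            findings.append(("uac", f"{name} = 0: {meaning}"))
    seen = set()
    for scope, addr in nameservers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("dns", f"unparseable name server '{addr}' in {scope}"))
            continue
        seen.add(addr)
        if not ip.is_private:
            # A public resolver is not wrong by itself, but it must be one the owner chose.
            findings.append(("dns", f"{scope} uses public resolver {addr}; confirm it is intended"))
    if len(seen) > 1:
        # Different leases naming different resolvers: stale lease from another network,
        # or a changed router setting; either way it is worth checking on the router.
        findings.append(("dns", "interfaces disagree on the name server: " + ", ".join(sorted(seen))))
    return findings


if __name__ == "__main__":
    for category, message in triage(SAMPLE_DDS):
        print(f"[{category}] {message}")
```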
 
