Windows 7 Virut.BN Infection Cleaned Need help repairing Windows Files


This topic is locked
2 replies to this topic

#1 adrianfallows (Members, 2 posts)

Posted 25 February 2016 - 01:21 PM

Hello, I recently had a small Virut.BN infection that I caught early enough that it had only modified 30 files or so. I was able to replace these files from a 4-month-old backup. I ran ComboFix to repair some of the errors and followed it with SFC /scannow, but I have some corrupted files in the driver store that cannot be repaired.

Is anyone able to assist?

ComboFix log:

ComboFix 16-02-23.01 - Adrian 02/25/2016   9:58.1.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3071.1027 [GMT -7:00]
Running from: c:\users\Adrian\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
SP: Microsoft Security Essentials *Disabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
ADS - Windows: deleted 72 bytes in 2 streams.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\program files\pst
c:\program files\pst\Binaries\CenterOneStub.dll
c:\program files\pst\Binaries\ConfigDataServer.dll
c:\program files\pst\Binaries\DotNet35SP1Checker.exe
c:\program files\pst\Binaries\dotnetfx35setup.exe
c:\program files\pst\Binaries\PDL.dll
c:\program files\pst\Binaries\PPRStandard.dll
c:\program files\pst\Binaries\RACurrTray.exe
c:\program files\pst\Binaries\RADTConfig.zip
c:\program files\pst\Binaries\RAISEUpdater.exe
c:\program files\pst\Binaries\RAMediator.dll
c:\program files\pst\Binaries\RUIForJava.dll
c:\program files\pst\Binaries\RUIHost.exe
c:\program files\pst\Binaries\ShareMFCTestDLL.dll
c:\program files\pst\Binaries\UpdaterDll.dll
c:\program files\pst\Binaries\UpdaterDllNT.dll
c:\program files\pst\Binaries\vcredist_x86.exe
c:\program files\pst\Binaries\vcredistchecker.exe
c:\program files\pst\RuntimeCache\bmp\CU_Current.bmp
c:\program files\pst\RuntimeCache\bmp\CU_dotNet.bmp
c:\program files\pst\RuntimeCache\bmp\CU_eCadWorks.bmp
c:\program files\pst\RuntimeCache\bmp\CU_GenericRA.bmp
c:\program files\pst\RuntimeCache\bmp\CU_IAB.bmp
c:\program files\pst\RuntimeCache\bmp\CU_MCSSTAR.bmp
c:\program files\pst\RuntimeCache\bmp\CU_MotionAnalyzer.bmp
c:\program files\pst\RuntimeCache\bmp\CU_NoIcon.bmp
c:\program files\pst\RuntimeCache\bmp\CU_ProposalWorks.bmp
c:\program files\pst\RuntimeCache\bmp\CU_PST.bmp
c:\program files\pst\RuntimeCache\bmp\CU_RailBuilder.bmp
c:\program files\pst\RuntimeCache\bmp\CU_SeminarBuilder.bmp
c:\program files\pst\RuntimeCache\bmp\CU_UDD.bmp
c:\program files\pst\RuntimeCache\bmp\CU_VS2008Redist.bmp
c:\program files\pst\RuntimeCache\bmp\CU_XWorks.bmp
c:\program files\pst\RuntimeCache\cfg\CITUI.cfg
c:\program files\pst\RuntimeCache\cfg\javaui.cfg
c:\program files\pst\RuntimeCache\css\LibStyles.css
c:\program files\pst\RuntimeCache\css\LibStylesIE6.css
c:\program files\pst\RuntimeCache\css\styles.css
c:\program files\pst\RuntimeCache\css\UIBoxes.css
c:\program files\pst\RuntimeCache\css\UIBoxesIE6.css
c:\program files\pst\RuntimeCache\css\UIStyles.css
c:\program files\pst\RuntimeCache\css\UIStylesIE7.css
c:\program files\pst\RuntimeCache\csv\ModName2RegKey.csv
c:\program files\pst\RuntimeCache\gif\ABLogo.gif
c:\program files\pst\RuntimeCache\gif\ball_blue.gif
c:\program files\pst\RuntimeCache\gif\camera.gif
c:\program files\pst\RuntimeCache\gif\check.gif
c:\program files\pst\RuntimeCache\gif\closebutt.gif
c:\program files\pst\RuntimeCache\gif\current_lores.gif
c:\program files\pst\RuntimeCache\gif\current_transparent.gif
c:\program files\pst\RuntimeCache\gif\light-ok.gif
c:\program files\pst\RuntimeCache\gif\light-stop.gif
c:\program files\pst\RuntimeCache\gif\light-warn.gif
c:\program files\pst\RuntimeCache\gif\msg-down.gif
c:\program files\pst\RuntimeCache\gif\msg-up.gif
c:\program files\pst\RuntimeCache\gif\question.gif
c:\program files\pst\RuntimeCache\gif\RaisePower.gif
c:\program files\pst\RuntimeCache\gif\RALogo.gif
c:\program files\pst\RuntimeCache\gif\red-ear-left.gif
c:\program files\pst\RuntimeCache\gif\Rockwell.gif
c:\program files\pst\RuntimeCache\gif\RockwellLogo.gif
c:\program files\pst\RuntimeCache\gif\spindown-active.GIF
c:\program files\pst\RuntimeCache\gif\spindown.GIF
c:\program files\pst\RuntimeCache\gif\spinup-active.GIF
c:\program files\pst\RuntimeCache\gif\spinup.GIF
c:\program files\pst\RuntimeCache\gif\Thumbs.db
c:\program files\pst\RuntimeCache\gif\transback.gif
c:\program files\pst\RuntimeCache\gif\transparent.GIF
c:\program files\pst\RuntimeCache\ico\PST.ico
c:\program files\pst\RuntimeCache\jar\accessories-obf.jar
c:\program files\pst\RuntimeCache\jar\accessories.jar
c:\program files\pst\RuntimeCache\jar\family-obf.jar
c:\program files\pst\RuntimeCache\jar\family.jar
c:\program files\pst\RuntimeCache\jar\simple-obf.jar
c:\program files\pst\RuntimeCache\jar\simple.jar
c:\program files\pst\RuntimeCache\jar\standard-obf.jar
c:\program files\pst\RuntimeCache\jar\standard.jar
c:\program files\pst\RuntimeCache\jpg\DfltSplashPhoto.jpg
c:\program files\pst\RuntimeCache\jpg\PrmDlgCurrLogo.jpg
c:\program files\pst\RuntimeCache\jpg\PST_lores.jpg
c:\program files\pst\RuntimeCache\jpg\RA_Logo_2color.jpg
c:\program files\pst\RuntimeCache\jpg\RALogo.jpg
c:\program files\pst\RuntimeCache\jpg\Thumbs.db
c:\program files\pst\RuntimeCache\js\cfgPageHelp.js
c:\program files\pst\RuntimeCache\js\HierarchicalBrowser.js
c:\program files\pst\RuntimeCache\js\idler.js
c:\program files\pst\RuntimeCache\js\model.js
c:\program files\pst\RuntimeCache\js\UI.js
c:\program files\pst\RuntimeCache\js\UIHelp.js
c:\program files\pst\RuntimeCache\js\utilities.js
c:\program files\pst\RuntimeCache\js\xpath.js
c:\program files\pst\RuntimeCache\pdf\User Guide CurrentUpdater.pdf
c:\program files\pst\RuntimeCache\spt\raisedflt.spt
c:\program files\pst\RuntimeCache\xml\DefaultCfg.xml
c:\program files\pst\RuntimeCache\xml\modname2regkey.xml
c:\program files\pst\RuntimeCache\XSL\AccessoryUI.xsl
c:\program files\pst\RuntimeCache\XSL\AccessoryUI2.xsl
c:\program files\pst\RuntimeCache\XSL\alertviewer.xsl
c:\program files\pst\RuntimeCache\XSL\AttrSelector.xsl
c:\program files\pst\RuntimeCache\XSL\AttrState.xsl
c:\program files\pst\RuntimeCache\XSL\Heading.xsl
c:\program files\pst\RuntimeCache\XSL\ImageViewer.xsl
c:\program files\pst\RuntimeCache\XSL\MsgGizmos.xsl
c:\program files\pst\RuntimeCache\XSL\PIDAssistUI.xsl
c:\program files\pst\RuntimeCache\XSL\pii.xsl
c:\program files\pst\RuntimeCache\XSL\StandardUI.xsl
c:\program files\pst\RuntimeCache\XSLT\copy.xslt
c:\program files\pst\RuntimeCache\XSLT\HierarchicalBrowser.xslt
c:\program files\pst\RuntimeCache\XSLT\ra.xslt
c:\users\Adrian\AppData\Local\assembly\tmp
c:\users\Adrian\ckInfo.exe
c:\windows\sqliteodbc2010.dll
c:\windows\system32\drivers\multikey.sys
c:\windows\system32\logs
c:\windows\system32\logs\log.txt
c:\windows\system32\regobj.dll
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_multikey
.
.
(((((((((((((((((((((((((   Files Created from 2016-01-25 to 2016-02-25  )))))))))))))))))))))))))))))))
.
.
2016-02-25 17:06 . 2016-02-25 17:08	--------	d-----w-	c:\users\Adrian\AppData\Local\temp
2016-02-25 17:06 . 2016-02-25 17:06	--------	d-----w-	c:\users\DefaultAppPool\AppData\Local\temp
2016-02-25 16:48 . 2016-02-25 16:48	--------	d-----w-	c:\programdata\Kaspersky Lab Setup Files
2016-02-25 16:34 . 2016-02-25 16:34	62576	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5E37256C-D5F2-4DF6-A605-E187C1006E95}\offreg.932.dll
2016-02-25 16:33 . 2016-02-25 16:33	39168	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5E37256C-D5F2-4DF6-A605-E187C1006E95}\MpKslf831f19f.sys
2016-02-25 16:14 . 2010-11-20 21:29	586752	----a-w-	C:\dfrgui.exe
2016-02-25 05:20 . 2015-11-25 10:43	9014120	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5E37256C-D5F2-4DF6-A605-E187C1006E95}\mpengine.dll
2016-02-24 21:40 . 2015-12-24 13:03	305928	----a-w-	c:\windows\system32\drivers\tmcomm.sys
2016-02-24 21:38 . 2015-11-25 10:43	9014120	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2016-02-24 20:56 . 2016-02-24 20:56	--------	d-----w-	c:\program files\Common Files\AV
2016-02-24 20:48 . 2016-02-25 05:12	--------	d-----w-	c:\programdata\Spybot - Search & Destroy
2016-02-24 20:48 . 2016-02-25 05:13	--------	d-----w-	c:\program files\Spybot - Search & Destroy 2
2016-02-24 20:24 . 2016-02-25 16:36	170200	----a-w-	c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-02-24 20:23 . 2016-02-24 20:23	--------	d-----w-	c:\program files\Malwarebytes Anti-Malware
2016-02-24 20:23 . 2016-02-24 20:23	--------	d-----w-	c:\programdata\Malwarebytes
2016-02-24 20:23 . 2015-10-05 16:50	51928	----a-w-	c:\windows\system32\drivers\mwac.sys
2016-02-24 20:23 . 2015-10-05 16:50	94936	----a-w-	c:\windows\system32\drivers\mbamchameleon.sys
2016-02-24 20:23 . 2015-10-05 16:50	23256	----a-w-	c:\windows\system32\drivers\mbam.sys
2016-02-23 01:33 . 2016-02-23 01:33	--------	d-----w-	c:\users\Adrian\LimitorqueHART
2016-02-23 01:17 . 2016-02-23 01:16	95840	----a-w-	c:\windows\system32\WindowsAccessBridge.dll
2016-02-23 01:16 . 2016-02-23 01:16	--------	d-----w-	c:\program files\Common Files\Java
2016-02-06 22:43 . 2016-02-06 22:43	--------	d-----w-	c:\users\Adrian\AppData\Local\Rockwell_Automation
2016-02-06 19:33 . 2016-02-06 19:33	--------	d-----w-	c:\windows\CCWEDS
2016-02-04 23:21 . 2016-02-04 23:21	--------	d-----w-	c:\users\Adrian\AppData\Roaming\Rockwell Automation
2016-02-04 23:21 . 2016-02-04 23:21	--------	d-----w-	c:\users\Adrian\AppData\Local\Rockwell Automation
2016-02-04 23:19 . 2016-02-04 23:19	--------	d-----w-	c:\program files\OPC Foundation
2016-01-29 22:52 . 2013-12-20 01:03	6656	----a-w-	c:\windows\system32\drivers\IPCType.sys
2016-01-29 22:52 . 2013-09-13 19:31	73728	----a-w-	c:\windows\RtCtrlAPI.dll
2016-01-29 22:50 . 2007-09-18 20:13	0	----a-w-	C:\ABS.sys
2016-01-26 20:12 . 2016-02-19 22:35	--------	d-----w-	c:\users\Adrian\AppData\Local\CrashDumps
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-02-13 20:10 . 2015-02-01 00:23	796864	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2016-02-13 20:10 . 2015-02-01 00:23	142528	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2015-12-09 03:39 . 2014-06-29 22:52	247976	------w-	c:\windows\system32\MpSigStub.exe
2013-05-29 21:18 . 2013-05-29 21:18	158720	----a-w-	c:\program files\internet explorer\plugins\LV2012ActiveXControl.dll
2013-06-21 03:19 . 2013-06-21 03:19	158720	----a-w-	c:\program files\internet explorer\plugins\LV2013ActiveXControl.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEIPUpdater"="c:\program files\Proficy\GEIPUpdaterInstaller\GEIPUpdater.exe" [2014-01-28 439600]
"SpybotPostWindows10UpgradeReInstall"="c:\program files\Common Files\AV\Spybot - Search and Destroy\Test.exe" [2015-07-29 1011200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"UsbCipHelper"="c:\program files\Rockwell Automation\Rockwell Automation USBCIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2015-06-24 2834944]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2015-04-30 981688]
"VMware User Process"="c:\program files\VMware\VMware Tools\vmtoolsd.exe" [2015-05-22 64704]
"SOPAS USB Listener"="c:\program files\SICK\SOPAS ET\SopasUSBListener.exe" [2015-09-16 245760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2016-01-30 594992]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Autodesk Sync"="c:\program files\Autodesk\Autodesk Sync\AdSync.exe" [2014-02-08 1059720]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^CodeMeter Control Center.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\CodeMeter Control Center.lnk
backup=c:\windows\pss\CodeMeter Control Center.lnk.CommonStartup
backupExtension=.CommonStartup
.
R2 Hart;Hart; [x]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2015-10-05 1135416]
R2 SoftLogix 5800 Slot3;SoftLogix 5800 Slot3;c:\program files\Rockwell Automation\SoftLogix5800\SoftLogix5800.exe [2014-03-05 3180368]
R3 1784-PCIDS DeviceNet;1784-PCIDS DeviceNet;c:\program files\Rockwell Automation\SoftLogix5800\PcidsService.exe [2014-03-05 116048]
R3 c2wts;Claims to Windows Token Service;c:\program files\Windows Identity Foundation\v3.5\c2wtshost.exe [2010-02-02 15768]
R3 CH341SER;CH341SER;c:\windows\system32\Drivers\CH341SER.SYS [2009-06-02 39632]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 fengyue0;fengyue0;c:\ollydbg\Plugin\fengyue0.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2015-11-10 102912]
R3 IrCOMM2k;Virtual IR COM Port;c:\windows\system32\DRIVERS\ircomm2k.sys [x]
R3 IrDAFw2k;IrDA Forward Adapter;c:\windows\system32\DRIVERS\irdafw2k.sys [x]
R3 LogReceiver;LogReceiver;c:\program files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe [2015-10-26 82648]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2015-10-05 51928]
R3 MosIrUsb;MosIrUsb.sys;c:\windows\system32\DRIVERS\MosIrUsb.sys [2013-07-01 22528]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2015-03-05 95408]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2015-04-30 284504]
R3 pcidnt;A-B 1784-PCIDS;c:\windows\System32\Drivers\pcidnt.sys [x]
R3 Proficy Driver Runtime;Proficy Driver Runtime;c:\program files\Proficy\Proficy Machine Edition\fxView\Runtime\ProficyDrivers\Win32\GefPdfOpc.exe [2006-11-24 192512]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\SYSTEM32\RSSERIAL.SYS [2015-10-22 155440]
R3 SimModuleService;1789-SIM Simulator Module;c:\program files\Rockwell Automation\SoftLogix5800\SimModuleService.exe [2014-03-05 102736]
R3 Te.Service;Te.Service;c:\program files\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe [2013-08-22 91136]
R3 TitanHide;TitanHide;c:\windows\System32\drivers\TitanHide.sys [2015-03-22 18568]
R3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [2015-05-22 382288]
R3 TPVCGateway;TP VC Gateway Service;c:\program files\VMware\VMware Tools\TPVCGateway.exe [2015-05-22 406864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 USBDLC;USB Link Cable Driver;c:\windows\system32\Drivers\usbdlc.sys [2004-11-24 12611]
R3 virtnet;VirtNet Network Adapter;c:\windows\system32\DRIVERS\virtnet.sys [2011-05-02 10976]
R3 VLTask;VLTask;c:\program files\ValveLink\VLSERVICE.EXE [2015-04-14 21504]
R3 VLTrace;VLTrace;c:\program files\ValveLink\VLSERVICE.EXE [2015-04-14 21504]
R3 VsEtwService120;Visual Studio ETW Event Collection Service;c:\program files\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe [2013-10-05 71344]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2014-06-30 1343400]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2010-04-03 44896]
R4 RsFx0105;RsFx0105 Driver;c:\windows\system32\DRIVERS\RsFx0105.sys [2011-09-23 238696]
R4 RsFx0151;RsFx0151 Driver;c:\windows\system32\DRIVERS\RsFx0151.sys [2011-06-18 240736]
R4 SQLAgent$FTVIEWX64TAGDB;SQL Server Agent (FTVIEWX64TAGDB);c:\program files\Microsoft SQL Server\MSSQL10_50.FTVIEWX64TAGDB\MSSQL\Binn\SQLAGENT.EXE [2011-06-18 370016]
R4 SQLAgent$SQLFIELDCARE;SQL Server Agent (SQLFIELDCARE);c:\program files\Microsoft SQL Server\MSSQL10.SQLFIELDCARE\MSSQL\Binn\SQLAGENT.EXE [2015-04-04 380064]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [2015-05-22 71888]
S0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys [2015-05-22 64704]
S1 IPCType;IPCType; [x]
S1 MpKslf831f19f;MpKslf831f19f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5E37256C-D5F2-4DF6-A605-E187C1006E95}\MpKslf831f19f.sys [2016-02-25 39168]
S1 soldisk5;soldisk5;c:\windows\system32\drivers\soldisk5.sys [2013-12-13 206528]
S1 solfs5;solfs5;c:\windows\system32\drivers\solfs5.sys [2013-12-13 340288]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\System32\Drivers\VirtualBackplane.sys [2014-02-24 63512]
S1 vmhgfs;VMware Host Guest Client Redirector;c:\windows\system32\drivers\vmhgfs.sys [2015-05-22 163904]
S1 vmrawdsk;VMware Vista Physical Disk Helper;c:\program files\VMware\VMware Tools\vmrawdsk.sys [2015-05-22 39232]
S2 AEClientHostService2;Proficy AE Client Host Service;c:\program files\Proficy\Proficy Alarm Viewer 2.0\AEClientHostService.exe [2013-08-16 9728]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2014-02-07 31192]
S2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\CodeMeter\Runtime\bin\CodeMeter.exe [2015-01-21 3523448]
S2 DbgMsg;Debug Message;c:\windows\System32\Drivers\DbgMsg.sys [2008-07-08 18240]
S2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 DriverX;DriverX;c:\windows\System32\Drivers\DriverX.sys [2013-12-02 40992]
S2 E+H SFG500 CommServer;E+H SFG500 CommServer;c:\program files\Endress+Hauser\CommDTM\PROFIBUS SFG500\SFG5XXCommSvr\EH.Sfg.Sfg500.CommServer.exe [2015-03-26 9216]
S2 EH.C4DC.Service;Endress+Hauser PAM Service;c:\program files\Endress+Hauser\DeviceCare\PAM_Service\EH.C4DC.WinService.exe [2014-10-25 21504]
S2 FactoryTalk Activation Service;FactoryTalk Activation Service;c:\program files\Rockwell Software\FactoryTalk Activation\lmgrd.exe [2012-12-12 1407312]
S2 FTActivationBoost;FactoryTalk Activation Helper;c:\program files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe [2012-12-22 145888]
S2 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files\Common Files\Rockwell\FTAEArchiver.exe [2015-10-21 72920]
S2 FTAE_HistServ;Rockwell Alarm Historian;c:\program files\Common Files\Rockwell\FTAE_HistServ.exe [2015-10-21 158936]
S2 FTSysDiagSvcHost;FTSysDiagSvcHost;c:\program files\Common Files\Rockwell\FTSysDiagSvcHost.exe [2015-07-06 76504]
S2 FxControlRuntime;FxControl Runtime;c:\program files\Proficy\Proficy Machine Edition\fxControl\Runtime\NT\FxControl.exe [2014-02-08 651264]
S2 hasplms;Sentinel LDK License Manager;c:\windows\system32\hasplms.exe  -run [x]
S2 LoggingService;Proficy Log Server;c:\program files\Proficy\Proficy Machine Edition\Proficy Event Logger\LoggingService.exe [2014-02-07 151552]
S2 MSSQL$EMERSON2005;SQL Server (EMERSON2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
S2 MSSQL$FTVIEWX64TAGDB;SQL Server (FTVIEWX64TAGDB);c:\program files\Microsoft SQL Server\MSSQL10_50.FTVIEWX64TAGDB\MSSQL\Binn\sqlservr.exe [2011-06-18 43040096]
S2 MSSQL$SQLFIELDCARE;SQL Server (SQLFIELDCARE);c:\program files\Microsoft SQL Server\MSSQL10.SQLFIELDCARE\MSSQL\Binn\sqlservr.exe [2015-04-04 43044512]
S2 NA_Service;NetAccess Service;c:\windows\system32\NA_Service.exe [2012-06-06 90112]
S2 NDIS4DCP;GEIP PROFINET DCP;c:\windows\system32\DRIVERS\NDIS4DCP.sys [2014-02-08 30440]
S2 NIApplicationWebServer;NI Application Web Server;c:\program files\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe [2013-06-08 57696]
S2 nimDNSResponder;NI mDNS Responder Service;c:\program files\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe [2013-05-11 260976]
S2 NISystemWebServer;NI System Web Server;c:\program files\National Instruments\Shared\NI WebServer\SystemWebServer.exe [2013-06-08 57680]
S2 NmspHost;Rockwell Namespace Services;c:\program files\Common Files\Rockwell\NmspHost.exe [2015-10-20 226008]
S2 PROFIbrd;PROFIBUS V5 Hardware Driver (Softing); [x]
S2 ProficyViewIntegratedOPCDriverLoggerV5;Proficy View Integrated OPC Driver 5.12 Event Logger;c:\program files\Proficy\Proficy View Integrated OPC Driver 5\server_eventlog.exe [2013-12-02 143872]
S2 PROFIprt;PROFIBUS Protocol Driver (Softing); [x]
S2 PROFIstack;PROFIBUS V6 Hardware Driver (Softing); [x]
S2 radaq;RA Data Acquisition;c:\program files\Rockwell Software\Studio 5000\Common\V2\bin\daq.exe [2015-11-04 5337576]
S2 ramkMsgKernelSvc;RA Messaging Kernel;c:\program files\Rockwell Software\Studio 5000\Common\V2\bin\ramkMsgKernelSvc.exe [2015-11-04 51176]
S2 raOSGi;RA OSGi;c:\program files\Rockwell Software\Studio 5000\Common\V2\bin\raOSGi.exe [2015-11-04 86528]
S2 RdcyHost;Rockwell Redundancy Services;c:\program files\Common Files\Rockwell\RdcyHost.exe [2015-10-20 226008]
S2 RnaAeServer;Rockwell Alarm Server;c:\program files\Common Files\Rockwell\RnaAeServer.exe [2015-10-21 165592]
S2 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files\Common Files\Rockwell\RnaAlarmMux.exe [2015-10-21 736472]
S2 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe [2014-07-27 132640]
S2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files\Rockwell Software\RSView Enterprise\ServerFramework.exe [2014-07-27 896032]
S2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2013-01-09 376832]
S2 SentinelSecurityRuntime;Sentinel Security Runtime;c:\program files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe [2013-01-09 293216]
S2 TrapiServer;Trapi File Server;c:\program files\Proficy\Proficy Machine Edition\Common\Components\NT\trapiserver.exe [2014-02-07 184422]
S2 VENBT;EtherNet/IP SoftLogix5800 EtherNet/IP;c:\program files\Rockwell Automation\SoftLogix5800\VENBTService.exe [2014-03-05 98128]
S2 VMMEMCTL;Memory Control Driver;c:\program files\Common Files\VMware\Drivers\memctl\vmmemctl.sys [2015-05-22 18752]
S2 VMTools;VMware Tools;c:\program files\VMware\VMware Tools\vmtoolsd.exe [2015-05-22 64704]
S2 VMware Physical Disk Helper Service;VMware Physical Disk Helper Service;c:\program files\VMware\VMware Tools\vmacthlp.exe [2015-05-22 411328]
S3 AmsHartDriver;AmsHartDriver;c:\windows\system32\DRIVERS\AmsHartDriver.sys [2013-07-31 74600]
S3 EventServer;Rockwell Event Server;c:\program files\Common Files\Rockwell\EventServer.exe [2015-10-20 270552]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2015-10-05 23256]
S3 MmiHartDriver;MmiHartDriver;c:\windows\system32\DRIVERS\MmiHartDriver.sys [2015-11-21 69064]
S3 PNPMEM;Microsoft Memory Module Driver;c:\windows\system32\DRIVERS\pnpmem.sys [2009-07-13 13312]
S3 vm3dmp;vm3dmp;c:\windows\system32\DRIVERS\vm3dmp.sys [2015-05-22 186560]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\DRIVERS\vmmouse.sys [2013-10-18 11800]
S3 vmusbmouse;VMware USB Pointing Device;c:\windows\system32\DRIVERS\vmusbmouse.sys [2013-10-18 11928]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - tmcomm
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs	REG_MULTI_SZ   	w3svc was
apphost	REG_MULTI_SZ   	apphostsvc
utcsvc	REG_MULTI_SZ   	DiagTrack
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2016-02-25 16:41	1088664	----a-w-	c:\program files\Google\Chrome\Application\48.0.2564.116\Installer\chrmstp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2015-12-18 15:42	286904	----a-w-	c:\program files\Adobe\Acrobat Reader DC\Esl\AiodLite.dll
.
Contents of the 'Scheduled Tasks' folder
.
2016-02-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-01 20:10]
.
2016-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2016-02-25 16:40]
.
2016-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2016-02-25 16:40]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = localhost:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105
LSP: %windir%\system32\vsocklib.dll
TCP: DhcpNameServer = 192.168.147.2
TCP: Interfaces\{F411D3F0-436D-4904-9711-D9E7AD1476D6}: NameServer = 8.8.8.8,8.8.4.4
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Keylok - c:\vss\Development\SingleFileInstall\Release\install.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Rockwell Software\RSView Enterprise\TagSrv.exe
c:\program files\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Proficy\Proficy Common\Proficy Common Licensing\CCFLIC0.exe
c:\windows\system32\crypserv.exe
c:\program files\Rockwell Software\RSCommon\RSOBSERV.EXE
c:\windows\system32\hasplms.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\M1 Licensing\iLicenseSvc.exe
c:\windows\system32\lkads.exe
c:\program files\Proficy\Proficy View Integrated OPC Driver 5\server_admin.exe
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\MODBUSDRVSys.exe
c:\windows\system32\conhost.exe
c:\program files\National Instruments\Shared\niSvcLoc\nisvcloc.exe
c:\program files\Common Files\Rockwell\RNADiagnosticsSrv.exe
c:\program files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
c:\program files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
c:\progra~1\ROCKWE~1\RSLinx\RSLINX.EXE
c:\windows\system32\MODBUSDRV.exe
c:\program files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
c:\program files\Common Files\Rockwell\RsvcHost.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Rockwell Automation\SoftLogix5800\Ethernet_IP_IO.exe
c:\windows\system32\conhost.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lktsrv.exe
c:\program files\Rockwell Software\FactoryTalk Activation\flexsvr.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Rockwell\EventClientMultiplexer.exe
c:\program files\Common Files\Rockwell\RnaDirServer.exe
c:\program files\Common Files\Rockwell\RNADirMultiplexor.exe
c:\program files\Proficy\Proficy Machine Edition\fxControl\Runtime\NT\FxControlWin.exe
c:\windows\system32\GWX\GWX.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dllhost.exe
c:\windows\System32\msdtc.exe
c:\program files\Common Files\Rockwell\RnaAlarmDetector.exe
c:\windows\system32\conhost.exe
c:\windows\system32\vssvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2016-02-25  10:09:55 - machine was rebooted
ComboFix-quarantined-files.txt  2016-02-25 17:09
.
Pre-Run: 146,990,690,304 bytes free
Post-Run: 146,469,752,832 bytes free
.
- - End Of File - - 2A45B09137FCDB773DD0B0CAA7B34E72
A36C5E4F47E84449FF07ED3517B43A31

Attached file: CBS.log (1.52 MB)



#2 adrianfallows (Topic Starter; Members, 2 posts)

Posted 25 February 2016 - 04:46 PM

Please close this topic. I was able to fix the corrupted files by replacing those found in

\SystemRoot\WinSxS\x86_microsoft-windows-defrag-adminui_31bf3856ad364e35_6.1.7601.17514_none_9b1d78a9ee870c74\dfrgui.exe
\SystemRoot\WinSxS\x86_microsoft-windows-msdt_31bf3856ad364e35_6.1.7600.16385_none_a558b8167eda0eef\msdt.exe

with files from the same folders in my backup.

SFC comes back with no corruptions now.

 

Cheers
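The repair described in the post above (read the WinSxS member files that SFC reports it cannot repair out of CBS.log, then drop in the same file from a backup) is worth scripting once more than a couple of files are involved, and the same hash comparison answers the first post's question of which files the infector actually touched. The Python below is an added example for this thread, not the poster's tooling and not part of SFC or ComboFix. The CBS.log lines embedded in it are constructed in the format SFC writes; the WinSxS directory naming it assumes is the usual arch_component_publickeytoken_version_culture_hash pattern, and because the trailing hash is not recorded in the log the script produces a directory glob and leaves the final pick to the operator.

```python
"""Triage SFC's '[SR] Cannot repair member file' entries from CBS.log and
hash-check replacement candidates against a backup.

Added example for this thread; not the poster's tooling and not part of
SFC or ComboFix. SAMPLE_CBS_LOG is constructed in the CBS.log format.
WinSxS directory names are assumed to follow
<arch>_<component>_<publickeytoken>_<version>_<culture>_<hash>.
"""
import hashlib
import re
from pathlib import Path

# Constructed sample lines (not the poster's attached CBS.log).
SAMPLE_CBS_LOG = """\
2016-02-25 10:15:23, Info                  CSI    00000123 [SR] Cannot repair member file [l:20{10}]"dfrgui.exe" of Microsoft-Windows-Defrag-AdminUi, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2016-02-25 10:15:24, Info                  CSI    00000124 [SR] Cannot repair member file [l:16{8}]"msdt.exe" of Microsoft-Windows-MSDT, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2016-02-25 10:15:25, Info                  CSI    00000125 [SR] Verify complete
"""

CANNOT_REPAIR = re.compile(
    r'\[SR\] Cannot repair member file \[l:\d+\{\d+\}\]"(?P<file>[^"]+)" of '
    r'(?P<component>[^,]+), Version = (?P<version>[\d.]+), '
    r'pA = (?P<arch>PROCESSOR_ARCHITECTURE_\w+) \(\d+\), Culture (?P<culture>[^,]+),'
    r'.*?PublicKeyToken = \{l:\d+ b:(?P<token>[0-9a-fA-F]+)\}'
    r'.*? in the store, (?P<reason>.+)$'
)

# pA value in the log -> prefix used in WinSxS directory names.
ARCH_PREFIX = {
    "PROCESSOR_ARCHITECTURE_INTEL": "x86",
    "PROCESSOR_ARCHITECTURE_AMD64": "amd64",
    "PROCESSOR_ARCHITECTURE_MSIL": "msil",
}


def parse_unrepairable(log_text):
    """One dict per member file SFC could not repair, with a WinSxS glob."""
    results = []
    for line in log_text.splitlines():
        m = CANNOT_REPAIR.search(line)
        if not m:
            continue
        arch = ARCH_PREFIX.get(m["arch"], m["arch"].lower())
        culture = "none" if m["culture"] == "neutral" else m["culture"]
        # e.g. x86_microsoft-windows-defrag-adminui_31bf3856ad364e35_6.1.7601.17514_none_<hash>
        glob = f"{arch}_{m['component'].lower()}_{m['token']}_{m['version']}_{culture}_*"
        results.append({"file": m["file"], "component": m["component"],
                        "version": m["version"], "reason": m["reason"],
                        "winsxs_glob": glob})
    return results


def candidate_dirs(winsxs_root, entry):
    """Directories under WinSxS matching the entry's glob (normally exactly one)."""
    return sorted(p for p in Path(winsxs_root).glob(entry["winsxs_glob"]) if p.is_dir())


def digest(data):
    return hashlib.sha256(data).hexdigest()


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def changed_files(live_dir, backup_dir):
    """Files in live_dir whose SHA-256 differs from the same-named file in
    backup_dir, plus files the backup lacks. Serves two purposes: listing what
    a file infector modified, and confirming a replacement really differs
    from the store copy before it is overwritten."""
    live, backup = Path(live_dir), Path(backup_dir)
    report = {"changed": [], "missing_in_backup": []}
    for p in sorted(live.iterdir()):
        if not p.is_file():
            continue
        b = backup / p.name
        if not b.is_file():
            report["missing_in_backup"].append(p.name)
        elif file_digest(p) != file_digest(b):
            report["changed"].append(p.name)
    return report


if __name__ == "__main__":
    for entry in parse_unrepairable(SAMPLE_CBS_LOG):
        print(f"{entry['file']:<12} {entry['reason']:<14} -> WinSxS\\{entry['winsxs_glob']}")
```

Run it against a real CBS.log by passing the file's contents to parse_unrepairable, then feed each entry to candidate_dirs with the live C:\Windows\WinSxS and run changed_files on that directory and its counterpart in the backup. Two caveats a practitioner should keep in mind: a file infector such as Virut modifies executables in place, so only a backup that predates the infection is a safe source of replacements, and a hash mismatch reported by SFC says nothing about which copy is good, which is why the backup copy should come from offline media rather than a share the infected host could write to.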



#3 olgun52 (Malware Response Team, 3,784 posts)

Posted 25 February 2016 - 08:41 PM

> Please close this topic. I was able to fix the corrupted files by replacing those found in

Good job :thumbup2:

This Topic is closed.


Best regards