
hijacked - only works in safe mode


30 replies to this topic

#1 helgymatt (Full Member, 53 posts)

Posted 02 January 2012 - 09:46 AM

I have Windows 7.
For a couple of weeks I had a popup from McAfee telling me the firewall was not enabled. As soon as I would press Enable it would automatically disable. I ignored it from there on. I could not do anything with the Windows firewall as well. Then the other day, while browsing the web, an error came across the screen, and then a dozen more of the same tiled across the screen and Windows crashed. Something came up about doing a "system security check". The same thing happens every time in normal operating mode. Safe Mode with Networking works fine, but I still get the firewall popup at the bottom left. What diagnostics can I do in Safe Mode, or can you please recommend how to proceed?
Thanks.

EDIT: Please read the FAQ and post the requested logs.
http://www.spywarein...showtopic=79038

Edited by Rocket Grannie, 02 January 2012 - 10:41 AM.
Request logs


#2 helgymatt (Full Member, 53 posts)

Posted 02 January 2012 - 11:43 AM

As I said, the computer does not function right in normal running mode. I cannot run any programs or get any logs. The computer operates fine in Safe Mode. Can I run Malwarebytes and the other programs in Safe Mode? How do I do that? The icon for Malwarebytes says "empty".

I was able to run McAfee in safemode and it detected "fakealert!grb". I started back up in normal mode and it didn't seem to fix anything. A fake virus scanning program starts running.

#3 helgymatt (Full Member, 53 posts)

Posted 02 January 2012 - 12:42 PM

I got the programs to download and run. The malware must have disabled my old version of Malwarebytes. The system seems to at least be functioning now. The wallpaper screen is black. Net browsers are definitely hijacked.


Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.02.04

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.7601.17514
Matt :: MATT-PC [administrator]

1/2/2012 10:58:09 AM
mbam-log-2012-01-02 (11-08-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 177383
Time elapsed: 8 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|avPYOWQgOag.exe (Rogue.FakeHDD) -> Data: C:\ProgramData\avPYOWQgOag.exe -> No action taken.

Registry Data Items Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\ProgramData\avPYOWQgOag.exe (Rogue.FakeHDD) -> No action taken.
C:\ProgramData\r1OB4GJtdiTytq.exe (Trojan.FakeAlert) -> No action taken.

(end)


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 12/6/2010 3:28:27 PM
System Uptime: 1/2/2012 11:10:04 AM (0 hours ago)
.
Motherboard: Dell Inc. | | 018D1Y
Processor: Pentium® Dual-Core CPU E5700 @ 3.00GHz | CPU 1 | 3003/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 454 GiB total, 328.923 GiB free.
D: is CDROM (CDFS)
E: is Removable
F: is Removable
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Realtek PCIe GBE Family Controller
Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_04391028&REV_03\4&CE42100&0&00E2
Manufacturer: Realtek
Name: Realtek PCIe GBE Family Controller
PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_04391028&REV_03\4&CE42100&0&00E2
Service: RTL8167
.
Class GUID:
Description:
Device ID: USB\VID_07D0&PID_0004&MI_00\6&726CB0D&0&0000
Manufacturer:
Name:
PNP Device ID: USB\VID_07D0&PID_0004&MI_00\6&726CB0D&0&0000
Service:
.
Class GUID:
Description:
Device ID: USB\VID_07D0&PID_0004&MI_01\6&726CB0D&0&0001
Manufacturer:
Name:
PNP Device ID: USB\VID_07D0&PID_0004&MI_01\6&726CB0D&0&0001
Service:
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Officejet 4500 G510n-z
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet 4500 G510n-z
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
RP96: 11/23/2011 8:23:08 AM - Scheduled Checkpoint
RP97: 12/1/2011 6:56:33 AM - Scheduled Checkpoint
RP98: 12/8/2011 7:34:39 AM - Scheduled Checkpoint
RP99: 12/14/2011 3:00:34 AM - Windows Update
RP100: 12/21/2011 6:55:16 AM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
4500_G510nz_Help
4500G510nz
4500G510nz_Software_Min
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 9.2
Apple Application Support
Apple Software Update
Ask Toolbar
Bing Bar
BookSmart® 2.9.4 2.9.4
BufferChm
Canon DIGITAL CAMERA Solution Disk Software Guide
CANON iMAGE GATEWAY MyCamera Download Plugin
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Personal Printing Guide
Canon PowerShot S95 Camera User Guide
Canon Utilities CameraWindow DC 8
Canon Utilities CameraWindow Launcher
Canon Utilities Digital Photo Professional 3.9
Canon Utilities Movie Uploader for YouTube
Canon Utilities MyCamera
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CardRecovery 5.30
CenturyLink Installer
Citrix online plug-in (Web)
D3DX10
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell DataSafe Online
Dell Dock
Dell Getting Started Guide
Destinations
DeviceDiscovery
DocMgr
DocProc
Fax
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GoToAssist Corporate
GPBaseService2
HP Update
HPDiagnosticAlert
HPProductAssistant
HPSSupply
ieSpell
Intel® Control Center
Intel® Rapid Storage Technology
Internet Explorer
IrfanView (remove only)
Java Auto Updater
Java™ 6 Update 26
Junk Mail filter update
Malwarebytes Anti-Malware version 1.60.0.1800
MarketResearch
McAfee SecurityCenter
meta-iPod, the iTunes Cleaner 1.8
Microsoft Office 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Starter 2010 - English
Microsoft PowerPoint Viewer
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nerxy File Orgainzer
NETGEAR WPN311 Wireless Adapter
Octoshape add-in for Adobe Flash Player
PhotoScape
Picasa 3
QuickTime
Realtek High Definition Audio Driver
Roxio Burn
Safari
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Skype Toolbars
Skype™ 4.2
SmartWebPrinting
SolutionCenter
Status
StumbleUpon IE Toolbar
TidySongs
Toolbox
TrayApp
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
WebReg
WildTangent Games
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
12/26/2011 7:43:35 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {10DA4F3C-CC99-4190-BE4D-58330754E882} and APPID {7DDEFEA6-98EE-4F13-A25B-EC83D9BC5541} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
1/2/2012 8:15:36 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
1/2/2012 8:13:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
1/2/2012 8:13:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
1/2/2012 8:13:04 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache mfehidk mfenlfk NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
1/2/2012 8:13:04 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/2/2012 8:13:04 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
1/2/2012 8:13:04 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
1/2/2012 8:13:04 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
1/2/2012 8:13:04 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/2/2012 8:13:04 AM, Error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
1/2/2012 8:13:04 AM, Error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
1/2/2012 8:13:04 AM, Error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
1/2/2012 8:13:04 AM, Error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
1/2/2012 8:13:03 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
1/2/2012 8:13:03 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
1/2/2012 8:13:03 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/2/2012 8:13:03 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
1/2/2012 8:00:53 AM, Error: Service Control Manager [7023] - The HP Network Devices Support service terminated with the following error: %%-2147467243
1/2/2012 11:12:45 AM, Error: Service Control Manager [7003] - The McAfee Personal Firewall Service service depends the following service: MpsSvc. This service might not be installed.
1/2/2012 11:11:35 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SftService service.
1/2/2012 11:10:26 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
1/2/2012 11:10:26 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
1/2/2012 11:10:25 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
1/2/2012 10:58:58 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
1/2/2012 10:55:06 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/2/2012 10:55:06 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/2/2012 10:55:04 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/2/2012 10:54:58 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
1/2/2012 10:54:54 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
1/2/2012 10:54:51 AM, Error: Service Control Manager [7001] - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: The dependency service or group failed to start.
1/2/2012 10:54:50 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
1/2/2012 10:53:51 AM, Error: Service Control Manager [7038] - The WdiServiceHost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
1/2/2012 10:53:51 AM, Error: Service Control Manager [7038] - The HPSLPSVC service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
1/2/2012 10:53:51 AM, Error: Service Control Manager [7023] - The hpqcxs08 service terminated with the following error: %%-2147467243
1/2/2012 10:53:51 AM, Error: Service Control Manager [7000] - The HP Network Devices Support service failed to start due to the following error: The service did not start due to a logon failure.
1/2/2012 10:53:51 AM, Error: Service Control Manager [7000] - The Diagnostic Service Host service failed to start due to the following error: The service did not start due to a logon failure.
1/2/2012 10:53:51 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1069" attempting to start the service HPSLPSVC with arguments "" in order to run the server: {10DA4F3C-CC99-4190-BE4D-58330754E882}
.
==== End Of File ===========================

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Matt at 11:14:16 on 2012-01-02
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.2128 [GMT -6:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\LogonUI.exe
C:\Users\Matt\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Matt\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskhost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Matt\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Matt\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - C:\Program Files (x86)\StumbleUpon\StumbleUponIEBar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111221183415.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - C:\Program Files (x86)\StumbleUpon\StumbleUponIEBar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Nerxy] C:\Program Files (x86)\Nerxy\Nerxy File Orgainzer\FileOrganiser.exe /m
uRun: [Google Update] "C:\Users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [CenturyLinkTouchPointAgent] "C:\Program Files (x86)\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe" /autostart
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
StartupFolder: C:\Users\Matt\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &ieSpell Options - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://C:\Program Files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://C:\Program Files (x86)\ieSpell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{8309C246-C381-4003-A845-308427857D93} : DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{FE16FAA8-1D47-4696-84F3-8822D283831E} : DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{FE16FAA8-1D47-4696-84F3-8822D283831E}\2375942554835343 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{FE16FAA8-1D47-4696-84F3-8822D283831E}\2657E67616C6F677 : DhcpNameServer = 192.168.0.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\msc\McSnIePl.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: StumbleUpon Launcher: {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files (x86)\StumbleUpon\StumbleUponIEBar.dll
BHO-X64: StumbleUpon Launcher - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111221183415.dll
BHO-X64: scriptproxy - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: StumbleUpon Toolbar: {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files (x86)\StumbleUpon\StumbleUponIEBar.dll
TB-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun-x64: [(Default)]
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [CenturyLinkTouchPointAgent] "C:\Program Files (x86)\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe" /autostart
mRun-x64: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRunOnce-x64: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
IE-X64: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE-X64: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
S3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 rcmirror;rcmirror;C:\Windows\system32\DRIVERS\rcmirror.sys --> C:\Windows\system32\DRIVERS\rcmirror.sys [?]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
.
=============== Created Last 30 ================
.
2011-12-29 14:29:18 -------- d-----w- C:\Users\Matt\AppData\Local\{47D8C763-7ED0-48EE-B904-CE59D97384FE}
2011-12-29 14:29:06 -------- d-----w- C:\Users\Matt\AppData\Local\{3B56D3B1-31E3-48B0-94C0-5ABA904859E5}
2011-12-27 22:05:10 -------- d-----w- C:\Users\Matt\AppData\Local\{7A572FF6-4A08-4635-8B76-78EA11802301}
2011-12-27 22:05:00 -------- d-----w- C:\Users\Matt\AppData\Local\{324F4AA7-88B9-4CC6-8C45-9F178AAF74E2}
2011-12-27 17:45:25 -------- d-----w- C:\Users\Matt\AppData\Local\{7FD09CD0-1DA3-4680-A5BC-53603B9B6F55}
2011-12-27 17:45:11 -------- d-----w- C:\Users\Matt\AppData\Local\{2F7051F4-86F3-459D-99C0-BE0F5638D134}
2011-12-27 01:26:05 -------- d-----w- C:\Users\Matt\AppData\Local\{3AEC3B0A-BBB2-447B-80CE-8A2DDADB4E3A}
2011-12-27 01:25:55 -------- d-----w- C:\Users\Matt\AppData\Local\{DAB8B9DC-A8CF-4ABB-8855-D714F0BC2113}
2011-12-22 12:29:45 -------- d-----w- C:\Users\Matt\AppData\Local\{9A205A3D-B4B5-4299-B854-3923307C9E25}
2011-12-22 12:29:35 -------- d-----w- C:\Users\Matt\AppData\Local\{F8DDC08C-81DB-4DC7-88C5-1CBB53DEECF4}
2011-12-17 15:53:47 -------- d-----w- C:\Users\Matt\AppData\Roaming\ZoomBrowser EX
2011-12-15 23:57:07 -------- d-----w- C:\ProgramData\ZoomBrowser
2011-12-15 23:56:46 -------- d-----w- C:\Program Files (x86)\Canon
2011-12-15 23:56:02 -------- d-----w- C:\Program Files (x86)\Common Files\Canon
2011-12-06 03:22:20 -------- d-----w- C:\Users\Matt\AppData\Local\{4663AE3A-52C8-46B6-80B5-E270F0BDB483}
2011-12-06 03:22:09 -------- d-----w- C:\Users\Matt\AppData\Local\{28A5537E-0599-4585-A502-C2DEBEEF1B54}
2011-12-06 03:21:01 -------- d-----w- C:\Users\Matt\AppData\Local\{3FDF7507-1AFF-483B-9B38-E29DCE266D5A}
2011-12-06 03:20:50 -------- d-----w- C:\Users\Matt\AppData\Local\{76D16472-62CF-4F2D-8E32-92509BE0EDC1}
.
==================== Find3M ====================
.
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 05:32:50 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 04:26:03 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-26 05:21:20 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-10-22 14:50:32 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-10-22 14:50:31 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-10-22 13:05:28 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-15 19:16:16 75808 ----a-w- C:\Windows\System32\drivers\mfenlfk.sys
2011-10-15 19:16:16 65264 ----a-w- C:\Windows\System32\drivers\cfwids.sys
2011-10-15 19:16:16 647080 ----a-w- C:\Windows\System32\drivers\mfehidk.sys
2011-10-15 19:16:16 481768 ----a-w- C:\Windows\System32\drivers\mfefirek.sys
2011-10-15 19:16:16 284648 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys
2011-10-15 19:16:16 229528 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys
2011-10-15 19:16:16 160280 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys
2011-10-15 19:16:16 10248 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys
2011-10-15 19:16:16 100912 ----a-w- C:\Windows\System32\drivers\mferkdet.sys
2011-10-15 06:31:56 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-10-15 05:38:59 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
.
============= FINISH: 11:28:41.83 ===============


Results of screen317's Security Check version 0.99.30
Windows 7 x64 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
McAfee SecurityCenter
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

meta-iPod, the iTunes Cleaner 1.8
Java™ 6 Update 26
Java version out of date!
Adobe Flash Player 10.2.152.26 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

mcafee VirusScan mcods.exe
``````````End of Log````````````

Edited by helgymatt, 02 January 2012 - 01:04 PM.


#4 lance_yien

lance_yien

    Forum Deity

  • Malware Support Mod
  • 2,442 posts

Posted 03 January 2012 - 11:55 AM

Hello helgymatt and welcome to SWI.

I'm lance_yien and will be helping you.

Very Important!

>>> Please do immediately:
  • In the upper right hand corner of the topic you will see a button called "Watch this topic", by clicking on this => "Immediate E-Mail notification" => "Proceed" you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Back up your personal documents by copying them to a location of your choice (other than your system drive).
  • Spybot's TeaTimer may interfere with our tools. Please disable it (if running on your computer): Run Spybot S&D => "Mode" => "Advanced..." => "Tools" => "Resident" and Uncheck "Resident TeaTimer" and OK any prompts.
    Close Spybot S&D.
>>> During this cleanup,
Please DO NOT run, install and/or uninstall any tools/ programs other than those I suggest to you because some programs can interfere with others and/ or can cause some problems to your system.

>>> When you receive new instructions,
  • Please Read the whole message.
  • All our tools must be downloaded to the Desktop and launched from there (unless otherwise specified).
  • Please perform all steps in the received order and DO NOT proceed if you need clarification.
  • Please DO NOT re-run any program I suggest. If you encounter problems please stop and tell me about it.
>>> When replying,
  • Please use the "Add Reply" button. I do not need to see my previous instructions. Thank you!
  • Please copy and paste your logs into your post unless specifically asked to attach one.
 

Please print out these instructions or copy them to a Notepad file for easier reading and reboot your computer. Tap the F8 key continually, just before Windows starts to load, and select "Safe Mode with Networking" and press ENTER.

Then download to your Desktop:

>>> Run Rkill Please right-click on Rkill => "Run as administrator". It will kill some processes started by malware so that our tools can run.
- If the first one does not run successfully, download and try the other copies (with different file extensions) and see if one of them will run.
- If for some reason your computer should restart, please do so and re-run Rkill once again.
- I don't need to see any log from it.


>>> Use Malwarebytes' Anti-Malware (MBAM): "-> No action taken." in your MBAM log indicates that you had not clicked the Remove Selected button.
Please make sure you are connected to the Internet and run MBAM.
Click the "Update" tab button => "Check for Updates". If an update is found, it will download and install the latest version.
- If you encounter any problems while downloading the updates, please manually download them from here and just double-click/right-click on mbam-rules.exe => "Run as administrator" to install.
On the "Scanner" tab, make sure the "Perform Quick Scan" option is selected (If asked to select the drives to scan, leave all the drives selected) and click on the Scan button.
When the scan is complete, click "OK" and Show Results to view the results. Then, be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. It is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click "OK" to either and let MBAM proceed with the disinfection process.
- If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Please copy and paste the contents of the log into your next reply.
For complete or visual instructions on installing and running MBAM, please see here.


>>> ComboFix scan: Please close all running programs and disable all your protection programs: antivirus, firewall and antispyware (see here and/or here to know how to disable your programs).
Then, right-click on "ComboFix.exe" => "Run as administrator" and follow the on-screen prompts.
Please, DO NOT click ComboFix's window while it is running. This may cause it to hang.
A log file (ComboFix.txt) will be saved at the root of the System drive (typically C:\ComboFix.txt). Please copy and paste its contents in your next reply.


>>> TDSSKiller: Right-click on TDSSKiller.exe => "Run as administrator", click on the "Start Scan" button and wait for the scan and disinfection process to be over.
If an infected file is detected, the default action will be "Cure" and if a suspicious file is detected, the default action will be "Skip".
Please DO NOT make any changes and click on the "Continue" button.
If you are asked to reboot the computer to complete the process, click on the "Reboot Now" button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt).
If no reboot is required, click on "Report". A log file will appear.
Please copy and paste the contents of that file in your next reply.


>>> In your next reply, please include the following:
  • Malwarebytes Anti-Malware log
  • ComboFix.txt
  • TDSSKiller_log.txt
Any improvements?
EI | SWI | ZEBULON

My help is free, but if you wish to help keep these forums running please consider a donation. Please, see here for details.

#5 helgymatt

helgymatt

    Member

  • Full Member
  • 53 posts

Posted 03 January 2012 - 09:41 PM

I was able to run everything EXCEPT TDSSKiller. I downloaded it and extracted it, but the program would not open when clicking "open as administrator". The computer restarted during ComboFix and I reran RKill, and TDSSKiller still did not run. I'm still getting a popup from McAfee saying the firewall is off and it will not turn on. Also - I disabled McAfee the best I could, but ComboFix still said it was enabled - don't know what that is about. The McAfee Security Center said they were both disabled. Here are the logs for Malwarebytes and ComboFix.

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.03.04

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.7601.17514
Matt :: MATT-PC [administrator]

1/3/2012 5:24:07 PM
mbam-log-2012-01-03 (17-24-07).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 184621
Time elapsed: 4 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ComboFix 12-01-03.07 - Matt 01/03/2012 17:50:38.1.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.3253 [GMT -6:00]
Running from: c:\users\Matt\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Matt\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
.
.
2012-01-04 01:08 . 2012-01-04 01:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-02 17:51 . 2012-01-02 17:51 -------- d-----w- c:\programdata\Kaspersky Lab
2011-12-27 04:58 . 2011-12-27 04:58 -------- d-----w- c:\program files (x86)\Apple Software Update
2011-12-17 15:53 . 2011-12-19 12:22 -------- d-----w- c:\users\Matt\AppData\Roaming\ZoomBrowser EX
2011-12-15 23:57 . 2011-12-17 15:53 -------- d-----w- c:\programdata\ZoomBrowser
2011-12-15 23:56 . 2011-12-15 23:58 -------- d-----w- c:\program files (x86)\Canon
2011-12-15 23:56 . 2011-12-15 23:56 -------- d-----w- c:\program files (x86)\Common Files\Canon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-22 14:50 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-10-22 14:50 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-10-22 13:05 . 2011-05-25 11:10 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-15 19:16 . 2010-12-02 00:06 10248 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 19:16 . 2010-01-06 00:04 75808 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-10-15 19:16 . 2010-01-06 00:04 65264 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 19:16 . 2010-01-06 00:04 647080 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 19:16 . 2010-01-06 00:04 481768 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 19:16 . 2010-01-06 00:04 284648 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-10-15 19:16 . 2010-01-06 00:04 229528 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16 . 2010-01-06 00:04 160280 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-15 19:16 . 2010-01-06 00:04 100912 ----a-w- c:\windows\system32\drivers\mferkdet.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-07-26 23:23 1493160 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-07-26 1493160]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nerxy"="c:\program files (x86)\Nerxy\Nerxy File Orgainzer\FileOrganiser.exe" [2009-11-29 2005752]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-13 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1675160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"CenturyLinkTouchPointAgent"="c:\program files (x86)\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe" [2011-07-12 46208]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-13 559616]
.
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WPN311 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WPN311\wlancfg5.exe [2007-4-10 1695744]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 135664]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 135664]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files (x86)\StumbleUpon\StumbleUponUpdateService.exe [2011-04-14 103336]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-18 208536]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-10-18 161168]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2010-11-20 12:17 302592 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 04:03]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 04:03]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3918426166-2314642023-325945995-1000Core.job
- c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-23 20:55]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3918426166-2314642023-325945995-1000UA.job
- c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-23 20:55]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-21 8306208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-{6304587B-3C05-4031-A8E7-7938CB9162E7}_is1 - c:\program files (x86)\meta-iPod
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3918426166-2314642023-325945995-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3918426166-2314642023-325945995-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe
.
**************************************************************************
.
Completion time: 2012-01-03 19:34:56 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-04 01:34
.
Pre-Run: 360,029,667,328 bytes free
Post-Run: 360,360,996,864 bytes free
.
- - End Of File - - 46D6A0924C7CDD464C667FE7BE4A5F54

Edited by helgymatt, 03 January 2012 - 09:51 PM.


#6 lance_yien

lance_yien

    Forum Deity

  • Malware Support Mod
  • 2,442 posts

Posted 04 January 2012 - 02:23 AM

Please reboot your computer and tap the F8 key continually, just before Windows starts to load. Select "Safe Mode with Networking" and press ENTER.


>>> ComboFix fixes: Please go to "Start" => "Run", type Notepad in the Open field and click OK.
Copy and paste the text present inside the quote box below and save this as CFScript.txt, in the same location as ComboFix.exe:

Folder::
c:\program files (x86)\Ask.com

Registry::
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= -
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

DDS::
uInternet Settings,ProxyOverride = *.local

RegLock::
[HKEY_USERS\S-1-5-21-3918426166-2314642023-325945995-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
[HKEY_USERS\S-1-5-21-3918426166-2314642023-325945995-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

Now, close any open browsers and disable all your Protection Programs so they do not interfere with the running of ComboFix. The log is saved as "ComboFix.txt" at the root of the System drive (typically C:\ComboFix.txt).

Posted Image

Referring to the screenshot above, drag CFScript.txt into "ComboFix.exe".
This will start ComboFix again.
After reboot, (in case it asks to reboot), it will produce a log for you.
Please reboot the computer (if ComboFix did not ask for a reboot) and post the Combofix log in your next reply. This log can be found at the root of your System drive (typically C:\ComboFix.txt). Please copy and paste its contents in your next reply.


>>> Use RogueKiller: Please download to your Desktop, RogueKiller (by Tigzy) from here.
Close all running programs and right-click on "RogueKiller.exe" => "Run as administrator".
Type 1 and hit "Enter" and let it run uninterrupted.
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.
A log "RKreport[x].txt" will be saved at the same location as RogueKiller.exe, please copy and paste its contents in your next reply.


>>> In your next reply, please include the following:
  • ComboFix.txt
  • RKreport[x].txt

EI | SWI | ZEBULON | Posted Image | Posted Image

My help is free, but if you wish to help keep these forums running please consider a donation. Please, see here for details.

#7 helgymatt

helgymatt

    Member

  • Full Member
  • 53 posts

Posted 04 January 2012 - 01:17 PM

Here are the two reports - Browser is still hijacked.


ComboFix 12-01-03.08 - Matt 01/04/2012 6:47.2.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.3272 [GMT -6:00]
Running from: c:\users\Matt\Desktop\ComboFix.exe
Command switches used :: c:\users\Matt\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
.
.
2012-01-04 14:04 . 2012-01-04 14:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-02 17:51 . 2012-01-02 17:51 -------- d-----w- c:\programdata\Kaspersky Lab
2011-12-27 04:58 . 2011-12-27 04:58 -------- d-----w- c:\program files (x86)\Apple Software Update
2011-12-17 15:53 . 2011-12-19 12:22 -------- d-----w- c:\users\Matt\AppData\Roaming\ZoomBrowser EX
2011-12-15 23:57 . 2011-12-17 15:53 -------- d-----w- c:\programdata\ZoomBrowser
2011-12-15 23:56 . 2011-12-15 23:58 -------- d-----w- c:\program files (x86)\Canon
2011-12-15 23:56 . 2011-12-15 23:56 -------- d-----w- c:\program files (x86)\Common Files\Canon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-22 14:50 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-10-22 14:50 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-10-22 13:05 . 2011-05-25 11:10 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-15 19:16 . 2010-12-02 00:06 10248 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 19:16 . 2010-01-06 00:04 75808 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-10-15 19:16 . 2010-01-06 00:04 65264 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 19:16 . 2010-01-06 00:04 647080 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 19:16 . 2010-01-06 00:04 481768 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 19:16 . 2010-01-06 00:04 284648 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-10-15 19:16 . 2010-01-06 00:04 229528 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16 . 2010-01-06 00:04 160280 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-15 19:16 . 2010-01-06 00:04 100912 ----a-w- c:\windows\system32\drivers\mferkdet.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-04_01.12.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-04 12:26 . 2012-01-04 12:26 13306 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-01-03 23:12 . 2012-01-03 23:12 13306 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2009-07-14 04:54 . 2012-01-04 01:11 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-04 14:05 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-01-04 01:11 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 14:05 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-04 01:11 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 14:05 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-12-02 00:16 . 2012-01-04 12:22 41774 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-04 12:22 36052 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-12-06 21:48 . 2012-01-04 12:22 11516 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3918426166-2314642023-325945995-1000_UserData.bin
+ 2010-12-06 21:26 . 2012-01-04 14:40 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-12-06 21:26 . 2012-01-03 21:48 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-06 21:26 . 2012-01-04 14:40 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-12-06 21:26 . 2012-01-03 21:48 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-03 21:48 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-04 14:40 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-07 23:02 . 2012-01-04 01:11 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-07 23:02 . 2012-01-04 14:05 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-02 14:28 . 2012-01-04 14:08 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2012-01-02 14:28 . 2012-01-03 21:24 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2012-01-02 14:28 . 2012-01-03 21:24 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2012-01-02 14:28 . 2012-01-04 14:08 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2012-01-02 14:28 . 2012-01-04 14:08 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
- 2012-01-02 14:28 . 2012-01-03 21:24 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
- 2010-12-07 23:02 . 2012-01-04 01:11 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-12-07 23:02 . 2012-01-04 14:08 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-12-07 23:02 . 2012-01-04 01:11 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-12-07 23:02 . 2012-01-04 14:05 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-06 22:27 . 2012-01-03 23:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-06 22:27 . 2012-01-04 17:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-06 22:27 . 2012-01-04 17:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-06 22:27 . 2012-01-03 23:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-01-04 01:11 . 2012-01-04 01:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-04 14:05 . 2012-01-04 14:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-04 14:05 . 2012-01-04 14:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-04 01:11 . 2012-01-04 01:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-01-03 23:19 624606 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-01-04 14:12 624606 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-01-04 14:12 106724 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-01-03 23:19 106724 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-01-03 23:11 229632 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-01-04 12:26 229632 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-07-26 23:23 1493160 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-07-26 1493160]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nerxy"="c:\program files (x86)\Nerxy\Nerxy File Orgainzer\FileOrganiser.exe" [2009-11-29 2005752]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-13 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1675160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"CenturyLinkTouchPointAgent"="c:\program files (x86)\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe" [2011-07-12 46208]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-13 559616]
.
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WPN311 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WPN311\wlancfg5.exe [2007-4-10 1695744]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 135664]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 135664]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files (x86)\StumbleUpon\StumbleUponUpdateService.exe [2011-04-14 103336]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-18 208536]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-10-18 161168]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2010-11-20 12:17 302592 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 04:03]
.
2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 04:03]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3918426166-2314642023-325945995-1000Core.job
- c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-23 20:55]
.
2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3918426166-2314642023-325945995-1000UA.job
- c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-23 20:55]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-21 8306208]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe
.
**************************************************************************
.
Completion time: 2012-01-04 12:03:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-04 18:03
ComboFix2.txt 2012-01-04 01:35
.
Pre-Run: 360,176,308,224 bytes free
Post-Run: 357,816,987,648 bytes free
.
- - End Of File - - 53D76F1CD5CD8BC613E9D5273091066A



RogueKiller V6.2.2 [12/31/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Matt [Admin rights]
Mode: Scan -- Date : 01/04/2012 12:14:22

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 10 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 7d1580144c1c78abdc52d18690c4c72e
[BSP] 0ec75d35f40aef34d4393a1738aa9c4d : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 81920 | Size: 12287 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 24080384 | Size: 487777 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] cffae6f2f6e7437accd8cb9d0a5d284c
[BSP] 0ec75d35f40aef34d4393a1738aa9c4d : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 81920 | Size: 12287 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 24080384 | Size: 487777 Mo
3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 976771072 | Size: 1 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] cffae6f2f6e7437accd8cb9d0a5d284c
[BSP] 0ec75d35f40aef34d4393a1738aa9c4d : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 81920 | Size: 12287 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 24080384 | Size: 487777 Mo
3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 976771072 | Size: 1 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt
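The RogueKiller report above compares the MBR and partition table as read through the normal Windows path (the view it labels "User") against two lower-level reads (labelled "LL1" and "LL2"); the "KO!" mismatch and the 1 MB NTFS partition at the end of the disk that is marked both ACTIVE and HIDDEN are what the tool reports as Root.MBR. As an added example, not part of this thread and not RogueKiller's own code, here is a small Python parser for this section of the report that extracts each view and reports the same indicators a responder would check by eye: MBR hashes that differ between views, a partition that is active yet hidden, partitions that appear only in the low-level views, and a boot (active) partition that differs between views. The sample text is a constructed copy of the block above, and the function and class names (`parse_mbr_check`, `assess`, `Layer`, `Partition`) are this example's own.

```python
"""Parse the 'MBR Check' section of a RogueKiller report and flag bootkit indicators.

Added example (not RogueKiller's code). The layer names ("User", "LL1", "LL2") and
the line formats are taken from the report as posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a copy of the MBR Check block from the thread above.
SAMPLE_REPORT = """\
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 7d1580144c1c78abdc52d18690c4c72e
[BSP] 0ec75d35f40aef34d4393a1738aa9c4d : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 81920 | Size: 12287 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 24080384 | Size: 487777 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] cffae6f2f6e7437accd8cb9d0a5d284c
[BSP] 0ec75d35f40aef34d4393a1738aa9c4d : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 81920 | Size: 12287 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 24080384 | Size: 487777 Mo
3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 976771072 | Size: 1 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] cffae6f2f6e7437accd8cb9d0a5d284c
[BSP] 0ec75d35f40aef34d4393a1738aa9c4d : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 81920 | Size: 12287 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 24080384 | Size: 487777 Mo
3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 976771072 | Size: 1 Mo
"""


@dataclass
class Partition:
    index: int
    active: bool           # "[ACTIVE]" in the report; "[XXXXXX]" means not bootable
    fs: str                # e.g. NTFS, FAT16
    hidden: bool           # "[HIDDEN!]" versus "[VISIBLE]"
    offset_sectors: int
    size_mb: int


@dataclass
class Layer:
    name: str              # "User", "LL1" or "LL2": the view the disk was read through
    mbr_hash: str = ""
    bsp_hash: str = ""
    partitions: list = field(default_factory=list)


LAYER_RE = re.compile(r"^--- (\w+) ---$")
HASH_RE = re.compile(r"^\[(MBR|BSP)\] ([0-9a-f]{32})")
PART_RE = re.compile(
    r"^(\d+) - \[(\w+)\] (\S+) \[(HIDDEN|VISIBLE)!?\] "
    r"Offset \(sectors\): (\d+) \| Size: (\d+) Mo$"
)


def parse_mbr_check(report: str) -> list[Layer]:
    """Split the MBR Check text into one Layer per '--- name ---' view."""
    layers: list[Layer] = []
    current: Layer | None = None
    for raw in report.splitlines():
        line = raw.strip()
        m = LAYER_RE.match(line)
        if m:
            current = Layer(name=m.group(1))
            layers.append(current)
            continue
        if current is None:
            continue  # text before the first view header (drive banner etc.)
        m = HASH_RE.match(line)
        if m:
            if m.group(1) == "MBR":
                current.mbr_hash = m.group(2)
            else:
                current.bsp_hash = m.group(2)
            continue
        m = PART_RE.match(line)
        if m:
            current.partitions.append(Partition(
                index=int(m.group(1)),
                active=(m.group(2) == "ACTIVE"),
                fs=m.group(3),
                hidden=(m.group(4) == "HIDDEN"),
                offset_sectors=int(m.group(5)),
                size_mb=int(m.group(6)),
            ))
    return layers


def assess(layers: list[Layer]) -> list[str]:
    """Return human-readable findings; an empty list means the views agree."""
    findings: list[str] = []
    # 1. The MBR bytes should hash identically no matter how the disk is read.
    if len({layer.mbr_hash for layer in layers}) > 1:
        findings.append("MBR differs between user-mode and low-level reads (disk I/O may be hooked)")
    user = next((layer for layer in layers if layer.name == "User"), None)
    user_offsets = {p.offset_sectors for p in user.partitions} if user else set()
    for layer in layers:
        # 2. A bootable partition that is also hidden is a classic bootkit staging area.
        for p in layer.partitions:
            if p.active and p.hidden:
                findings.append(f"{layer.name}: active but hidden {p.fs} partition at sector "
                                f"{p.offset_sectors} ({p.size_mb} MB)")
        # 3. Partitions that only the low-level views can see are concealed from user mode.
        if user is not None and layer is not user:
            for p in layer.partitions:
                if p.offset_sectors not in user_offsets:
                    findings.append(f"{layer.name}: partition at sector {p.offset_sectors} "
                                    "is not visible from user mode")
    # 4. The partition the BIOS will boot should be the same in every view.
    active = {layer.name: next((p.offset_sectors for p in layer.partitions if p.active), None)
              for layer in layers}
    if len(set(active.values())) > 1:
        findings.append(f"boot (active) partition differs between views: {active}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_mbr_check(SAMPLE_REPORT)):
        print("-", finding)
```

Run against the sample, `assess` reports six findings: the MBR hash mismatch, the active-but-hidden 1 MB partition (seen in both LL1 and LL2), the same partition being invisible from user mode (again in both low-level views), and the active partition moving from sector 81920 to sector 976771072. A clean disk, where every view returns the same hash and partition list, yields no findings, which is the state a responder would expect to see after the MBR has been repaired and the check is re-run.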

#8 lance_yien

lance_yien

    Forum Deity

  • Malware Support Mod
  • 2,442 posts

Posted 05 January 2012 - 01:25 AM

Please print out these instructions or copy them to a Notepad file for an easier reading.

Please reboot your computer and tap the F8 key continually, just before Windows starts to load. Select "Safe Mode with Networking" and press ENTER.


>>> ComboFix fixes: Please go to "Start" => "Run", type Notepad in the Open field and click OK.
Copy and paste the text present inside the quote box below and save this as CFScript.txt, in the same location as ComboFix.exe:

Registry::
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= -
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

Now, close any open browsers and disable all your Protection Programs so they do not interfere with the running of ComboFix. The log is saved as "ComboFix.txt" at the root of the System drive (typically C:\ComboFix.txt).

Posted Image

Referring to the screenshot above, drag CFScript.txt into "ComboFix.exe".
This will start ComboFix again.
After reboot, (in case it asks to reboot), it will produce a log for you.
Please reboot the computer (if ComboFix did not ask for a reboot) and post the Combofix log in your next reply. This log can be found at the root of your System drive (typically C:\ComboFix.txt). Please copy and paste its contents in your next reply.


>>> Run RogueKiller: Please right-click on "RogueKiller.exe" => "Run as administrator".
Type 2 (Delete) and hit "Enter" and let it run uninterrupted.
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.
A log "RKreport[x].txt" will be saved at the same location as RogueKiller.exe, please copy and paste its contents in your next reply.


>>> Use MBRCheck: Please download to your Desktop MBRCheck (by a_d_13) from one of these locations:
http://ad13.geekstogo.com/MBRCheck.exe
http://download.blee...al/MBRCheck.exe
http://www.kernelmod...fo/MBRCheck.exe.
Close all opened programs/ windows and double-click on MBRCheck.exe.
It will produce a log file saved automatically on your Desktop as "MBRCheck_Date_Time.txt".
Press the "Enter" key to close the MBRCheck window and post the contents of the log file.


>>> Please go to "Start" => "Run", type (or copy/paste) diskmgmt.msc and click the OK button.
Take and save a screen-shot of the Disk Management window and post it to your reply. You can use Gadwin PrintScreen.


>>> In your next reply, please include the following:
  • ComboFix.txt
  • RKreport[x].txt
  • MBRCheck log


#9 helgymatt

helgymatt

    Member

  • Full Member
  • 53 posts

Posted 05 January 2012 - 01:19 PM

ComboFix 12-01-05.01 - Matt 01/05/2012 8:34.3.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.3153 [GMT -6:00]
Running from: c:\users\Matt\Desktop\ComboFix.exe
Command switches used :: c:\users\Matt\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-12-05 to 2012-01-05 )))))))))))))))))))))))))))))))
.
.
2012-01-05 15:48 . 2012-01-05 15:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-02 17:51 . 2012-01-02 17:51 -------- d-----w- c:\programdata\Kaspersky Lab
2011-12-27 04:58 . 2011-12-27 04:58 -------- d-----w- c:\program files (x86)\Apple Software Update
2011-12-17 15:53 . 2011-12-19 12:22 -------- d-----w- c:\users\Matt\AppData\Roaming\ZoomBrowser EX
2011-12-15 23:57 . 2011-12-17 15:53 -------- d-----w- c:\programdata\ZoomBrowser
2011-12-15 23:56 . 2011-12-15 23:58 -------- d-----w- c:\program files (x86)\Canon
2011-12-15 23:56 . 2011-12-15 23:56 -------- d-----w- c:\program files (x86)\Common Files\Canon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-22 14:50 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-10-22 14:50 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-10-22 13:05 . 2011-05-25 11:10 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-15 19:16 . 2010-12-02 00:06 10248 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 19:16 . 2010-01-06 00:04 75808 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-10-15 19:16 . 2010-01-06 00:04 65264 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 19:16 . 2010-01-06 00:04 647080 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 19:16 . 2010-01-06 00:04 481768 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 19:16 . 2010-01-06 00:04 284648 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-10-15 19:16 . 2010-01-06 00:04 229528 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16 . 2010-01-06 00:04 160280 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-15 19:16 . 2010-01-06 00:04 100912 ----a-w- c:\windows\system32\drivers\mferkdet.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-04_01.12.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-05 14:15 . 2012-01-05 14:15 13306 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-01-03 23:12 . 2012-01-03 23:12 13306 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2009-07-14 04:54 . 2012-01-04 01:11 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-05 15:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-01-04 01:11 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-05 15:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-04 01:11 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-05 15:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-12-02 00:16 . 2012-01-04 20:41 42106 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-04 20:41 36128 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-12-06 21:48 . 2012-01-04 20:41 11564 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3918426166-2314642023-325945995-1000_UserData.bin
+ 2010-12-06 21:26 . 2012-01-05 15:57 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-12-06 21:26 . 2012-01-03 21:48 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-06 21:26 . 2012-01-05 15:57 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-12-06 21:26 . 2012-01-03 21:48 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-03 21:48 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-05 15:57 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-07 23:02 . 2012-01-04 01:11 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-07 23:02 . 2012-01-05 15:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-02 14:28 . 2012-01-05 15:52 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2012-01-02 14:28 . 2012-01-03 21:24 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2012-01-02 14:28 . 2012-01-03 21:24 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2012-01-02 14:28 . 2012-01-05 15:52 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2012-01-02 14:28 . 2012-01-05 15:52 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
- 2012-01-02 14:28 . 2012-01-03 21:24 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
- 2010-12-07 23:02 . 2012-01-04 01:11 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-12-07 23:02 . 2012-01-05 15:52 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-12-07 23:02 . 2012-01-04 01:11 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-12-07 23:02 . 2012-01-05 15:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-06 22:27 . 2012-01-03 23:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-06 22:27 . 2012-01-05 16:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-06 22:27 . 2012-01-05 16:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-06 22:27 . 2012-01-03 23:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-01-04 01:11 . 2012-01-04 01:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-05 15:49 . 2012-01-05 15:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-05 15:49 . 2012-01-05 15:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-04 01:11 . 2012-01-04 01:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-01-03 23:19 624606 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-01-05 15:55 624606 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-01-05 15:55 106724 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-01-03 23:19 106724 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-01-03 23:11 229632 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-01-05 14:15 229632 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nerxy"="c:\program files (x86)\Nerxy\Nerxy File Orgainzer\FileOrganiser.exe" [2009-11-29 2005752]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-13 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1675160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"CenturyLinkTouchPointAgent"="c:\program files (x86)\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe" [2011-07-12 46208]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-13 559616]
.
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WPN311 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WPN311\wlancfg5.exe [2007-4-10 1695744]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 135664]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 135664]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files (x86)\StumbleUpon\StumbleUponUpdateService.exe [2011-04-14 103336]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-18 208536]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-10-18 161168]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2010-11-20 12:17 302592 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 04:03]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 04:03]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3918426166-2314642023-325945995-1000Core.job
- c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-23 20:55]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3918426166-2314642023-325945995-1000UA.job
- c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-23 20:55]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-21 8306208]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe
.
**************************************************************************
.
Completion time: 2012-01-05 11:15:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-05 17:14
ComboFix2.txt 2012-01-04 18:03
ComboFix3.txt 2012-01-04 01:35
.
Pre-Run: 357,513,175,040 bytes free
Post-Run: 357,574,840,320 bytes free
.
- - End Of File - - 1398F3B2317399CC21627954FDBD5EEC

RogueKiller V6.2.2 [12/31/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Matt [Admin rights]
Mode: Remove -- Date : 01/05/2012 12:04:26

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 10 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> REPLACED (C:\Users\Matt\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 7d1580144c1c78abdc52d18690c4c72e
[BSP] 0ec75d35f40aef34d4393a1738aa9c4d : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 81920 | Size: 12287 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 24080384 | Size: 487777 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] cffae6f2f6e7437accd8cb9d0a5d284c
[BSP] 0ec75d35f40aef34d4393a1738aa9c4d : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 81920 | Size: 12287 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 24080384 | Size: 487777 Mo
3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 976771072 | Size: 1 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] cffae6f2f6e7437accd8cb9d0a5d284c
[BSP] 0ec75d35f40aef34d4393a1738aa9c4d : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 81920 | Size: 12287 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 24080384 | Size: 487777 Mo
3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 976771072 | Size: 1 Mo

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Inspiron 560
Logical Drives Mask: 0x000100fc

Kernel Drivers (total 187):
0x03257000 \SystemRoot\system32\ntoskrnl.exe
0x0320E000 \SystemRoot\system32\hal.dll
0x00BB1000 \SystemRoot\system32\kdcom.dll
0x00C9D000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00CEC000 \SystemRoot\system32\PSHED.dll
0x00D00000 \SystemRoot\system32\CLFS.SYS
0x00EE3000 \SystemRoot\system32\CI.dll
0x00E00000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00EA4000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00FA3000 \SystemRoot\system32\drivers\ACPI.sys
0x00EB3000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00EBC000 \SystemRoot\system32\drivers\msisadrv.sys
0x00D5E000 \SystemRoot\system32\drivers\pci.sys
0x00EC6000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00D91000 \SystemRoot\System32\drivers\partmgr.sys
0x00DA6000 \SystemRoot\system32\drivers\volmgr.sys
0x00C00000 \SystemRoot\System32\drivers\volmgrx.sys
0x00C5C000 \SystemRoot\System32\drivers\mountmgr.sys
0x010D6000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x011F2000 \SystemRoot\system32\drivers\amdxata.sys
0x01000000 \SystemRoot\system32\drivers\fltmgr.sys
0x0104C000 \SystemRoot\system32\drivers\fileinfo.sys
0x0121B000 \SystemRoot\system32\drivers\mfehidk.sys
0x012B7000 \SystemRoot\System32\Drivers\PxHlpa64.sys
0x0143A000 \SystemRoot\System32\Drivers\Ntfs.sys
0x012C3000 \SystemRoot\System32\Drivers\msrpc.sys
0x015DD000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01321000 \SystemRoot\System32\Drivers\cng.sys
0x01400000 \SystemRoot\System32\drivers\pcw.sys
0x01411000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x016BF000 \SystemRoot\system32\drivers\ndis.sys
0x01600000 \SystemRoot\system32\drivers\NETIO.SYS
0x01660000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x018DE000 \SystemRoot\System32\drivers\tcpip.sys
0x01AE2000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01B2C000 \SystemRoot\system32\drivers\mfewfpk.sys
0x01B70000 \SystemRoot\system32\drivers\volsnap.sys
0x01BBC000 \SystemRoot\System32\Drivers\spldr.sys
0x01BC4000 \SystemRoot\System32\drivers\rdyboost.sys
0x01800000 \SystemRoot\System32\Drivers\mup.sys
0x01812000 \SystemRoot\System32\drivers\hwpolicy.sys
0x0181B000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01855000 \SystemRoot\system32\DRIVERS\disk.sys
0x0186B000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x03D77000 \SystemRoot\system32\drivers\cdrom.sys
0x03DA1000 \SystemRoot\System32\Drivers\Null.SYS
0x03DAA000 \SystemRoot\System32\Drivers\Beep.SYS
0x03DB1000 \SystemRoot\System32\drivers\vga.sys
0x03DBF000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x03DE4000 \SystemRoot\System32\drivers\watchdog.sys
0x03DF4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x03C00000 \SystemRoot\system32\drivers\rdpencdd.sys
0x03C09000 \SystemRoot\system32\drivers\rdprefmp.sys
0x03C12000 \SystemRoot\System32\Drivers\Msfs.SYS
0x03C1D000 \SystemRoot\System32\Drivers\Npfs.SYS
0x018A9000 \SystemRoot\system32\DRIVERS\tdx.sys
0x03C2E000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x017B2000 \SystemRoot\System32\DRIVERS\netbt.sys
0x03EE2000 \SystemRoot\system32\drivers\afd.sys
0x03F6B000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x03F76000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x03F7F000 \SystemRoot\system32\DRIVERS\pacer.sys
0x03FA5000 \SystemRoot\system32\DRIVERS\mfenlfk.sys
0x03FB6000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x03FCC000 \SystemRoot\system32\DRIVERS\netbios.sys
0x03FDB000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x03E00000 \SystemRoot\system32\drivers\termdd.sys
0x03E14000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x03E65000 \SystemRoot\system32\drivers\nsiproxy.sys
0x03E71000 \SystemRoot\system32\drivers\mssmbios.sys
0x03E7C000 \SystemRoot\System32\drivers\discache.sys
0x03E8B000 \SystemRoot\System32\Drivers\dfsc.sys
0x03EA9000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x03EBA000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x0168B000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x04A04000 \SystemRoot\system32\DRIVERS\igdkmd64.sys
0x05423000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x05517000 \SystemRoot\System32\drivers\dxgmms1.sys
0x0555D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x0556A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x055C0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x055D1000 \SystemRoot\system32\drivers\HDAudBus.sys
0x04013000 \SystemRoot\system32\DRIVERS\athrx.sys
0x04190000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x0419D000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x041AA000 \SystemRoot\system32\drivers\CompositeBus.sys
0x041BA000 \SystemRoot\system32\DRIVERS\serscan.sys
0x041C2000 \SystemRoot\system32\drivers\ksthunk.sys
0x01393000 \SystemRoot\system32\drivers\ks.sys
0x041C8000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x013D6000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x041DE000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x01060000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x016A1000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x0108F000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x0141B000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x041EA000 \SystemRoot\system32\drivers\kbdclass.sys
0x04000000 \SystemRoot\system32\drivers\mouclass.sys
0x0400F000 \SystemRoot\system32\drivers\swenum.sys
0x018CB000 \SystemRoot\system32\drivers\umbus.sys
0x044E3000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x0453D000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x06006000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x04552000 \SystemRoot\system32\drivers\portcls.sys
0x0458F000 \SystemRoot\system32\drivers\drmk.sys
0x045B1000 \SystemRoot\system32\drivers\IntcHdmi.sys
0x04400000 \SystemRoot\system32\drivers\mfeavfk.sys
0x04436000 \SystemRoot\system32\drivers\mfefirek.sys
0x061F0000 \SystemRoot\System32\Drivers\crashdmp.sys
0x03C3B000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x044AA000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x00060000 \SystemRoot\System32\win32k.sys
0x044BD000 \SystemRoot\System32\drivers\Dxapi.sys
0x044C9000 \SystemRoot\system32\drivers\hidusb.sys
0x045D8000 \SystemRoot\system32\drivers\HIDCLASS.SYS
0x045F1000 \SystemRoot\system32\drivers\HIDPARSE.SYS
0x061FE000 \SystemRoot\system32\drivers\USBD.SYS
0x03D57000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x03D64000 \SystemRoot\system32\drivers\kbdhid.sys
0x0189B000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00550000 \SystemRoot\System32\TSDDD.dll
0x01200000 \SystemRoot\system32\drivers\USBSTOR.SYS
0x006B0000 \SystemRoot\System32\cdd.dll
0x010B0000 \SystemRoot\system32\drivers\luafv.sys
0x044D7000 \SystemRoot\system32\DRIVERS\Sftvollh.sys
0x00C76000 \SystemRoot\system32\drivers\WudfPf.sys
0x00DBB000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x03A40000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x03A93000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x03AA6000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x03ABE000 \SystemRoot\system32\drivers\HTTP.sys
0x03B87000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x03BB8000 \SystemRoot\system32\DRIVERS\bowser.sys
0x03A00000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x056B2000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x05700000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x05724000 \SystemRoot\System32\DRIVERS\srv2.sys
0x05600000 \SystemRoot\System32\DRIVERS\srv.sys
0x0701D000 \SystemRoot\system32\drivers\peauth.sys
0x070C3000 \SystemRoot\System32\Drivers\secdrv.SYS
0x070CE000 \SystemRoot\system32\DRIVERS\Sftfslh.sys
0x0718F000 \SystemRoot\system32\DRIVERS\Sftplaylh.sys
0x071DC000 \SystemRoot\System32\drivers\tcpipreg.sys
0x057C3000 \SystemRoot\system32\drivers\mfeapfk.sys
0x071EE000 \SystemRoot\system32\DRIVERS\Sftredirlh.sys
0x0578D000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x07E53000 \SystemRoot\System32\Drivers\fastfat.SYS
0x07EFA000 \??\C:\Windows\system32\Drivers\PROCEXP113.SYS
0x77370000 \Windows\System32\ntdll.dll
0x47DB0000 \Windows\System32\smss.exe
0xFF690000 \Windows\System32\apisetschema.dll
0xFF600000 \Windows\System32\autochk.exe
0xFF5E0000 \Windows\System32\comdlg32.dll
0xFF5D0000 \Windows\System32\nsi.dll
0xFF5A0000 \Windows\System32\imm32.dll
0xFF500000 \Windows\System32\msvcrt.dll
0x77540000 \Windows\System32\psapi.dll
0xFF4E0000 \Windows\System32\sechost.dll
0xFF2D0000 \Windows\System32\ole32.dll
0xFF1C0000 \Windows\System32\msctf.dll
0xFF0E0000 \Windows\System32\oleaut32.dll
0x77530000 \Windows\System32\normaliz.dll
0xFEFB0000 \Windows\System32\rpcrt4.dll
0xFE220000 \Windows\System32\shell32.dll
0xFE040000 \Windows\System32\setupapi.dll
0xFDF10000 \Windows\System32\wininet.dll
0xFDEF0000 \Windows\System32\imagehlp.dll
0xFDEA0000 \Windows\System32\ws2_32.dll
0xFDD20000 \Windows\System32\urlmon.dll
0xFDC50000 \Windows\System32\usp10.dll
0xFDBD0000 \Windows\System32\shlwapi.dll
0xFDB50000 \Windows\System32\difxapi.dll
0xFDAE0000 \Windows\System32\gdi32.dll
0xFDAD0000 \Windows\System32\lpk.dll
0xFDA30000 \Windows\System32\clbcatq.dll
0xFD7D0000 \Windows\System32\iertutil.dll
0x77270000 \Windows\System32\user32.dll
0x77150000 \Windows\System32\kernel32.dll
0xFD770000 \Windows\System32\Wldap32.dll
0xFD690000 \Windows\System32\advapi32.dll
0xFD5F0000 \Windows\System32\comctl32.dll
0xFD5D0000 \Windows\System32\devobj.dll
0xFD590000 \Windows\System32\cfgmgr32.dll
0xFD520000 \Windows\System32\KernelBase.dll
0xFD3B0000 \Windows\System32\crypt32.dll
0xFD370000 \Windows\System32\wintrust.dll
0xFD360000 \Windows\System32\msasn1.dll

Processes (total 67):
0 System Idle Process
4 System
316 C:\Windows\System32\smss.exe
516 csrss.exe
576 C:\Windows\System32\wininit.exe
592 csrss.exe
640 C:\Windows\System32\services.exe
664 C:\Windows\System32\lsass.exe
676 C:\Windows\System32\lsm.exe
684 C:\Windows\System32\winlogon.exe
824 C:\Windows\System32\svchost.exe
904 C:\Windows\System32\svchost.exe
964 C:\Windows\System32\svchost.exe
108 C:\Windows\System32\svchost.exe
352 C:\Windows\System32\svchost.exe
372 C:\Windows\System32\svchost.exe
1068 C:\Program Files\Dell\DellDock\DockLogin.exe
1124 C:\Windows\System32\svchost.exe
1364 C:\Windows\System32\spoolsv.exe
1468 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1520 C:\Program Files (x86)\Bonjour\mDNSResponder.exe
1552 C:\Windows\System32\svchost.exe
1584 C:\Windows\SysWOW64\svchost.exe
1616 C:\Program Files\Common Files\mcafee\systemcore\mfevtps.exe
1644 C:\Windows\System32\svchost.exe
1728 C:\Windows\System32\svchost.exe
1752 C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
1064 C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
1144 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
1516 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2064 C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe
2116 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2144 C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
2316 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
2460 C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
2632 C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
2716 C:\Windows\System32\svchost.exe
2856 WUDFHost.exe
2348 C:\Windows\System32\svchost.exe
2808 C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
1264 C:\Windows\System32\SearchIndexer.exe
2980 C:\Program Files\Windows Media Player\wmpnetwk.exe
3972 C:\Windows\System32\taskhost.exe
3808 C:\Windows\System32\dwm.exe
3516 C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
3288 C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
3268 C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
4476 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
4496 C:\Program Files (x86)\Nerxy\Nerxy File Orgainzer\FileOrganiser.exe
4508 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
4524 C:\Program Files (x86)\NETGEAR\WPN311\wlancfg5.exe
4576 C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
4600 C:\Program Files\mcafee.com\agent\mcagent.exe
4608 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
4616 C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
4792 C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
5236 C:\Windows\System32\wuauclt.exe
5976 C:\Program Files\mcafee\virusscan\McVsShld.exe
4964 C:\Windows\explorer.exe
3784 C:\Program Files (x86)\Internet Explorer\iexplore.exe
3228 C:\Windows\System32\audiodg.exe
5496 C:\Windows\System32\SearchProtocolHost.exe
5316 C:\Windows\System32\taskeng.exe
5756 C:\Windows\System32\SearchFilterHost.exe
5108 C:\Windows\System32\SearchProtocolHost.exe
6012 C:\Users\Matt\Desktop\MBRCheck.exe
1284 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`dee00000 (NTFS)
\\.\Q: --> error 5

PhysicalDrive0 Model Number: WDCWD5000AAKS-75V0A0, Rev: 05.01D05

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: AE3E0A945D44C8EA304A19A8F50F69065C34344B


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:


#10 lance_yien

lance_yien

    Forum Deity

  • Malware Support Mod
  • PipPipPipPipPip
  • 2,442 posts

Posted 06 January 2012 - 04:40 AM

Your logs confirm that your computer is infected with the latest version of the MBR infection that creates a hidden partition at the end of the hard drive where it stashes its malicious file(s) system (for more information see here).

>>> aswMBR scan: Please visit this page for the download link and the instructions to scan your computer.
When the scan completed successfully, click the "Save log" button and save it to your Desktop as "aswmbr.txt". Please copy and paste its contents in your next reply (DO NOT fix anything!).
Also the program will save a "MBR.dat" file (on your Desktop). Please go here and click on the "Browse" button.
Navigate to and double-click on "MBR.dat". Click the "Upload" button.
Please copy the content of the "Download link" field and paste it in your next reply.


>>> Next: Please make sure you have aswMBR.exe on your Desktop (if not the following will not work) and copy the following text (in bold).

%userprofile%\Desktop\aswMBR.exe -ap 1

Go to "Start" => "All Programs" => "Accessories", then right click on "Command Prompt" and click on "Run as administrator".
Right-click in the window that opens => "Paste" and press "Enter" (click Yes/OK for any prompts). Let it run uninterrupted.
When it's done, type exit and press "Enter" to close the window.
Restart your computer and let me know how it is functioning now.
EI | SWI | ZEBULON

My help is free, but if you wish to help keep these forums running please consider a donation. Please, see here for details.
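The hidden-partition pattern described above can be checked directly from a 512-byte MBR dump such as the MBR.dat that aswMBR saves: parse the partition table, hash the boot-code region, and measure how much of the disk lies after the last partition. The following is an added example, not MBRCheck's or aswMBR's own code; the sample sector, the disk size and the boot-code bytes are constructed to mirror the partition layout in the logs, and the baseline hash is assumed to come from a known-clean dump of the same machine.

```python
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446            # partition table starts at byte 446
ENTRY_SIZE = 16
MB_SECTORS = 2048             # 1 MiB in 512-byte sectors


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, signature check and partitions."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype = mbr[off], mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0:                      # empty slot
            continue
        partitions.append({"slot": i + 1, "active": status == 0x80,
                           "type": ptype, "start": start, "count": count})
    return {
        "boot_code_sha1": hashlib.sha1(mbr[:TABLE_OFFSET]).hexdigest(),
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "partitions": partitions,
    }


def trailing_unallocated(partitions, disk_sectors: int) -> int:
    """Sectors between the end of the last partition and the end of the disk."""
    last_end = max((p["start"] + p["count"] for p in partitions), default=0)
    return disk_sectors - last_end


def assess_mbr(mbr: bytes, disk_sectors: int, baseline_boot_sha1: str,
               max_gap_sectors: int = 16 * MB_SECTORS) -> list:
    """Return a list of findings; an empty list means nothing looked off.

    baseline_boot_sha1 is the SHA-1 of the boot-code region taken from a
    known-clean dump of the same machine (assumption: such a dump exists).
    """
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha1"] != baseline_boot_sha1:
        findings.append("boot code differs from the clean baseline")
    if sum(p["active"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    gap = trailing_unallocated(info["partitions"], disk_sectors)
    if gap > max_gap_sectors:
        findings.append(f"{gap // MB_SECTORS} MB unallocated after the last "
                        "partition (possible hidden partition)")
    return findings


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed MBR from boot code and (status, type, start, count)."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + i * ENTRY_SIZE,
                         status, ptype, start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed sample mirroring the layout aswMBR listed in the thread:
# Dell Utility (0xDE) at LBA 63, active NTFS at 81920, NTFS at 24080384.
CLEAN_BOOT_CODE = bytes(range(256)) + b"\x00" * 190   # stand-in, not real boot code
CLEAN_LAYOUT = [(0x00, 0xDE, 63, 39 * MB_SECTORS),
                (0x80, 0x07, 81920, 11718 * MB_SECTORS),
                (0x00, 0x07, 24080384, 465181 * MB_SECTORS)]
DISK_SECTORS = 976773168        # assumed total LBA count for a 500 GB drive
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, CLEAN_LAYOUT)
BASELINE_SHA1 = parse_mbr(CLEAN_MBR)["boot_code_sha1"]

# Tampered sample: different boot code and the last partition shortened by
# 2 GB, leaving space at the end of the disk where a rootkit could hide data.
TAMPERED_LAYOUT = CLEAN_LAYOUT[:2] + [(0x00, 0x07, 24080384,
                                       465181 * MB_SECTORS - 2048 * MB_SECTORS)]
TAMPERED_MBR = build_sample_mbr(b"\x90" * TABLE_OFFSET, TAMPERED_LAYOUT)


def demo():
    """Assess both constructed sectors; returns (clean_findings, tampered_findings)."""
    return (assess_mbr(CLEAN_MBR, DISK_SECTORS, BASELINE_SHA1),
            assess_mbr(TAMPERED_MBR, DISK_SECTORS, BASELINE_SHA1))


if __name__ == "__main__":
    for label, findings in zip(("clean", "tampered"), demo()):
        print(label, "->", findings or ["no findings"])
```

The trailing-space check needs the drive's true LBA count from the disk itself; a gap of a few thousand sectors is normal alignment slack, which is why the threshold defaults to 16 MB.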

#11 helgymatt

helgymatt

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 06 January 2012 - 05:24 PM

aswMBR version 0.9.9.1156 Copyright© 2011 AVAST Software
Run date: 2012-01-06 06:05:21
-----------------------------
06:05:21.906 OS Version: Windows x64 6.1.7601 Service Pack 1
06:05:21.906 Number of processors: 2 586 0x170A
06:05:21.906 ComputerName: MATT-PC UserName: Matt
06:05:24.995 Initialize success
06:07:29.717 AVAST engine defs: 12010600
06:07:48.827 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
06:07:48.827 Disk 0 Vendor: WDC_WD50 05.0 Size: 476940MB BusType: 3
06:07:48.843 Disk 0 MBR read successfully
06:07:48.843 Disk 0 MBR scan
06:07:48.859 Disk 0 Windows VISTA default MBR code
06:07:48.859 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
06:07:48.890 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 11718 MB offset 81920
06:07:48.905 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 465181 MB offset 24080384
06:07:48.905 Service scanning
06:07:52.025 Modules scanning
06:07:52.025 Disk 0 trace - called modules:
06:07:52.041 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa800548a334]<<
06:07:52.041 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800546b1d0]
06:07:52.556 3 CLASSPNP.SYS[fffff88001b9d43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80044cf050]
06:07:52.556 \Driver\iaStor[0xfffffa80039ea570] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa800548a334
06:07:54.022 AVAST engine scan C:\Windows
06:08:10.433 AVAST engine scan C:\Windows\system32
06:09:43.035 AVAST engine scan C:\Windows\system32\drivers
06:09:50.710 AVAST engine scan C:\Users\Matt
06:16:05.704 File: C:\Users\Matt\AppData\Local\sct.exe **INFECTED** Win32:Sirefef-JH [Trj]
06:16:21.429 File: C:\Users\Matt\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\4b57c39b-76dc4871 **INFECTED** Win32:Sirefef-JH [Trj]
06:29:17.967 AVAST engine scan C:\ProgramData
06:39:24.870 Scan finished successfully
07:34:14.043 Disk 0 MBR has been saved successfully to "C:\Users\Matt\Desktop\MBR.dat"
07:34:14.043 The log file has been saved successfully to "C:\Users\Matt\Desktop\aswMBR.txt"


Here is the "download link" field - not sure if this is what you want or not...I did not click on the link field.

http://www.sendspace.com/file/b8nejf



#12 helgymatt

helgymatt

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 06 January 2012 - 05:59 PM

I did all the actions - computer is not performing any better. I can only perform your actions in safe mode.
I cannot do much of anything in regular startup mode. I get popups of fake programs doing security scans and when I start IE it gets blocked and closes. All the icons on the desktop for aswMBR, Combofix, and other malware removal programs have a little green and blue shield in the bottom corner of them. This was not there before. I think more infections have taken place since my last post yesterday.
Thanks for your help so far! I have not seen any improvement yet so the work continues.

Is there a way you can "chat" with me to get a faster response to get this resolved? I noticed the chat option last night. Perhaps there is a time we can both log on and I can provide quick feedback on the scans, logs, etc. You seem to be working in the middle of the night (my time), but I could chat anytime you would need.

#13 lance_yien

lance_yien

    Forum Deity

  • Malware Support Mod
  • PipPipPipPipPip
  • 2,442 posts

Posted 07 January 2012 - 02:07 AM

Is there a way you can "chat" with me to get a faster response to get this resolved?

No, because the problems are fixed here, so it benefits everyone. Please be patient.

Your MBR seems to have been repaired.

Please reboot your computer and tap the F8 key continually, just before Windows starts to load. Select "Safe Mode with Networking" and press ENTER.

>>> Please right-click on Rkill => "Run as administrator". It will kill some processes from malware to allow you to run our tools.
- If the first one does not run successfully, download and try the other copies (with different file extensions) and see if one of them will run.
- If for some reason your computer should restart, please do so and re-run Rkill once again.
- I don't need to see any log from it.


>>> ComboFix fixes: Please go to "Start" => "Run", type Notepad in the Open field and click OK.
Copy and paste the text present inside the code box below (starting with http:) and save this as CFScript.txt, in the same location as ComboFix.exe:

http://www.spywareinfoforum.com/index.php?showtopic=133104
Collect::[4]
C:\Users\Matt\AppData\Local\sct.exe
C:\Users\Matt\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\4b57c39b-76dc4871
Now, close any open browsers and disable all your Protection Programs so they do not interfere with the running of ComboFix. The log is saved as "ComboFix.txt" at the root of the System drive (typically C:\ComboFix.txt).

Posted Image

Referring to the screenshot above, drag CFScript.txt into "ComboFix.exe".
This will start ComboFix again.
After reboot, (in case it asks to reboot), it will produce a log for you.
Please reboot the computer (if ComboFix did not ask for a reboot) and post the Combofix log in your next reply. This log can be found at the root of your System drive (typically C:\ComboFix.txt). Please copy and paste its contents in your next reply.


>>> Use Malwarebytes' Anti-Malware (MBAM): Please make sure you are connected to the Internet and run MBAM. Click the "Update" tab => "Check for Updates". If an update is found, it will download and install the latest version.
At the "the database was successfully updated..." message, press the "OK" button to close the box.
- If you encounter any problems while downloading the updates, please manually download them from here and just double-click/right-click on mbam-rules.exe => "Run as administrator" to install.
On the "Scanner" tab, make sure the "Perform Quick Scan" option is selected (If asked to select the drives to scan, leave all the drives selected) and click on the Scan button.
When the scan is complete, click "OK" and Show Results to view the results. Then, be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. It is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click "OK" to either and let MBAM proceed with the disinfection process.
- If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Please copy and paste the contents of the log into your next reply.
For complete or visual instructions on installing and running MBAM, please see here.


>>> TDSSKiller: Double-click/Right-click on TDSSKiller.exe => "Run as administrator", click on the "Start Scan" button and wait for the scan and disinfection process to be over.
If an infected file is detected, the default action will be "Cure" and if a suspicious file is detected, the default action will be "Skip".
Please DO NOT make any changes and click on the "Continue" button.
If you are asked to reboot the computer to complete the process, click on the "Reboot Now" button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt).
If no reboot is required, click on "Report". A log file will appear.
Please copy and paste the contents of that file in your next reply.


>>> In your next reply, please include the following:
  • ComboFix.txt
  • Malwarebytes Anti-Malware log
  • TDSSKiller_log.txt


#14 helgymatt

helgymatt

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 07 January 2012 - 11:44 AM

Still not able to run TDSSKiller. It will not open after clicking "Run as administrator" or any other way. System is improving - still seeing if all problems are gone and if things are acting normally. I have not seen any more popups or browser redirects. McAfee still does not work right - firewall and virus scan turn off automatically.

ComboFix 12-01-06.03 - Matt 01/07/2012 6:02.4.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.3158 [GMT -6:00]
Running from: c:\users\Matt\Desktop\ComboFix.exe
Command switches used :: c:\users\Matt\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Matt\AppData\Local\sct.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-07 to 2012-01-07 )))))))))))))))))))))))))))))))
.
.
2012-01-07 13:17 . 2012-01-07 13:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-06 04:58 . 2012-01-06 04:58 -------- d-----w- c:\users\Matt\AppData\Local\ElevatedDiagnostics
2012-01-05 18:11 . 2012-01-05 18:11 -------- d-----w- c:\program files (x86)\Gadwin Systems
2012-01-02 17:51 . 2012-01-02 17:51 -------- d-----w- c:\programdata\Kaspersky Lab
2011-12-27 04:58 . 2011-12-27 04:58 -------- d-----w- c:\program files (x86)\Apple Software Update
2011-12-17 15:53 . 2011-12-19 12:22 -------- d-----w- c:\users\Matt\AppData\Roaming\ZoomBrowser EX
2011-12-15 23:57 . 2011-12-17 15:53 -------- d-----w- c:\programdata\ZoomBrowser
2011-12-15 23:56 . 2011-12-15 23:58 -------- d-----w- c:\program files (x86)\Canon
2011-12-15 23:56 . 2011-12-15 23:56 -------- d-----w- c:\program files (x86)\Common Files\Canon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-22 14:50 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-10-22 14:50 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-10-22 13:05 . 2011-05-25 11:10 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-15 19:16 . 2010-12-02 00:06 10248 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 19:16 . 2010-01-06 00:04 75808 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-10-15 19:16 . 2010-01-06 00:04 65264 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 19:16 . 2010-01-06 00:04 647080 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 19:16 . 2010-01-06 00:04 481768 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 19:16 . 2010-01-06 00:04 284648 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-10-15 19:16 . 2010-01-06 00:04 229528 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 19:16 . 2010-01-06 00:04 160280 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-15 19:16 . 2010-01-06 00:04 100912 ----a-w- c:\windows\system32\drivers\mferkdet.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-04_01.12.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-06 22:48 . 2012-01-06 22:48 13306 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-01-03 23:12 . 2012-01-03 23:12 13306 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2009-07-14 04:54 . 2012-01-04 01:11 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-07 13:19 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-07 13:19 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-04 01:11 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-07 13:19 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-04 01:11 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-12-02 00:16 . 2012-01-07 13:49 42486 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-07 13:49 36176 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-12-06 21:48 . 2012-01-07 13:49 11604 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3918426166-2314642023-325945995-1000_UserData.bin
+ 2010-12-06 21:26 . 2012-01-07 13:27 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-12-06 21:26 . 2012-01-03 21:48 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-12-06 21:26 . 2012-01-03 21:48 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-12-06 21:26 . 2012-01-07 13:27 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-07 13:27 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-03 21:48 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-07 23:02 . 2012-01-04 01:11 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-07 23:02 . 2012-01-07 13:18 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-02 14:28 . 2012-01-07 13:21 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2012-01-02 14:28 . 2012-01-03 21:24 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2012-01-02 14:28 . 2012-01-03 21:24 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2012-01-02 14:28 . 2012-01-07 13:21 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
- 2012-01-02 14:28 . 2012-01-03 21:24 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
+ 2012-01-02 14:28 . 2012-01-07 13:21 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
- 2010-12-07 23:02 . 2012-01-04 01:11 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-12-07 23:02 . 2012-01-07 13:21 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-12-07 23:02 . 2012-01-07 13:18 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-07 23:02 . 2012-01-04 01:11 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-06 22:27 . 2012-01-03 23:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-06 22:27 . 2012-01-07 13:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-12-06 22:27 . 2012-01-03 23:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-12-06 22:27 . 2012-01-07 13:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-01-04 01:11 . 2012-01-04 01:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-07 13:18 . 2012-01-07 13:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-07 13:18 . 2012-01-07 13:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-04 01:11 . 2012-01-04 01:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-01-03 23:19 624606 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-01-07 13:25 624606 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-01-03 23:19 106724 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-01-07 13:25 106724 c:\windows\system32\perfc009.dat
- 2009-07-14 05:12 . 2012-01-02 17:31 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:12 . 2012-01-06 03:13 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 05:01 . 2012-01-03 23:11 229632 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-01-06 22:48 229632 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-11-02 21:55 . 2011-12-23 23:07 648948 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3918426166-2314642023-325945995-1000-12288.dat
+ 2011-11-02 21:55 . 2012-01-06 03:58 648948 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3918426166-2314642023-325945995-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nerxy"="c:\program files (x86)\Nerxy\Nerxy File Orgainzer\FileOrganiser.exe" [2009-11-29 2005752]
"Gadwin PrintScreen"="c:\program files (x86)\Gadwin Systems\PrintScreen\PrintScreen.exe" [2011-05-03 487424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1675160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"CenturyLinkTouchPointAgent"="c:\program files (x86)\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe" [2011-07-12 46208]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-13 559616]
.
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WPN311 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WPN311\wlancfg5.exe [2007-4-10 1695744]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 135664]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 135664]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
R3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files (x86)\StumbleUpon\StumbleUponUpdateService.exe [2011-04-14 103336]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-18 208536]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-10-18 161168]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2010-11-20 12:17 302592 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 04:03]
.
2012-01-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-13 04:03]
.
2012-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3918426166-2314642023-325945995-1000Core.job
- c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-23 20:55]
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3918426166-2314642023-325945995-1000UA.job
- c:\users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-23 20:55]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-21 8306208]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\system32\blank.htm
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe
.
**************************************************************************
.
Completion time: 2012-01-07 08:09:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-07 14:09
ComboFix2.txt 2012-01-05 17:15
ComboFix3.txt 2012-01-04 18:03
ComboFix4.txt 2012-01-04 01:35
.
Pre-Run: 356,817,313,792 bytes free
Post-Run: 356,870,606,848 bytes free
.
- - End Of File - - 6566B91B5F9BC214A78F09F79423158F



Logs for combofix and MBAM.
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.07.01

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.7601.17514
Matt :: MATT-PC [administrator]

1/7/2012 8:15:36 AM
mbam-log-2012-01-07 (08-15-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 177562
Time elapsed: 2 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Matt\AppData\Local\sct.exe" -a "iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Edited by helgymatt, 07 January 2012 - 11:45 AM.


#15 lance_yien

lance_yien

    Forum Deity

  • Malware Support Mod
  • PipPipPipPipPip
  • 2,442 posts

Posted 07 January 2012 - 12:10 PM

Please print out these instructions or copy them to a Notepad file for an easier reading

>>> Run BDRemovalTool_TDSS-Clones: Please go here and click Download the 64-bit version of the tool to download BDRemovalTool_TDSS-Clones and save it to your Desktop.
Close all running programs and disable all your protection programs: antivirus, firewall and antispyware (see here and/or here to know how to disable your programs).
Right-click on "BDRemovalTool_TDSS-Clones" => "Run as administrator". Click "START SCAN" and let it run uninterrupted.
When it's done, please copy and paste the results in your next reply (or take a screen-shot).


>>> OTL scan: Please download to your Desktop OTL (by OldTimer) from here or here.
Close all open windows, right-click on OTL.exe => "Run as administrator" and paste the following (starting with netsvcs) in the "Custom Scans/Fixes" window:

netsvcs
drivers32
%SYSTEMDRIVE%\*.* /90
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /90
%systemroot%\Tasks\*.job
%systemroot%\system32\drivers\*.sys /90
CREATERESTOREPOINT
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
SAVEMBR:0

Click the Run Scan button and let the program run uninterrupted.
When the scan completes, it will open two Notepad windows - "OTL.txt" (opened) and "Extras.txt" (minimized). These are saved in the same location as OTL.
Please copy and paste the contents of these files in your next reply (please post only one at a time).

#16 helgymatt

helgymatt

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 07 January 2012 - 12:42 PM

BDRemovalTool does not run either - not in safe mode either. It gained the little blue and yellow badge on the icon as well. I suspect the malware is preventing it from opening? Should I run the OTL scan anyway? Please advise.

Also - I removed McAfee and installed Avira. Hope this poses no problems. Still have NO firewall working at all. Windows one does not work - errors pop up when I try to enable (Error Code: 0x80070424) Please advise if I should download a free firewall until I get Windows firewall working.

Edited by helgymatt, 07 January 2012 - 01:57 PM.


#17 lance_yien

lance_yien

    Forum Deity

  • Malware Support Mod
  • PipPipPipPipPip
  • 2,442 posts

Posted 08 January 2012 - 01:18 AM

We will see later for your firewall program. Please read the "Very important!" note in my first message; "Please DO NOT run, install and/or uninstall any tools/ programs other than those I suggest to you because some programs can interfere with others and/ or can cause some problems to your system."
--

Let's try the following!

>>> aswMBR fixes: Please close all opened programs/ windows and run aswMBR. Allow it to download latest virus definitions (if prompted) and click the [Scan] button. Let it run uninterrupted.
When it's completed successfully, click the [Fix] button.
Click [Save log], save it to your Desktop and post its contents in your next reply.
Restart your computer.

>>> MBRCheck: Please close all opened programs/ windows and run MBRCheck.
It will produce a log file saved automatically on your Desktop as "MBRCheck_Date_Time.txt".
Press the "Enter" key to close the MBRCheck window and post the contents of the log file.


>>> In your next reply, please include the following:
  • aswmbr.txt
  • MBRCheck log


#18 helgymatt

helgymatt

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 08 January 2012 - 09:42 AM

I ran aswMBR, but it did not give me a chance to save the log. It asked me to restart and I didn't think to save at that point. It did find some errors saying things about "infected" in red.

If you think this is going to continue to be a battle I can easily reformat the drive. At what point is that recommended?

Here is the MBRCheck log -

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Inspiron 560
Logical Drives Mask: 0x000000fc

Kernel Drivers (total 114):

Processes (total 22):
0 System Idle Process
4 System
284 C:\Windows\System32\smss.exe
360 csrss.exe
400 csrss.exe
408 C:\Windows\System32\wininit.exe
468 C:\Windows\System32\services.exe
476 C:\Windows\System32\lsass.exe
492 C:\Windows\System32\winlogon.exe
520 C:\Windows\System32\lsm.exe
616 C:\Windows\System32\svchost.exe
696 C:\Windows\System32\svchost.exe
780 C:\Windows\System32\svchost.exe
820 C:\Windows\System32\svchost.exe
880 C:\Windows\System32\svchost.exe
932 C:\Windows\System32\svchost.exe
960 C:\Windows\System32\svchost.exe
1192 C:\Windows\System32\userinit.exe
1200 C:\Windows\explorer.exe
1304 C:\Windows\System32\ctfmon.exe
1652 C:\Users\Matt\Desktop\MBRCheck.exe
1660 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`dee00000 (NTFS)

PhysicalDrive0 Model Number: WDCWD5000AAKS-75V0A0, Rev: 05.01D05

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: AE3E0A945D44C8EA304A19A8F50F69065C34344B


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Done!

Edited by helgymatt, 08 January 2012 - 10:07 AM.


#19 lance_yien

lance_yien

    Forum Deity

  • Malware Support Mod
  • PipPipPipPipPip
  • 2,442 posts

Posted 08 January 2012 - 10:20 AM

Please run aswMBR and perform a scan.
Click the [Save log] button and save it to your Desktop. Copy and paste its contents in your next reply.

#20 helgymatt

helgymatt

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 08 January 2012 - 11:30 AM

aswMBR will not open now either (in safe mode). I ran it a few hours ago, but now nothing.

#21 lance_yien

lance_yien

    Forum Deity

  • Malware Support Mod
  • PipPipPipPipPip
  • 2,442 posts

Posted 08 January 2012 - 11:52 AM

>>> Tools removal:
  • Please remove ComboFix from your computer by going to "Start" => "Run" and type (or copy and paste): ComboFix /Uninstall in the runbox (make sure to leave a space between "ComboFix" and "/Uninstall"). Click "OK".
    It will remove all its files/ folders and reset your System Restore by flushing out previous restore points and creating a new clean restore point for you.
  • Also, please delete any remaining files/folders from our tools on your Desktop and/or System drive (usually C:\) by right-clicking => "Delete".

>>> Kaspersky Rescue Disk 10: Please go here for instructions and download link to use KRD10.
You can download the utility designed for recording the Kaspersky Rescue Disk to USB media here.

Please let me know how the scan went.
Do you have your Windows setup CD/DVD?

#22 helgymatt

helgymatt

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 08 January 2012 - 12:19 PM

I got aswMBR to run - I have not performed the actions in your last post yet. Let me know how you want to proceed with that first.
Here is the log -
aswMBR version 0.9.9.1156 Copyright© 2011 AVAST Software
Run date: 2012-01-06 06:05:21
-----------------------------
06:05:21.906 OS Version: Windows x64 6.1.7601 Service Pack 1
06:05:21.906 Number of processors: 2 586 0x170A
06:05:21.906 ComputerName: MATT-PC UserName: Matt
06:05:24.995 Initialize success
06:07:29.717 AVAST engine defs: 12010600
06:07:48.827 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
06:07:48.827 Disk 0 Vendor: WDC_WD50 05.0 Size: 476940MB BusType: 3
06:07:48.843 Disk 0 MBR read successfully
06:07:48.843 Disk 0 MBR scan
06:07:48.859 Disk 0 Windows VISTA default MBR code
06:07:48.859 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
06:07:48.890 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 11718 MB offset 81920
06:07:48.905 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 465181 MB offset 24080384
06:07:48.905 Service scanning
06:07:52.025 Modules scanning
06:07:52.025 Disk 0 trace - called modules:
06:07:52.041 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa800548a334]<<
06:07:52.041 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800546b1d0]
06:07:52.556 3 CLASSPNP.SYS[fffff88001b9d43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80044cf050]
06:07:52.556 \Driver\iaStor[0xfffffa80039ea570] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa800548a334
06:07:54.022 AVAST engine scan C:\Windows
06:08:10.433 AVAST engine scan C:\Windows\system32
06:09:43.035 AVAST engine scan C:\Windows\system32\drivers
06:09:50.710 AVAST engine scan C:\Users\Matt
06:16:05.704 File: C:\Users\Matt\AppData\Local\sct.exe **INFECTED** Win32:Sirefef-JH [Trj]
06:16:21.429 File: C:\Users\Matt\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\4b57c39b-76dc4871 **INFECTED** Win32:Sirefef-JH [Trj]
06:29:17.967 AVAST engine scan C:\ProgramData
06:39:24.870 Scan finished successfully
07:34:14.043 Disk 0 MBR has been saved successfully to "C:\Users\Matt\Desktop\MBR.dat"
07:34:14.043 The log file has been saved successfully to "C:\Users\Matt\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-08 10:36:09
-----------------------------
10:36:09.460 OS Version: Windows x64 6.1.7601 Service Pack 1
10:36:09.460 Number of processors: 2 586 0x170A
10:36:09.460 ComputerName: MATT-PC UserName: Matt
10:36:10.208 Initialize success
10:36:15.466 AVAST engine defs: 12010800
10:36:40.426 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
10:36:40.426 Disk 0 Vendor: WDC_WD50 05.0 Size: 476940MB BusType: 3
10:36:40.472 Disk 0 MBR read successfully
10:36:40.472 Disk 0 MBR scan
10:36:40.504 Disk 0 Windows VISTA default MBR code
10:36:40.519 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
10:36:40.550 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 11718 MB offset 81920
10:36:40.582 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 465181 MB offset 24080384
10:36:40.597 Service scanning
10:36:54.590 Modules scanning
10:36:54.590 Disk 0 trace - called modules:
10:36:54.622 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80047b1334]<<
10:36:54.622 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800472f060]
10:36:55.136 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80043b1050]
10:36:55.136 \Driver\iaStor[0xfffffa800438ce70] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa80047b1334
10:36:57.336 AVAST engine scan C:\Windows
10:37:01.938 File: C:\Windows\PEV.exe **INFECTED** Win32:Rootkit-gen [Rtk]
10:37:04.247 AVAST engine scan C:\Windows\system32
10:40:31.876 AVAST engine scan C:\Windows\system32\drivers
10:40:49.270 AVAST engine scan C:\Users\Matt
10:50:09.970 File: C:\Users\Matt\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\4b57c39b-76dc4871 **INFECTED** Win32:Sirefef-JH [Trj]
11:10:13.665 AVAST engine scan C:\ProgramData
11:11:22.976 Scan finished successfully
11:18:03.132 Disk 0 MBR has been saved successfully to "C:\Users\Matt\Desktop\MBR.dat"
11:18:03.132 The log file has been saved successfully to "C:\Users\Matt\Desktop\aswMBR.txt"

Let me know how to proceed on your previous post since I got this scan to run!

Edited by helgymatt, 08 January 2012 - 12:20 PM.
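What MBRCheck's "MBR Code Faked!" verdict and aswMBR's partition listing are derived from is the raw 512-byte boot sector, which both tools can save to a file (aswMBR's MBR.dat above). The following is an added example, not code from the thread or from either tool: it parses such a dump, lists the partition table the way aswMBR does, and compares the boot-code hash with a trusted set. The sample sector and the trusted set are constructed here, and hashing the first 440 bytes is this example's own convention, not necessarily what MBRCheck hashes.

```python
"""Parse and sanity-check a raw 512-byte MBR dump (constructed, added example;
not code from the thread, from aswMBR or from MBRCheck)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440            # boot code; the disk signature starts at 0x1B8
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA, sectors
BOOT_SIGNATURE = b"\x55\xAA"


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and up to four
    (status, type, first_lba, sector_count) tuples. CHS fields are zeroed;
    the checks below rely on the LBA fields only."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        sector[off:off + PART_ENTRY_LEN] = struct.pack(
            PART_ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[SECTOR - 2:] = BOOT_SIGNATURE
    return bytes(sector)


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts (1-based index)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_LEN])
        if ptype == 0:
            continue                      # unused slot
        entries.append({
            "index": i + 1,
            "active": status == 0x80,     # boot flag, shown as "(A)" by aswMBR
            "type": ptype,                # 0x07 NTFS, 0xDE Dell Utility, ...
            "lba": lba,
            "sectors": count,
            "mb": count // 2048,          # 512-byte sectors per MiB
        })
    return entries


def inspect_mbr(mbr, trusted_boot_code_sha1):
    """Check boot signature, boot-code hash and partition-table consistency.
    Returns the hash, the parsed entries and a list of findings (empty when
    nothing looks wrong)."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one full 512-byte sector")
    findings = []
    if mbr[SECTOR - 2:SECTOR] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing")
    code_sha1 = hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()
    if code_sha1 not in trusted_boot_code_sha1:
        findings.append("boot code SHA1 %s not in trusted set" % code_sha1)
    parts = parse_partitions(mbr)
    if sum(p["active"] for p in parts) != 1:
        findings.append("expected exactly one active partition")
    # Entries must not overlap: walk them by first LBA and compare with the
    # end of the previous one.
    prev_end = 0
    for p in sorted(parts, key=lambda p: p["lba"]):
        if p["lba"] < prev_end:
            findings.append("partition %d overlaps its predecessor" % p["index"])
        prev_end = p["lba"] + p["sectors"]
    return {"sha1": code_sha1, "partitions": parts, "findings": findings}


# Constructed sample mirroring the layout aswMBR reported above: Dell Utility
# at LBA 63, the 11718 MB active NTFS partition at 81920 and the 465181 MB
# NTFS partition at 24080384. The boot code is a placeholder, not real code.
SAMPLE_BOOT_CODE = b"\xEB\x3C\x90" + b"\x00" * (BOOT_CODE_LEN - 3)
SAMPLE_PARTITIONS = [
    (0x00, 0xDE, 63, 81857),
    (0x80, 0x07, 81920, 23998464),
    (0x00, 0x07, 24080384, 952690688),
]
CLEAN_MBR = build_mbr(SAMPLE_BOOT_CODE, SAMPLE_PARTITIONS)
# Trusted set: in practice the hash of boot code taken from a known-clean
# machine of the same Windows version; here it is the constructed sample's.
TRUSTED = {hashlib.sha1(SAMPLE_BOOT_CODE).hexdigest().upper()}
```

To run it against a real dump, pass the first 512 bytes of the file (for example `open("MBR.dat", "rb").read(512)`) to `inspect_mbr` together with a trusted-hash set you have collected yourself.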


#23 helgymatt

helgymatt

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 08 January 2012 - 01:04 PM

I do have the windows setup cd.

#24 lance_yien

lance_yien

    Forum Deity

  • Malware Support Mod
  • PipPipPipPipPip
  • 2,442 posts

Posted 08 January 2012 - 01:06 PM

>>> Java cache: Please clear your Java cache.
  • Click Start > Control Panel.
  • Double-click the Java icon.
  • Click Settings under Temporary Internet Files.
  • Click Delete Files.
    There are two options on this window to clear the cache.
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files window.
    This will delete all the Downloaded Applications and Applets from the cache.
  • Click OK on Temporary Files Settings window.
  • Close the Java Control Panel
Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel

>>> aswMBR fixes: Please run aswMBR and allow it to download latest virus definitions (if prompted). Click the [Scan] button and let it run uninterrupted.
When it's completed successfully, click the [Fix] button and restart your computer.
Run aswMBR (again) and perform a new scan. Save the log to your Desktop and post its contents.

#25 helgymatt

helgymatt

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 08 January 2012 - 02:38 PM

I did the aswMBR scan, clicked "fix MBR" (fix was not an option), and then it restarted the computer. Windows opened saying it did not close down properly... I opened windows normally. I then scanned again. Here is the log.

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-08 12:56:00
-----------------------------
12:56:00.091 OS Version: Windows x64 6.1.7601 Service Pack 1
12:56:00.091 Number of processors: 2 586 0x170A
12:56:00.091 ComputerName: MATT-PC UserName: Matt
12:56:00.793 Initialize success
12:56:04.225 AVAST engine defs: 12010800
12:56:05.988 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
12:56:05.988 Disk 0 Vendor: WDC_WD50 05.0 Size: 476940MB BusType: 3
12:56:06.003 Disk 0 MBR read successfully
12:56:06.003 Disk 0 MBR scan
12:56:06.019 Disk 0 Windows VISTA default MBR code
12:56:06.019 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
12:56:06.034 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 11718 MB offset 81920
12:56:06.050 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 465181 MB offset 24080384
12:56:06.066 Service scanning
12:56:12.181 Modules scanning
12:56:12.181 Disk 0 trace - called modules:
12:56:12.196 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa800493a334]<<
12:56:12.212 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004915060]
12:56:12.228 3 CLASSPNP.SYS[fffff88001b8a43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80043b0050]
12:56:12.243 \Driver\iaStor[0xfffffa800438b060] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa800493a334
12:56:13.086 AVAST engine scan C:\Windows
12:56:16.564 File: C:\Windows\PEV.exe **INFECTED** Win32:Rootkit-gen [Rtk]
12:56:20.230 AVAST engine scan C:\Windows\system32
12:59:27.075 AVAST engine scan C:\Windows\system32\drivers
12:59:44.282 AVAST engine scan C:\Users\Matt
13:33:41.371 AVAST engine scan C:\ProgramData
13:34:52.741 Scan finished successfully
13:35:35.704 Disk 0 MBR has been saved successfully to "C:\Users\Matt\Desktop\MBR.dat"
13:35:35.735 The log file has been saved successfully to "C:\Users\Matt\Desktop\aswMBR.txt"

Edited by helgymatt, 08 January 2012 - 02:38 PM.


#26 lance_yien

lance_yien

    Forum Deity

  • Malware Support Mod
  • PipPipPipPipPip
  • 2,442 posts

Posted 09 January 2012 - 01:24 AM

>>> Fix your MBR: Please insert your Windows setup CD/DVD and restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Choose your language settings, and then click Next.
Click "Repair your computer" and select the Operating System you want to repair. Then click Next.
On the "System Recovery Options" menu, click Command Prompt
Type bootrec.exe /fixmbr and hit "Enter". Please make sure to leave a space after bootrec.exe.
When it's completed successfully, type exit and hit "Enter" to restart your computer.


>>> Run MBRCheck: Please close all opened programs/ windows and right-click on "MBRCheck.exe" => "Run as administrator".
It will produce a log file saved automatically on your Desktop as "MBRCheck_Date_Time.txt".
Press the "Enter" key to close the MBRCheck window and post the contents of the log file.


>>> Any improvements?

#27 helgymatt

helgymatt

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 09 January 2012 - 10:05 PM

I guess I do not have the windows install cd for my Dell. Apparently Dell does not send them with a computer anymore. So - how do I access "system recovery options"? I tried to do a F8 and "repair your computer", but the computer froze on the next screen saying "windows is loading files...". I tried this several times with no success. Do I need to disconnect speakers, wireless mouse, wlan, etc for this to work? Do I need to order a windows os CD from Dell? Please advise what to do.

Dell allows other restore methods like the Dell DataSafe Local Backup and Factory Image restore, but it looks like they all require the F8 "repair your computer" which leads to the freeze page.

Edited by helgymatt, 09 January 2012 - 10:27 PM.


#28 lance_yien

lance_yien

    Forum Deity

  • Malware Support Mod
  • PipPipPipPipPip
  • 2,442 posts

Posted 10 January 2012 - 01:19 AM

?? :)

I guess I do not have the windows install cd for my Dell. Apparently Dell does not send them with a computer anymore.

They certainly should allow you to create them.
Please go to their site and try to get information on how to do that.
Also, please see this page.

#29 helgymatt

helgymatt

    Member

  • Full Member
  • Pip
  • 53 posts

Posted 10 January 2012 - 06:28 PM

Dell does not have OS CD's in stock right now - and they make you pay $40 for them. Warranty ran out a month ago - go figure.

Dell DataSafe program to make recovery disks from my own hard drive will not work for me with either DVD's or Flash Drive - go figure. Error after error. I think this malware has really messed up about every function on my comp.

Is system restore an option to rid this Malware? If not - should I try to find some operating system disks or get them on order???


?? :)


I guess I do not have the windows install cd for my Dell. Apparently Dell does not send them with a computer anymore.

They certainly should allow you to create them.
Please go to their site and try to get information on how to do that.
Also, please see this page.


Edited by helgymatt, 10 January 2012 - 06:28 PM.


#30 lance_yien

lance_yien

    Forum Deity

  • Malware Support Mod
  • PipPipPipPipPip
  • 2,442 posts

Posted 11 January 2012 - 01:51 AM

...
Error after error. I think this malware has really messed up about every function on my comp.

That also may be related to a hardware problem. I recommend you take your computer to a repair shop to check for any hardware problem.
If that's OK then try any other solution you want.

#31 lance_yien

lance_yien

    Forum Deity

  • Malware Support Mod
  • PipPipPipPipPip
  • 2,442 posts

Posted 19 January 2012 - 09:03 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.




Member of ASAP and UNITE