apfinger (Members, 9 posts)
Everything posted by apfinger

  1. Seems OK so far - the web isn't effectively shut down anymore and I haven't gotten any random popups yet. You can probably call this case closed, and I'll reopen it only if I see the symptoms again today or tomorrow. Thanks! Assuming all is well for a couple days, I hope to have a PayPal safely set up so I can contribute to MalwareBytes. Sure beats dropping the PC off at a shop for 3 days only to be charged for a Diag and Format!
  2. The scan completed, but there was a popup from Malwarebytes Anti-Malware: "{OpenEvent} Failed to perform desired action. Error Code: 2". I don't know if it's a problem or a result of other programs starting up after a fresh reboot (a couple auto-updaters started up once they detected Internet access again).

     Malwarebytes Anti-Malware 1.62.0.1300
     www.malwarebytes.org

     Database version: v2012.08.16.10

     Windows 7 Service Pack 1 x86 NTFS
     Internet Explorer 9.0.8112.16421
     Andy :: ANDY-PC [administrator]

     Protection: Enabled

     8/16/2012 5:50:37 PM
     mbam-log-2012-08-16 (17-50-37).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 194584
     Time elapsed: 5 minute(s), 57 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)
  3. Again, the server returned an error during upload (combofixlog2.txt as well as a zipped version), so the log is pasted here instead:
     ComboFix 12-08-16.01 - Andy 08/16/2012 15:15:02.2.2 - x86
  4. I had to reboot once due to the message popup indicating something about an illegal operation attempted on the registry. The website will not allow me to attach the log file. Here is a paste:
     ComboFix 12-08-16.01 - Andy 08/16/2012 13:32:20.1.2 - x86
  5. Thanks so far. I'll check back in after lunch with the log. Maybe I'll be able to contribute once this is all cleared up. However, after reading up on this malware, I think it best not to set up a PayPal acct until I'm sure the system is clean!
  6. I've run TDSSKiller.exe and rebooted. Attached is a zip file of the 3 logs generated.
     Attachment: TDSSKiller.2.8.6.0_16.08.2012_12.45.38_log.zip
  7. I ran Fix twice - I didn't know that FRST would remove fixlist.txt, so I thought perhaps I forgot to save it to the Flash drive. However, I did view the contents of the initial Fixlog.txt. The two "not found" in the attached file were actually successfully moved. Should I go forward to run ComboFix after ensuring any anti-virus / blockers are disabled?
     Attachment: Fixlog.txt
  8. I didn't see an edit option for my first post. My sources are:
     http://forums.malwarebytes.org/index.php?showtopic=113756
     That's a resolved thread, indicating I will need to run a "Fix" command from FRST before running ComboFix.
     http://forums.malwarebytes.org/index.php?showtopic=114358
     An open thread which utilizes RogueKiller thus far, but no further instructions.
  9. I recently ran a scan and came across the following guys:
     • Disabled.Cryptsvc, which I read was not a problem, but a symptom of other problems
     • Rootkit.Zaccess
     • Rootkit.0access
     • Trojan.Dropper.BCMiner
     • Trojan.Agent.BRVGen
     Searching other threads, I went ahead and ran some additional scans. Attached are the scans from DDS, RogueKiller, and FRST. From what I have read in a previously resolved thread on this issue, I'll need ComboFix and a text file created specifically for my system to attempt a purge of these bad guys. I'm downloading ComboFix as soon as I'm done posting here. Thank you in advance for your assistance!
     Attachments: Attach.txt, DDS.txt, FRST.txt, RKreport1.txt, Search.txt