Tim0

  1. Hi there, I believe I got everything taken care of, so this can be closed. Thanks!
  2. So I connected my external hard drive and as I was browsing through directories I got a notice from McAfee saying a trojan had been quarantined. However, TeaTimer began telling me that registry keys DisableTaskMgr and DisableRegistryTools were trying to be added, and every time I clicked deny change it would pop up again. I don't understand how the trojan would have gotten executed though, since I never clicked on it. Is it possible it was autorun off my external hard drive? I'm confused and worried lol. I ran MBAM and restarted my computer even though it found nothing. There are no more changes to my registry popping up anymore, but I don't want to assume I'm clean. Also Firefox just installed an update and won't load any pages anymore; I don't know if it's related, but I cannot use Firefox at all suddenly.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.9.2
Run by Tim at 18:22:18 on 2013-01-10
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8086.6058 [GMT -6:00]

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
OK, so added at 5:33 PM, all at the same time, were the registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoActiveDesktop REG_DWORD 0x00000001 (1) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoActiveDesktopChanges REG_DWORD 0x00000001 (1) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ForceActiveDesktopOn REG_DWORD 0x00000000 (0) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoRun REG_DWORD 0x00000000 (0) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoControlPanel REG_DWORD 0x00000000 (0) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ConsentPromptBehaviorAdmin REG_DWORD 0x00000005 (5) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ConsentPromptBehaviorUser REG_DWORD 0x00000003 (3) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableInstallerDetection REG_DWORD 0x00000001 (1) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA REG_DWORD 0x00000001 (1) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableSecureUIAPaths REG_DWORD 0x00000001 (1) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableUIADesktopToggle REG_DWORD 0x00000000 (0) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableVirtualization REG_DWORD 0x00000001 (1) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System PromptOnSecureDesktop REG_DWORD 0x00000001 (1) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ValidateAdminCodeSignatures REG_DWORD 0x00000000 (0) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System dontdisplaylastusername REG_DWORD 0x00000000 (0) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System legalnoticecaption REG_SZ 1/10/2013 5:33:23 PM 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System legalnoticetext REG_SZ 1/10/2013 5:33:23 PM 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System scforceoption REG_DWORD 0x00000000 (0) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System shutdownwithoutlogon REG_DWORD 0x00000001 (1) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System undockwithoutlogon REG_DWORD 0x00000001 (1) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System FilterAdministratorToken REG_DWORD 0x00000000 (0) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr REG_DWORD 0x00000000 (0) 1/10/2013 5:33:23 PM 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools REG_DWORD 0x00000000 (0) 1/10/2013 5:33:23 PM 4
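A read-only check a responder could run on the affected machine, added here as an example and not part of the original thread: it reads the DisableTaskMgr and DisableRegistryTools policy values the post mentions (under both HKLM and HKCU), reports the NoDriveTypeAutoRun policy that governs whether AutoRun is disabled for removable drives, and looks for an autorun.inf on any attached removable drive. It assumes an elevated PowerShell prompt on Windows 7 and uses only built-in cmdlets and well-known registry paths.

```powershell
# Added example (not from the original thread): read-only triage of the policy
# keys discussed in the post plus the AutoRun policy. Run elevated on Windows 7.

$systemPolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$explorerPolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, which is the default state.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

$findings = @()

# 1. Lockout policies: 1 blocks the tool, 0 or absent is normal.
foreach ($path in $systemPolicyPaths) {
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $v = Get-PolicyValue -Path $path -Name $name
        if ($v -eq 1) {
            $findings += "LOCKOUT: $name = 1 under $path"
        } else {
            $shown = if ($v -eq $null) { 'absent (default)' } else { $v }
            Write-Output ("{0} under {1}: {2}" -f $name, $path, $shown)
        }
    }
}

# 2. AutoRun policy: NoDriveTypeAutoRun is a bitmask of drive types for which
#    AutoRun is suppressed; 0xFF (255) suppresses it for every drive type.
foreach ($path in $explorerPolicyPaths) {
    $v = Get-PolicyValue -Path $path -Name 'NoDriveTypeAutoRun'
    if ($v -eq $null) {
        $findings += "AUTORUN: NoDriveTypeAutoRun not set under $path"
    } elseif (($v -band 0xFF) -ne 0xFF) {
        $findings += ("AUTORUN: NoDriveTypeAutoRun = 0x{0:X2} under {1} (not disabled for all drive types)" -f $v, $path)
    } else {
        Write-Output ("NoDriveTypeAutoRun under {0}: 0x{1:X2} (AutoRun disabled)" -f $path, $v)
    }
}

# 3. autorun.inf on currently attached removable drives (WMI DriveType 2).
#    Presence alone is not proof of infection; preserve it for analysis rather
#    than deleting it.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path $inf) {
        $findings += "AUTORUN.INF present on $($_.DeviceID) (review before removing)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No lockout or AutoRun findings.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```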