gooseonator
Honorary Members
Posts: 22
Everything posted by gooseonator

  1. Some of my programs still aren't working, but it's some stupid industry software for appraisers. I'm gonna troubleshoot this some more and I'll report back if necessary. If things run smooth for a couple days I'll send ya some cash. I'm good on my word.
  2. Anyways... what's next, or are we free and clear?
  3. That's the Qoobox quarantine I am referring to. There is nothing in the RK quarantine folder with .vir.
  4. They are not. I see other files from 4/18 when I had gotten the initial virus, but nothing new with the .vir extension.
  5. Hmm, not sure what I'm looking for.. here is the log from RK quarantine:

     Time : 30/05/2013 19:03:17
     --------------------------
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [CarboniteUpgrade.exe.vir] -> C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe

     Time : 30/05/2013 19:22:48
     --------------------------
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [CarboniteUpgrade.exe.vir] -> C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [CarboniteUpgrade.exe.vir] -> C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe

     Time : 30/05/2013 19:24:27
     --------------------------
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [CarboniteUpgrade.exe.vir] -> C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [CarboniteUpgrade.exe.vir] -> C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [CarboniteUpgrade.exe.vir] -> C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe

     Time : 30/05/2013 19:25:57
     --------------------------
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [CarboniteUpgrade.exe.vir] -> C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [CarboniteUpgrade.exe.vir] -> C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe
     ERROR [xauwp.exe.vir] -> C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe
     ERROR [CarboniteUpgrade.exe.vir] -> C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe
     ERROR [CarboniteUpgrade.exe.vir] -> C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe

     Time : 30/05/2013 20:17:54
     --------------------------
     ERROR [CarboniteUpgrade.exe.vir] -> C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe

     Time : 30/05/2013 20:34:53
     --------------------------
     ERROR [CarboniteUpgrade.exe.vir] -> C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe
  6. # AdwCleaner v2.301 - Logfile created 05/30/2013 at 21:09:39
     # Updated 16/05/2013 by Xplode
     # Operating system : Windows 7 Professional Service Pack 1 (32 bits)
     # User : Backup - BACKUP-PC
     # Boot Mode : Normal
     # Running from : C:\Users\Backup\Desktop\adwcleaner.exe
     # Option [Delete]

     ***** [Services] *****

     ***** [Files / Folders] *****

     ***** [Registry] *****

     Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
     Key Deleted : HKCU\Software\pc optimizer pro
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}

     ***** [Internet Browsers] *****

     -\\ Internet Explorer v10.0.9200.16537

     Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={CFC5CFD3-BF42-11E2-9B71-BCAEC56D2107} --> hxxp://www.google.com

     *************************

     AdwCleaner[R1].txt - [1205 octets] - [30/05/2013 21:01:30]
     AdwCleaner[S1].txt - [1027 octets] - [30/05/2013 21:09:39]

     ########## EOF - C:\AdwCleaner[S1].txt - [1087 octets] ##########
  7. Okay, will do, one quick question though. Whatever happened to those files I was supposed to delete... ComboFix was finding the same files earlier but they would reappear after a reboot, and now they are just gone. I never deleted them manually, and when I rescanned with RogueKiller it wasn't finding them all of a sudden. Just makes me worry bc I have "removed" this virus several times now and it keeps coming back.
  8. And yes, as I disclosed initially, and asked for forgiveness, I did run ComboFix before coming on here. Sorry about that..
  9. # AdwCleaner v2.301 - Logfile created 05/30/2013 at 21:01:30
     # Updated 16/05/2013 by Xplode
     # Operating system : Windows 7 Professional Service Pack 1 (32 bits)
     # User : Backup - BACKUP-PC
     # Boot Mode : Normal
     # Running from : C:\Users\Backup\Desktop\adwcleaner.exe
     # Option [Search]

     ***** [Services] *****

     ***** [Files / Folders] *****

     ***** [Registry] *****

     Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
     Key Found : HKCU\Software\pc optimizer pro
     Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
     Key Found : HKU\S-1-5-21-516662134-4216643879-2606995567-1000\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}

     ***** [Internet Browsers] *****

     -\\ Internet Explorer v10.0.9200.16537

     [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={CFC5CFD3-BF42-11E2-9B71-BCAEC56D2107}

     *************************

     AdwCleaner[R1].txt - [1076 octets] - [30/05/2013 21:01:30]

     ########## EOF - C:\AdwCleaner[R1].txt - [1136 octets] ##########
  10. oops

      ComboFix 13-05-30.02 - Backup 05/30/2013 20:22:51.7.4 - x86
      Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2985.2127 [GMT -5:00]
      Running from: c:\users\Backup\Desktop\dakjgahelhg.exe
      SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
      .
      .
      ((((((((((((((((((((((((( Files Created from 2013-04-28 to 2013-05-31 )))))))))))))))))))))))))))))))
      .
      .
      2013-05-31 01:25 . 2013-05-31 01:25 -------- d-----w- c:\users\Public\AppData\Local\temp
      2013-05-31 01:25 . 2013-05-31 01:25 -------- d-----w- c:\users\Marty\AppData\Local\temp
      2013-05-31 01:25 . 2013-05-31 01:25 -------- d-----w- c:\users\Lori\AppData\Local\temp
      2013-05-31 01:25 . 2013-05-31 01:25 -------- d-----w- c:\users\Laurie\AppData\Local\temp
      2013-05-31 01:25 . 2013-05-31 01:25 -------- d-----w- c:\users\Default\AppData\Local\temp
      2013-05-31 01:25 . 2013-05-31 01:25 -------- d-----w- c:\users\Ashley\AppData\Local\temp
      2013-05-31 01:25 . 2013-05-31 01:25 -------- d-----w- c:\users\Appraiser1\AppData\Local\temp
      2013-05-31 00:39 . 2013-05-31 00:53 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
      2013-05-30 23:02 . 2013-05-30 23:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
      2013-05-30 23:02 . 2013-04-04 19:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
      2013-05-30 22:38 . 2013-05-31 01:25 -------- d-----w- c:\users\Backup\AppData\Local\temp
      2013-05-30 21:53 . 2013-05-30 22:02 -------- d-----w- C:\dakjgahelhg
      2013-05-17 23:11 . 2013-05-17 23:11 12872 ----a-w- c:\windows\system32\bootdelete.exe
      2013-05-17 22:49 . 2013-05-17 22:49 -------- d-----w- c:\programdata\PC Optimizer Pro
      2013-05-17 22:43 . 2013-05-17 23:11 -------- d-----w- c:\programdata\HitmanPro
      .
      .
      .
      (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2013-05-02 15:28 . 2011-06-23 16:43 238872 ------w- c:\windows\system32\MpSigStub.exe
      2013-04-19 17:05 . 2013-04-19 17:05 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
      2013-04-19 17:05 . 2013-04-19 17:05 788896 ----a-w- c:\windows\system32\deployJava1.dll
      2013-04-15 20:14 . 2011-06-23 21:18 833832 ----a-w- c:\windows\system32\alaaird.ocx
      2013-04-11 20:25 . 2011-06-23 21:19 911656 ------w- c:\windows\system32\wtapi.exe
      2013-04-02 08:03 . 2013-04-02 08:03 745472 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
      2013-04-02 08:03 . 2013-04-02 08:03 185344 ----a-w- c:\windows\system32\elshyph.dll
      2013-04-02 08:03 . 2013-04-02 08:03 73728 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
      2013-04-02 08:03 . 2013-04-02 08:03 523264 ----a-w- c:\windows\system32\vbscript.dll
      2013-04-02 08:03 . 2013-04-02 08:03 48640 ----a-w- c:\windows\system32\mshtmler.dll
      2013-04-02 08:03 . 2013-04-02 08:03 38400 ----a-w- c:\windows\system32\imgutil.dll
      2013-04-02 08:03 . 2013-04-02 08:03 158720 ----a-w- c:\windows\system32\msls31.dll
      2013-04-02 08:03 . 2013-04-02 08:03 150528 ----a-w- c:\windows\system32\iexpress.exe
      2013-04-02 08:03 . 2013-04-02 08:03 138752 ----a-w- c:\windows\system32\wextract.exe
      2013-04-02 08:03 . 2013-04-02 08:03 137216 ----a-w- c:\windows\system32\ieUnatt.exe
      2013-04-02 08:03 . 2013-04-02 08:03 12800 ----a-w- c:\windows\system32\mshta.exe
      2013-04-02 08:03 . 2013-04-02 08:03 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
      2013-04-02 08:03 . 2013-04-02 08:03 719360 ----a-w- c:\windows\system32\mshtmlmedia.dll
      2013-04-02 08:03 . 2013-04-02 08:03 61952 ----a-w- c:\windows\system32\tdc.ocx
      2013-04-02 08:03 . 2013-04-02 08:03 361984 ----a-w- c:\windows\system32\html.iec
      2013-04-02 08:03 . 2013-04-02 08:03 23040 ----a-w- c:\windows\system32\licmgr10.dll
      2013-04-02 08:03 . 2013-04-02 08:03 1441280 ----a-w- c:\windows\system32\inetcpl.cpl
      2013-04-02 08:02 . 2013-04-02 08:02 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
      2013-04-02 08:02 . 2013-04-02 08:02 906240 ----a-w- c:\windows\system32\FntCache.dll
      2013-04-02 08:02 . 2013-04-02 08:02 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
      2013-04-02 08:02 . 2013-04-02 08:02 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
      2013-04-02 08:02 . 2013-04-02 08:02 417792 ----a-w- c:\windows\system32\WMPhoto.dll
      2013-04-02 08:02 . 2013-04-02 08:02 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
      2013-04-02 08:02 . 2013-04-02 08:02 364544 ----a-w- c:\windows\system32\XpsGdiConverter.dll
      2013-04-02 08:02 . 2013-04-02 08:02 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
      2013-04-02 08:02 . 2013-04-02 08:02 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
      2013-04-02 08:02 . 2013-04-02 08:02 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
      2013-04-02 08:02 . 2013-04-02 08:02 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
      2013-04-02 08:02 . 2013-04-02 08:02 2284544 ----a-w- c:\windows\system32\msmpeg2vdec.dll
      2013-04-02 08:02 . 2013-04-02 08:02 220160 ----a-w- c:\windows\system32\d3d10core.dll
      2013-04-02 08:02 . 2013-04-02 08:02 1504768 ----a-w- c:\windows\system32\d3d11.dll
      2013-04-02 08:02 . 2013-04-02 08:02 1247744 ----a-w- c:\windows\system32\DWrite.dll
      2013-04-02 08:02 . 2013-04-02 08:02 1158144 ----a-w- c:\windows\system32\XpsPrint.dll
      2013-04-02 08:02 . 2013-04-02 08:02 1080832 ----a-w- c:\windows\system32\d3d10.dll
      2013-04-02 08:02 . 2013-04-02 08:02 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
      2013-04-02 08:02 . 2013-04-02 08:02 207872 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
      2013-04-02 08:02 . 2013-04-02 08:02 604160 ----a-w- c:\windows\system32\d3d10level9.dll
      2013-04-02 08:02 . 2013-04-02 08:02 3419136 ----a-w- c:\windows\system32\d2d1.dll
      2013-04-02 08:02 . 2013-04-02 08:02 293376 ----a-w- c:\windows\system32\dxgi.dll
      2013-04-02 08:02 . 2013-04-02 08:02 249856 ----a-w- c:\windows\system32\d3d10_1core.dll
      2013-04-02 08:02 . 2013-04-02 08:02 1988096 ----a-w- c:\windows\system32\d3d10warp.dll
      2013-04-02 08:02 . 2013-04-02 08:02 187392 ----a-w- c:\windows\system32\UIAnimation.dll
      2013-04-02 08:02 . 2013-04-02 08:02 161792 ----a-w- c:\windows\system32\d3d10_1.dll
      2013-04-02 08:02 . 2013-04-02 08:02 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
      2013-03-19 05:04 . 2013-04-10 01:29 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
      2013-03-19 05:04 . 2013-04-10 01:29 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
      2013-03-19 04:48 . 2013-04-10 01:29 38912 ----a-w- c:\windows\system32\csrsrv.dll
      2013-03-19 02:49 . 2013-04-10 01:29 69632 ----a-w- c:\windows\system32\smss.exe
      2013-03-02 05:07 . 2013-04-10 01:29 1212264 ----a-w- c:\windows\system32\drivers\ntfs.sys
      .
      .
      ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
      @="{95A27763-F62A-4114-9072-E81D87DE3B68}"
      [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
      2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
      @="{E300CD91-100F-4E67-9AF3-1384A6124015}"
      [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
      2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
      @="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
      [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
      2012-08-29 19:51 1014344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-26 143384]
      "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-26 176664]
      "Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-26 178200]
      "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-11-19 9874024]
      "NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
      "The Assistant"="c:\program files\a la mode\Sched\eSched.exe" [2012-04-02 104304]
      "Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-08-29 1061960]
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "ConsentPromptBehaviorAdmin"= 0 (0x0)
      "ConsentPromptBehaviorUser"= 3 (0x3)
      "EnableLUA"= 0 (0x0)
      "EnableUIADesktopToggle"= 0 (0x0)
      "PromptOnSecureDesktop"= 0 (0x0)
      .
      [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
      "NoAutoUpdate"= 1 (0x1)
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
      @=""
      .
      R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
      R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
      R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
      R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
      R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
      R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [x]
      S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [x]
      S2 asComSvc;ASUS Com Service;c:\program files\ASUS\AXSP\1.00.13\atkexComSvc.exe [x]
      S2 asHmComSvc;ASUS HM Com Service;c:\program files\ASUS\AAHM\1.00.13\aaHMSvc.exe [x]
      S2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [x]
      S2 MSSQL$ALAMODE;SQL Server (ALAMODE);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [x]
      S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]
      S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
      S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
      S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
      .
      .
      --- Other Services/Drivers In Memory ---
      .
      *NewlyCreated* - 60000399
      *Deregistered* - 60000399
      *Deregistered* - TrueSight
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
      .
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
      FontCache
      .
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://google.com/
      mStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={CFC5CFD3-BF42-11E2-9B71-BCAEC56D2107}
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
      TCP: Interfaces\{555888EF-6A62-4E06-83D0-C45B32447320}: NameServer = 68.238.96.12,68.238.112.12
      DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://bcs.mlxchange.com/5.5.04.23503/Control/IRCSharc.cab
      .
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
      @Denied: (Full) (Everyone)
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------
      .
      - - - - - - - > 'Explorer.exe'(2364)
      c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
      .
      Completion time: 2013-05-30 20:26:09
      ComboFix-quarantined-files.txt 2013-05-31 01:26
      ComboFix2.txt 2013-05-30 22:44
      ComboFix3.txt 2013-05-30 22:11
      ComboFix4.txt 2013-05-30 22:02
      ComboFix5.txt 2013-05-31 01:22
      .
      Pre-Run: 959,972,089,856 bytes free
      Post-Run: 959,655,649,280 bytes free
      .
      - - End Of File - - 063B92D7751545142D9611B33A3FA797
  11. I'm silly and have a habit I picked up somewhere: I always rename ComboFix something random bc one time something I was fighting kept deleting CF if it was named "combofix". Anyways, CF was renamed dakjgahelhg...

      Malwarebytes Anti-Rootkit BETA 1.06.0.1003
      www.malwarebytes.org

      Database version: v2013.05.31.01

      Windows 7 Service Pack 1 x86 NTFS
      Internet Explorer 10.0.9200.16540
      Backup :: BACKUP-PC [administrator]

      5/30/2013 7:39:36 PM
      mbar-log-2013-05-30 (19-39-36).txt

      Scan type: Quick scan
      Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
      Scan options disabled: Deep Anti-Rootkit Scan | PUP
      Objects scanned: 326558
      Time elapsed: 4 minute(s), 42 second(s)

      Memory Processes Detected: 0
      (No malicious items detected)

      Memory Modules Detected: 0
      (No malicious items detected)

      Registry Keys Detected: 0
      (No malicious items detected)

      Registry Values Detected: 0
      (No malicious items detected)

      Registry Data Items Detected: 0
      (No malicious items detected)

      Folders Detected: 0
      (No malicious items detected)

      Files Detected: 0
      (No malicious items detected)

      Physical Sectors Detected: 0
      (No malicious items detected)

      (end)
  12. Malwarebytes Anti-Rootkit BETA 1.06.0.1003
      www.malwarebytes.org

      Database version: v2013.05.31.01

      Windows 7 Service Pack 1 x86 NTFS
      Internet Explorer 10.0.9200.16540
      Backup :: BACKUP-PC [administrator]

      5/30/2013 7:39:36 PM
      mbar-log-2013-05-30 (19-39-36).txt

      Scan type: Quick scan
      Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
      Scan options disabled: Deep Anti-Rootkit Scan | PUP
      Objects scanned: 326558
      Time elapsed: 4 minute(s), 42 second(s)

      Memory Processes Detected: 0
      (No malicious items detected)

      Memory Modules Detected: 0
      (No malicious items detected)

      Registry Keys Detected: 0
      (No malicious items detected)

      Registry Values Detected: 0
      (No malicious items detected)

      Registry Data Items Detected: 0
      (No malicious items detected)

      Folders Detected: 0
      (No malicious items detected)

      Files Detected: 0
      (No malicious items detected)

      Physical Sectors Detected: 0
      (No malicious items detected)

      (end)
  13. ---------------------------------------
      Malwarebytes Anti-Rootkit BETA 1.06.0.1003
      © Malwarebytes Corporation 2011-2012

      OS version: 6.1.7601 Windows 7 Service Pack 1 x86

      Account is Administrative
      Internet Explorer version: 10.0.9200.16540
      File system is: NTFS
      Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
      CPU speed: 3.292000 GHz
      Memory total: 3130257408, free: 2027151360

      Downloaded database version: v2013.05.31.01
      Downloaded database version: v2013.05.22.01
      Initializing...
      ------------ Kernel report ------------
           05/30/2013 19:39:33

      Scan finished
      =======================================

      Removal queue found; removal started
      Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
      Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
      Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_1_i.mbam...
      Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_1_0_2048_i.mbam...
      Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_1_r.mbam...
      Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_2_i.mbam...
      Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_2_r.mbam...
      Removal finished
  14. Well, no luck. I have unhidden all files and even selected show OS files jic, but couldn't ever find it in appdata. I moved on and ran the mbam rootkit stuff, but it didn't find anything. Please advise, and thanks.
  15. I'm going to assume that is okay. I wanted to delete them myself, but I'll accept that they deleted themselves. I will proceed now to move on through your steps. Just an FYI.
  16. New log file
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Backup [Admin rights]
Mode : Scan -- Date : 05/30/2013 19:25:57
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 6 ¤¤¤
[TASK][SUSP PATH] {5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} : "C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe" /silent $(Arg0) [x] -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{555888EF-6A62-4E06-83D0-C45B32447320} : NameServer (68.238.96.12,68.238.112.12) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{555888EF-6A62-4E06-83D0-C45B32447320} : NameServer (68.238.96.12,68.238.112.12) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AACS-00ZUB0 ATA Device +++++
--- User ---
[MBR] 8379241c58c836023768bae24ac80672
[BSP] 1dc1ab2651e2f7f53123a08583404588 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: WDC WD10EALS-00Z8A0 ATA Device +++++
--- User ---
[MBR] 97ee0df68970354ce54b21584af3e2a0
[BSP] 188298a9fd14d021d85bc0b9f65786f9 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[4]_S_05302013_02d1925.txt >>
RKreport[1]_S_05302013_02d1903.txt ; RKreport[2]_S_05302013_02d1922.txt ; RKreport[3]_D_05302013_02d1924.txt ; RKreport[4]_S_05302013_02d1925.txt
  17. Got hung up on step one... I was able to check and delete the following:
[RUN][SUSP PATH] HKCU\[...]\Run : {5D016516-C8AA-AD40-B7E0-95FCB2F8B6E1} (C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-516662134-4216643879-2606995567-1000[...]\Run : {5D016516-C8AA-AD40-B7E0-95FCB2F8B6E1
However, the last entry was not shown in my list, and the folder I was to manually delete is not in appdata\roaming. Please advise.
  18. RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Backup [Admin rights]
Mode : Scan -- Date : 05/30/2013 19:03:17
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : {5D016516-C8AA-AD40-B7E0-95FCB2F8B6E1} (C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-516662134-4216643879-2606995567-1000[...]\Run : {5D016516-C8AA-AD40-B7E0-95FCB2F8B6E1} (C:\Users\Backup\AppData\Roaming\Yjitwu\xauwp.exe) [x] -> FOUND
[TASK][SUSP PATH] {5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} : "C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe" /silent $(Arg0) [x] -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{555888EF-6A62-4E06-83D0-C45B32447320} : NameServer (68.238.96.12,68.238.112.12) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{555888EF-6A62-4E06-83D0-C45B32447320} : NameServer (68.238.96.12,68.238.112.12) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AACS-00ZUB0 ATA Device +++++
--- User ---
[MBR] 8379241c58c836023768bae24ac80672
[BSP] 1dc1ab2651e2f7f53123a08583404588 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: WDC WD10EALS-00Z8A0 ATA Device +++++
--- User ---
[MBR] 97ee0df68970354ce54b21584af3e2a0
[BSP] 188298a9fd14d021d85bc0b9f65786f9 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1]_S_05302013_02d1903.txt >>
RKreport[1]_S_05302013_02d1903.txt
  19. Hi Mr. Charlie. Thank you for your time. I will be happy to reward you via PayPal once given the all clear. Starting with step 1 now...
  20. Thanks in advance. Longtime lurker, but I am having a hard time getting rid of this virus. It is affecting several of my computers. The attached logs are from the server that I believe is facilitating the spread across my network/client PCs. I have made an image for my machine here jic, but (don't hate me) I have also run ComboFix with no luck. Below are the requested logs.
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16537
Run by Backup at 17:48:50 on 2013-05-30
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2985.2144 [GMT -5:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\ASUS\AXSP\1.00.13\atkexComSvc.exe
C:\Program Files\ASUS\AAHM\1.00.13\aaHMSvc.exe
C:\Program Files\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Users\Backup\AppData\Local\Apps\2.0\8K0WBD4W.AQK\9E3HRWG6.1MT\elsi..tion_69acd703c415f77d_0003.0001_985532aec2d92098\Elsinore.ScreenConnect.GuestService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Backup\AppData\Local\Apps\2.0\8K0WBD4W.AQK\9E3HRWG6.1MT\elsi..tion_69acd703c415f77d_0003.0001_985532aec2d92098\Elsinore.ScreenConnect.WindowsClient.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\a la mode\Sched\eSched.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
mStart Page = hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={CFC5CFD3-BF42-11E2-9B71-BCAEC56D2107}
uRun: [{5D016516-C8AA-AD40-B7E0-95FCB2F8B6E1}] c:\users\backup\appdata\roaming\yjitwu\xauwp.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [The Assistant] c:\program files\a la mode\sched\eSched.exe /checkuac
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://bcs.mlxchange.com/5.5.04.23503/Control/IRCSharc.cab
TCP: Interfaces\{555888EF-6A62-4E06-83D0-C45B32447320} : NameServer = 68.238.96.12,68.238.112.12
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-8-3 11832]
R2 asComSvc;ASUS Com Service;c:\program files\asus\axsp\1.00.13\atkexComSvc.exe [2010-11-3 918144]
R2 asHmComSvc;ASUS HM Com Service;c:\program files\asus\aahm\1.00.13\aaHMSvc.exe [2010-12-1 915584]
R2 AsSysCtrlService;ASUS System Control Service;c:\program files\asus\assysctrlservice\1.00.11\AsSysCtrlService.exe [2011-6-23 586880]
R2 MSSQL$ALAMODE;SQL Server (ALAMODE);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R2 ScreenConnect Guest Client (4146266c-909f-4991-a528-a05093c6f02a);ScreenConnect Guest Client (4146266c-909f-4991-a528-a05093c6f02a);c:\users\backup\appdata\local\apps\2.0\8k0wbd4w.aqk\9e3hrwg6.1mt\elsi..tion_69acd703c415f77d_0003.0001_985532aec2d92098\Elsinore.ScreenConnect.GuestService.exe [2013-4-18 48696]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2010-10-20 41088]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-4-26 64904]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-4-26 146568]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 275048]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-24 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-6-23 1343400]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-7-13 20480]
.
=============== File Associations ===============
.
FileExt: .inf: inffile=c:\windows\system32\NOTEPAD.EXE %1 [userChoice]
.
=============== Created Last 30 ================
.
2013-05-30 22:43:09 -------- d-----w- C:\$RECYCLE.BIN
2013-05-30 22:38:38 -------- d-----w- c:\users\backup\appdata\local\temp
2013-05-30 21:53:43 -------- d-----w- C:\dakjgahelhg
2013-05-17 23:11:44 12872 ----a-w- c:\windows\system32\bootdelete.exe
2013-05-17 23:01:31 -------- d-----w- c:\windows\system32\appmgmt
2013-05-17 22:49:47 -------- d-----w- c:\programdata\PC Optimizer Pro
2013-05-17 22:43:14 -------- d-----w- c:\programdata\HitmanPro
.
==================== Find3M ====================
.
2013-05-02 15:28:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-19 17:05:24 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-04-19 17:05:24 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-15 20:14:14 833832 ----a-w- c:\windows\system32\alaaird.ocx
2013-04-11 20:25:52 911656 ------w- c:\windows\system32\wtapi.exe
2013-04-02 08:02:20 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-03-19 05:04:13 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48:45 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 02:49:16 69632 ----a-w- c:\windows\system32\smss.exe
2013-03-02 05:07:36 1212264 ----a-w- c:\windows\system32\drivers\ntfs.sys
.
============= FINISH: 17:49:05.73 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 6/23/2011 12:59:23 PM
System Uptime: 5/30/2013 5:45:49 PM (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P8H67-M LE
Processor: Intel® Core i5-2500 CPU @ 3.30GHz | LGA1155 | 2871/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 932 GiB total, 894.926 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 466 GiB total, 127.503 GiB free.
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_1C22&SUBSYS_844D1043&REV_05\3&11583659&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_1C22&SUBSYS_844D1043&REV_05\3&11583659&0&FB
Service:
.
==== System Restore Points ===================
.
RP227: 4/13/2013 3:17:05 AM - Windows Update
RP228: 4/17/2013 1:18:29 AM - Windows Update
RP229: 4/20/2013 4:33:49 PM - Windows Update
RP230: 4/24/2013 4:33:52 PM - Windows Update
RP231: 4/28/2013 4:33:52 PM - Windows Update
RP232: 5/2/2013 4:34:18 PM - Windows Update
RP233: 5/6/2013 4:33:50 PM - Windows Update
RP234: 5/10/2013 4:33:48 PM - Windows Update
RP235: 5/14/2013 4:34:42 PM - Windows Update
RP236: 5/17/2013 6:00:38 PM - Removed Internet Explorer Toolbar 4.8 by SweetPacks
RP237: 5/18/2013 4:34:28 PM - Windows Update
RP238: 5/22/2013 4:34:10 PM - Windows Update
RP239: 5/26/2013 4:34:09 PM - Windows Update
RP240: 5/30/2013 4:35:53 PM - Removed Adobe Reader XI (11.0.02).
RP241: 5/30/2013 4:36:43 PM - Removed Java 7 Update 21
RP242: 5/30/2013 4:41:51 PM - Removed Microsoft Silverlight
.
==== Installed Programs ======================
.
Carbonite
Microsoft .NET Framework 4 Client Profile
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (ALAMODE)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
PDF-XChange 3
Realtek Ethernet Controller Driver For Windows Vista and Later
Realtek High Definition Audio Driver
Renesas Electronics USB 3.0 Host Controller Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
swMSM
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
.
==== Event Viewer Messages From Past Week ========
.
5/30/2013 5:37:42 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
5/30/2013 5:35:51 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume Windows.
5/30/2013 5:07:24 PM, Error: Service Control Manager [7034] - The ScreenConnect Guest Client (4146266c-909f-4991-a528-a05093c6f02a) service terminated unexpectedly. It has done this 1 time(s).
5/30/2013 4:49:42 PM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error Access is denied..
5/30/2013 2:44:54 PM, Error: Service Control Manager [7003] - The Microsoft Network Inspection System service depends the following service: BFE. This service might not be installed.
5/30/2013 2:44:54 PM, Error: Service Control Manager [7001] - The Microsoft Network Inspection service depends on the Microsoft Network Inspection System service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion.
5/30/2013 2:44:54 PM, Error: Microsoft Antimalware [3002] -
5/30/2013 2:44:48 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
5/30/2013 2:44:48 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
5/30/2013 2:44:46 PM, Error: Service Control Manager [7003] - The Windows Firewall service depends the following service: BFE. This service might not be installed.
5/29/2013 4:34:34 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.151.1197.0).
5/28/2013 4:34:35 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.151.1103.0).
5/27/2013 4:34:39 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.151.1039.0).
5/26/2013 4:35:01 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.151.952.0).
5/25/2013 4:34:29 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.151.929.0).
5/24/2013 4:34:34 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.151.851.0).
5/23/2013 4:34:34 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.151.765.0).
.
==== End Of File ===========================