ihavebigproblem Posted January 2, 2012 ID:512609

I have the same ping.exe problem many others appear to have. I've run MBAM, ESET online scan and TDSSKiller. They've found infections but the ping.exe keeps coming back in Task Manager. DDS logs attached. Thanks in advance for your help.

Also, why would I get this virus if I only use my computer for research/Facebook/and typing (I never download anything)?
D-FRED-BROWN Posted January 3, 2012 ID:512958

Hello ihavebigproblem and welcome to Malwarebytes! I apologize for the delay.

I am D-FRED-BROWN and I will be helping you. Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download Farbar Service Scanner and run it on the computer with the issue.
Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

-------------

Please download to your Desktop: TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller:
Double-click on TDSSKiller.exe to run the application.
Click on the Start Scan button and wait for the scan and disinfection process to be over.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):
- TDSSKiller_log.txt
- How is the PC running now?

-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Please go here to see a list of programs that should be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

Please include the C:\ComboFix.txt in your next reply for further review. Also, please let me know if any problems still remain.

-------------

Please print out these instructions or copy them to a Notepad file for easier reading and download MBRCheck by a_d_13 to your Desktop from one of these locations:
http://ad13.geekstogo.com/MBRCheck.exe
http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe
http://www.kernelmode.info/MBRCheck.exe
Close all opened programs/windows and double-click on MBRCheck.exe.
It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".
Press the "Enter" key to close the MBRCheck window and post the contents of the log file.

-------------

In your next reply, please include:
- TDSSKiller report
- C:\ComboFix.txt
- MBRCheck report
- How is your computer running now?
ihavebigproblem Posted January 3, 2012 Author ID:513049

ComboFix:

ComboFix 12-01-03.07 - andrew 01/03/2012 17:19:07.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.3229 [GMT -8:00]

FSS Report:

Farbar Service Scanner
Ran by andrew (administrator) on 03-01-2012 at 17:24:12
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
The start type of bfe service is set to Demand. The default start type is Auto.
The ImagePath of bfe: "NADA".
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is set to Disabled. The default start type is 3.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

The Killer report was clean. Every time I try to do a MB scan it always has something, and as of this second I do not see ping.exe but it will probably come back.

And thank you so much =) happy holidays
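Reading an FSS report by hand is error-prone, so here is a small parser, added as an example (not code from the thread or from Farbar), that extracts the per-service findings from output in the layout posted above and ranks them the way a responder triages them: a missing service key or a replaced ImagePath first, a changed start type next, a merely stopped service last. The sample log is constructed to match the posted report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the Farbar Service Scanner (FSS)
# report posted above; this is not the poster's own log file.
SAMPLE_FSS = """\
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
The start type of bfe service is set to Demand. The default start type is Auto.
The ImagePath of bfe: "NADA".
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is set to Disabled. The default start type is 3.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.
"""

# One line opens each per-service block; the lines after it describe its config.
SERVICE_HDR = re.compile(r"^(\S+) Service is (not running|running)\.")
KEY_MISSING = re.compile(r"Unable to open (\S+) registry key")
START_TYPE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
IMAGE_PATH = re.compile(r'^The ImagePath of (\S+): "(.*)"\.')


@dataclass
class ServiceFinding:
    name: str
    running: bool
    problems: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A deleted service key or a replaced ImagePath is what malware leaves
        # behind when it disables the firewall; a changed start type is weaker
        # evidence; "not running" alone may just be the machine's current state.
        if any(p.startswith(("registry key missing", "ImagePath")) for p in self.problems):
            return "high"
        if any(p.startswith("start type") for p in self.problems):
            return "medium"
        return "ok" if self.running else "low"


def parse_fss(text: str) -> dict:
    """Map service name -> ServiceFinding for every service block in an FSS report."""
    findings = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_HDR.match(line)
        if m:
            current = ServiceFinding(name=m.group(1), running=(m.group(2) == "running"))
            findings[current.name] = current
            continue
        if current is None or not line:
            continue
        if (m := KEY_MISSING.search(line)):
            msg = f"registry key missing ({m.group(1)})"
            if msg not in current.problems:  # FSS repeats this for Start type, ImagePath and ServiceDll
                current.problems.append(msg)
        elif (m := START_TYPE.match(line)):
            current.problems.append(f"start type changed: {m.group(2)} (default {m.group(3)})")
        elif (m := IMAGE_PATH.match(line)):
            current.problems.append(f'ImagePath replaced: "{m.group(2)}"')
        # Lines ending in "is OK." carry no finding and fall through.
    return findings


def summarize(findings: dict) -> list:
    """Return (name, severity, problems) tuples, worst first, then by name."""
    rank = {"high": 0, "medium": 1, "low": 2, "ok": 3}
    return sorted(((f.name, f.severity, tuple(f.problems)) for f in findings.values()),
                  key=lambda t: (rank[t[1]], t[0]))


if __name__ == "__main__":
    for name, sev, probs in summarize(parse_fss(SAMPLE_FSS)):
        print(f"{sev:6} {name:8} {'; '.join(probs) or 'no configuration problems'}")
```

On the posted report this puts MpsSvc (service key gone) and bfe (ImagePath "NADA") at the top, which is exactly the firewall damage the helper will need to repair before the machine is safe to put back online.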
ihavebigproblem Posted January 3, 2012 Author ID:513062

Also, just noticed these:

END USER LICENSE AGREEMENT

Kaspersky Lab ZAO (the “Rightholder”) is an owner of all rights, whether exclusive or otherwise to the Software.

By using the Software You consent to be bound by the terms and conditions of this agreement.

The Rightholder hereby grants You a non-exclusive perpetual license to store, load, install, execute, and display (to “use”) the free of charge Software that will substantially perform within the scope of functionality set forth on http://support.kaspersky.com/viruses. The Software should be used as an auxiliary tool for removing threats from Your computer as described on http://support.kaspersky.com/viruses. The Rightholder doesn’t guarantee complete removal of threats and fixing issues caused by these threats.

No technical support for the Software is available.

You shall not emulate, modify, decompile, or reverse engineer the Software or disassemble or create derivative works based on the Software or any portion thereof with the sole exception of a non-waivable right granted to You by applicable legislation.

THE SOFTWARE IS PROVIDED "AS IS" AND THE RIGHTHOLDER MAKES NO REPRESENTATION AND GIVES NO WARRANTY AS TO ITS USE OR PERFORMANCE. EXCEPT FOR ANY WARRANTY, CONDITION, REPRESENTATION OR TERM THE EXTENT TO WHICH CANNOT BE EXCLUDED OR LIMITED BY APPLICABLE LAW THE RIGHTHOLDER AND ITS PARTNERS MAKE NO WARRANTY, CONDITION, REPRESENTATION, OR TERM (EXPRESS OR IMPLIED, WHETHER BY STATUTE, COMMON LAW, CUSTOM, USAGE OR OTHERWISE) AS TO ANY MATTER INCLUDING, WITHOUT LIMITATION, NONINFRINGEMENT OF THIRD PARTY RIGHTS, MERCHANTABILITY, SATISFACTORY QUALITY, INTEGRATION, OR APPLICABILITY FOR A PARTICULAR PURPOSE. YOU ASSUME ALL FAULTS, AND THE ENTIRE RISK AS TO PERFORMANCE AND RESPONSIBILITY FOR SELECTING THE SOFTWARE TO ACHIEVE YOUR INTENDED RESULTS, AND FOR THE INSTALLATION OF, USE OF, AND RESULTS OBTAINED FROM THE SOFTWARE.
WITHOUT LIMITING THE FOREGOING PROVISIONS, THE RIGHTHOLDER MAKES NO REPRESENTATION AND GIVES NO WARRANTY THAT THE SOFTWARE WILL BE ERROR-FREE OR FREE FROM INTERRUPTIONS OR OTHER FAILURES OR THAT THE SOFTWARE WILL MEET ANY OR ALL YOUR REQUIREMENTS WHETHER OR NOT DISCLOSED TO THE RIGHTHOLDER.

© 1997-2011 Kaspersky Lab ZAO. All Rights Reserved.

And the MBR report:

MBRCheck, version 1.2.3
© 2010, AD
Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Studio 540
Logical Drives Mask: 0x000000fc

Kernel Drivers (total 184):

Processes (total 32):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST3120026AS, Rev: 8.05

      Size  Device Name          MBR Status
  --------------------------------------------
    111 GB  \\.\PhysicalDrive0   Windows 7 MBR code detected
            SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

Done!
D-FRED-BROWN Posted January 4, 2012 ID:513109

Quote: END USER LICENSE AGREEMENT ... © 1997-2011 Kaspersky Lab ZAO. All Rights Reserved.

Don't worry about that, it's just a disclaimer.

Go ahead and reboot, then run Farbar Service Scanner once more and post the new log it creates.

Quote: And thank you so much =) happy holidays

Same to you!
ihavebigproblem (Author) Posted January 4, 2012 ID:513343

So I restarted my computer and so far there is no ping.exe, but it has only been 2 minutes. I did run an MB scan right before restarting and the ComboFix came up as a virus (I know it's not a threat), but something known as kwrd.dll also appeared.

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.01.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
andrew :: ANDREW-PC [administrator]

1/4/2012 6:58:43 AM
mbam-log-2012-01-04 (06-58-43).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 316649
Time elapsed: 35 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Qoobox\Quarantine\C\Windows\assembly\temp\kwrd.dll.vir (PUP.BitMiner) -> Quarantined and deleted successfully.
C:\Users\andrew\Desktop\cnet2_ComboFix_exe.exe (PUP.Adware.Downloader) -> Quarantined and deleted successfully.

(end)
ihavebigproblem (Author) Posted January 4, 2012 ID:513357

Ping.exe to my knowledge is fully gone, thanks =)
D-FRED-BROWN Posted January 4, 2012 ID:513371

We've got a little more fixing to do regarding your internet connection services:

Please download RestoreBFE.exe from: http://download.bleepingcomputer.com/sUBs/MiniFixes/RestoreBFE.exe
Double click on the downloaded file. It should only take a few seconds to run. When complete, it will say: "Done! Please check if BFE service is running now"

Next, please run Farbar Service Scanner once again, and post the log that it creates.
ihavebigproblem (Author) Posted January 4, 2012 ID:513431

Farbar Service Scanner
Ran by andrew (administrator) on 04-01-2012 at 18:25:13
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is set to Disabled. The default start type is 3.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****
D-FRED-BROWN Posted January 5, 2012 ID:513510

We've got some more work to do regarding those internet connection services. First, let's make a backup in case anything goes awry.

Backup Your Registry with ERUNT
Please go here, scroll down to ERUNT, and download.
For the version with the Installer: use the setup program to install ERUNT on your computer.
For the zipped version: unzip all the files into a folder of your choice.
Click Erunt.exe to backup your Registry to the folder of your choice.
Note: To restore your Registry, go to the folder and start ERDNT.exe.

-----------

I have attached two files that you will need to download and save to your Desktop. Once they are downloaded and AFTER you have run ERUNT, right-click on each one, one at a time, and select Extract All. Once you have extracted the file, please right click on the .reg file and select Merge. Allow the merge to complete and then reboot. Perform the same steps for the other .reg file. If you have ANY questions please ask before taking any steps.

-----------

Now run Farbar Service Scanner again and post the new log.

Attachments: BFE.zip, MpsSvc.zip
ihavebigproblem (Author) Posted January 5, 2012 ID:513599

Farbar Service Scanner
Ran by andrew (administrator) on 05-01-2012 at 03:37:15
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is set to Disabled. The default start type is 3.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****
ihavebigproblem (Author) Posted January 5, 2012 ID:513600

That's the log file after taking those steps, at this point what exactly is the problem?
ihavebigproblem (Author) Posted January 5, 2012 ID:513771

MB scan before sleeping:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.05.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
andrew :: ANDREW-PC [administrator]

1/5/2012 5:50:02 AM
mbam-log-2012-01-05 (05-50-02).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 315888
Time elapsed: 36 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCR\.exe\shell\open\command| (Hijack.ExeFile) -> Data: "C:\Users\andrew\AppData\Local\bjw.exe" -a "%1" %* -> Quarantined and deleted successfully.

Registry Data Items Detected: 4
HKCR\.exe| (Hijacked.exeFile) -> Bad: (NLK) Good: (exefile) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\andrew\AppData\Local\bjw.exe" -a "firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\andrew\AppData\Local\bjw.exe" -a "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\andrew\AppData\Local\bjw.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
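The two findings in this thread, the .exe and StartMenuInternet command hijack in the MBAM log above and the missing MpsSvc service key in the earlier Farbar Service Scanner log, can both be re-checked from the defender's side with a small read-only audit. The script below is an added example written for this page; it is not code from Malwarebytes, Farbar or ComboFix, and it assumes Windows 7 or later, an elevated PowerShell session, and the default service start types noted in its comments.

```powershell
# Added example (not from the thread or any tool it mentions): a read-only
# audit of the registry locations the logs above flagged. It changes nothing;
# each function returns a list of findings, and an empty list means clean.
# Assumptions: Windows 7 or later, elevated PowerShell, default start types.

function Get-ExeAssociationFindings {
    $findings = @()

    # HKCR\.exe must map to the ProgID "exefile"; MBAM found it set to "NLK".
    $assoc = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
    if ($assoc -ne 'exefile') {
        $findings += "HKCR\.exe maps to '$assoc' (expected 'exefile')"
    }

    # A clean system has no shell\open\command under the extension key itself;
    # that is the key the MBAM log showed carrying "...\bjw.exe" -a "%1" %*.
    $extCmd = 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command'
    if (Test-Path -Path $extCmd) {
        $cmd = (Get-ItemProperty -Path $extCmd).'(default)'
        $findings += "Unexpected HKCR\.exe\shell\open\command: $cmd"
    }

    # exefile's own open command is exactly "%1" %*; anything placed in front
    # of it runs every .exe the user launches through a wrapper first.
    $exefileCmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
    if ($exefileCmd -ne '"%1" %*') {
        $findings += "exefile open command is '$exefileCmd' (expected '""%1"" %*')"
    }
    return $findings
}

function Get-StartMenuInternetFindings {
    $findings = @()
    # Each registered browser (FIREFOX.EXE, IEXPLORE.EXE, ...) has a
    # shell\open\command and, for Firefox, a shell\safemode\command. The first
    # executable named in the command must be the browser itself; the log
    # showed bjw.exe wrapping both firefox.exe and iexplore.exe.
    $root = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
    foreach ($client in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        foreach ($verb in 'open', 'safemode') {
            $key = "$($client.PSPath)\shell\$verb\command"
            if (-not (Test-Path -Path $key)) { continue }
            $cmd = (Get-ItemProperty -Path $key).'(default)'
            if (-not $cmd) { continue }
            # First token: a quoted path, or a bare name up to the first space.
            $m = [regex]::Match($cmd, '^\s*(?:"([^"]+)"|(\S+))')
            $first = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
            $exeName = [System.IO.Path]::GetFileName($first)
            # -ne is case-insensitive in PowerShell, so FIREFOX.EXE matches firefox.exe.
            if ($exeName -ne $client.PSChildName) {
                $findings += "$($client.PSChildName) $verb command runs '$first' instead of the browser: $cmd"
            }
        }
    }
    return $findings
}

function Get-FirewallServiceFindings {
    $findings = @()
    # Start values: 2 = Automatic, 3 = Manual, 4 = Disabled. On a default
    # install MpsSvc and BFE are Automatic; mpsdrv is loaded on demand by
    # MpsSvc; SDRSVC and VSS are Manual (FSS reported "the default start
    # type is 3" for SDRSVC). These defaults are an assumption of this example.
    $expected = [ordered]@{ MpsSvc = 2; BFE = 2; mpsdrv = 3; SDRSVC = 3; VSS = 3 }
    foreach ($name in $expected.Keys) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path -Path $key)) {
            # This is exactly what FSS reported for MpsSvc: the key itself was gone,
            # so the service cannot even be started until the key is restored.
            $findings += "Service key missing: $name"
            continue
        }
        $start = (Get-ItemProperty -Path $key).Start
        if ($start -ne $expected[$name]) {
            $findings += "$name Start is $start (expected $($expected[$name]))"
        }
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $expected[$name] -eq 2 -and $svc.Status -ne 'Running') {
            $findings += "$name is Automatic but currently $($svc.Status)"
        }
    }
    return $findings
}

$all = @(Get-ExeAssociationFindings) + @(Get-StartMenuInternetFindings) + @(Get-FirewallServiceFindings)
if ($all.Count -eq 0) { 'No findings.' } else { $all }
```

On the machine in this thread, before the MBAM repair and the .reg merges, it would have reported the NLK association, the three bjw.exe wrapper commands and the absent MpsSvc key; after them it should print "No findings." for those items.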
ihavebigproblem (Author) Posted January 5, 2012 ID:513774

I combo fixed and deleted it:

ComboFix 12-01-03.07 - andrew 01/05/2012 14:14:08.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2949 [GMT -8:00]
Running from: c:\users\andrew\Desktop\ComboFix-W7.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\users\andrew\AppData\Local\bjw.exe

((((((((((((((((((((((((( Files Created from 2011-12-05 to 2012-01-05 )))))))))))))))))))))))))))))))

2012-01-05 22:18 . 2012-01-05 22:18 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-01-05 22:18 . 2012-01-05 22:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-04 00:57 . 2012-01-04 00:57 -------- d-----w- C:\ComboFix-W7
2012-01-04 00:54 . 2012-01-04 22:04 -------- d-----w- c:\programdata\WeCareReminder
2012-01-03 14:12 . 2012-01-03 14:12 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-01-02 12:25 . 2012-01-02 12:25 388096 ----a-r- c:\users\andrew\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-02 12:25 . 2012-01-02 12:25 -------- d-----w- c:\program files (x86)\Trend Micro
2012-01-02 04:59 . 2012-01-02 04:59 -------- d-----w- c:\program files (x86)\Microsoft
2012-01-02 04:59 . 2009-09-05 01:44 69464 ----a-w- c:\windows\SysWow64\XAPOFX1_3.dll
2012-01-02 04:59 . 2009-09-05 01:44 515416 ----a-w- c:\windows\SysWow64\XAudio2_5.dll
2012-01-02 04:59 . 2009-09-05 01:29 453456 ----a-w- c:\windows\SysWow64\d3dx10_42.dll
2012-01-02 04:59 . 2009-09-05 01:29 523088 ----a-w- c:\windows\system32\d3dx10_42.dll
2012-01-02 04:59 . 2006-11-29 21:06 4398360 ----a-w- c:\windows\system32\d3dx9_32.dll
2012-01-02 04:59 . 2006-11-29 21:06 3426072 ----a-w- c:\windows\SysWow64\d3dx9_32.dll
2012-01-02 04:58 . 2012-01-02 04:58 -------- d-----w- c:\users\andrew\AppData\Local\Windows Live
2012-01-02 04:58 . 2012-01-02 04:58 -------- d-----w- c:\program files (x86)\Common Files\Windows Live
2011-12-18 00:16 . 2011-12-18 00:16 -------- d-----w- c:\windows\system32\Macromed
2011-12-11 06:41 . 2011-12-17 08:15 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-12-18 12:40 . 2011-08-28 08:21 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-10 23:24 . 2011-08-28 22:55 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-26 04:34 . 2011-11-26 04:34 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin
2011-10-09 04:18 . 2011-08-29 08:31 7808 ----a-w- c:\windows\system32\drivers\hidusbf.sys

((((((((((((((((((((((((((((( SnapShot@2012-01-04_01.13.59 )))))))))))))))))))))))))))))))))))))))))

+ 2011-08-28 10:20 . 2012-01-05 22:07 29832 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-01-03 23:20 33650 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-05 22:07 33650 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:46 . 2012-01-04 01:18 94000 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2011-08-28 08:15 . 2012-01-05 22:07 9544 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1496710961-1331745258-44813692-1000_UserData.bin
- 2012-01-03 23:08 . 2012-01-04 01:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-05 22:05 . 2012-01-05 22:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-05 22:05 . 2012-01-05 22:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-03 23:08 . 2012-01-04 01:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-08-29 19:54 . 2012-01-05 22:03 322158 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2009-07-14 02:36 . 2012-01-05 22:12 626844 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-01-03 23:13 626844 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-01-05 22:12 107160 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-01-03 23:13 107160 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2012-01-05 22:04 385004 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-01-03 22:13 385004 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-01-05 11:18 . 2005-10-20 20:02 163328 c:\windows\ERDNT\1-5-2012\ERDNT.EXE
+ 2012-01-05 11:18 . 2012-01-05 11:18 2535424 c:\windows\ERDNT\1-5-2012\Users\00000002\UsrClass.dat
+ 2012-01-05 11:18 . 2012-01-05 11:18 2527232 c:\windows\ERDNT\1-5-2012\Users\00000001\ntuser.dat
+ 2011-08-28 10:17 . 2012-01-05 22:04 31390426 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1496710961-1331745258-44813692-1000-12288.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-11-15 1242448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 hidusbf;USB Mouse Rate Adjuster Lower Filter by SweetLow;c:\windows\system32\DRIVERS\hidusbf.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-22 30963576]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R4 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
R4 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]
R4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-03 379496]
S2 Bigfoot Networks Killer Service;Bigfoot Networks Killer Service;c:\program files\Bigfoot Networks\Killer Network Manager\BFNService.exe [2010-05-10 573952]
S3 BfEdge7x64;Bigfoot Networks Killer Ethernet Service;c:\windows\system32\DRIVERS\Edge7x64.sys [x]
S3 BFN7x64;Bigfoot Networks Killer Gaming Service;c:\windows\system32\DRIVERS\Xeno7x64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

--------- x86-64 -----------

------- Supplementary Scan -------

uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SYSTEM32\blank.htm
LSP: %SYSTEMROOT%\system32\BfLLR.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\toq6xa2q.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=

- - - - ORPHANS REMOVED - - - -

WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

Completion time: 2012-01-05 14:19:55
ComboFix-quarantined-files.txt 2012-01-05 22:19
ComboFix2.txt 2012-01-04 01:23

Pre-Run: 68,169,846,784 bytes free
Post-Run: 68,121,849,856 bytes free

- - End Of File - - 342F84EE63F5D7E7B891BC7216718E68
ihavebigproblem (Author) Posted January 5, 2012 ID:513775

It seems that the way I got the virus was through watching tv shows on these websites, watch.series.com, fastpass.ms, and globolister. Is there any program that you would recommend to act as a firewall while I watch tv shows so I no longer have such problems? I'm also a professional counter-strike player and it would be important that the firewall wouldn't interfere with my game play by randomly taking up memory. And thanks for staying with me this far.
D-FRED-BROWN Posted January 5, 2012 ID:513784

> That's the log file after taking those steps, at this point what exactly is the problem?

We just corrected some entries that corresponded to Windows Firewall... should those have remained the way they were, Windows Firewall would remain broken and unusable... Are you able to access Windows Firewall now? Please let me know.

> It seems that the way I got the virus was through watching tv shows on these websites, watch.series.com, fastpass.ms, and globolister. Is there any program that you would recommend to act as a firewall while I watch tv shows so I no longer have such problems? I'm also a professional counter-strike player and it would be important that the firewall wouldn't interfere with my game play by randomly taking up memory. And thanks for staying with me this far.

Indeed, those types of websites are a fast-track to infection. As we wrap all of this up, I will provide you some information on how to better secure your computer. Within that are a number of firewall recommendations. Basically, you should be able to manually configure them to fit your needs, and to ensure that they don't interfere with anything... most are rather flexible!

Before the next step, let's run an online scan to see if there's anything we may have missed:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the ActiveX control to install
4. Click Start
5. Make sure that the option Remove found threats is Unchecked and the option Scan unwanted applications is checked
6. Click Scan
7. Wait for the scan to finish
8. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Copy and paste that log as a reply to this topic
ihavebigproblem (Author) Posted January 5, 2012 ID:513816

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=e87df170ae17544d83985bd350a1e2a4
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-01-06 12:12:21
# local_time=2012-01-05 04:12:21 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776574 66 94 10363290 77348592 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=132302
# found=13
# cleaned=13
# scan_time=3599
C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll.vir   a variant of Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Qoobox\Quarantine\C\Users\andrew\AppData\Local\bjw.exe.vir   a variant of Win32/Kryptik.YMJ trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir   Win64/Sirefef.G trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\System Volume Information\_restore{B2E5E167-C433-4350-B095-11E1187D5051}\RP212\A0046092.exe   probably a variant of Win32/Agent.NQCQPIO trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Users\andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3aa4da42-193c7b80   a variant of Java/Agent.DZ trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\18db83d6-21baf92e   a variant of Java/TrojanDownloader.OpenConnection.AQ trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\4d809ea6-6805f0cb   a variant of Java/Agent.DZ trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\e5a51ab-7b814f24   a variant of Java/Agent.DZ trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\14dbed45-1f29f12f   a variant of Java/Agent.DP trojan (deleted - quarantined)   00000000000000000000000000000000   C
C:\Users\andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\33ce1c73-2e22eb91   a variant of Win32/Kryptik.YMJ trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Users\andrew\Downloads\cnet_ccsetup310_exe.exe   a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Users\andrew\Downloads\cnet_wrar401_exe.exe   a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
C:\Windows\assembly\temp\U\80000032.@   probably a variant of Win32/Olmarik.AVQ trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C

ughhhhhhh
ihavebigproblem (Author) Posted January 5, 2012 ID:513817

Also, I have purposely edited my services, if you were wondering why some may look distorted.
D-FRED-BROWN Posted January 5, 2012 ID:513822

> Also, I have purposely edited my services, if you were wondering why some may look distorted.

Cheers for letting me know about that. Much of what ESET detected was mainly old files that were quarantined by ComboFix; nothing to worry about. As for the entries in the Java cache, this should take care of them:

Please do the following:
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::
ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe.
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now.

---------

After that, let's see what programs need updating:
Please download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
ihavebigproblem Posted January 5, 2012 Author ID:513834

Combofix log

ComboFix 12-01-05.02 - andrew 01/05/2012 16:37:12.4.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2638 [GMT -8:00]
Running from: c:\users\andrew\Desktop\ComboFix-W7.exe
Command switches used :: c:\users\andrew\Desktop\CFScript.txt.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

Completion time: 2012-01-05 16:47:22 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-06 00:47
ComboFix2.txt 2012-01-05 22:19
ComboFix3.txt 2012-01-04 01:23

Pre-Run: 67,760,193,536 bytes free
Post-Run: 67,703,160,832 bytes free

- - End Of File - -

Check up log

Results of screen317's Security Check version 0.99.30
Windows 7 x64 (UAC is disabled!)
Internet Explorer 9

Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.

Anti-malware/Other Utilities Check:
Java 6 Update 27
Java version out of date!
Adobe Flash Player 11.0.1.152
Adobe Reader X (10.1.1)
Mozilla Firefox 8.0.1
Firefox out of Date!

Process Check: objlist.exe by Laurent

End of Log
D-FRED-BROWN Posted January 6, 2012 ID:513964

Sorry for the delay. Your logs are looking good. Before we move on to the next step, please update the following programs. (Using outdated applications leaves you extremely vulnerable to getting infected again.)

---------

I see you have User Account Control (UAC) disabled. This is an important security feature which helps prevent malware and other unwanted software from being installed on your computer. I strongly suggest you keep it enabled. See this link for instructions on how to enable it: http://windows.microsoft.com/en-US/windows-vista/Turn-User-Account-Control-on-or-off

---------

Java is out of date and older versions contain vulnerabilities. Please update to the newest version.
Download the newest version from here: http://www.oracle.com/technetwork/java/javase/downloads/index.html
It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to Start > Control Panel and open Add or Remove Programs.
Search in the list for all previously installed versions of Java (J2SE Runtime Environment). They will have this icon next to them:
Select each in turn and click Remove.
Once old versions are gone, please install the newest version.

---------

Firefox is out of date. Using an outdated version of a web browser leaves you extremely vulnerable to malware! Please visit the Mozilla site and update it to the latest version.

---------

Please let me know how the updates went, as failed updates may indicate additional malware.
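As an added example (not part of the thread and not one of the tools the helper links), the following read-only PowerShell check reports whether UAC is actually protecting a machine, so a finding like Security Check's "UAC is disabled!" can be verified and explained. It reads the policy values Windows itself keeps under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop); the key and value names are Windows' own, the default values assumed for missing entries are the Windows 7 defaults.

```powershell
# Added example, not from the thread: report whether User Account Control is
# effectively enabled. Read-only: it changes nothing on the machine.
# Key and value names are the ones Windows uses; defaults are the Windows 7 defaults.
function Test-UacPolicy {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    # Reading this key does not require elevation.
    $key = Get-ItemProperty -Path $Path -ErrorAction Stop

    # A value that is absent means Windows applies its built-in default.
    function Get-PolicyValue([string]$Name, [int]$Default) {
        if ($null -ne $key.$Name) { [int]$key.$Name } else { $Default }
    }

    $enableLua     = Get-PolicyValue 'EnableLUA'                  1
    $adminBehavior = Get-PolicyValue 'ConsentPromptBehaviorAdmin' 5
    $userBehavior  = Get-PolicyValue 'ConsentPromptBehaviorUser'  3
    $secureDesktop = Get-PolicyValue 'PromptOnSecureDesktop'      1

    $findings = New-Object System.Collections.Generic.List[string]
    if ($enableLua -eq 0) {
        # This is the setting Security Check summarises as "UAC is disabled!".
        $findings.Add('EnableLUA=0: UAC is switched off; everything an administrator runs is fully elevated.')
    }
    if ($adminBehavior -eq 0) {
        $findings.Add('ConsentPromptBehaviorAdmin=0: administrators are elevated silently, with no consent prompt.')
    }
    if ($secureDesktop -eq 0) {
        $findings.Add('PromptOnSecureDesktop=0: elevation prompts appear on the normal desktop, where other software can draw over them.')
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminBehavior
        ConsentPromptBehaviorUser  = $userBehavior
        PromptOnSecureDesktop      = $secureDesktop
        # UAC only provides protection if it is on and admins are actually prompted.
        UacEffective               = ($enableLua -eq 1 -and $adminBehavior -ne 0)
        Findings                   = $findings.ToArray()
    }
}

$result = Test-UacPolicy
$result | Format-List

if (-not $result.UacEffective) {
    Write-Warning 'UAC is not providing protection. Re-enable it via Control Panel > User Accounts > Change User Account Control settings; a reboot is required for the change to take effect.'
}
```

On the machine in this thread the function would report EnableLUA=0 and UacEffective=False, which is exactly the condition the helper asks to be corrected before moving on.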
ihavebigproblem Posted January 6, 2012 Author ID:514258

I have turned UAC on, and I have updated both programs successfully. I also did a few additional scans last night and everything is still "clean". I was told to get Windows Essentials because that's supposedly the best anti-virus (free) that I could get and it's good. I have yet to install it, but I would love to be able to still watch my TV shows without getting infected and also be able to continuously protect myself as programs update and downloads occur. Thanks btw, I've never played Counter-Strike so smoothly; it is as if I've been playing with a faulty system since the beginning.
D-FRED-BROWN Posted January 6, 2012 ID:514274

"I have turned UAC on, and I have updated both programs successfully, I also did a few additional scans last night and everything is still "clean"."
Glad to hear the updates went well!

"I was told to get windows essentials because that's supposedly the best anti-virus (free) that I could get and it's good."
MSE is a good program. You may also want to browse some of the programs I will be including in the post below. Personally, I am a big fan of Avast! Free Edition.

"Thanks btw, I've never played counter-strike so smoothly, it is as if I've been playing with a faulty system since the beginning."
That is great to hear!

---------

I will now provide you with some suggestions for security software, but first, let's remove ComboFix.
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

-------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.
- avast!
- AntiVir
- AVG

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:
- Spybot-Search & Destroy: A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.
- SpywareBlaster: A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.
- SpywareGuard: A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too. A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. If you are using the Windows Firewall, please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.
These firewalls are good and do have free versions available:
- Outpost Firewall Free
- Online Armor Firewall
A tutorial on understanding and using firewalls may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut, which provides protection against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here: http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here.
Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
ihavebigproblem Posted January 6, 2012 Author ID:514333

Well, I have installed avast and Microsoft Security Essentials and will continue to do scans and be aware of the extra scans you have given me. I will regularly scan every time I shut down and also scan for needed program updates like we did. I was wondering if I could now go on those websites like watch.series and fastpass to watch TV shows and movies without risk?
D-FRED-BROWN Posted January 6, 2012 ID:514346

"Well I have installed avast and Microsoft security essentials and will continue to do scans and be aware of the extra scans you have given me. I will regularly scan every time I shut down and also scan for needed program updates like we did."
Running two antivirus programs in resident mode will actually leave you at a greater risk of getting infected; they can conflict, which is dangerous. I would suggest you choose one (you can leave the other disabled, but scan when you need to).

"I was wondering if I could now go on those websites like watch.series and fastpass to watch tv shows and movies without risk?"
You should be able to; however, it will always be risky. I would recommend you take a look at the NoScript plugin for Firefox (http://noscript.net/) for safer browsing. You may also want to take a look at one of the recommended firewalls I have linked you to.

Let me know if you have any further questions, I'd be happy to answer them.