
Ping.exe



I have the same ping.exe problem many others appear to have. I've run MBAM, ESET online scan and TDSSKiller. They've found infections but the ping.exe keeps coming back in Task Manager. DDS logs attached. Thanks in advance for your help.

Also, why would I get this virus if I only use my computer for research/Facebook/and typing (I never download anything)?


Hello ihavebigproblem and welcome to Malwarebytes!

I apologize for the delay.

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
  • How the PC is running now
-------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
***IMPORTANT: save ComboFix to your Desktop***
* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
Please go here to see a list of programs that should be disabled.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**
Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.
-------------
Please print out these instructions or copy them to a Notepad file for easier reading, and download MBRCheck by a_d_13 to your Desktop from one of these locations:
http://ad13.geekstogo.com/MBRCheck.exe
http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe
http://www.kernelmode.info/MBRCheck.exe
Close all open programs/windows and double-click on MBRCheck.exe.
It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".
Press the "Enter" key to close the MBRCheck window and post the contents of the log file.
-------------
In your next reply, please include:
  • TDSSKiller report
  • C:\ComboFix.txt
  • MBRCheck report

How is your computer running now?


ComboFix

ComboFix 12-01-03.07 - andrew 01/03/2012 17:19:07.2.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.3229 [GMT -8:00]

Running from: c:\users\andrew\Desktop\ComboFix-W7.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

C:\Install.exe

c:\programdata\285dxn11c275cb60k7klv7v873031b68m6214

c:\programdata\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setup.dll

c:\programdata\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll

c:\programdata\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.dat

c:\programdata\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.exe

c:\programdata\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.ico

c:\users\andrew\AppData\Local\Temp\~CA14.tmp

c:\users\andrew\AppData\Roaming\Microsoft\Windows\Templates\285dxn11c275cb60k7klv7v873031b68m6214

c:\windows\assembly\temp\@

c:\windows\assembly\temp\bckfg.tmp

c:\windows\assembly\temp\cfg.ini

c:\windows\assembly\temp\keywords

c:\windows\assembly\temp\kwrd.dll

c:\windows\system32\consrv.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))

.

.

2012-01-04 01:22 . 2012-01-04 01:22 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-01-04 01:22 . 2012-01-04 01:22 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-01-04 00:57 . 2012-01-04 00:57 -------- d-----w- C:\ComboFix-W7

2012-01-04 00:54 . 2012-01-04 00:54 -------- d-----w- c:\programdata\WeCareReminder

2012-01-03 14:12 . 2012-01-03 14:12 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-01-02 12:25 . 2012-01-02 12:25 388096 ----a-r- c:\users\andrew\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-01-02 12:25 . 2012-01-02 12:25 -------- d-----w- c:\program files (x86)\Trend Micro

2012-01-02 04:59 . 2012-01-02 04:59 -------- d-----w- c:\program files (x86)\Microsoft

2012-01-02 04:59 . 2009-09-05 01:44 69464 ----a-w- c:\windows\SysWow64\XAPOFX1_3.dll

2012-01-02 04:59 . 2009-09-05 01:44 515416 ----a-w- c:\windows\SysWow64\XAudio2_5.dll

2012-01-02 04:59 . 2009-09-05 01:29 453456 ----a-w- c:\windows\SysWow64\d3dx10_42.dll

2012-01-02 04:59 . 2009-09-05 01:29 523088 ----a-w- c:\windows\system32\d3dx10_42.dll

2012-01-02 04:59 . 2006-11-29 21:06 4398360 ----a-w- c:\windows\system32\d3dx9_32.dll

2012-01-02 04:59 . 2006-11-29 21:06 3426072 ----a-w- c:\windows\SysWow64\d3dx9_32.dll

2012-01-02 04:58 . 2012-01-02 04:58 -------- d-----w- c:\users\andrew\AppData\Local\Windows Live

2012-01-02 04:58 . 2012-01-02 04:58 -------- d-----w- c:\program files (x86)\Common Files\Windows Live

2011-12-18 00:16 . 2011-12-18 00:16 -------- d-----w- c:\windows\system32\Macromed

2011-12-11 06:41 . 2011-12-17 08:15 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-18 12:40 . 2011-08-28 08:21 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-12-10 23:24 . 2011-08-28 22:55 23152 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-26 04:34 . 2011-11-26 04:34 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin

2011-10-09 04:18 . 2011-08-29 08:31 7808 ----a-w- c:\windows\system32\drivers\hidusbf.sys

.

.

((((((((((((((((((((((((((((( SnapShot@2012-01-04_01.13.59 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-14 05:10 . 2012-01-04 01:15 33650 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

- 2009-07-14 05:10 . 2012-01-03 23:20 33650 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 04:46 . 2012-01-04 01:18 94000 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat

+ 2011-08-28 08:15 . 2012-01-04 01:15 9190 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1496710961-1331745258-44813692-1000_UserData.bin

+ 2011-11-13 11:40 . 2012-01-04 01:17 2950 c:\windows\SoftwareDistribution\PostRebootEventCache\{42B21AB5-5A24-43CF-B5AC-D22F5E2F3AA8}.bin

- 2011-11-13 11:40 . 2011-11-13 20:04 2950 c:\windows\SoftwareDistribution\PostRebootEventCache\{42B21AB5-5A24-43CF-B5AC-D22F5E2F3AA8}.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 hidusbf;USB Mouse Rate Adjuster Lower Filter by SweetLow;c:\windows\system32\DRIVERS\hidusbf.sys [x]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-22 30963576]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

R4 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

R4 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]

R4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-03 379496]

S2 Bigfoot Networks Killer Service;Bigfoot Networks Killer Service;c:\program files\Bigfoot Networks\Killer Network Manager\BFNService.exe [2010-05-10 573952]

S3 BfEdge7x64;Bigfoot Networks Killer Ethernet Service;c:\windows\system32\DRIVERS\Edge7x64.sys [x]

S3 BFN7x64;Bigfoot Networks Killer Gaming Service;c:\windows\system32\DRIVERS\Xeno7x64.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

.

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SYSTEM32\blank.htm

LSP: %SYSTEMROOT%\system32\BfLLR.dll

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\toq6xa2q.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)

HKLM-Run-combofix - c:\combofix-w74334c\CF30366.3XE

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE]

"ImagePath"="NADA"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-01-03 17:23:54

ComboFix-quarantined-files.txt 2012-01-04 01:23

.

Pre-Run: 66,902,667,264 bytes free

Post-Run: 66,851,495,936 bytes free

.

- - End Of File - - 94156EA13B89EBFB70B930B702664B7B

FSS Report

Farbar Service Scanner

Ran by andrew (administrator) on 03-01-2012 at 17:24:12

Microsoft Windows 7 Home Premium Service Pack 1 (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

MpsSvc Service is not running. Checking service configuration:

Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.

Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.

Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:

The start type of bfe service is set to Demand. The default start type is Auto.

The ImagePath of bfe: "NADA".

Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:

The start type of mpsdrv service is OK.

The ImagePath of mpsdrv service is OK.

Firewall Disabled Policy:

==================

System Restore:

============

SDRSVC Service is not running. Checking service configuration:

The start type of SDRSVC service is set to Disabled. The default start type is 3.

The ImagePath of SDRSVC service is OK.

The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:

The start type of VSS service is OK.

The ImagePath of VSS service is OK.

System Restore Disabled Policy:

========================

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys => MD5 is legit

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\mpssvc.dll => MD5 is legit

C:\Windows\System32\bfe.dll => MD5 is legit

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll => MD5 is legit

C:\Windows\System32\vssvc.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

The Killer report was clean.

Every time I try to do an MB scan it always has something, and as of this second I do not see ping.exe, but it will probably come back.

And thank you so much =) Happy holidays
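The two reports above carry the findings a helper reads off by eye: FSS shows the MpsSvc (Windows Firewall) service key gone entirely, the bfe (Base Filtering Engine) key present but with its start type changed and its ImagePath replaced by "NADA", and SDRSVC disabled; the ComboFix "Reg Loading Points" block shows EnableLUA=0, ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0, which together mean User Account Control is switched off. As an added example (not part of this thread, and not code from the FSS or ComboFix tools), the Python script below parses exactly those line formats and turns them into findings, so the same check can be run over any pasted report. The sample text is constructed from the reports above; the Windows 7 default UAC values and the "missing"/"tampered" labels are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the service-configuration lines Farbar Service Scanner (FSS)
# printed in the report above, cut down to the Windows Firewall and System Restore sections.
SAMPLE_FSS = """\
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
bfe Service is not running. Checking service configuration:
The start type of bfe service is set to Demand. The default start type is Auto.
The ImagePath of bfe: "NADA".
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is set to Disabled. The default start type is 3.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
"""

# Constructed sample: the UAC policy block from the ComboFix "Reg Loading Points" section above.
SAMPLE_UAC = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""

SVC_HEADER = re.compile(r"^(\S+) Service is not running\. Checking service configuration:")
ATTENTION = re.compile(r"^Checking ([^:]+): Attention! (.*)$")
START_TYPE = re.compile(r"^The start type of (\S+) service is set to (\S+)\. The default start type is (\S+)\.")
IMAGE_PATH = re.compile(r'^The ImagePath of (\S+): "(.*)"\.')
MISSING_KEY = "The service key does not exist."


def parse_fss(text: str) -> Dict[str, List[str]]:
    """Return {service: [finding, ...]} for each service whose configuration FSS flagged.
    A service that is merely 'not running' with start type, ImagePath and ServiceDll all
    OK is not reported: FSS prints that block for any stopped service (mpsdrv above)."""
    findings: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SVC_HEADER.match(line)
        if m:
            current = m.group(1)  # the lines that follow describe this service
            continue
        if current is None:
            continue
        if m := ATTENTION.match(line):
            findings.setdefault(current, []).append(f"{m.group(1)}: {m.group(2)}")
        elif m := START_TYPE.match(line):
            findings.setdefault(current, []).append(f"start type {m.group(2)} (default {m.group(3)})")
        elif m := IMAGE_PATH.match(line):
            findings.setdefault(current, []).append(f"ImagePath {m.group(2)!r} is not a binary path")
    return findings


def classify(findings: Dict[str, List[str]]) -> Dict[str, str]:
    """'missing' when every check failed because the service key is gone (the service has
    to be recreated), 'tampered' when the key exists but values were changed (repair the
    values). These two labels are this example's own, not FSS output."""
    return {svc: "missing" if all(MISSING_KEY in f for f in items) else "tampered"
            for svc, items in findings.items()}


# Windows 7 defaults for these UAC values (assumption of this example, not from the thread).
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "ConsentPromptBehaviorUser": 3,
                "PromptOnSecureDesktop": 1, "EnableUIADesktopToggle": 0}
REG_VALUE = re.compile(r'^"(\w+)"\s*=\s*(\d+)')


def weakened_uac(regedit_text: str) -> Dict[str, int]:
    """Return the UAC values that differ from the default. EnableLUA=0 by itself means UAC
    is off, so anything running under an administrator account is already fully elevated."""
    changed: Dict[str, int] = {}
    for line in regedit_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if m and m.group(1) in UAC_DEFAULTS and int(m.group(2)) != UAC_DEFAULTS[m.group(1)]:
            changed[m.group(1)] = int(m.group(2))
    return changed


if __name__ == "__main__":
    for svc, state in classify(parse_fss(SAMPLE_FSS)).items():
        print(f"{svc}: {state}")
    print("UAC values off default:", weakened_uac(SAMPLE_UAC))
```

Run against the sample, MpsSvc comes out as "missing" and bfe and SDRSVC as "tampered", while mpsdrv (stopped but correctly configured) is not reported at all; the UAC check lists the three values that were zeroed. The distinction matters for the clean-up step: a missing service key has to be recreated from a known-good copy, whereas a tampered one only needs its start type and ImagePath restored.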


Also, just noticed these:

END USER LICENSE AGREEMENT

Kaspersky Lab ZAO (the “Rightholder”) is an owner of all rights, whether exclusive or otherwise to the Software.

By using the Software You consent to be bound by the terms and conditions of this agreement.

The Rightholder hereby grants You a non-exclusive perpetual license to store, load, install, execute, and display (to “use”) the free of charge Software that will substantially perform within the scope of functionality set forth on http://support.kaspersky.com/viruses. The Software should be used as an auxiliary tool for removing threats from Your computer as described on http://support.kaspersky.com/viruses. The Rightholder doesn’t guarantee complete removal of threats and fixing issues caused by these threats.

No technical support for the Software is available.

You shall not emulate, modify, decompile, or reverse engineer the Software or disassemble or create derivative works based on the Software or any portion thereof with the sole exception of a non-waivable right granted to You by applicable legislation.

THE SOFTWARE IS PROVIDED "AS IS" AND THE RIGHTHOLDER MAKES NO REPRESENTATION AND GIVES NO WARRANTY AS TO ITS USE OR PERFORMANCE. EXCEPT FOR ANY WARRANTY, CONDITION, REPRESENTATION OR TERM THE EXTENT TO WHICH CANNOT BE EXCLUDED OR LIMITED BY APPLICABLE LAW THE RIGHTHOLDER AND ITS PARTNERS MAKE NO WARRANTY, CONDITION, REPRESENTATION, OR TERM (EXPRESS OR IMPLIED, WHETHER BY STATUTE, COMMON LAW, CUSTOM, USAGE OR OTHERWISE) AS TO ANY MATTER INCLUDING, WITHOUT LIMITATION, NONINFRINGEMENT OF THIRD PARTY RIGHTS, MERCHANTABILITY, SATISFACTORY QUALITY, INTEGRATION, OR APPLICABILITY FOR A PARTICULAR PURPOSE. YOU ASSUME ALL FAULTS, AND THE ENTIRE RISK AS TO PERFORMANCE AND RESPONSIBILITY FOR SELECTING THE SOFTWARE TO ACHIEVE YOUR INTENDED RESULTS, AND FOR THE INSTALLATION OF, USE OF, AND RESULTS OBTAINED FROM THE SOFTWARE. WITHOUT LIMITING THE FOREGOING PROVISIONS, THE RIGHTHOLDER MAKES NO REPRESENTATION AND GIVES NO WARRANTY THAT THE SOFTWARE WILL BE ERROR-FREE OR FREE FROM INTERRUPTIONS OR OTHER FAILURES OR THAT THE SOFTWARE WILL MEET ANY OR ALL YOUR REQUIREMENTS WHETHER OR NOT DICLOSED TO THE RIGHTHOLDER.

© 1997-2011 Kaspersky Lab ZAO. All Rights Reserved.

and the MBR report:

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows 7 Home Premium Edition

Windows Information: Service Pack 1 (build 7601), 64-bit

Base Board Manufacturer: Dell Inc.

BIOS Manufacturer: Dell Inc.

System Manufacturer: Dell Inc.

System Product Name: Studio 540

Logical Drives Mask: 0x000000fc

Kernel Drivers (total 184):

0x02E68000 \SystemRoot\system32\ntoskrnl.exe

0x02E1F000 \SystemRoot\system32\hal.dll

0x00B9F000 \SystemRoot\system32\kdcom.dll

0x00C2E000 \SystemRoot\system32\mcupdate_GenuineIntel.dll

0x00C7D000 \SystemRoot\system32\PSHED.dll

0x00C91000 \SystemRoot\system32\CLFS.SYS

0x00CEF000 \SystemRoot\system32\CI.dll

0x00EC9000 \SystemRoot\system32\drivers\Wdf01000.sys

0x00F6D000 \SystemRoot\system32\drivers\WDFLDR.SYS

0x00F7C000 \SystemRoot\system32\drivers\ACPI.sys

0x00FD3000 \SystemRoot\system32\drivers\WMILIB.SYS

0x00FDC000 \SystemRoot\system32\drivers\msisadrv.sys

0x00E00000 \SystemRoot\system32\drivers\pci.sys

0x00E33000 \SystemRoot\system32\drivers\vdrvroot.sys

0x00E40000 \SystemRoot\System32\drivers\partmgr.sys

0x00E55000 \SystemRoot\system32\drivers\volmgr.sys

0x00E6A000 \SystemRoot\System32\drivers\volmgrx.sys

0x00FE6000 \SystemRoot\system32\drivers\pciide.sys

0x00FED000 \SystemRoot\system32\drivers\PCIIDEX.SYS

0x00DAF000 \SystemRoot\System32\drivers\mountmgr.sys

0x00DC9000 \SystemRoot\system32\drivers\atapi.sys

0x00DD2000 \SystemRoot\system32\drivers\ataport.SYS

0x00C00000 \SystemRoot\system32\drivers\amdxata.sys

0x01083000 \SystemRoot\system32\drivers\fltmgr.sys

0x010CF000 \SystemRoot\system32\drivers\fileinfo.sys

0x01225000 \SystemRoot\System32\Drivers\Ntfs.sys

0x010E3000 \SystemRoot\System32\Drivers\msrpc.sys

0x013C8000 \SystemRoot\System32\Drivers\ksecdd.sys

0x01141000 \SystemRoot\System32\Drivers\cng.sys

0x013E3000 \SystemRoot\System32\drivers\pcw.sys

0x013F4000 \SystemRoot\System32\Drivers\Fs_Rec.sys

0x0147E000 \SystemRoot\system32\drivers\ndis.sys

0x01571000 \SystemRoot\system32\drivers\NETIO.SYS

0x015D1000 \SystemRoot\System32\Drivers\ksecpkg.sys

0x016D0000 \SystemRoot\System32\drivers\tcpip.sys

0x018D4000 \SystemRoot\System32\drivers\fwpkclnt.sys

0x0191E000 \SystemRoot\system32\drivers\volsnap.sys

0x0196A000 \SystemRoot\System32\Drivers\spldr.sys

0x01972000 \SystemRoot\System32\drivers\rdyboost.sys

0x019AC000 \SystemRoot\System32\Drivers\mup.sys

0x019BE000 \SystemRoot\System32\drivers\hwpolicy.sys

0x01600000 \SystemRoot\System32\DRIVERS\fvevol.sys

0x0163A000 \SystemRoot\system32\DRIVERS\disk.sys

0x01650000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS

0x019C7000 \SystemRoot\system32\DRIVERS\cdrom.sys

0x019F1000 \SystemRoot\System32\Drivers\Null.SYS

0x016B6000 \SystemRoot\System32\Drivers\Beep.SYS

0x016BD000 \SystemRoot\System32\drivers\vga.sys

0x01400000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0x01425000 \SystemRoot\System32\drivers\watchdog.sys

0x01435000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0x0143E000 \SystemRoot\system32\drivers\rdpencdd.sys

0x01447000 \SystemRoot\system32\drivers\rdprefmp.sys

0x01450000 \SystemRoot\System32\Drivers\Msfs.SYS

0x0145B000 \SystemRoot\System32\Drivers\Npfs.SYS

0x01200000 \SystemRoot\system32\DRIVERS\tdx.sys

0x0146C000 \SystemRoot\system32\DRIVERS\TDI.SYS

0x02C55000 \SystemRoot\system32\drivers\afd.sys

0x02CDE000 \SystemRoot\System32\DRIVERS\netbt.sys

0x02D23000 \SystemRoot\system32\drivers\ws2ifsl.sys

0x02D2E000 \SystemRoot\system32\DRIVERS\wfplwf.sys

0x02D37000 \SystemRoot\system32\DRIVERS\pacer.sys

0x02D5D000 \SystemRoot\system32\DRIVERS\netbios.sys

0x02D6C000 \SystemRoot\system32\DRIVERS\wanarp.sys

0x02D87000 \SystemRoot\system32\drivers\termdd.sys

0x02D9B000 \SystemRoot\system32\DRIVERS\rdbss.sys

0x02DEC000 \SystemRoot\system32\drivers\nsiproxy.sys

0x02C00000 \SystemRoot\system32\drivers\mssmbios.sys

0x02C0B000 \SystemRoot\System32\drivers\discache.sys

0x02C1A000 \SystemRoot\System32\Drivers\dfsc.sys

0x02C38000 \SystemRoot\system32\DRIVERS\blbdrive.sys

0x011B3000 \SystemRoot\system32\DRIVERS\tunnel.sys

0x011D9000 \SystemRoot\system32\DRIVERS\intelppm.sys

0x0F043000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys

0x0FCA7000 \SystemRoot\System32\Drivers\nvBridge.kmd

0x0FCAC000 \SystemRoot\System32\drivers\dxgkrnl.sys

0x0FDA0000 \SystemRoot\System32\drivers\dxgmms1.sys

0x0F000000 \SystemRoot\system32\drivers\HDAudBus.sys

0x0F024000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0x01000000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0x0F031000 \SystemRoot\system32\DRIVERS\usbehci.sys

0x01056000 \SystemRoot\system32\DRIVERS\Xeno7x64.sys

0x03AD9000 \SystemRoot\system32\drivers\1394ohci.sys

0x03B17000 \SystemRoot\system32\DRIVERS\Rt64win7.sys

0x03B9C000 \SystemRoot\system32\drivers\CompositeBus.sys

0x03BAC000 \SystemRoot\system32\DRIVERS\msiscsi.sys

0x03A00000 \SystemRoot\system32\DRIVERS\storport.sys

0x03A63000 \SystemRoot\system32\DRIVERS\AgileVpn.sys

0x03A79000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0x03A9D000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0x03AA9000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0x00C0B000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0x03E38000 \SystemRoot\system32\DRIVERS\raspptp.sys

0x03E59000 \SystemRoot\system32\DRIVERS\rassstp.sys

0x03E73000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0x03E82000 \SystemRoot\system32\DRIVERS\mouclass.sys

0x03E91000 \SystemRoot\system32\drivers\swenum.sys

0x03E93000 \SystemRoot\system32\drivers\ks.sys

0x03ED6000 \SystemRoot\system32\drivers\umbus.sys

0x03EE8000 \SystemRoot\system32\DRIVERS\usbhub.sys

0x03F42000 \SystemRoot\system32\DRIVERS\Edge7x64.sys

0x03F4C000 \SystemRoot\System32\Drivers\NDProxy.SYS

0x03F61000 \SystemRoot\system32\drivers\HdAudio.sys

0x03FBD000 \SystemRoot\system32\drivers\portcls.sys

0x03E00000 \SystemRoot\system32\drivers\drmk.sys

0x03E22000 \SystemRoot\system32\drivers\ksthunk.sys

0x01680000 \SystemRoot\system32\DRIVERS\cdfs.sys

0x0666E000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0x0668B000 \SystemRoot\system32\DRIVERS\USBD.SYS

0x0668D000 \SystemRoot\system32\DRIVERS\hidusb.sys

0x0669B000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0x066B4000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0x066BD000 \SystemRoot\system32\DRIVERS\mouhid.sys

0x066CA000 \SystemRoot\system32\drivers\USBSTOR.SYS

0x066E5000 \SystemRoot\System32\Drivers\crashdmp.sys

0x066F3000 \SystemRoot\System32\Drivers\dump_dumpata.sys

0x066FF000 \SystemRoot\System32\Drivers\dump_atapi.sys

0x06708000 \SystemRoot\System32\Drivers\dump_dumpfve.sys

0x0671B000 \SystemRoot\system32\drivers\usbaudio.sys

0x06736000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0x000E0000 \SystemRoot\System32\win32k.sys

0x06744000 \SystemRoot\System32\drivers\Dxapi.sys

0x06750000 \SystemRoot\system32\DRIVERS\monitor.sys

0x004E0000 \SystemRoot\System32\TSDDD.dll

0x00790000 \SystemRoot\System32\cdd.dll

0x0675E000 \SystemRoot\system32\drivers\luafv.sys

0x06781000 \SystemRoot\system32\drivers\appid.sys

0x06796000 \SystemRoot\system32\DRIVERS\lltdio.sys

0x067AB000 \SystemRoot\system32\DRIVERS\rspndr.sys

0x06C77000 \SystemRoot\system32\drivers\HTTP.sys

0x06D40000 \SystemRoot\System32\DRIVERS\srvnet.sys

0x06D71000 \SystemRoot\system32\DRIVERS\bowser.sys

0x06D8F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0x06C00000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys

0x06C4E000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys

0x06600000 \SystemRoot\System32\DRIVERS\srv2.sys

0x06EDE000 \SystemRoot\System32\DRIVERS\srv.sys

0x06E00000 \SystemRoot\system32\drivers\peauth.sys

0x06EA6000 \SystemRoot\System32\Drivers\secdrv.SYS

0x06EB1000 \SystemRoot\System32\drivers\tcpipreg.sys

0x06FA7000 \SystemRoot\system32\drivers\WudfPf.sys

0x06FC8000 \SystemRoot\system32\DRIVERS\WUDFRd.sys

0x07AB6000 \??\C:\Windows\system32\Drivers\PROCEXP113.SYS

0x07ABE000 \SystemRoot\system32\drivers\90681841.sys

0x77C20000 \Windows\System32\ntdll.dll

0x47B60000 \Windows\System32\smss.exe

0xFFF40000 \Windows\System32\apisetschema.dll

0xFF7D0000 \Windows\System32\autochk.exe

0xFFF10000 \Windows\System32\sechost.dll

0xFFEE0000 \Windows\System32\imm32.dll

0xFFDD0000 \Windows\System32\msctf.dll

0x77DF0000 \Windows\System32\psapi.dll

0xFFD60000 \Windows\System32\gdi32.dll

0xFFC90000 \Windows\System32\usp10.dll

0xFFB60000 \Windows\System32\rpcrt4.dll

0xFFAE0000 \Windows\System32\shlwapi.dll

0x77AC0000 \Windows\System32\wininet.dll

0xFFAD0000 \Windows\System32\lpk.dll

0x779C0000 \Windows\System32\user32.dll

0xFFA50000 \Windows\System32\difxapi.dll

0x777B0000 \Windows\System32\iertutil.dll

0x77DE0000 \Windows\System32\normaliz.dll

0xFFA00000 \Windows\System32\ws2_32.dll

0x77690000 \Windows\System32\kernel32.dll

0xFF9F0000 \Windows\System32\nsi.dll

0xFF950000 \Windows\System32\clbcatq.dll

0xFF8F0000 \Windows\System32\Wldap32.dll

0xFF710000 \Windows\System32\setupapi.dll

0x77540000 \Windows\System32\urlmon.dll

0xFE980000 \Windows\System32\shell32.dll

0xFE8E0000 \Windows\System32\comdlg32.dll

0xFE800000 \Windows\System32\oleaut32.dll

0xFE720000 \Windows\System32\advapi32.dll

0xFE680000 \Windows\System32\msvcrt.dll

0xFE660000 \Windows\System32\imagehlp.dll

0xFE450000 \Windows\System32\ole32.dll

0xFE2E0000 \Windows\System32\crypt32.dll

0xFE240000 \Windows\System32\comctl32.dll

0xFE200000 \Windows\System32\cfgmgr32.dll

0xFE1C0000 \Windows\System32\wintrust.dll

0xFE150000 \Windows\System32\KernelBase.dll

0xFE130000 \Windows\System32\devobj.dll

0xFE120000 \Windows\System32\msasn1.dll

0x76F00000 \Windows\SysWOW64\normaliz.dll

Processes (total 32):

0 System Idle Process

4 System

260 C:\Windows\System32\smss.exe

344 csrss.exe

404 csrss.exe

412 C:\Windows\System32\wininit.exe

460 C:\Windows\System32\winlogon.exe

508 C:\Windows\System32\services.exe

516 C:\Windows\System32\lsass.exe

524 C:\Windows\System32\lsm.exe

624 C:\Windows\System32\svchost.exe

704 C:\Windows\System32\svchost.exe

808 C:\Windows\System32\svchost.exe

840 C:\Windows\System32\svchost.exe

868 C:\Windows\System32\svchost.exe

972 C:\Windows\System32\svchost.exe

112 C:\Windows\System32\svchost.exe

288 C:\Windows\System32\svchost.exe

1084 C:\Windows\System32\spoolsv.exe

1280 C:\Program Files\Bigfoot Networks\Killer Network Manager\BFNService.exe

1376 C:\Windows\System32\svchost.exe

1456 C:\Windows\System32\taskhost.exe

1580 C:\Windows\System32\dwm.exe

1592 C:\Windows\explorer.exe

1600 C:\Windows\System32\Locator.exe

1948 WUDFHost.exe

2372 C:\Users\andrew\Desktop\FSS.exe

620 C:\Windows\SysWOW64\notepad.exe

2780 C:\Program Files (x86)\Mozilla Firefox\firefox.exe

2404 C:\Users\andrew\Desktop\TDSSKiller.exe

2004 C:\Users\andrew\Downloads\MBRCheck.exe

804 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST3120026AS, Rev: 8.05

Size Device Name MBR Status

--------------------------------------------

111 GB \\.\PhysicalDrive0 Windows 7 MBR code detected

SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

Done!


END USER LICENSE AGREEMENT

Kaspersky Lab ZAO (the “Rightholder”) is an owner of all rights, whether exclusive or otherwise to the Software.

By using the Software You consent to be bound by the terms and conditions of this agreement.

The Rightholder hereby grants You a non-exclusive perpetual license to store, load, install, execute, and display (to “use”) the free of charge Software that will substantially perform within the scope of functionality set forth on http://support.kaspersky.com/viruses. The Software should be used as an auxiliary tool for removing threats from Your computer as described on http://support.kaspersky.com/viruses. The Rightholder doesn’t guarantee complete removal of threats and fixing issues caused by these threats.

No technical support for the Software is available.

You shall not emulate, modify, decompile, or reverse engineer the Software or disassemble or create derivative works based on the Software or any portion thereof with the sole exception of a non-waivable right granted to You by applicable legislation.

THE SOFTWARE IS PROVIDED "AS IS" AND THE RIGHTHOLDER MAKES NO REPRESENTATION AND GIVES NO WARRANTY AS TO ITS USE OR PERFORMANCE. EXCEPT FOR ANY WARRANTY, CONDITION, REPRESENTATION OR TERM THE EXTENT TO WHICH CANNOT BE EXCLUDED OR LIMITED BY APPLICABLE LAW THE RIGHTHOLDER AND ITS PARTNERS MAKE NO WARRANTY, CONDITION, REPRESENTATION, OR TERM (EXPRESS OR IMPLIED, WHETHER BY STATUTE, COMMON LAW, CUSTOM, USAGE OR OTHERWISE) AS TO ANY MATTER INCLUDING, WITHOUT LIMITATION, NONINFRINGEMENT OF THIRD PARTY RIGHTS, MERCHANTABILITY, SATISFACTORY QUALITY, INTEGRATION, OR APPLICABILITY FOR A PARTICULAR PURPOSE. YOU ASSUME ALL FAULTS, AND THE ENTIRE RISK AS TO PERFORMANCE AND RESPONSIBILITY FOR SELECTING THE SOFTWARE TO ACHIEVE YOUR INTENDED RESULTS, AND FOR THE INSTALLATION OF, USE OF, AND RESULTS OBTAINED FROM THE SOFTWARE. WITHOUT LIMITING THE FOREGOING PROVISIONS, THE RIGHTHOLDER MAKES NO REPRESENTATION AND GIVES NO WARRANTY THAT THE SOFTWARE WILL BE ERROR-FREE OR FREE FROM INTERRUPTIONS OR OTHER FAILURES OR THAT THE SOFTWARE WILL MEET ANY OR ALL YOUR REQUIREMENTS WHETHER OR NOT DISCLOSED TO THE RIGHTHOLDER.

© 1997-2011 Kaspersky Lab ZAO. All Rights Reserved.

Don't worry about that, it's just a disclaimer ;)

Go ahead and reboot, then run Farbar Service Scanner once more and post the new log it creates.

And thank you so much =) happy holidays

Same to you! :)


So I restarted my computer and so far there is no ping.exe, but it has only been 2 minutes. I did run an MB scan right before restarting and the ComboFix came up as a virus (I know it's not a threat), but something known as kwrd.dll also appeared.

Malwarebytes Anti-Malware 1.60.0.1800

www.malwarebytes.org

Database version: v2012.01.01.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

andrew :: ANDREW-PC [administrator]

1/4/2012 6:58:43 AM

mbam-log-2012-01-04 (06-58-43).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 316649

Time elapsed: 35 minute(s), 14 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Qoobox\Quarantine\C\Windows\assembly\temp\kwrd.dll.vir (PUP.BitMiner) -> Quarantined and deleted successfully.

C:\Users\andrew\Desktop\cnet2_ComboFix_exe.exe (PUP.Adware.Downloader) -> Quarantined and deleted successfully.

(end)


We've got a little more fixing to do regarding your internet connection services ;) :

Please download RestoreBFE.exe from: http://download.bleepingcomputer.com/sUBs/MiniFixes/RestoreBFE.exe

Double click on the downloaded file. It should only take a few seconds to run.

When complete, it will say: "Done! Please check if BFE service is running now"

Next, please run Farbar Service Scanner once again, and post the log that it creates ;).


Farbar Service Scanner

Ran by andrew (administrator) on 04-01-2012 at 18:25:13

Microsoft Windows 7 Home Premium Service Pack 1 (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

MpsSvc Service is not running. Checking service configuration:

Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.

Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.

Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:

The start type of bfe service is OK.

The ImagePath of bfe service is OK.

The ServiceDll of bfe service is OK.

mpsdrv Service is not running. Checking service configuration:

The start type of mpsdrv service is OK.

The ImagePath of mpsdrv service is OK.

Firewall Disabled Policy:

==================

System Restore:

============

SDRSVC Service is not running. Checking service configuration:

The start type of SDRSVC service is set to Disabled. The default start type is 3.

The ImagePath of SDRSVC service is OK.

The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:

The start type of VSS service is OK.

The ImagePath of VSS service is OK.

System Restore Disabled Policy:

========================

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys => MD5 is legit

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\mpssvc.dll => MD5 is legit

C:\Windows\System32\bfe.dll => MD5 is legit

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll => MD5 is legit

C:\Windows\System32\vssvc.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****


We've got some more work to do regarding those internet connection services.

First, let's make a backup in case anything goes awry.

Back Up Your Registry with ERUNT

  • Please go here, scroll down to ERUNT, and download.
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your Registry to the folder of your choice.

Note: To restore your Registry, go to the folder and start ERDNT.exe

-----------

I have attached two files that you will need to download and save to your Desktop. Once they are downloaded and AFTER you have run ERUNT, right-click on each one, one at a time, and select Extract All. Once you have extracted the file, please right click on the .reg file and select Merge. Allow the merge to complete and then reboot. Perform the same steps for the other .reg file. If you have ANY questions please ask before taking any steps.

-----------

Now run Farbar Service Scanner again and post the new log. ;)

BFE.zip

MpsSvc.zip
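The two .reg files above restore the service keys that the earlier Farbar Service Scanner log reported as missing ("Unable to open MpsSvc registry key. The service key does not exist."). As an added example, not code from this thread, from Farbar Service Scanner or from ERUNT, here is a read-only PowerShell audit of the three services behind Windows Firewall (MpsSvc, BFE, mpsdrv) that performs the same kind of checks FSS prints: does the service key exist, is its Start type the expected one, and do the files named in ImagePath and Parameters\ServiceDll actually exist on disk. The expected Start values (2 = Automatic for MpsSvc and BFE, 3 = Manual for mpsdrv) are assumed Windows 7 defaults; the function name Test-FirewallService is this example's own. It changes nothing and is meant to be run from an elevated PowerShell prompt before and after merging the .reg files, so you can see the key come back.

```powershell
# Added example (not from this thread, Farbar Service Scanner or ERUNT):
# a read-only audit of the three services behind Windows Firewall, in the
# spirit of the checks FSS prints in the logs above. The expected Start
# values are assumed Windows 7 defaults (2 = Automatic, 3 = Manual).
# Run from an elevated PowerShell prompt; it changes nothing.

$expectedStart = @{
    'MpsSvc' = 2   # Windows Firewall service, hosted in svchost.exe
    'BFE'    = 2   # Base Filtering Engine; MpsSvc depends on it
    'mpsdrv' = 3   # Windows Firewall Authorization Driver (kernel driver)
}

function Test-FirewallService {
    param([string]$Name, [int]$ExpectedStart)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        # The state the first FSS log shows for MpsSvc: the whole service
        # key is gone, so the service cannot be started until the key is
        # restored (the thread does that by merging a .reg backup).
        return "$Name : service key does not exist"
    }

    $props    = Get-ItemProperty -Path $key
    $problems = @()

    if ($props.Start -ne $ExpectedStart) {
        $problems += "Start is '$($props.Start)', expected $ExpectedStart"
    }

    if (-not $props.ImagePath) {
        $problems += 'ImagePath value is missing'
    } else {
        # ImagePath may use %SystemRoot%, may carry svchost arguments (-k ...)
        # and, for drivers, may be relative to the Windows directory.
        $image = [Environment]::ExpandEnvironmentVariables([string]$props.ImagePath)
        $image = ($image -replace '\s+-k\s+.*$', '').Trim('"')
        if (-not [IO.Path]::IsPathRooted($image)) {
            $image = Join-Path $env:SystemRoot $image
        }
        if (-not (Test-Path $image)) {
            $problems += "ImagePath target missing: $image"
        }
    }

    # svchost-hosted services keep their real code in Parameters\ServiceDll.
    $paramKey = Join-Path $key 'Parameters'
    if (Test-Path $paramKey) {
        $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not (Test-Path $dll)) {
                $problems += "ServiceDll missing: $dll"
            }
        }
    }

    # Get-Service only knows Win32 services, so the kernel driver mpsdrv
    # reports its state as 'n/a' here.
    $svc   = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'n/a' }

    if ($problems.Count -eq 0) {
        return "$Name : configuration OK (state: $state)"
    }
    return "$Name : $($problems -join '; ') (state: $state)"
}

foreach ($name in @('MpsSvc', 'BFE', 'mpsdrv')) {
    Test-FirewallService -Name $name -ExpectedStart $expectedStart[$name]
}
```

On the machine in this thread, before the .reg merge, the first line of output would read "MpsSvc : service key does not exist", matching the FSS log; after a successful merge and reboot all three lines should report the configuration as OK, which is what the second FSS log (no Windows Firewall entries at all) indicates. The script deliberately checks that the referenced files exist rather than comparing exact ImagePath strings, because those strings differ between Windows versions and localisations.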


Farbar Service Scanner

Ran by andrew (administrator) on 05-01-2012 at 03:37:15

Microsoft Windows 7 Home Premium Service Pack 1 (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

SDRSVC Service is not running. Checking service configuration:

The start type of SDRSVC service is set to Disabled. The default start type is 3.

The ImagePath of SDRSVC service is OK.

The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:

The start type of VSS service is OK.

The ImagePath of VSS service is OK.

System Restore Disabled Policy:

========================

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys => MD5 is legit

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\mpssvc.dll => MD5 is legit

C:\Windows\System32\bfe.dll => MD5 is legit

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll => MD5 is legit

C:\Windows\System32\vssvc.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****


MB scan before sleeping,

Malwarebytes Anti-Malware 1.60.0.1800

www.malwarebytes.org

Database version: v2012.01.05.01

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

andrew :: ANDREW-PC [administrator]

1/5/2012 5:50:02 AM

mbam-log-2012-01-05 (05-50-02).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 315888

Time elapsed: 36 minute(s), 55 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKCR\.exe\shell\open\command| (Hijack.ExeFile) -> Data: "C:\Users\andrew\AppData\Local\bjw.exe" -a "%1" %* -> Quarantined and deleted successfully.

Registry Data Items Detected: 4

HKCR\.exe| (Hijacked.exeFile) -> Bad: (NLK) Good: (exefile) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\andrew\AppData\Local\bjw.exe" -a "firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\andrew\AppData\Local\bjw.exe" -a "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\andrew\AppData\Local\bjw.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


I combo fixed and deleted it

ComboFix 12-01-03.07 - andrew 01/05/2012 14:14:08.3.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2949 [GMT -8:00]

Running from: c:\users\andrew\Desktop\ComboFix-W7.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\andrew\AppData\Local\bjw.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-12-05 to 2012-01-05 )))))))))))))))))))))))))))))))

.

.

2012-01-05 22:18 . 2012-01-05 22:18 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-01-05 22:18 . 2012-01-05 22:18 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-01-04 00:57 . 2012-01-04 00:57 -------- d-----w- C:\ComboFix-W7

2012-01-04 00:54 . 2012-01-04 22:04 -------- d-----w- c:\programdata\WeCareReminder

2012-01-03 14:12 . 2012-01-03 14:12 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-01-02 12:25 . 2012-01-02 12:25 388096 ----a-r- c:\users\andrew\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-01-02 12:25 . 2012-01-02 12:25 -------- d-----w- c:\program files (x86)\Trend Micro

2012-01-02 04:59 . 2012-01-02 04:59 -------- d-----w- c:\program files (x86)\Microsoft

2012-01-02 04:59 . 2009-09-05 01:44 69464 ----a-w- c:\windows\SysWow64\XAPOFX1_3.dll

2012-01-02 04:59 . 2009-09-05 01:44 515416 ----a-w- c:\windows\SysWow64\XAudio2_5.dll

2012-01-02 04:59 . 2009-09-05 01:29 453456 ----a-w- c:\windows\SysWow64\d3dx10_42.dll

2012-01-02 04:59 . 2009-09-05 01:29 523088 ----a-w- c:\windows\system32\d3dx10_42.dll

2012-01-02 04:59 . 2006-11-29 21:06 4398360 ----a-w- c:\windows\system32\d3dx9_32.dll

2012-01-02 04:59 . 2006-11-29 21:06 3426072 ----a-w- c:\windows\SysWow64\d3dx9_32.dll

2012-01-02 04:58 . 2012-01-02 04:58 -------- d-----w- c:\users\andrew\AppData\Local\Windows Live

2012-01-02 04:58 . 2012-01-02 04:58 -------- d-----w- c:\program files (x86)\Common Files\Windows Live

2011-12-18 00:16 . 2011-12-18 00:16 -------- d-----w- c:\windows\system32\Macromed

2011-12-11 06:41 . 2011-12-17 08:15 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-18 12:40 . 2011-08-28 08:21 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-12-10 23:24 . 2011-08-28 22:55 23152 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-26 04:34 . 2011-11-26 04:34 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin

2011-10-09 04:18 . 2011-08-29 08:31 7808 ----a-w- c:\windows\system32\drivers\hidusbf.sys

.

.

((((((((((((((((((((((((((((( SnapShot@2012-01-04_01.13.59 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-08-28 10:20 . 2012-01-05 22:07 29832 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin

- 2009-07-14 05:10 . 2012-01-03 23:20 33650 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 05:10 . 2012-01-05 22:07 33650 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 04:46 . 2012-01-04 01:18 94000 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat

+ 2011-08-28 08:15 . 2012-01-05 22:07 9544 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1496710961-1331745258-44813692-1000_UserData.bin

- 2012-01-03 23:08 . 2012-01-04 01:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2012-01-05 22:05 . 2012-01-05 22:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2012-01-05 22:05 . 2012-01-05 22:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2012-01-03 23:08 . 2012-01-04 01:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2011-08-29 19:54 . 2012-01-05 22:03 322158 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin

+ 2009-07-14 02:36 . 2012-01-05 22:12 626844 c:\windows\system32\perfh009.dat

- 2009-07-14 02:36 . 2012-01-03 23:13 626844 c:\windows\system32\perfh009.dat

+ 2009-07-14 02:36 . 2012-01-05 22:12 107160 c:\windows\system32\perfc009.dat

- 2009-07-14 02:36 . 2012-01-03 23:13 107160 c:\windows\system32\perfc009.dat

+ 2009-07-14 05:01 . 2012-01-05 22:04 385004 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

- 2009-07-14 05:01 . 2012-01-03 22:13 385004 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2012-01-05 11:18 . 2005-10-20 20:02 163328 c:\windows\ERDNT\1-5-2012\ERDNT.EXE

+ 2012-01-05 11:18 . 2012-01-05 11:18 2535424 c:\windows\ERDNT\1-5-2012\Users\00000002\UsrClass.dat

+ 2012-01-05 11:18 . 2012-01-05 11:18 2527232 c:\windows\ERDNT\1-5-2012\Users\00000001\ntuser.dat

+ 2011-08-28 10:17 . 2012-01-05 22:04 31390426 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1496710961-1331745258-44813692-1000-12288.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-11-15 1242448]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 hidusbf;USB Mouse Rate Adjuster Lower Filter by SweetLow;c:\windows\system32\DRIVERS\hidusbf.sys [x]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-22 30963576]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

R4 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

R4 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]

R4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-03 379496]

S2 Bigfoot Networks Killer Service;Bigfoot Networks Killer Service;c:\program files\Bigfoot Networks\Killer Network Manager\BFNService.exe [2010-05-10 573952]

S3 BfEdge7x64;Bigfoot Networks Killer Ethernet Service;c:\windows\system32\DRIVERS\Edge7x64.sys [x]

S3 BFN7x64;Bigfoot Networks Killer Gaming Service;c:\windows\system32\DRIVERS\Xeno7x64.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

.

.

.

--------- x86-64 -----------

.

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SYSTEM32\blank.htm

LSP: %SYSTEMROOT%\system32\BfLLR.dll

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\toq6xa2q.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-01-05 14:19:55

ComboFix-quarantined-files.txt 2012-01-05 22:19

ComboFix2.txt 2012-01-04 01:23

.

Pre-Run: 68,169,846,784 bytes free

Post-Run: 68,121,849,856 bytes free

.

- - End Of File - - 342F84EE63F5D7E7B891BC7216718E68


It seems that the way I got the virus was through watching TV shows on these websites: watch.series.com, fastpass.ms, and globolister. Is there any program that you would recommend to act as a firewall while I watch TV shows so I no longer have such problems? I'm also a professional Counter-Strike player and it would be important that the firewall wouldn't interfere with my game play by randomly taking up memory. And thanks for staying with me this far.


That's the log file after taking those steps. At this point, what exactly is the problem?

We just corrected some entries that corresponded to Windows Firewall... should those have remained the way they were, Windows Firewall would remain broken and unusable...

Are you able to access Windows Firewall now? Please let me know :).

It seems that the way I got the virus was through watching TV shows on these websites: watch.series.com, fastpass.ms, and globolister. Is there any program that you would recommend to act as a firewall while I watch TV shows so I no longer have such problems? I'm also a professional Counter-Strike player and it would be important that the firewall wouldn't interfere with my game play by randomly taking up memory. And thanks for staying with me this far.

Indeed, those types of websites are a fast-track to infection.

As we wrap all of this up, I will provide you some information on how to better secure your computer. Within that are a number of firewall recommendations ;). Basically, you should be able to manually configure them to fit your needs, and to ensure that they don't interfere with anything... most are rather flexible!

Before the next step, let's run an online scan to see if there's anything we may have missed:

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic


ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=e87df170ae17544d83985bd350a1e2a4

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-01-06 12:12:21

# local_time=2012-01-05 04:12:21 (-0800, Pacific Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=5893 16776574 66 94 10363290 77348592 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=132302

# found=13

# cleaned=13

# scan_time=3599

C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Users\andrew\AppData\Local\bjw.exe.vir a variant of Win32/Kryptik.YMJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.G trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{B2E5E167-C433-4350-B095-11E1187D5051}\RP212\A0046092.exe probably a variant of Win32/Agent.NQCQPIO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\3aa4da42-193c7b80 a variant of Java/Agent.DZ trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Users\andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\18db83d6-21baf92e a variant of Java/TrojanDownloader.OpenConnection.AQ trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Users\andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\4d809ea6-6805f0cb a variant of Java/Agent.DZ trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Users\andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\e5a51ab-7b814f24 a variant of Java/Agent.DZ trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Users\andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\14dbed45-1f29f12f a variant of Java/Agent.DP trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Users\andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\33ce1c73-2e22eb91 a variant of Win32/Kryptik.YMJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\andrew\Downloads\cnet_ccsetup310_exe.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\andrew\Downloads\cnet_wrar401_exe.exe a variant of Win32/InstallCore.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Windows\assembly\temp\U\80000032.@ probably a variant of Win32/Olmarik.AVQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

ughhhhhhh


Also, I have purposely edited my services, if you were wondering why some may look distorted.

Cheers for letting me know about that :).

Much of what ESET detected was mainly old files that were quarantined by ComboFix; nothing to worry about ;).

As for the entries in the Java cache, this should take care of them:

Please do the following:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now ;)

---------

After that, let's see what programs need updating:

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


ComboFix log

ComboFix 12-01-05.02 - andrew 01/05/2012 16:37:12.4.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2638 [GMT -8:00]

Running from: c:\users\andrew\Desktop\ComboFix-W7.exe

Command switches used :: c:\users\andrew\Desktop\CFScript.txt.txt

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))

.

.

2012-01-06 00:40 . 2012-01-06 00:40 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-01-06 00:40 . 2012-01-06 00:40 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-01-05 23:11 . 2012-01-05 23:11 -------- d-----w- c:\program files (x86)\ESET

2012-01-04 00:57 . 2012-01-06 00:32 -------- d-----w- C:\ComboFix-W7

2012-01-04 00:54 . 2012-01-04 22:04 -------- d-----w- c:\programdata\WeCareReminder

2012-01-03 14:12 . 2012-01-03 14:12 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-01-02 12:25 . 2012-01-02 12:25 388096 ----a-r- c:\users\andrew\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-01-02 12:25 . 2012-01-02 12:25 -------- d-----w- c:\program files (x86)\Trend Micro

2012-01-02 04:59 . 2012-01-02 04:59 -------- d-----w- c:\program files (x86)\Microsoft

2012-01-02 04:59 . 2009-09-05 01:44 69464 ----a-w- c:\windows\SysWow64\XAPOFX1_3.dll

2012-01-02 04:59 . 2009-09-05 01:44 515416 ----a-w- c:\windows\SysWow64\XAudio2_5.dll

2012-01-02 04:59 . 2009-09-05 01:29 453456 ----a-w- c:\windows\SysWow64\d3dx10_42.dll

2012-01-02 04:59 . 2009-09-05 01:29 523088 ----a-w- c:\windows\system32\d3dx10_42.dll

2012-01-02 04:59 . 2006-11-29 21:06 4398360 ----a-w- c:\windows\system32\d3dx9_32.dll

2012-01-02 04:59 . 2006-11-29 21:06 3426072 ----a-w- c:\windows\SysWow64\d3dx9_32.dll

2012-01-02 04:58 . 2012-01-02 04:58 -------- d-----w- c:\users\andrew\AppData\Local\Windows Live

2012-01-02 04:58 . 2012-01-02 04:58 -------- d-----w- c:\program files (x86)\Common Files\Windows Live

2011-12-18 00:16 . 2011-12-18 00:16 -------- d-----w- c:\windows\system32\Macromed

2011-12-11 06:41 . 2011-12-17 08:15 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-18 12:40 . 2011-08-28 08:21 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-12-10 23:24 . 2011-08-28 22:55 23152 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-26 04:34 . 2011-11-26 04:34 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin

2011-10-09 04:18 . 2011-08-29 08:31 7808 ----a-w- c:\windows\system32\drivers\hidusbf.sys

.

.

((((((((((((((((((((((((((((( SnapShot@2012-01-04_01.13.59 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-08-28 10:20 . 2012-01-06 00:44 30168 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin

- 2009-07-14 05:10 . 2012-01-03 23:20 33650 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 05:10 . 2012-01-06 00:44 33650 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 04:46 . 2012-01-04 01:18 94000 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat

+ 2011-08-28 08:15 . 2012-01-06 00:44 9702 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1496710961-1331745258-44813692-1000_UserData.bin

- 2012-01-03 23:08 . 2012-01-04 01:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2012-01-06 00:42 . 2012-01-06 00:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2012-01-06 00:42 . 2012-01-06 00:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2012-01-03 23:08 . 2012-01-04 01:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2011-08-29 19:54 . 2012-01-05 22:03 322158 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin

+ 2009-07-14 02:36 . 2012-01-05 22:12 626844 c:\windows\system32\perfh009.dat

- 2009-07-14 02:36 . 2012-01-03 23:13 626844 c:\windows\system32\perfh009.dat

+ 2009-07-14 02:36 . 2012-01-05 22:12 107160 c:\windows\system32\perfc009.dat

- 2009-07-14 02:36 . 2012-01-03 23:13 107160 c:\windows\system32\perfc009.dat

+ 2009-07-14 05:01 . 2012-01-06 00:40 385004 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

- 2009-07-14 05:01 . 2012-01-03 22:13 385004 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2012-01-05 11:18 . 2005-10-20 20:02 163328 c:\windows\ERDNT\1-5-2012\ERDNT.EXE

+ 2012-01-05 11:18 . 2012-01-05 11:18 2535424 c:\windows\ERDNT\1-5-2012\Users\00000002\UsrClass.dat

+ 2012-01-05 11:18 . 2012-01-05 11:18 2527232 c:\windows\ERDNT\1-5-2012\Users\00000001\ntuser.dat

+ 2011-08-28 10:17 . 2012-01-06 00:40 31407356 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1496710961-1331745258-44813692-1000-12288.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-11-15 1242448]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 hidusbf;USB Mouse Rate Adjuster Lower Filter by SweetLow;c:\windows\system32\DRIVERS\hidusbf.sys [x]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-22 30963576]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

R4 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

R4 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]

R4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-03 379496]

S2 Bigfoot Networks Killer Service;Bigfoot Networks Killer Service;c:\program files\Bigfoot Networks\Killer Network Manager\BFNService.exe [2010-05-10 573952]

S3 BfEdge7x64;Bigfoot Networks Killer Ethernet Service;c:\windows\system32\DRIVERS\Edge7x64.sys [x]

S3 BFN7x64;Bigfoot Networks Killer Gaming Service;c:\windows\system32\DRIVERS\Xeno7x64.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

.

.

.

--------- x86-64 -----------

.

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SYSTEM32\blank.htm

LSP: %SYSTEMROOT%\system32\BfLLR.dll

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\andrew\AppData\Roaming\Mozilla\Firefox\Profiles\toq6xa2q.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-01-05 16:47:22 - machine was rebooted

ComboFix-quarantined-files.txt 2012-01-06 00:47

ComboFix2.txt 2012-01-05 22:19

ComboFix3.txt 2012-01-04 01:23

.

Pre-Run: 67,760,193,536 bytes free

Post-Run: 67,703,160,832 bytes free

.

- - End Of File - - E200F5F2FAE27F0DA53409B23AFABD8E

Checkup log

Results of screen317's Security Check version 0.99.30

Windows 7 x64 (UAC is disabled!)

Internet Explorer 9

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Java 6 Update 27

Java version out of date!

Adobe Flash Player 11.0.1.152

Adobe Reader X (10.1.1)

Mozilla Firefox 8.0.1 Firefox out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````


Sorry for the delay.

Your logs are looking good ;).

Before we move on to the next step, please update the following programs. (Using outdated applications leaves you extremely vulnerable to getting infected again.)

---------

I see you have User Account Control (UAC) disabled.

This is an important security feature which helps prevent malware and other unwanted software from being installed on your computer.

I strongly suggest you keep it enabled. See this link for instructions on how to enable it: http://windows.microsoft.com/en-US/windows-vista/Turn-User-Account-Control-on-or-off

---------

Java is out of date and older versions contain vulnerabilities. Please update to the newest version.

Download the newest version from here http://www.oracle.com/technetwork/java/javase/downloads/index.html.

It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.

Go to Start > Control Panel and open Add or Remove Programs.

Search in the list for all previously installed versions of Java (J2SE Runtime Environment).

They will have this icon next to them: javaicon.gif

Select each in turn and click Remove.

Once old versions are gone, please install the newest version.

---------

Firefox is out of date. Using an outdated version of a web browser leaves you extremely vulnerable to malware!

Please visit Mozilla site and update it to the latest version.

---------

Please let me know how the updates went, as failed updates may indicate additional malware ;).

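One way to triage logs in the two formats posted above mechanically, as an added example that is not part of this thread, of ComboFix or of Security Check: it parses the ComboFix "Reg Loading Points" policy block, the Firefox prefs.js lines and the orphan list exactly as ComboFix prints them, and reports the things a responder checks first on such a log: the UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), search preferences that point at a host other than a well-known search provider, and loading points whose file no longer exists. The sample text is constructed from the posted ComboFix.txt; the policy interpretation, the search-provider allowlist and every function name are assumptions of this example.

```python
"""Triage a ComboFix-style log for weakened UAC policy, redirected Firefox
search prefs and orphaned loading points.  Added example for this thread;
it is not part of ComboFix, Security Check or the helper's instructions.
The sample text is constructed from the log posted above.  The policy
interpretation, the search-provider allowlist and all function names are
assumptions of this example."""
import re
import sys

# Constructed sample: the relevant lines of the posted ComboFix.txt,
# with ComboFix's "." separator lines between blocks.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
.
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
"""

UAC_KEY = r"[hkey_local_machine\software\microsoft\windows\currentversion\policies\system]"
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)')   # "EnableLUA"= 0 (0x0)
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<url>\S+)")
ORPHAN_RE = re.compile(r"^(?P<entry>\S.*?) - \(no file\)$")
# Assumed allowlist: a search pref pointing anywhere else is reported.
KNOWN_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}
SEARCH_PREFS = {"browser.search.defaulturl", "keyword.URL"}


def parse_log(text):
    """Return {"uac": {name: int}, "prefs": {pref: url}, "orphans": [entry]}."""
    uac, prefs, orphans = {}, {}, []
    in_uac = False
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "."):          # ComboFix separates blocks with "." lines
            in_uac = False
            continue
        if line.startswith("["):       # registry key header; note whether it is the UAC policy key
            in_uac = line.lower() == UAC_KEY
            continue
        if in_uac:
            m = POLICY_RE.match(line)
            if m:
                uac[m["name"]] = int(m["val"])
            continue
        m = FF_PREF_RE.match(line)
        if m:
            prefs[m["pref"]] = m["url"]
            continue
        m = ORPHAN_RE.match(line)
        if m:
            orphans.append(m["entry"])
    return {"uac": uac, "prefs": prefs, "orphans": orphans}


def host_of(url):
    """Host part of a normal or defanged (hxxp://) URL, lower-cased."""
    return re.sub(r"^(hxxp|http)s?://", "", url, flags=re.I).split("/")[0].lower()


def triage(text):
    """List of human-readable findings, most severe (UAC state) first."""
    parsed = parse_log(text)
    findings = []
    uac = parsed["uac"]
    if uac.get("EnableLUA") == 0:
        findings.append("UAC disabled (EnableLUA=0): an admin user's processes all run fully elevated")
    else:
        if uac.get("ConsentPromptBehaviorAdmin") == 0:
            findings.append("UAC elevates admins without prompting (ConsentPromptBehaviorAdmin=0)")
        if uac.get("PromptOnSecureDesktop") == 0:
            findings.append("UAC prompt not shown on the secure desktop (PromptOnSecureDesktop=0)")
    for pref, url in parsed["prefs"].items():
        if pref in SEARCH_PREFS and host_of(url) not in KNOWN_SEARCH_HOSTS:
            findings.append(f"search redirect: {pref} points at {host_of(url)}")
    for entry in parsed["orphans"]:
        findings.append(f"orphaned loading point, file missing: {entry}")
    return findings


if __name__ == "__main__":
    # Usage: python triage.py C:\ComboFix.txt   (no argument: runs on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for finding in triage(text):
        print("-", finding)
```

On the sample this reports four findings: UAC disabled, both search preferences pointing at search.conduit.com, and the orphaned WebBrowser entry. The homepage preference is left alone because it is not a search provider setting; extend SEARCH_PREFS and KNOWN_SEARCH_HOSTS to match what your own environment considers normal.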

I have turned UAC on, and I have updated both programs successfully. I also did a few additional scans last night and everything is still "clean". I was told to get windows essentials because that's supposedly the best anti-virus (free) that I could get and it's good. I have yet to install it, but I would love to be able to still watch my tv shows without getting infected and also be able to continuously protect myself as programs update and downloads occur. Thanks btw, I've never played Counter-Strike so smoothly; it is as if I've been playing with a faulty system since the beginning.


I have turned UAC on, and I have updated both programs successfully, I also did a few additional scans last night and everything is still "clean".

Glad to hear the updates went well! :)

I was told to get windows essentials because that's supposedly the best anti-virus (free) that I could get and it's good.

MSE is a good program. You may also want to browse some of the programs I will be including in the post below. Personally, I am a big fan of Avast! Free Edition.

Thanks btw, I've never played counter-strike so smoothly, it is as if I've been playing with a faulty system since the beginning.

That is great to hear! :)

---------

I will now provide you with some suggestions for security software, but first, let's remove ComboFix ;):

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

-------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!.

AntiVir

AVG

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard

A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.

If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available

A tutorial on understanding and using firewalls may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option.

If you are interested, Firefox may be downloaded from here

Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)


Well I have installed avast and Microsoft security essentials and will continue to do scans and be aware of the extra scans you have given me. I will regularly scan every time I shut down and also scan for needed program updates like we did. I was wondering if I could now go on those websites like watch.series and fastpass to watch tv shows and movies without risk?


Well I have installed avast and Microsoft security essentials and will continue to do scans and be aware of the extra scans you have given me. I will regularly scan every time I shut down and also scan for needed program updates like we did.

Running two antivirus programs in resident mode will actually leave you at a greater risk of getting infected- they can conflict, which is dangerous. I would suggest you choose one (you can leave the other disabled, but scan when you need to) ;).

I was wondering if I could now go on those websites like watch.series and fastpass to watch tv shows and movies without risk?

You should be able to, however it will always be risky. I would recommend you take a look at NoScript plugin for Firefox http://noscript.net/ for safer browsing. You may also want to take a look at one of the recommended firewalls I have linked you to.

Let me know if you have any further questions, I'd be happy to answer them. :)

