Jump to content


Recommended Posts

i was/am infected...previously followed directions at Daniweb (thats how i found Malwarebytes).....now i am not noticing any problems except when i visit a wordpress site i regularly visit at which time malware blocks a redirection to a malicious site .....prior to malware i got hijacked and the "windows secure kit 2012" pop up.....

previously ran - windows malicious software tool - ATF Cleaner - GMER and mbam.........and i think mbam fixed it...apparently there was nothing to report in GMER

not sure if i am still infected or if it is wordpress sites as i have read about.

note: I do not know what peer2peer is......i assumed i dont have any

note: I could not find anything specific to "script blockers" in my AV program or mbam...i disconnected from internet and turned microsoft security essentials real time protection off prior to DDS scan........included is the DDS logs, I appreciate your time and my goal is to get this clean and include mbam pro to my defenses...


DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by Owner at 22:45:11 on 2012-03-29

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2807.1243 [GMT -7:00]


AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


============== Running Processes ===============




C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService


C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Launch Manager\dsiwmis.exe

C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe

C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe




C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Microsoft Security Client\msseces.exe




C:\Program Files\Windows Sidebar\sidebar.exe



C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Internet Explorer\IELowutil.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet



C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\SeaPort.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BingApp.exe

C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BingBar.exe

C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BingSurrogate.exe

C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BingSurrogate.exe

C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BingSurrogate.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BingSurrogate.exe

C:\Windows\System32\svchost.exe -k swprv










============== Pseudo HJT Report ===============


uStart Page = hxxp://www.dealerconnect.com/

uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv55c&r=27360211m415l0474z1k5a4872j240

mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv55c&r=27360211m415l0474z1k5a4872j240

mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv55c&r=27360211m415l0474z1k5a4872j240

mWinlogon: Userinit=userinit.exe,


BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BingExt.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BingExt.dll"

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe

uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11f_ActiveX.exe -update activex

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.21.0.cab

TCP: DhcpNameServer =

TCP: Interfaces\{7E90B3FA-26AB-4AED-8177-C20C1E7FB0F8} : DhcpNameServer =

TCP: Interfaces\{7E90B3FA-26AB-4AED-8177-C20C1E7FB0F8}\473757E616D696 : DhcpNameServer =

TCP: Interfaces\{7E90B3FA-26AB-4AED-8177-C20C1E7FB0F8}\86F63707964716C696479796E6E6 : DhcpNameServer =

TCP: Interfaces\{8192C47F-6A1B-475D-A522-A47F112D10F0} : DhcpNameServer =

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll


BHO-X64: AcroIEHelperStub - No File

BHO-X64: Google Dictionary Compression sdch - No File

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BingExt.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BingExt.dll"

TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray


============= SERVICES / DRIVERS ===============


R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2010-7-23 321104]

R2 ePowerSvc;Acer ePower Service;C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe [2010-10-19 868896]

R2 GREGService;GREGService;C:\Program Files (x86)\Gateway\Registration\GREGsvc.exe [2010-1-8 23584]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-7-22 13336]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-3-25 652360]

R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2010-5-24 255744]

R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-7-22 2320920]

R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2010-7-22 243232]

R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\SeaPort.EXE [2012-2-20 240408]

R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]

R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]

R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]

R3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]

S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BBSvc.EXE [2012-2-20 193816]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]

S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]

S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]


=============== Created Last 30 ================


2012-03-30 05:36:46 8669240 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5A0C40A5-A9F3-4C2D-9F1E-E11B7657E987}\mpengine.dll

2012-03-28 06:52:36 -------- d-----w- C:\Users\Owner\AppData\Local\{FD37CB66-1846-49B2-A905-B60264D1C051}

2012-03-28 06:52:25 -------- d-----w- C:\Users\Owner\AppData\Local\{7D6D9FF4-4073-467C-8537-A3364329FEF0}

2012-03-25 18:24:07 -------- d-----w- C:\Users\Owner\AppData\Local\{706B8181-BEC3-41FC-8388-705B936F5CED}

2012-03-25 18:23:56 -------- d-----w- C:\Users\Owner\AppData\Local\{C61A59F7-BEDC-479E-88BA-F3E5FECB9272}

2012-03-25 09:23:48 5679896 ----a-w- C:\ProgramData\Microsoft\BingBar\BBSvc\7.1.364.0oemBingBarSetup-Partner.EXE

2012-03-25 07:52:08 -------- d-----w- C:\Users\Owner\AppData\Roaming\Malwarebytes

2012-03-25 07:51:51 -------- d-----w- C:\ProgramData\Malwarebytes

2012-03-25 07:51:50 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-03-25 07:51:50 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-03-22 08:02:56 -------- d-----w- C:\ProgramData\PC Tools

2012-03-14 02:08:23 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-03-14 02:08:22 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-03-14 02:08:21 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-03-14 01:10:53 3145728 ----a-w- C:\Windows\System32\win32k.sys

2012-03-14 01:10:52 1544192 ----a-w- C:\Windows\System32\DWrite.dll

2012-03-14 01:10:52 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll

2012-03-14 01:10:50 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe

2012-03-14 01:10:50 77312 ----a-w- C:\Windows\System32\rdpwsx.dll

2012-03-14 01:10:50 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll

2012-03-14 01:10:31 1031680 ----a-w- C:\Windows\System32\rdpcore.dll

2012-03-14 01:10:30 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll

2012-03-14 01:10:30 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys

2012-03-14 01:10:30 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

2012-03-11 20:02:38 -------- d-----w- C:\Users\Owner\AppData\Local\{43373D7A-274A-4E54-A5F9-939F3207A269}


==================== Find3M ====================


2012-02-27 00:26:53 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-02-17 14:54:12 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-01-31 12:44:20 279656 ------w- C:\Windows\System32\MpSigStub.exe

2012-01-04 10:44:20 509952 ----a-w- C:\Windows\System32\ntshrui.dll

2012-01-04 08:58:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll


============= FINISH: 22:45:29.33 ===============

Link to post
Share on other sites


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".

Link to post
Share on other sites

Thank you, here are the scan results and information

Malwarebytes Anti-Malware (Trial)


Database version: v2012.04.04.10

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Owner :: OWNER-PC [administrator]

Protection: Enabled

4/4/2012 6:33:31 PM

mbam-log-2012-04-04 (18-33-31).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 309892

Time elapsed: 40 minute(s), 33 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)


.As far as behavior It seemed in the beginning i had some internet issues like slow loading and even a disconnect once, and it seems to have been better and only at times seems to slow, but i am thinking it could be when mbam is updating..(?)...or somethng is running?.....or isp?..

overall i am not experiencing any problems with programs or the system itself that i have noticed.....One concern is recieving a notice "mbam successfully blocked access to a potentially malicious site...(and gives an ip)"...this occurs each time i go to a specific WordPress site,(which i understand was the primary target for this virus)...it is like a go to the site and it allows me to view but tries to redirect me to another site and I get the message.....this also occured on two of maybe 20 visits at another major site that should, I would think always updated and secure as possible......I havent done much surfing because of this issue so I cant be more informative....

Thanks again

Link to post
Share on other sites

Lets did deeper and see what we find.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.


1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

.....was behaving great as i was revisiting web sites i have saved for later reference...then i opened one and IE hung for a few seconds and the page didnt load and IE closed...so i tried it again and it loaded and i immediately scrolled to the bottom of the page and learned it was a WordPress site, then closed it and deleted the shortcut...(this was not the same wordpress site i suspect is an infected site)......After that It seemed a bit slow, but I cant really say because it may all be in my head at this point..and theres nothing serious or obvious to report....

-Should I be safe from being reinfected now from the same virus? is mbam able to block it now if i happen to come across it again?

-Should i run combofix again just in case?

heres the log from prior to the incident described above..thank you

ComboFix 12-04-05.09 - Owner 04/05/2012 19:12:15.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2807.1507 [GMT -7:00]

Running from: c:\users\Owner\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))






((((((((((((((((((((((((( Files Created from 2012-03-06 to 2012-04-06 )))))))))))))))))))))))))))))))



2012-04-06 02:17 . 2012-04-06 02:17 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-04-06 02:02 . 2012-03-14 03:27 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{490E6B90-D906-4E89-BB58-ABEFCEEFE218}\mpengine.dll

2012-03-31 03:36 . 2012-03-31 03:36 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-03-31 03:31 . 2012-03-31 03:31 -------- d-----w- c:\users\Owner\AppData\Local\Adobe

2012-03-25 09:23 . 2012-03-25 09:23 5679896 ----a-w- c:\programdata\Microsoft\BingBar\BBSvc\7.1.364.0oemBingBarSetup-Partner.EXE

2012-03-25 07:52 . 2012-03-25 07:52 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes

2012-03-25 07:51 . 2012-03-25 07:51 -------- d-----w- c:\programdata\Malwarebytes

2012-03-25 07:51 . 2012-03-25 07:51 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-03-25 07:51 . 2011-12-10 22:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-22 08:02 . 2012-03-22 08:02 -------- d-----w- c:\programdata\PC Tools

2012-03-14 02:08 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-03-14 02:08 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-03-14 02:08 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-03-14 01:10 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys

2012-03-14 01:10 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll

2012-03-14 01:10 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll

2012-03-14 01:10 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll

2012-03-14 01:10 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-03-14 01:10 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-03-14 01:10 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll

2012-03-14 01:10 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll

2012-03-14 01:10 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-03-14 01:10 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys




(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


2012-03-31 03:36 . 2011-05-13 04:19 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-03-14 03:27 . 2011-03-14 03:46 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-02-27 00:41 . 2010-06-24 19:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2012-02-27 00:26 . 2011-04-04 04:01 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll

2012-02-11 15:39 . 2012-02-11 15:39 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C6C8D3AF-6693-4B7D-939E-F0B84CF9D38D}\gapaengine.dll

2012-01-31 12:44 . 2011-02-12 17:43 279656 ------w- c:\windows\system32\MpSigStub.exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown




"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]



"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]


c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-6-24 9216]



"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)


[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]




Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp





[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2012-01-04 06:51 37296 ----a-w- c:\program files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupManagerTray]

2010-05-25 00:22 258304 ----a-w- c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAStorIcon]

2010-04-13 16:57 284696 ----a-w- c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]

2010-06-22 06:34 968272 ----a-w- c:\program files (x86)\Launch Manager\LManager.exe


R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 253600]

R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.364.0\SeaPort.exe [2012-02-20 240408]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-28 288272]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.364.0\BBSvc.exe [2012-02-20 193816]

S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe [2010-06-22 321104]

S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2010-06-11 868896]

S2 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [2010-01-08 23584]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-04-13 13336]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]

S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2010-05-25 255744]

S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-18 2320920]

S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2010-01-28 243232]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]

S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]

S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]



--- Other Services/Drivers In Memory ---


*NewlyCreated* - WS2IFSL


Contents of the 'Scheduled Tasks' folder


2012-04-06 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 03:36]



--------- x86-64 -----------




"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-22 10920552]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-09-01 167704]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-09-01 392472]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-09-01 416024]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]



------- Supplementary Scan -------


uStart Page = hxxp://www.dealerconnect.com/

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv55c&r=27360211m415l0474z1k5a4872j240

mLocal Page = c:\windows\SysWOW64\blank.htm

TCP: DhcpNameServer =


- - - - ORPHANS REMOVED - - - -


Toolbar-Locked - (no file)

Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe

Toolbar-Locked - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe




--------------------- LOCKED REGISTRY KEYS ---------------------



@Denied: (2) (S-1-5-21-2051517410-3841790015-2386691627-1000)

@Denied: (2) (LocalSystem)




@Denied: (2) (S-1-5-21-2051517410-3841790015-2386691627-1000)

@Denied: (2) (LocalSystem)




@Denied: (A 2) (Everyone)














@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"













@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"












@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"










@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"












@Denied: (A 2) (Everyone)











@Denied: (Full) (Everyone)


------------------------ Other Running Processes ------------------------


c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe




Completion time: 2012-04-05 19:23:36 - machine was rebooted

ComboFix-quarantined-files.txt 2012-04-06 02:23


Pre-Run: 264,779,075,584 bytes free

Post-Run: 264,347,217,920 bytes free


- - End Of File - - C6C74C083A01496B47A1929F17D99222

Link to post
Share on other sites

Should I be safe from being reinfected now from the same virus? is mbam able to block it now if i happen to come across it again?
-Should i run combofix again just in case?

No program is going to stop 100% of everything bad.

You still need to be careful of sites you visit, emails you open or links you click on.

Good job thumbup.gif

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is succeptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

  • Securing Your Web Browser
    This paper will help you configure your web browser for safer internet surfing.
  • Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    •Free browser plug-in for Internet Explorer and Firefox
    •Real-time safety ratings
    •Ideal for Facebook, Twitter and LinkedIn
  • JAVA Click this link and click on the Free JAVA Download
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Link to post
Share on other sites

PC seems to be running fine...Thanks for the expertise..

I just purchased mbam...You stated i should only use one AV program..i thought i read somewhere mbam is designed to work with AV?...(i could be wrong)..

so my question is should I turn off Microsoft security essentials? or even uninstall it?

and is windows firewall satisfactory?

thanks so much, cheers

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.