
MWBS cannot remove Trojan.Dropper.BCminer



Hello,

I was a recent recipient of this wonderful little bugger. I have tried to wipe it out with Malwarebytes and used Microsoft AV, no luck. I have noticed that after this hit I no longer have control of MS Firewall or Windows Defender. Looks like it damaged or removed the services. Appreciate any help!!!

I have attached the logs below for DDS and Malwarebytes.

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.02.06

Windows 7 x64 NTFS

Internet Explorer 9.0.8112.16421

Matt :: MATT-PC [administrator]

6/2/2012 8:39:10 PM

mbam-log-2012-06-02 (20-39-10).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 548326

Time elapsed: 1 hour(s), 5 minute(s), 27 second(s)

Memory Processes Detected: 1

C:\Users\Matt\AppData\Local\hlqxfs.exe (Trojan.Agent) -> 3064 -> Delete on reboot.

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 4

C:\Users\Matt\AppData\Local\hlqxfs.exe (Trojan.Agent) -> Delete on reboot.

C:\Program Files (x86)\Bethesda Softworks\Star Trek Legacy\BatchFilesUU.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.

C:\Program Files (x86)\FREEzeFlip\bin\1.0.4.0\LaunchHelp.dll (Adware.Seekmo) -> Quarantined and deleted successfully.

C:\Windows\Installer\{24c91c19-2c95-4982-c16d-d1be8ce9f70a}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

(end)

DDS.TXT

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by Matt at 11:45:33 on 2012-06-03

.

============== Running Processes ===============

.

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.swagbucks.com/?cmd=home

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

uRun: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

uRun: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent

mRun: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"

mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPPSC2~1.LNK - C:\Program Files (x86)\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPODDT~1.LNK - C:\Program Files (x86)\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

TCP: DhcpNameServer = 10.0.0.1

TCP: Interfaces\{014E09BE-D95D-44E9-B97C-5D5C861EDB87} : DhcpNameServer = 10.0.0.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

BHO-X64: Increase performance and video formats for your HTML5 <video> - No File

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

mRun-x64: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"

mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun-x64: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

2012-06-03 03:01:48 927800 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{11016DAD-196D-4DC1-B2DD-B6B4D4499279}\gapaengine.dll

2012-06-03 03:01:45 8955792 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{48B45165-E834-4CBC-BBC0-0D675C8E0CC5}\mpengine.dll

2012-06-03 02:56:23 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client

2012-06-03 02:56:18 -------- d-----w- C:\Program Files\Microsoft Security Client

2012-06-03 02:56:00 374664 ----a-w- C:\Windows\System32\drivers\netio.sys

2012-06-02 16:40:38 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-06-01 18:05:40 -------- d-----w- C:\Users\Matt\AppData\Roaming\wargaming.net

2012-06-01 18:05:28 -------- d--h--w- C:\Windows\msdownld.tmp

2012-06-01 18:05:28 -------- d-----w- C:\Windows\SysWow64\directx

2012-06-01 18:05:27 -------- d-----w- C:\Games

2012-05-30 00:49:09 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{ACA6B8E3-B2BB-48CF-9857-F089CFDB2ECE}\mpengine.dll

2012-05-25 20:27:08 281032 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr

2012-05-25 20:24:37 -------- d-----w- C:\Users\Matt\AppData\Local\PunkBuster

2012-05-25 20:24:37 -------- d-----w- C:\Users\Matt\AppData\Local\CrashRpt

2012-05-25 20:23:41 -------- d-----w- C:\Program Files (x86)\Microsoft Chart Controls

2012-05-19 22:58:37 5504880 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-05-19 22:58:36 3958128 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-05-19 22:58:36 3902320 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-05-19 22:58:35 3143680 ----a-w- C:\Windows\System32\win32k.sys

2012-05-19 22:58:34 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll

2012-05-19 22:58:34 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL

2012-05-19 22:58:34 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll

2012-05-19 22:58:34 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll

2012-05-19 22:58:34 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll

2012-05-19 22:58:33 1895280 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-05-14 02:24:46 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll

2012-05-14 02:24:46 1541120 ----a-w- C:\Windows\System32\DWrite.dll

2012-05-14 02:24:45 902656 ----a-w- C:\Windows\System32\d2d1.dll

2012-05-14 02:24:45 320512 ----a-w- C:\Windows\System32\d3d10_1core.dll

2012-05-14 02:24:45 218624 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll

2012-05-14 02:24:45 197120 ----a-w- C:\Windows\System32\d3d10_1.dll

2012-05-14 02:24:45 1837568 ----a-w- C:\Windows\System32\d3d10warp.dll

2012-05-14 02:24:45 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll

2012-05-14 02:24:45 1170944 ----a-w- C:\Windows\SysWow64\d3d10warp.dll

2012-05-14 02:24:45 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll

2012-05-11 01:26:36 75632 ----a-w- C:\Windows\System32\drivers\partmgr.sys

.

==================== Find3M ====================

.

2012-06-02 16:40:38 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-05-28 18:07:54 281032 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe

2012-05-28 01:49:43 281032 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0

2012-05-27 19:18:20 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe

2012-04-04 19:56:40 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-03-21 00:44:12 98688 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys

2012-03-21 00:44:12 203888 ----a-w- C:\Windows\System32\drivers\MpFilter.sys

.

============= FINISH: 11:46:08.37 ===============

Attach.TXT

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

.

==== Disk Partitions =========================

.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

1ClickDownload

Activision®

Adobe Flash Player 10 Plugin

Adobe Reader 9.5.1

Agricultural Simulator 2011

Amazon MP3 Downloader 1.0.10

Apple Application Support

Apple Software Update

ARMA 2: Free

AviSynth 2.5

CCleaner

Coupon Printer for Windows

DivX Setup

DVDFab 6.0.7.0 (18/09/2009)

Empire: Total War

Enigma: Rising Tide International GOLD Edition

Hearts of Iron 2

HP Photo and Imaging 2.0 - All-in-One

HP Photo and Imaging 2.0 - All-in-One Drivers

HP Photo and Imaging 2.0 - hp psc 2170 series

hp psc 2170 series

ImgBurn

IsoBuster 2.8.5

Java Auto Updater

Java 6 Update 29

John Tiller's Campaign Series

Malwarebytes Anti-Malware version 1.61.0.1400

Medieval II: Total War

Medieval II: Total War Kingdoms

Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

MKVtoolnix 5.0.1

Mount & Blade: With Fire and Sword

MSVC80_x86

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Napoleon: Total War

Naval War: Arctic Circle Demo

Nero 8

neroxml

NVIDIA 3D Vision Controller Driver

NVIDIA PhysX

NVIDIA Stereoscopic 3D Driver

PC Connectivity Solution

PowerDirector Express

PowerDVD

PowerProducer

PT Boats: Knights of The Sea

PunkBuster Services

QuickPar 0.9

QuickTime

Realtek High Definition Audio Driver

Red Orchestra 2: Heroes of Stalingrad

Roblox

Rome: Total War - Alexander

Rome: Total War Gold Edition

Safari

Security Update for 2007 Microsoft Office System (KB951550)

Security Update for 2007 Microsoft Office System (KB951944)

Sniper Elite V2 Demo

SpeedFan (remove only)

SPORE™

Star Trek Legacy

Star Trek Online

Steam

The Operational Art of War: Century of Warfare

Tom Clancy's Splinter Cell

Total War: SHOGUN 2

Transformers - War for Cybertron

Universal Extractor 1.6

VC80CRTRedist - 8.0.50727.6195

VCRedistSetup

Veetle TV 0.9.18

Videora Xbox 360 Converter 6

VLC media player 1.0.1

Wargame: European Escalation

Win7codecs

Wolfenstein

World of Warplanes

Xvid 1.1.3 final uninstall

YouTube Downloader App 3.00

.

==== End Of File ===========================


Hello mlww2usa and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to the Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 2

Download aswMBR.exe (1.8 MB) to your desktop.

Double click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.

Step 3

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log
  • Farbar Service Scanner log
  • a new fresh DDS log file


Hi Maniac,

Thank you for taking the time to help! I have noticed the latest Malwarebytes report shows the file is no longer listed in the report. Not sure if you can see any other issues in the logs but my Firewall still does not seem to be working. I have uploaded all the logs you requested below.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.04.09

Windows 7 x64 NTFS

Internet Explorer 9.0.8112.16421

Matt :: MATT-PC [administrator]

Protection: Enabled

6/4/2012 8:12:30 PM

mbam-log-2012-06-04 (20-12-30).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 213695

Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-06-04 20:19:07

-----------------------------

20:19:07.340 OS Version: Windows x64 6.1.7600

20:19:07.340 Number of processors: 4 586 0x1707

20:19:07.340 ComputerName: MATT-PC UserName: Matt

20:19:08.885 Initialize success

20:19:22.925 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

20:19:22.941 Disk 0 Vendor: SAMSUNG_ 1AA0 Size: 610480MB BusType: 8

20:19:22.941 Disk 0 MBR read successfully

20:19:22.956 Disk 0 MBR scan

20:19:22.956 Disk 0 Windows 7 default MBR code

20:19:22.956 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 597032 MB offset 63

20:19:22.972 Disk 0 scanning C:\Windows\system32\drivers

20:19:27.683 Service scanning

20:19:37.480 Modules scanning

20:19:37.480 Disk 0 trace - called modules:

20:19:37.496 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll

20:19:37.496 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800530d060]

20:19:37.496 3 CLASSPNP.SYS[fffff88000dbb43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004ca9050]

20:19:37.496 Scan finished successfully

20:19:52.409 Disk 0 MBR has been saved successfully to "C:\Users\Matt\Desktop\Maleware fix\MBR.dat"

20:19:52.409 The log file has been saved successfully to "C:\Users\Matt\Desktop\Maleware fix\aswMBR.txt"

FARBAR

Farbar Service Scanner Version: 05-06-2012

Ran by Matt (administrator) on 04-06-2012 at 20:21:03

Running from "C:\Users\Matt\Desktop\Maleware fix"

Windows 7 Ultimate (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

mpsdrv Service is not running. Checking service configuration:

The start type of mpsdrv service is OK.

The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:

Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:

Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Action Center:

============

wscsvc Service is not running. Checking service configuration:

Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys

[2012-02-14 16:07] - [2011-12-27 23:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys

[2012-05-19 18:58] - [2012-03-30 07:09] - 1895280 ____A (Microsoft Corporation) 624C5B3AA4C99B3184BB922D9ECE3FF0

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\mpssvc.dll

[2009-07-13 20:09] - [2009-07-13 21:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll

[2009-07-13 19:36] - [2009-07-13 21:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe => MD5 is legit

C:\Windows\System32\wscsvc.dll => MD5 is legit

C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\System32\wuaueng.dll

[2009-07-13 20:36] - [2009-07-13 21:41] - 2418176 ____A (Microsoft Corporation) 38340204A2D0228F1E87740FC5E554A7

C:\Windows\System32\qmgr.dll => MD5 is legit

C:\Windows\System32\es.dll => MD5 is legit

C:\Windows\System32\cryptsvc.dll => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

DDS LOG

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by Matt at 20:22:27 on 2012-06-04

.

============== Running Processes ===============

.

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.swagbucks.com/?cmd=home

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

uRun: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

uRun: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent

mRun: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"

mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPPSC2~1.LNK - C:\Program Files (x86)\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPODDT~1.LNK - C:\Program Files (x86)\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

TCP: DhcpNameServer = 10.0.0.1

TCP: Interfaces\{014E09BE-D95D-44E9-B97C-5D5C861EDB87} : DhcpNameServer = 10.0.0.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll

BHO-X64: Increase performance and video formats for your HTML5 <video> - No File

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL

BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

mRun-x64: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"

mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun-x64: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

2012-06-05 00:08:43 8955792 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{999A393D-51C6-4F3A-87B1-217E0C4CE940}\mpengine.dll

2012-06-03 16:19:25 8955792 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-06-03 03:01:48 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{11016DAD-196D-4DC1-B2DD-B6B4D4499279}\gapaengine.dll

2012-06-03 02:56:23 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client

2012-06-03 02:56:18 -------- d-----w- C:\Program Files\Microsoft Security Client

2012-06-03 02:56:00 374664 ----a-w- C:\Windows\System32\drivers\netio.sys

2012-06-02 16:40:38 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-06-01 18:05:40 -------- d-----w- C:\Users\Matt\AppData\Roaming\wargaming.net

2012-06-01 18:05:28 -------- d--h--w- C:\Windows\msdownld.tmp

2012-06-01 18:05:28 -------- d-----w- C:\Windows\SysWow64\directx

2012-06-01 18:05:27 -------- d-----w- C:\Games

2012-05-30 00:49:09 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{ACA6B8E3-B2BB-48CF-9857-F089CFDB2ECE}\mpengine.dll

2012-05-25 20:27:08 281032 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr

2012-05-25 20:24:37 -------- d-----w- C:\Users\Matt\AppData\Local\PunkBuster

2012-05-25 20:24:37 -------- d-----w- C:\Users\Matt\AppData\Local\CrashRpt

2012-05-25 20:23:41 -------- d-----w- C:\Program Files (x86)\Microsoft Chart Controls

2012-05-19 22:58:37 5504880 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-05-19 22:58:36 3958128 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-05-19 22:58:36 3902320 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-05-19 22:58:35 3143680 ----a-w- C:\Windows\System32\win32k.sys

2012-05-19 22:58:34 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll

2012-05-19 22:58:34 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL

2012-05-19 22:58:34 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll

2012-05-19 22:58:34 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll

2012-05-19 22:58:34 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll

2012-05-19 22:58:33 1895280 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-05-14 02:24:46 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll

2012-05-14 02:24:46 1541120 ----a-w- C:\Windows\System32\DWrite.dll

2012-05-14 02:24:45 902656 ----a-w- C:\Windows\System32\d2d1.dll

2012-05-14 02:24:45 320512 ----a-w- C:\Windows\System32\d3d10_1core.dll

2012-05-14 02:24:45 218624 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll

2012-05-14 02:24:45 197120 ----a-w- C:\Windows\System32\d3d10_1.dll

2012-05-14 02:24:45 1837568 ----a-w- C:\Windows\System32\d3d10warp.dll

2012-05-14 02:24:45 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll

2012-05-14 02:24:45 1170944 ----a-w- C:\Windows\SysWow64\d3d10warp.dll

2012-05-14 02:24:45 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll

2012-05-11 01:26:36 75632 ----a-w- C:\Windows\System32\drivers\partmgr.sys

.

==================== Find3M ====================

.

2012-06-02 16:40:38 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-05-28 18:07:54 281032 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe

2012-05-28 01:49:43 281032 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0

2012-05-27 19:18:20 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe

2012-04-04 19:56:40 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-03-21 00:44:12 98688 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys

2012-03-21 00:44:12 203888 ----a-w- C:\Windows\System32\drivers\MpFilter.sys

.

============= FINISH: 20:23:15.38 ===============

Attach.zip


Step 1

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Step 2

I will need a fresh Farbar Service Scanner log. Run it and then:

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.

In your next reply, post the following log files:

  • Farbar Service Scanner log
  • ComboFix log


Maniac,

I was able to run both programs without issue; logs are provided below.

ComboFix 12-06-05.03 - Matt 06/05/2012 19:06:32.1.4 - x64

Running from: c:\users\Matt\Desktop\Maleware fix\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\hpoddt01.exe.lnk

c:\users\Matt\AppData\Roaming\inst.exe

c:\windows\SysWow64\avisynth.dll

c:\windows\SysWow64\devil.dll

.

.

((((((((((((((((((((((((( Files Created from 2012-05-05 to 2012-06-05 )))))))))))))))))))))))))))))))

.

.

2012-06-05 23:13 . 2012-06-05 23:13 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-06-05 00:08 . 2012-05-08 14:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{999A393D-51C6-4F3A-87B1-217E0C4CE940}\mpengine.dll

2012-06-03 16:19 . 2012-05-08 14:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-06-03 03:01 . 2012-06-03 03:01 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{11016DAD-196D-4DC1-B2DD-B6B4D4499279}\gapaengine.dll

2012-06-03 02:56 . 2012-06-03 02:56 -------- d-----w- c:\program files (x86)\Microsoft Security Client

2012-06-03 02:56 . 2012-06-03 02:56 -------- d-----w- c:\program files\Microsoft Security Client

2012-06-03 02:56 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys

2012-06-02 16:40 . 2012-06-02 16:40 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-06-02 16:40 . 2012-06-02 16:40 -------- d-----w- c:\windows\system32\Macromed

2012-06-01 18:05 . 2012-06-01 19:51 -------- d-----w- c:\users\Matt\AppData\Roaming\wargaming.net

2012-06-01 18:05 . 2012-06-01 18:05 -------- d--h--w- c:\windows\msdownld.tmp

2012-06-01 18:05 . 2012-06-01 18:05 -------- d-----w- C:\Games

2012-05-30 00:49 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ACA6B8E3-B2BB-48CF-9857-F089CFDB2ECE}\mpengine.dll

2012-05-25 20:27 . 2012-05-28 18:07 281032 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr

2012-05-25 20:24 . 2012-05-25 20:24 -------- d-----w- c:\users\Matt\AppData\Local\PunkBuster

2012-05-25 20:24 . 2012-05-25 20:24 -------- d-----w- c:\users\Matt\AppData\Local\CrashRpt

2012-05-25 20:23 . 2012-05-25 20:23 -------- d-----w- c:\program files (x86)\Microsoft Chart Controls

2012-05-19 22:58 . 2012-04-02 05:34 5504880 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-19 22:58 . 2012-04-02 04:46 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-05-19 22:58 . 2012-04-02 04:46 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-05-19 22:58 . 2012-04-02 03:01 3143680 ----a-w- c:\windows\system32\win32k.sys

2012-05-19 22:58 . 2012-04-02 05:26 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL

2012-05-19 22:58 . 2012-04-02 05:24 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll

2012-05-19 22:58 . 2012-04-02 05:24 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll

2012-05-19 22:58 . 2012-04-02 05:24 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll

2012-05-19 22:58 . 2012-04-02 04:40 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll

2012-05-19 22:58 . 2012-03-30 11:09 1895280 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-05-14 02:24 . 2012-03-03 06:29 1541120 ----a-w- c:\windows\system32\DWrite.dll

2012-05-14 02:24 . 2012-03-03 05:40 739840 ----a-w- c:\windows\SysWow64\d2d1.dll

2012-05-14 02:24 . 2012-03-03 06:29 320512 ----a-w- c:\windows\system32\d3d10_1core.dll

2012-05-14 02:24 . 2012-03-03 06:29 197120 ----a-w- c:\windows\system32\d3d10_1.dll

2012-05-14 02:24 . 2012-03-03 06:29 1837568 ----a-w- c:\windows\system32\d3d10warp.dll

2012-05-14 02:24 . 2012-03-03 06:29 902656 ----a-w- c:\windows\system32\d2d1.dll

2012-05-14 02:24 . 2012-03-03 05:40 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll

2012-05-14 02:24 . 2012-03-03 05:40 1170944 ----a-w- c:\windows\SysWow64\d3d10warp.dll

2012-05-14 02:24 . 2012-03-03 05:40 218624 ----a-w- c:\windows\SysWow64\d3d10_1core.dll

2012-05-14 02:24 . 2012-03-03 05:40 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll

2012-05-11 01:26 . 2012-03-17 07:55 75632 ----a-w- c:\windows\system32\drivers\partmgr.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-02 16:40 . 2011-06-19 20:07 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-05-28 18:07 . 2012-02-20 19:39 281032 ----a-w- c:\windows\SysWow64\PnkBstrB.exe

2012-05-28 01:49 . 2012-02-20 19:39 281032 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0

2012-05-27 19:18 . 2012-02-20 19:39 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe

2012-04-04 19:56 . 2010-03-08 23:17 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-21 00:44 . 2012-03-21 00:44 98688 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys

2012-03-21 00:44 . 2012-03-21 00:44 203888 ----a-w- c:\windows\system32\drivers\MpFilter.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]

"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-11-25 1242448]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="c:\program files (x86)\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-29 32768]

"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"NBKeyScan"="c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]

"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

hp psc 2000 Series.lnk - c:\program files (x86)\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2004-6-16 323646]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 0 (0x0)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux2"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]

S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-05-21 378472]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - IPNAT

*NewlyCreated* - NISDRV

*NewlyCreated* - WS2IFSL

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 660360]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.swagbucks.com/?cmd=home

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 10.0.0.1

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2622963059-1466397820-2052336788-1000\Software\SecuROM\License information*]

"datasecu"=hex:5c,2c,9e,39,d6,ed,17,10,56,ab,bb,cb,73,ae,20,54,9b,55,64,fa,02,

e5,e9,ee,98,a2,dd,88,7e,4d,99,7a,87,6e,8d,1b,8f,52,90,62,72,59,40,9f,68,6d,\

"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe

c:\windows\SysWOW64\IoctlSvc.exe

c:\windows\SysWOW64\PnkBstrA.exe

c:\program files (x86)\Common Files\Nero\Lib\NMIndexingService.exe

.

**************************************************************************

.

Completion time: 2012-06-05 19:21:39 - machine was rebooted

ComboFix-quarantined-files.txt 2012-06-05 23:21

.

Pre-Run: 370,953,732,096 bytes free

Post-Run: 370,838,028,288 bytes free

.

- - End Of File - - 617797EB13A2DA9C23B21B9733794A2E

Farbar Service Scanner Version: 05-06-2012

Ran by Matt (administrator) on 05-06-2012 at 19:26:25

Running from "C:\Users\Matt\Desktop\Maleware fix"

Windows 7 Ultimate (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Action Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is OK.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys

[2012-02-14 16:07] - [2011-12-27 23:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys

[2012-05-19 18:58] - [2012-03-30 07:09] - 1895280 ____A (Microsoft Corporation) 624C5B3AA4C99B3184BB922D9ECE3FF0

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\mpssvc.dll

[2009-07-13 20:09] - [2009-07-13 21:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll

[2009-07-13 19:36] - [2009-07-13 21:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe => MD5 is legit

C:\Windows\System32\wscsvc.dll => MD5 is legit

C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\System32\wuaueng.dll

[2009-07-13 20:36] - [2009-07-13 21:41] - 2418176 ____A (Microsoft Corporation) 38340204A2D0228F1E87740FC5E554A7

C:\Windows\System32\qmgr.dll => MD5 is legit

C:\Windows\System32\es.dll => MD5 is legit

C:\Windows\System32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****


Please run Farbar Service Scanner.

Type the following in the edit box after "Search:".

afd.sys

Click the Search Files button and post the log (FSS.txt) it makes to your reply. Do the same for the following files:

tcpip.sys

mpssvc.dll

SDRSVC.dll

wuaueng.dll


Maniac,

Here are the additional FARBAR logs....

Farbar Service Scanner Version: 05-06-2012

Ran by Matt (administrator) on 06-06-2012 at 19:59:54

Microsoft Windows 7 Ultimate (X64)

************************************************

======== Search: "afd.sys" =========

C:\Windows\System32\drivers\afd.sys

[2012-02-14 16:07] - [2011-12-27 23:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21887_none_364f3a028e605345\afd.sys

[2012-02-14 16:07] - [2011-12-28 00:01] - 0498176 ____A (Microsoft Corporation) 36A14FD1A23F57046361733B792CA8DB

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_3695e61e8e2c13d4\afd.sys

[2011-06-18 19:55] - [2011-04-24 23:09] - 0499200 ____A (Microsoft Corporation) F4AD06143EAC303F55D0E86C40802976

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys

[2012-02-14 16:07] - [2011-12-27 23:59] - 0498688 ____A (Microsoft Corporation) 1C7857B62DE5994A75B054A9FD4C3825

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_3618198975057170\afd.sys

[2011-06-18 19:55] - [2011-04-24 22:34] - 0499200 ____A (Microsoft Corporation) D5B031C308A409A0A576BFF4CF083D30

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.21115_none_34b263fe91032456\afd.sys

[2012-02-14 16:07] - [2011-12-28 00:01] - 0499200 ____A (Microsoft Corporation) CCA39961E76B491DDF44B1E90FC8971D

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.20951_none_3483491e9126fe55\afd.sys

[2011-06-18 19:55] - [2011-04-24 22:44] - 0499712 ____A (Microsoft Corporation) FBFF8B7C9D116229E9208A0D1CAEB49B

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16937_none_34154fcd77f3bbda\afd.sys

[2012-02-14 16:07] - [2011-12-27 23:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_3430bc3977dfec2d\afd.sys

[2011-06-18 19:55] - [2011-04-24 22:44] - 0499712 ____A (Microsoft Corporation) 6EF20DDF3172E97D69F596FB90602F29

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_33dd3439781e25f7\afd.sys

[2009-07-13 19:21] - [2009-07-13 19:21] - 0500224 ____A (Microsoft Corporation) B9384E03479D2506BC924C16A3DB87BC

====== End Of Search ======

Farbar Service Scanner Version: 05-06-2012

Ran by Matt (administrator) on 06-06-2012 at 20:06:26

Microsoft Windows 7 Ultimate (X64)

************************************************

======== Search: "mpssvc.dll" =========

C:\Windows\System32\MPSSVC.dll

[2009-07-13 20:09] - [2009-07-13 21:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\winsxs\amd64_networking-mpssvc-svc_31bf3856ad364e35_6.1.7600.16385_none_f6092d1fe18dc440\MPSSVC.dll

[2009-07-13 20:09] - [2009-07-13 21:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

====== End Of Search ======

Farbar Service Scanner Version: 05-06-2012

Ran by Matt (administrator) on 06-06-2012 at 20:07:08

Microsoft Windows 7 Ultimate (X64)

************************************************

======== Search: "SDRSVC.dll" =========

C:\Windows\System32\sdrsvc.dll

[2009-07-13 19:36] - [2009-07-13 21:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\winsxs\amd64_microsoft-windows-safedocs-main_31bf3856ad364e35_6.1.7600.16385_none_80feadf380799a73\sdrsvc.dll

[2009-07-13 19:36] - [2009-07-13 21:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

====== End Of Search ======

Farbar Service Scanner Version: 05-06-2012

Ran by Matt (administrator) on 06-06-2012 at 20:05:10

Microsoft Windows 7 Ultimate (X64)

************************************************

======== Search: "tcpip.sys" =========

C:\Windows\System32\drivers\tcpip.sys

[2012-05-19 18:58] - [2012-03-30 07:09] - 1895280 ____A (Microsoft Corporation) 624C5B3AA4C99B3184BB922D9ECE3FF0

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.21954_none_11a27a8e9643d23a\tcpip.sys

[2012-05-19 18:58] - [2012-03-30 06:26] - 1901424 ____A (Microsoft Corporation) 885B202006EE17AE99B9FBCEC9AF88C9

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.21828_none_11c6e9949627e69c\tcpip.sys

[2011-11-16 23:07] - [2011-09-29 13:41] - 1912176 ____A (Microsoft Corporation) 3810F06A4D74A7D62641EE73D6B3C660

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.21754_none_11a276c29643d7ec\tcpip.sys

[2011-08-09 19:20] - [2011-06-21 02:20] - 1914752 ____A (Microsoft Corporation) A0EB71E0DC047C7CC95CD6AB4036296E

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.21712_none_11cbb5de9625357a\tcpip.sys

[2011-06-18 19:55] - [2011-04-25 02:16] - 1927552 ____A (Microsoft Corporation) B77977AEB2FF159D01DB08A309989C5F

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17802_none_114ceccb7cff740d\tcpip.sys

[2012-05-19 18:58] - [2012-03-30 07:35] - 1918320 ____A (Microsoft Corporation) ACB82BDA8F46C84F465C1AFA517DC4B9

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17697_none_10f09b257d43f3eb\tcpip.sys

[2011-11-16 23:07] - [2011-09-29 12:29] - 1923952 ____A (Microsoft Corporation) FC62769E7BFF2896035AEED399108162

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17638_none_11327af77d12659c\tcpip.sys

[2011-08-09 19:20] - [2011-06-21 02:34] - 1923968 ____A (Microsoft Corporation) F0E98C00A09FDF791525829A1D14240F

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17603_none_114de9497cfe9316\tcpip.sys

[2011-06-18 19:55] - [2011-04-25 01:33] - 1923968 ____A (Microsoft Corporation) 92CE29D95AC9DD2D0EE9061D551BA250

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.21178_none_0faa5514992a39a7\tcpip.sys

[2012-05-19 18:58] - [2012-03-30 06:19] - 1877872 ____A (Microsoft Corporation) 5EFD096DEF47F8B88EF591DA92143440

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.21060_none_0fad20ca992955d7\tcpip.sys

[2011-11-16 23:07] - [2011-09-29 12:17] - 1886064 ____A (Microsoft Corporation) AC3E29880DB5659532A1AA3439304A43

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.20992_none_0f8ed978993fa916\tcpip.sys

[2011-08-09 19:20] - [2011-06-21 02:16] - 1888128 ____A (Microsoft Corporation) 5279D4DD69C7C71524B8E7A5746D15CC

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.20951_none_0fb918de99201ffb\tcpip.sys

[2011-06-18 19:55] - [2011-04-25 01:28] - 1893248 ____A (Microsoft Corporation) 1F748D5439B65E0BEBD92F65048F030D

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.20733_none_0fd0b57e990e2079\tcpip.sys

[2010-08-15 20:55] - [2010-06-14 02:39] - 1889152 ____A (Microsoft Corporation) 542C6767C68C9D6AAACA59436B0D15C2

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.20687_none_0f9ea52499331463\tcpip.sys

[2012-06-02 22:56] - [2010-04-09 03:56] - 1892232 ____A (Microsoft Corporation) A9C0F786AC1F736891D05CE0A1D29DEB

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.20496_none_0f92d122993c1caf\tcpip.sys

[2009-08-20 19:20] - [2009-08-20 19:20] - 1898584 ____A (Microsoft Corporation) 6DECEB05E65970699E24F0E6BB9D6DD8

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16986_none_0f140fa780164fde\tcpip.sys

[2012-05-19 18:58] - [2012-03-30 07:09] - 1895280 ____A (Microsoft Corporation) 624C5B3AA4C99B3184BB922D9ECE3FF0

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16889_none_0f170e9f80139ebc\tcpip.sys

[2011-11-16 23:07] - [2011-09-29 12:24] - 1897328 ____A (Microsoft Corporation) F18F56EFC0BFB9C87BA01C37B27F4DA5

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16839_none_0f4d1e3b7feb1307\tcpip.sys

[2011-08-09 19:20] - [2011-06-21 02:27] - 1896832 ____A (Microsoft Corporation) B9D87C7707F058AC652A398CD28DE14B

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16802_none_0f668bf97fd90dd3\tcpip.sys

[2011-06-18 19:55] - [2011-04-25 01:32] - 1896832 ____A (Microsoft Corporation) 61DC720BB065D607D5823F13D2A64321

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16610_none_0f59b7ad7fe2fcc8\tcpip.sys

[2010-08-15 20:55] - [2010-06-14 02:37] - 1896832 ____A (Microsoft Corporation) 90A2D722CF64D911879D6C4A4F802A4D

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16569_none_0f2ca8c580036f65\tcpip.sys

[2012-06-02 22:56] - [2010-04-09 07:06] - 1898376 ____A (Microsoft Corporation) 7FC877A25796D8ADF539E64703FCA7E1

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16400_none_0f6483cd7fdae689\tcpip.sys

[2009-08-20 19:20] - [2009-08-20 19:20] - 1898568 ____A (Microsoft Corporation) BDD634B4C9CE26884812E29DDC5AF5B8

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16385_none_0f1303f98017479d\tcpip.sys

[2009-07-13 19:25] - [2009-07-13 21:45] - 1898576 ____A (Microsoft Corporation) 912107716BAB424C7870E8E6AF5E07E1

C:\Windows\ERDNT\cache64\tcpip.sys

[2012-06-05 19:20] - [2012-03-30 07:09] - 1895280 ____A (Microsoft Corporation) 624C5B3AA4C99B3184BB922D9ECE3FF0

====== End Of Search ======

Farbar Service Scanner Version: 05-06-2012

Ran by Matt (administrator) on 06-06-2012 at 20:07:52

Microsoft Windows 7 Ultimate (X64)

************************************************

======== Search: "wuaueng.dll" =========

C:\Windows\System32\wuaueng.dll

[2009-07-13 20:36] - [2009-07-13 21:41] - 2418176 ____A (Microsoft Corporation) 38340204A2D0228F1E87740FC5E554A7

C:\Windows\winsxs\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_8ca5655e8bc7dae9\wuaueng.dll

[2009-07-13 20:36] - [2009-07-13 21:41] - 2418176 ____A (Microsoft Corporation) 38340204A2D0228F1E87740FC5E554A7

====== End Of Search ======


Good to know that! :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

FCopy::
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys | C:\Windows\System32\drivers\afd.sys
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16385_none_0f1303f98017479d\tcpip.sys | C:\Windows\System32\drivers\tcpip.sys

JavaClearCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

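The two steps above (asking for an FSS file search, then copying a WinSxS copy over the live driver with FCopy::) rest on one check: does the hash of the file under System32 match any copy the component store holds? The script below is an added example and not part of this thread or of the Farbar or ComboFix tools; it parses the FSS "Search" output format exactly as it appears above, reports whether the live System32 copy is byte-identical to a WinSxS copy, and lets you look up the hash of a store copy before and after a copy operation. The afd.sys sample is excerpted from the log posted above; the "tampered" sample is a constructed variant with a made-up hash for the live file, to show what an actually patched driver would look like. The function names and the verdict strings are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the "afd.sys" search excerpted from the FSS log in this thread
# (paths, sizes and MD5s as posted). The parser only needs a path line followed
# by its detail line, so the surrounding banner lines are harmless.
FSS_SEARCH_AFD = r"""
======== Search: "afd.sys" =========

C:\Windows\System32\drivers\afd.sys
[2012-02-14 16:07] - [2011-12-27 23:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21887_none_364f3a028e605345\afd.sys
[2012-02-14 16:07] - [2011-12-28 00:01] - 0498176 ____A (Microsoft Corporation) 36A14FD1A23F57046361733B792CA8DB

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys
[2012-02-14 16:07] - [2011-12-27 23:59] - 0498688 ____A (Microsoft Corporation) 1C7857B62DE5994A75B054A9FD4C3825

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16937_none_34154fcd77f3bbda\afd.sys
[2012-02-14 16:07] - [2011-12-27 23:59] - 0499200 ____A (Microsoft Corporation) DB9D6C6B2CD95A9CA414D045B627422E

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_33dd3439781e25f7\afd.sys
[2009-07-13 19:21] - [2009-07-13 19:21] - 0500224 ____A (Microsoft Corporation) B9384E03479D2506BC924C16A3DB87BC

====== End Of Search ======
"""

# Constructed failure case: same search, but the live System32 copy carries a
# hypothetical hash that no store copy has (what a patched driver looks like).
TAMPERED_SAMPLE = FSS_SEARCH_AFD.replace(
    "DB9D6C6B2CD95A9CA414D045B627422E", "0123456789ABCDEF0123456789ABCDEF", 1)


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int      # bytes, as FSS prints it (leading zeros stripped)
    company: str
    md5: str       # upper-case hex

    @property
    def in_store(self) -> bool:
        """True for copies that live in the WinSxS component store."""
        return "\\winsxs\\" in self.path.lower()

    @property
    def version(self) -> Optional[str]:
        """Component version embedded in a WinSxS directory name, else None."""
        m = re.search(r"_(\d+\.\d+\.\d+\.\d+)_", self.path)
        return m.group(1) if m else None


# "[created] - [modified] - <size> <attrs> (<company>) <MD5>"
DETAIL_RE = re.compile(
    r"^\[[^\]]*\] - \[[^\]]*\] - (\d+) \S+ \((.*?)\) ([0-9A-Fa-f]{32})$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_fss_search(text: str) -> list:
    """Turn one FSS 'Search' block into FileEntry records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for i, line in enumerate(lines[:-1]):
        if not PATH_RE.match(line):
            continue
        m = DETAIL_RE.match(lines[i + 1])
        if m:
            entries.append(FileEntry(line, int(m.group(1)), m.group(2), m.group(3).upper()))
    return entries


def assess(entries: list) -> dict:
    """Compare the live System32 copy against every WinSxS copy by MD5."""
    live = next((e for e in entries
                 if not e.in_store and "\\system32\\" in e.path.lower()), None)
    if live is None:
        return {"verdict": "no-live-copy", "live": None, "matching_versions": []}
    matches = sorted(e.version for e in entries
                     if e.in_store and e.version and e.md5 == live.md5)
    verdict = "matches-store" if matches else "no-store-match"
    return {"verdict": verdict, "live": live, "matching_versions": matches}


def store_copy(entries: list, version: str) -> Optional[FileEntry]:
    """The WinSxS copy for a given component version, e.g. an FCopy source."""
    return next((e for e in entries if e.in_store and e.version == version), None)


if __name__ == "__main__":
    for label, sample in (("posted log", FSS_SEARCH_AFD), ("tampered", TAMPERED_SAMPLE)):
        r = assess(parse_fss_search(sample))
        print(f"{label}: {r['verdict']} {r['matching_versions']}")
    src = store_copy(parse_fss_search(FSS_SEARCH_AFD), "6.1.7601.17752")
    print(f"FCopy source hash: {src.md5} ({src.size} bytes)")
```

For the afd.sys search posted above, the live file's MD5 equals the 6.1.7600.16937 store copy, so the verdict is "matches-store"; the constructed variant returns "no-store-match". On Windows 7 the file under System32 is normally a hard link to the matching WinSxS component, so a live copy that matches no store copy deserves attention, while a match only shows the bytes are identical to something the servicing stack installed, not that the machine is clean. Running `store_copy(...)` on the search output before and after an FCopy:: gives the hash you should see on the replaced driver.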

Maniac,

I took your text values, added them to Notepad and dropped the txt file onto ComboFix.

Here is the latest Combofix log as requested.....

ComboFix 12-06-05.03 - Matt 06/07/2012 20:25:49.2.4 - x64

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.4095.2818 [GMT -4:00]

Running from: c:\users\Matt\Desktop\Maleware fix\ComboFix.exe

Command switches used :: c:\users\Matt\Desktop\Maleware fix\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

--------------- FCopy ---------------

.

c:\windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys --> c:\windows\System32\drivers\afd.sys

c:\windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16385_none_0f1303f98017479d\tcpip.sys --> c:\windows\System32\drivers\tcpip.sys

.

((((((((((((((((((((((((( Files Created from 2012-05-08 to 2012-06-08 )))))))))))))))))))))))))))))))

.

.

2012-06-08 00:33 . 2012-06-08 00:33 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-06-08 00:25 . 2011-12-28 03:59 498688 ----a-w- c:\windows\SysWow64\drivers\afd.sys

2012-06-08 00:25 . 2009-07-14 01:45 1898576 ----a-w- c:\windows\SysWow64\drivers\tcpip.sys

2012-06-07 14:56 . 2012-05-08 14:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF415FE9-174C-4BCF-AB87-540B85CC26D2}\mpengine.dll

2012-06-06 00:20 . 2012-05-08 14:02 8955792 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-06-03 03:01 . 2012-06-03 03:01 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{11016DAD-196D-4DC1-B2DD-B6B4D4499279}\gapaengine.dll

2012-06-03 02:56 . 2012-06-03 02:56 -------- d-----w- c:\program files (x86)\Microsoft Security Client

2012-06-03 02:56 . 2012-06-03 02:56 -------- d-----w- c:\program files\Microsoft Security Client

2012-06-03 02:56 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys

2012-06-02 16:40 . 2012-06-02 16:40 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-06-02 16:40 . 2012-06-02 16:40 -------- d-----w- c:\windows\system32\Macromed

2012-06-01 18:05 . 2012-06-01 19:51 -------- d-----w- c:\users\Matt\AppData\Roaming\wargaming.net

2012-06-01 18:05 . 2012-06-01 18:05 -------- d--h--w- c:\windows\msdownld.tmp

2012-06-01 18:05 . 2012-06-01 18:05 -------- d-----w- C:\Games

2012-05-30 00:49 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ACA6B8E3-B2BB-48CF-9857-F089CFDB2ECE}\mpengine.dll

2012-05-25 20:27 . 2012-05-28 18:07 281032 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr

2012-05-25 20:24 . 2012-05-25 20:24 -------- d-----w- c:\users\Matt\AppData\Local\PunkBuster

2012-05-25 20:24 . 2012-05-25 20:24 -------- d-----w- c:\users\Matt\AppData\Local\CrashRpt

2012-05-25 20:23 . 2012-05-25 20:23 -------- d-----w- c:\program files (x86)\Microsoft Chart Controls

2012-05-19 22:58 . 2012-04-02 05:34 5504880 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-19 22:58 . 2012-04-02 04:46 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-05-19 22:58 . 2012-04-02 04:46 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-05-19 22:58 . 2012-04-02 03:01 3143680 ----a-w- c:\windows\system32\win32k.sys

2012-05-19 22:58 . 2012-04-02 05:26 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL

2012-05-19 22:58 . 2012-04-02 05:24 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll

2012-05-19 22:58 . 2012-04-02 05:24 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll

2012-05-19 22:58 . 2012-04-02 05:24 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll

2012-05-19 22:58 . 2012-04-02 04:40 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll

2012-05-19 22:58 . 2012-03-30 11:09 1895280 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-05-14 02:24 . 2012-03-03 06:29 1541120 ----a-w- c:\windows\system32\DWrite.dll

2012-05-14 02:24 . 2012-03-03 05:40 739840 ----a-w- c:\windows\SysWow64\d2d1.dll

2012-05-14 02:24 . 2012-03-03 06:29 320512 ----a-w- c:\windows\system32\d3d10_1core.dll

2012-05-14 02:24 . 2012-03-03 06:29 197120 ----a-w- c:\windows\system32\d3d10_1.dll

2012-05-14 02:24 . 2012-03-03 06:29 1837568 ----a-w- c:\windows\system32\d3d10warp.dll

2012-05-14 02:24 . 2012-03-03 06:29 902656 ----a-w- c:\windows\system32\d2d1.dll

2012-05-14 02:24 . 2012-03-03 05:40 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll

2012-05-14 02:24 . 2012-03-03 05:40 1170944 ----a-w- c:\windows\SysWow64\d3d10warp.dll

2012-05-14 02:24 . 2012-03-03 05:40 218624 ----a-w- c:\windows\SysWow64\d3d10_1core.dll

2012-05-14 02:24 . 2012-03-03 05:40 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll

2012-05-11 01:26 . 2012-03-17 07:55 75632 ----a-w- c:\windows\system32\drivers\partmgr.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-02 16:40 . 2011-06-19 20:07 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-05-28 18:07 . 2012-02-20 19:39 281032 ----a-w- c:\windows\SysWow64\PnkBstrB.exe

2012-05-28 01:49 . 2012-02-20 19:39 281032 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0

2012-05-27 19:18 . 2012-02-20 19:39 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe

2012-04-04 19:56 . 2010-03-08 23:17 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-21 00:44 . 2012-03-21 00:44 98688 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys

2012-03-21 00:44 . 2012-03-21 00:44 203888 ----a-w- c:\windows\system32\drivers\MpFilter.sys

.

.

((((((((((((((((((((((((((((( SnapShot@2012-06-05_23.15.17 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-02-27 02:31 . 2012-06-08 00:37 40448 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 05:10 . 2012-06-08 00:37 29392 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2010-02-27 02:11 . 2012-06-08 00:37 18902 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2622963059-1466397820-2052336788-1000_UserData.bin

- 2010-02-26 20:59 . 2012-06-05 16:53 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-02-26 20:59 . 2012-06-06 20:41 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2010-02-26 20:59 . 2012-06-05 16:53 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2010-02-26 20:59 . 2012-06-06 20:41 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-07-14 04:54 . 2012-06-06 20:41 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2009-07-14 04:54 . 2012-06-05 16:53 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-07-14 04:46 . 2012-06-06 00:20 72456 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat

- 2010-02-27 03:47 . 2012-06-04 02:41 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe

+ 2010-02-27 03:47 . 2012-06-07 00:44 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe

- 2010-02-27 03:47 . 2012-06-04 02:41 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe

+ 2010-02-27 03:47 . 2012-06-07 00:44 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe

+ 2010-02-27 03:47 . 2012-06-07 00:44 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe

- 2010-02-27 03:47 . 2012-06-04 02:41 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe

+ 2012-06-08 00:35 . 2012-06-08 00:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2012-06-05 23:14 . 2012-06-05 23:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2012-06-05 23:14 . 2012-06-05 23:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2012-06-08 00:35 . 2012-06-08 00:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2009-07-14 02:36 . 2012-06-03 03:06 626340 c:\windows\system32\perfh009.dat

+ 2009-07-14 02:36 . 2012-06-08 00:31 626340 c:\windows\system32\perfh009.dat

+ 2009-07-14 02:36 . 2012-06-08 00:31 110352 c:\windows\system32\perfc009.dat

- 2009-07-14 02:36 . 2012-06-03 03:06 110352 c:\windows\system32\perfc009.dat

- 2009-07-14 05:01 . 2012-06-05 23:14 388316 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2009-07-14 05:01 . 2012-06-08 00:34 388316 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

- 2010-02-27 03:47 . 2012-06-04 02:41 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe

+ 2010-02-27 03:47 . 2012-06-07 00:44 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe

+ 2010-02-27 03:47 . 2012-06-07 00:44 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe

- 2010-02-27 03:47 . 2012-06-04 02:41 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe

- 2010-02-27 03:47 . 2012-06-04 02:41 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe

+ 2010-02-27 03:47 . 2012-06-07 00:44 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe

+ 2010-02-27 03:47 . 2012-06-07 00:44 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe

- 2010-02-27 03:47 . 2012-06-04 02:41 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe

+ 2010-02-27 03:47 . 2012-06-07 00:44 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe

- 2010-02-27 03:47 . 2012-06-04 02:41 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe

- 2010-02-27 03:47 . 2012-06-04 02:41 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe

+ 2010-02-27 03:47 . 2012-06-07 00:44 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe

+ 2010-02-27 03:47 . 2012-06-07 00:44 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe

- 2010-02-27 03:47 . 2012-06-04 02:41 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe

+ 2012-04-30 18:38 . 2012-04-30 18:38 5011456 c:\windows\Installer\2e768b.msp

- 2010-02-27 03:47 . 2012-06-04 02:41 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe

+ 2010-02-27 03:47 . 2012-06-07 00:44 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe

- 2010-02-27 03:47 . 2012-06-04 02:41 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe

+ 2010-02-27 03:47 . 2012-06-07 00:44 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe

+ 2009-07-14 02:34 . 2012-06-08 00:21 10485760 c:\windows\system32\SMI\Store\Machine\schema.dat

- 2009-07-14 02:34 . 2012-06-05 23:10 10485760 c:\windows\system32\SMI\Store\Machine\schema.dat

+ 2011-04-10 22:47 . 2012-06-08 00:34 33764040 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2622963059-1466397820-2052336788-1000-12288.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]

"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-11-25 1242448]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="c:\program files (x86)\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-29 32768]

"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"NBKeyScan"="c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]

"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

hp psc 2000 Series.lnk - c:\program files (x86)\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2004-6-16 323646]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 0 (0x0)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux2"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]

S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-05-21 378472]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

.

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 660360]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.swagbucks.com/?cmd=home

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 10.0.0.1

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2622963059-1466397820-2052336788-1000\Software\SecuROM\License information*]

"datasecu"=hex:5c,2c,9e,39,d6,ed,17,10,56,ab,bb,cb,73,ae,20,54,9b,55,64,fa,02,

e5,e9,ee,98,a2,dd,88,7e,4d,99,7a,87,6e,8d,1b,8f,52,90,62,72,59,40,9f,68,6d,\

"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe

c:\windows\SysWOW64\IoctlSvc.exe

c:\windows\SysWOW64\PnkBstrA.exe

c:\program files (x86)\Common Files\Nero\Lib\NMIndexingService.exe

.

**************************************************************************

.

Completion time: 2012-06-07 20:42:17 - machine was rebooted

ComboFix-quarantined-files.txt 2012-06-08 00:42

.

Pre-Run: 371,687,411,712 bytes free

Post-Run: 371,520,974,848 bytes free

.

- - End Of File - - 9A2CEBFC8526BBD0A14A64EC78AFADE2


Maniac,

The system is running much better than it was last weekend. I have confirmed that Malwarebytes no longer can find the trojan and I have also installed MS Security Essentials for additional AV help. It looks like everything is cleared up as the Firewall is now back and I can configure as needed.

I think we are good to go if you agree.......


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.