WTMorgan Posted September 19, 2012 ID:598785 Share Posted September 19, 2012 When I run MBAM it finds three viruses: Security.Hijack , PUM.Hijack.Regedit , PUM.Security.Hijack. MBAM then says in order to remove these files must restart. After restart I then run MBAM again and all three viruses are back. Please help with removal. Thanks.DDS (Ver_2011-08-26.01) - NTFSx86Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31Run by williamm at 8:43:48 on 2012-09-19Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3536.2157 [GMT -4:00].AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}.============== Running Processes ===============.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k RPCSSC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_450b431403c091e3\STacSV.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\WUDFHost.exeC:\Windows\system32\svchost.exe -k NetworkServiceC:\Program Files\AVAST Software\Avast\AvastSvc.exeC:\Windows\System32\spoolsv.exeC:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exeC:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Program Files\Altiris\Dagent\AClient.exeC:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Cisco Systems\VPN Client\cvpnd.exeC:\Program Files\Intel\AMT\LMS.exeC:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exeC:\Program Files\McAfee\Common Framework\FrameworkService.exeC:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\McAfee\VirusScan Enterprise\mfeann.exeC:\Windows\system32\mfevtps.exeC:\Windows\system32\conhost.exec:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exeC:\Windows\system32\rserver30\RServer3.exeC:\Program Files\McAfee\Common Framework\naPrdMgr.exeC:\Windows\system32\svchost.exe -k imgsvcC:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exeC:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exeC:\Program Files\McAfee\SiteAdvisor Enterprise\saHookMain.exeC:\Windows\system32\conhost.exeC:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exeC:\Program Files\Common Files\McAfee\SystemCore\mcshield.exeC:\Program Files\Altiris\Dagent\dagent.exeC:\Windows\system32\wbem\wmiprvse.exec:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exec:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exeC:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exeC:\Windows\System32\svchost.exe -k secsvcsC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Windows\system32\taskhost.exeC:\Program Files\McAfee\Common Framework\UdaterUI.exeC:\Program Files\McAfee\Common Framework\McTray.exeC:\Program Files\DellTPad\Apoint.exeC:\Program Files\IDT\WDM\sttray.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Windows\system32\igfxsrvc.exeC:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exeC:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exeC:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exeC:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exeC:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exeC:\Program Files\DellTPad\ApMsgFwd.exeC:\Program Files\Altiris\Dagent\dagentui.exeC:\Program Files\DellTPad\HidFind.exeC:\Program Files\DellTPad\Apntex.exeC:\Windows\system32\conhost.exeC:\Program Files\Common Files\Java\Java Update\jusched.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\AVAST Software\Avast\AvastUI.exeC:\Windows\system32\rserver30\FamItrfc.ExeC:\Windows\system32\rserver30\FamItrfc.ExeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exeC:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exeC:\Windows\system32\igfxext.exeC:\Windows\system32\SearchIndexer.exeC:\Program Files\Avaya\IP Office\Phone Manager\PhoneManager.exeC:\Program Files\Common Files\InstallShield\UpdateService\agent.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Common Files\Java\Java Update\jucheck.exeC:\Windows\system32\taskeng.exeC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\SearchFilterHost.exeC:\Windows\system32\DllHost.exeC:\Windows\system32\conhost.exe.============== Pseudo HJT Report ===============.uStart Page = hxxp://mis00005/uDefault_Page_URL = hxxp://mis00005/uWindow Title = Windows Internet Explorer provided by Mount Vernon MillsuInternet Settings,ProxyServer = mvext02a:8080uInternet Settings,ProxyOverride = <local>BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No FileBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dllBHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No FileBHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dllBHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120827092227.dllBHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dllBHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dllBHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllTB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dllTB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dllTB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dlluRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduleruRun: [Obyksok] c:\users\williamm\appdata\roaming\itlys\uxel.exemRun: [Apoint] c:\program files\delltpad\Apoint.exemRun: [sysTrayApp] c:\program files\idt\wdm\sttray.exemRun: [igfxTray] c:\windows\system32\igfxtray.exemRun: [HotKeysCmds] c:\windows\system32\hkcmd.exemRun: [Persistence] c:\windows\system32\igfxpers.exemRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exemRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startupmRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exemRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"mRun: [uSCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exemRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"mRun: [Client Access Service] c:\program files\ibm\client access\cwbsvstr.exemRun: [DagentUI] c:\program files\altiris\dagent\dagentui.exemRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startupmRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscriptmRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONEmRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKeymRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /noguiStartupFolder: c:\users\williamm\appdata\roaming\micros~1\windows\startm~1\programs\startup\phonem~1.lnk - c:\program files\avaya\ip office\phone manager\PhoneManager.exeStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exeStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exeStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\Icon3E5562ED7.icouPolicies-explorer: DisablePersonalDirChange = 1 (0x1)uPolicies-explorer: NoWindowsUpdate = 1 (0x1)uPolicies-explorer: NoWelcomeScreen = 1 (0x1)uPolicies-explorer: NoDFSTab = 1 (0x1)uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)uPolicies-explorer: DisallowRun = 1 (0x1)uPolicies-disallowrun: 1 = regedit.exeuPolicies-disallowrun: 2 = regedt32.exeuPolicies-system: ConnectHomeDirToRoot = 0 (0x0)uPolicies-system: HideLogoffScripts = 1 (0x1)uPolicies-system: DisableRegistryTools = 1 (0x1)uPolicies-system: HideLogonScripts = 1 (0x1)uPolicies-system: HideLegacyLogonScripts = 1 (0x1)mPolicies-explorer: NoWelcomeScreen = 1 (0x1)mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)mPolicies-system: EnableLUA = 0 (0x0)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)mPolicies-system: PromptOnSecureDesktop = 0 (0x0)mPolicies-system: SynchronousMachineGroupPolicy = 1 (0x1)mPolicies-system: SynchronousUserGroupPolicy = 1 (0x1)mPolicies-system: RunLogonScriptSync = 0 (0x0)mPolicies-system: HideShutdownScripts = 0 (0x0)mPolicies-system: MaxGPOScriptWait = 150 (0x96)IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office11\EXCEL.EXE/3000IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office11\REFIEBAR.DLLTrusted Zone: infor.com\eam.hostingTrusted Zone: infor.com\eam.hostingDPF: {0DE70C1A-5136-45F6-95DA-B81CCF0DA5B3} - hxxps://gosystemrs.fasttax.com/OCX/RIARSDocumentum.cabDPF: {13F71666-05F2-11D2-B2F6-00A0C9A08B64} - hxxps://gosystemrs.fasttax.com/OCX/comconv.cabDPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} - hxxps://gosystemrs.fasttax.com/OCX/RSLoginModule.cabDPF: {2EC07293-4DF5-11D5-992B-0001020FC1FC} - hxxps://gosystemrs.fasttax.com/OCX/comconv.cabDPF: {455182EE-8F93-11D2-BA3C-00C04F7F6533} - hxxps://gosystemrs.fasttax.com/OCX/RSTabbedList.cabDPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxps://gosystemrs.fasttax.com/OCX/iftwclix.cabDPF: {7B640A40-EEC1-11D2-B526-00C04F8DEE99} - hxxps://gosystemrs.fasttax.com/OCX/WebAttachments.cabDPF: {82BFFC8C-B4BD-11D4-9908-000102053AFB} - hxxps://gosystemrs.fasttax.com/OCX/webnotifier.cabDPF: {86B092BC-7ABA-11D4-98E7-000102053AFB} - hxxps://gosystemrs.fasttax.com/OCX/Downloader.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cabDPF: {973EA5BE-9ED6-11D3-AB1D-00C04F7468E4} - hxxps://gosystemrs.fasttax.com/OCX/DCParse.cabDPF: {97A90946-2984-11D3-AAE7-00C04F7468E4} - hxxps://gosystemrs.fasttax.com/OCX/frmsrc.cabDPF: {C945E31A-102E-4A0D-8854-D599D7AED5FA} - hxxps://gosystemrs.fasttax.com/OCX/vsflex8.cabDPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cabDPF: {D76D712E-4A96-11D3-BD95-D296DC2DD072} - hxxps://gosystemrs.fasttax.com/OCX/vsflex7.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabDPF: {FB39A004-AB8F-402A-A14E-16AE22187426} - hxxp://mis00005/XMLReporting/cabs/mvm.cabTCP: DhcpNameServer = 10.10.3.10 10.10.61.12TCP: Interfaces\{D004F751-6758-40C7-B852-F4015FD9FA95}\7414D45434F434B435 : DhcpNameServer = 24.178.162.3 66.189.0.100 24.217.201.67TCP: Interfaces\{D4873FD4-7D53-4FAE-AAB3-5138817C5E01} : DhcpNameServer = 10.10.3.10 10.10.61.12TCP: Interfaces\{DE831789-34DA-4A70-9855-35928A7EB12E} : DhcpNameServer = 192.168.0.1TCP: Interfaces\{FDC89687-48FF-4818-BED7-890120E0FB12} : DhcpNameServer = 192.168.0.1Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dllHandler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dllHandler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dllHandler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dllNotify: igfxcui - igfxdev.dllSTS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dllLSA: Authentication Packages = msv1_0 wvauthmASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12.================= FIREFOX ===================.FF - ProfilePath - c:\users\williamm\appdata\roaming\mozilla\firefox\profiles\33i9inzc.default\FF - prefs.js: browser.startup.homepage - hxxps://webmail.mvmills.comFF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dllFF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dllFF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dllFF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dllFF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dllFF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dllFF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dllFF - plugin: c:\program files\mozilla firefox\plugins\NPcol500.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dllFF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dllFF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dllFF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dllFF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dllFF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_270.dll.---- FIREFOX POLICIES ----FF - user.js: network.cookie.cookieBehavior - 0FF - user.js: privacy.clearOnShutdown.cookies - falseFF - user.js: security.warn_viewing_mixed - falseFF - user.js: security.warn_viewing_mixed.show_once - falseFF - user.js: security.warn_submit_insecure - falseFF - user.js: security.warn_submit_insecure.show_once - false.============= SERVICES / DRIVERS ===============.R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2012-8-27 461864]R0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-8-27 164840]R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2009-10-9 46304]R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]R2 Altiris Deployment Agent;Altiris Deployment Agent;c:\program files\altiris\dagent\dagent.exe [2009-8-11 1246544]R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-9-18 58680]R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-9-18 44808]R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-4-27 293968]R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-6-26 812392]R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-6-26 26984]R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-7-16 382752]R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\mcafee\siteadvisor enterprise\McSACore.exe [2011-10-24 165440]R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-11-15 132672]R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2012-8-27 166024]R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2011-9-14 209760]R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-8-27 148520]R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2009-10-9 1242504]R2 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\sonicwall\sonicwall global vpn client\SWGVCSvc.exe [2012-4-3 228824]R2 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [2012-9-11 84112]R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-11-17 2058776]R3 atrsdfw;atrsdfw;c:\windows\system32\drivers\atrsdfw.sys [2009-12-8 9728]R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2009-11-17 33832]R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2009-11-17 221912]R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-11-17 122368]R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-9-19 40776]R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2012-8-27 180072]R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2012-8-27 59288]R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2009-10-9 3328]R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-11-17 4231680]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-21 136176]S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-1-21 100864]S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-21 136176]S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-8-27 87808]S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-4 113120]S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2010-4-29 54416]S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2010-4-29 160272]S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2010-4-29 160272]S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2010-4-29 11920]S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2010-4-29 113680]S3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2009-11-17 47104]S3 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2009-11-17 49152]S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2009-11-17 38400]S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [2012-2-7 21016].=============== Created Last 30 ================.2012-09-19 12:09:51 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2012-09-18 14:45:21 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys2012-09-18 14:44:51 41224 ----a-w- c:\windows\avastSS.scr2012-09-18 14:44:36 -------- d-----w- c:\programdata\AVAST Software2012-09-18 14:44:36 -------- d-----w- c:\program files\AVAST Software2012-09-11 20:38:08 -------- d-----w- c:\users\williamm\appdata\roaming\SonicWALL2012-09-11 20:35:13 -------- d-----w- c:\users\williamm\appdata\roaming\Stardock2012-09-11 20:35:12 -------- dc-h--w- c:\programdata\{A3A26C56-02C3-4F76-A033-12EE2FB52AE6}2012-09-11 20:35:11 -------- d-----w- c:\program files\Stardock2012-09-11 20:35:00 -------- d-----w- c:\users\williamm\appdata\local\PackageAware2012-09-11 20:34:32 84112 ----a-w- c:\windows\system32\drivers\SWIPsec.sys2012-09-11 20:33:52 -------- d-----w- c:\program files\SonicWALL2012-09-11 20:29:27 18268224 ----a-w- C:\GVCSetup32_4.7.3.0403_EN.exe2012-09-11 15:49:55 -------- d-----w- c:\program files\PDFBinder2012-08-27 16:01:55 185920 ----a-w- c:\program files\mozilla firefox\distribution\bundles\{b7082faa-cb62-4872-9106-e42dd88ede45}\components\McFFPlg.dll2012-08-27 14:51:46 7023536 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{6eea6482-ee7e-47a1-90b8-c713f4e4db4f}\mpengine.dll2012-08-27 13:22:27 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys2012-08-27 13:22:27 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll2012-08-27 13:22:27 28504 ----a-w- c:\program files\mozilla firefox\ScriptFF.dll2012-08-27 13:22:26 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys2012-08-27 13:22:26 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys2012-08-27 13:22:25 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys2012-08-27 13:22:25 119968 ----a-w- c:\windows\system32\drivers\mfeapfk.sys2012-08-27 13:22:23 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys2012-08-27 13:22:07 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys2012-08-27 13:22:07 148520 ----a-w- c:\windows\system32\mfevtps.exe2012-08-24 12:34:16 -------- d-----w- c:\users\williamm\appdata\roaming\Malwarebytes.==================== Find3M ====================.2012-09-19 12:09:19 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys2012-09-07 21:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys2012-08-27 13:21:41 22816 ----a-w- c:\windows\system32\MFEOtlk.dll2012-08-16 14:22:16 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2012-08-16 14:22:16 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe2012-08-14 19:42:51 5877184 ----a-w- c:\windows\FramePkg.exe.============= FINISH: 8:44:56.43 ===============Attach.txt Link to post Share on other sites More sharing options...
MrCharlie Posted September 19, 2012 ID:598791 Share Posted September 19, 2012 Welcome to the forum.Can you post the log from MB that shows the items in question.Then........Please remove any usb or external drives from the computer before you run this scan!Please download and run RogueKiller to your desktop.Quit all running programs.For Windows XP, double-click to start.For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.Click Scan to scan the system.When the scan completes > Close out the program > Don't Fix anything!Don't run any other options, they're not all bad!!!!!!!Post back the report which should be located on your desktop.MrC Link to post Share on other sites More sharing options...
WTMorgan Posted September 19, 2012 Author ID:598795 Share Posted September 19, 2012 I am running a quick scan with MBAM to post an updated log. I tried to download RogueKiller from the link you posted above, but McAfee Site Advisor is blocking the webpage and showing it as a threat. I read the thread in the pinned section about disabling anti viruses software and so far all I have found is how to turn off active virus scanning. What do you suggest? Also, when you say to quit all running programs. Do you mean to just close out of I.E. and any other programs that are currently open? Link to post Share on other sites More sharing options...
WTMorgan Posted September 19, 2012 Author ID:598799 Share Posted September 19, 2012 Update: I was able to download RogueKiller. I will post back once I have the logs you requested. Thanks Link to post Share on other sites More sharing options...
WTMorgan Posted September 19, 2012 Author ID:598803 Share Posted September 19, 2012 Malwarebytes Anti-Malware 1.65.0.1400www.malwarebytes.orgDatabaseversion: v2012.09.18.07Windows 7 x86 NTFSInternet Explorer 9.0.8112.16421williamm :: MIS00936 [administrator]9/19/2012 9:21:19 AMmbam-log-2012-09-19 (09-38-01).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 303574Time elapsed: 16 minute(s), 34 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 2HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|1 (Security.Hijack) -> Data: regedit.exe -> No action taken.HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|2 (PUM.Security.Hijack) -> Data: regedt32.exe -> No action taken.Registry Data Items Detected: 1HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end)RogueKiller V8.0.4 [09/19/2012] by Tigzymail: tigzyRK<at>gmail<dot>comFeedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/Blog: http://tigzyrk.blogspot.comOperatingSystem: Windows 7 (6.1.7600 ) 32 bits versionStarted in : Normal modeUser : williamm [Admin rights]Mode : Scan -- Date : 09/19/2012 09:40:04¤¤¤ Bad processes : 0 ¤¤¤¤¤¤ Registry Entries : 11 ¤¤¤[RUN][sUSP PATH] HKCU\[...]\Run : Obyksok (C:\Users\williamm\AppData\Roaming\Itlys\uxel.exe) -> FOUND[RUN][sUSP PATH] HKUS\S-1-5-21-2064384965-857829418-339680022-36834[...]\Run : Obyksok (C:\Users\williamm\AppData\Roaming\Itlys\uxel.exe) -> FOUND[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (mvext02a:8080) -> FOUND[HJPOL] HKCU\[...]\System : DisableRegistryTools (1) -> FOUND[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver : [LOADED] ¤¤¤¤¤¤ Infection : ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> C:\Windows\system32\drivers\etc\hosts¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: ST980313AS +++++--- User ---[MBR] d494292b87e1bf1e714dace98ec179e5[bSP] 2f1febd8e889e31a2d86d65efc33907b : MBR Code unknownPartition table:0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 760 Mo2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1638630 | Size: 75516 MoUser = LL1 ... OK!User = LL2 ... OK!Finished : << RKreport[1].txt >>RKreport[1].txt Link to post Share on other sites More sharing options...
MrCharlie Posted September 19, 2012 ID:598806 Share Posted September 19, 2012 Run RogueKiller again and click ScanWhen the scan completes > click on the Registry tabPut a check next to all of these and uncheck the rest: (if found)¤¤¤ Registry Entries : 11 ¤¤¤[RUN][sUSP PATH] HKCU\[...]\Run : Obyksok (C:\Users\williamm\AppData\Roaming\Itlys\uxel.exe) -> FOUND[RUN][sUSP PATH] HKUS\S-1-5-21-2064384965-857829418-339680022-36834[...]\Run : Obyksok (C:\Users\williamm\AppData\Roaming\Itlys\uxel.exe) -> FOUND[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (mvext02a:8080) -> FOUND[HJPOL] HKCU\[...]\System : DisableRegistryTools (1) -> FOUND[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUNDNow click Delete on the right hand column under Options~~~~~~~~~~~~~~~~~~~~~~~~~~~~Delete this folder:You may have to enable hidden files to see it:http://www.howtogeek...-windows-vista/C:\Users\williamm\AppData\Roaming\Itlys~~~~~~~~~~~~~~~~~~~~~~~~~~~~Reboot and scan the system again with RogueKiller and post the new log, MrC Link to post Share on other sites More sharing options...
WTMorgan Posted September 19, 2012 Author ID:598814 Share Posted September 19, 2012 RogueKiller V8.0.4 [09/19/2012] by Tigzymail: tigzyRK<at>gmail<dot>comFeedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/Blog: http://tigzyrk.blogspot.comOperatingSystem: Windows 7 (6.1.7600 ) 32 bits versionStarted in : Normal modeUser : williamm [Admin rights]Mode : Scan -- Date : 09/19/2012 10:16:18¤¤¤ Bad processes : 0 ¤¤¤¤¤¤ Registry Entries : 7 ¤¤¤[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp://mvext02a:8080) -> FOUND[HJPOL] HKCU\[...]\System : DisableRegistryTools (1) -> FOUND[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver : [LOADED] ¤¤¤¤¤¤ Infection : ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> C:\Windows\system32\drivers\etc\hosts¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: ST980313AS +++++--- User ---[MBR] d494292b87e1bf1e714dace98ec179e5[bSP] 2f1febd8e889e31a2d86d65efc33907b : MBR Code unknownPartition table:0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 760 Mo2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1638630 | Size: 75516 MoUser = LL1 ... OK!User = LL2 ... OK!Finished : << RKreport[4].txt >>RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt Link to post Share on other sites More sharing options...
MrCharlie Posted September 19, 2012 ID:598816 Share Posted September 19, 2012 Please Update and run a Quick Scan with MBAM, post the report.Make sure that everything is checked, and click Remove Selected.~~~~~~~~~~~~~~~~~Reboot and run another quick scan and lets see what's left.MrC Link to post Share on other sites More sharing options...
WTMorgan Posted September 19, 2012 Author ID:598824 Share Posted September 19, 2012 Per your request above, I ran MBAM again. It found all three viruses again. I check to remove and reboot. Re-ran MBAM and it again found all three viruses. Malwarebytes Anti-Malware 1.65.0.1400www.malwarebytes.orgDatabaseversion: v2012.09.19.09Windows 7 x86 NTFSInternet Explorer 9.0.8112.16421williamm :: MIS00936 [administrator]9/19/2012 10:45:21 AMmbam-log-2012-09-19 (10-58-05).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 301808Time elapsed: 12 minute(s), 39 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 2HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|1 (Security.Hijack) -> Data: regedit.exe -> No action taken.HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|2 (PUM.Security.Hijack) -> Data: regedt32.exe -> No action taken.Registry Data Items Detected: 1HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end) Link to post Share on other sites More sharing options...
MrCharlie Posted September 19, 2012 ID:598828 Share Posted September 19, 2012 Please download and unzip the attached findit.zip to your desktopDouble click on the findit.batlook.txt should be created, please copy and paste it back here.MrC Link to post Share on other sites More sharing options...
WTMorgan Posted September 19, 2012 Author ID:598835 Share Posted September 19, 2012 Thanks for all your help. When I double click the findit.bat file the black dos prompt opens up, but then a message box appears and says "Registry editing has been disabled by your administrator". This a company computer. I previously told IT about this problem and they worked on my computer and said they had fixed it, but the viruses still showed up in MBAM. Link to post Share on other sites More sharing options...
MrCharlie Posted September 19, 2012 ID:598846 Share Posted September 19, 2012 Please backup the registry first:http://www.geekstogo...ry-using-erunt/~~~~~~~~~~~~~~~~~Here's a couple of ways to enable it:http://www.mydigital...-administrator/Let me know, MrC Link to post Share on other sites More sharing options...
WTMorgan Posted September 19, 2012 Author ID:598897 Share Posted September 19, 2012 When I try run this command in "GPEdit.msc" I get a message that says this is restricte by policy. I guess I will pass my computer back to the IT department and let them have another try at removing these viruses. I just wanted to let you know so you can close the thread. Thank you again for all your help. This is a really great website! Link to post Share on other sites More sharing options...
MrCharlie Posted September 19, 2012 ID:598902 Share Posted September 19, 2012 OK, Good Luck.....MrC Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 20, 2012 ID:599286 Share Posted September 20, 2012 Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts