Jump to content

for MrC


Recommended Posts

Lets see, we had ran several scans starting with RogueKiller, ListParts64, tdsskiller, and finally ComboFix. You had informed me that all previous scans were clear. I had removed a few trojans prior to posting and "might" have gotten them all. To help jog your memory you also wanted me to delete some P2P software "utorrent". Anyways I had just finished runing combofix. I do have the logs from the previous scans saved to a drive if you need them just ask.

Here is the log.

ComboFix 12-10-31.03 - BB 11/01/2012 15:53:06.1.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.16237.14101 [GMT -4:00]

Running from: c:\users\BB\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}

FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2012-10-01 to 2012-11-01 )))))))))))))))))))))))))))))))

.

.

2012-11-01 19:55 . 2012-11-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-10-29 03:43 . 2012-10-29 03:43 -------- d-----w- c:\program files (x86)\VideoLAN

2012-10-29 03:39 . 2012-10-29 03:39 -------- d-----w- c:\program files (x86)\Hobbyist Software

2012-10-29 01:34 . 2012-10-29 01:34 -------- d-----w- c:\program files\GIGABYTE

2012-10-29 01:34 . 2012-03-08 13:53 22128 ----a-w- c:\windows\system32\drivers\AppleCharger.sys

2012-10-29 01:34 . 2010-04-06 20:30 31272 ----a-w- c:\windows\system32\AppleChargerSrv.exe

2012-10-28 04:22 . 2012-10-28 04:22 -------- d-----w- c:\program files (x86)\Google

2012-10-27 05:43 . 2012-10-27 05:43 -------- d-----w- c:\program files\Microsoft Silverlight

2012-10-27 05:43 . 2012-10-27 05:43 -------- d-----w- c:\program files (x86)\Microsoft Silverlight

2012-10-27 04:04 . 2010-07-08 08:32 22792 ----a-w- c:\windows\system32\drivers\SaiMini.sys

2012-10-27 04:03 . 2012-10-27 04:03 -------- d-----w- c:\program files\Saitek

2012-10-27 04:03 . 2012-10-27 04:03 -------- d-----w- c:\programdata\Saitek

2012-10-26 15:19 . 2012-10-26 15:19 -------- d-----w- C:\Brother

2012-10-26 15:19 . 2012-10-26 15:19 -------- d-----w- c:\program files (x86)\Browny02

2012-10-26 15:19 . 2010-08-03 00:57 217088 ----a-w- c:\windows\SysWow64\NSSearch.dll

2012-10-26 15:19 . 2010-03-15 23:56 2560 ----a-w- c:\windows\SysWow64\BrDctF2S.dll

2012-10-26 15:19 . 2010-03-15 23:45 73728 ----a-w- c:\windows\SysWow64\BrDctF2.dll

2012-10-26 15:19 . 2007-12-14 02:16 5120 ----a-w- c:\windows\SysWow64\BrDctF2L.dll

2012-10-26 15:19 . 2010-02-05 15:42 180224 ------w- c:\windows\SysWow64\BroSNMP.dll

2012-10-26 07:13 . 2012-10-26 07:13 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help

2012-10-26 07:01 . 2012-10-26 07:13 -------- d-----w- c:\program files (x86)\Microsoft Works

2012-10-26 07:01 . 2012-10-26 07:01 -------- d-----w- c:\windows\PCHEALTH

2012-10-26 06:58 . 2012-10-26 06:58 -------- d-----w- c:\program files\Microsoft Office

2012-10-26 06:58 . 2012-10-26 06:58 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 8

2012-10-26 06:36 . 2012-10-26 06:36 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2012-10-26 03:42 . 2012-10-26 03:42 -------- d-----w- c:\program files (x86)\Common Files\Adobe

2012-10-26 03:24 . 2012-10-27 03:51 -------- d-----w- c:\programdata\Microsoft Help

2012-10-25 22:31 . 2012-10-25 22:31 -------- d-----w- c:\program files (x86)\Conduit

2012-10-24 19:03 . 2012-10-24 19:03 -------- d-----w- c:\programdata\Malwarebytes

2012-10-24 19:03 . 2012-09-29 23:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-10-24 19:03 . 2012-10-24 19:03 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-10-24 09:10 . 2012-10-24 09:10 -------- d-----w- c:\windows\system32\appmgmt

2012-10-24 07:45 . 2012-10-24 07:45 -------- d-----w- c:\programdata\Apple

2012-10-24 05:13 . 2012-10-24 09:10 -------- d-----w- c:\programdata\Skype

2012-10-23 19:01 . 2011-09-14 10:16 32360 ----a-w- c:\windows\system32\drivers\ndisrd.sys

2012-10-22 21:46 . 2012-10-31 20:51 281520 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr

2012-10-22 21:41 . 2012-10-22 21:41 -------- d-----w- c:\program files (x86)\Battlelog Web Plugins

2012-10-22 21:39 . 2012-10-24 20:33 -------- d-----w- c:\programdata\EA Logs

2012-10-22 21:39 . 2012-10-22 21:39 -------- d-----w- c:\programdata\EA Core

2012-10-22 19:10 . 2012-10-30 06:45 25640 ----a-w- c:\windows\etdrv.sys

2012-10-22 19:09 . 2012-10-30 06:43 30528 ----a-w- c:\windows\GVTDrv64.sys

2012-10-22 19:08 . 2012-10-22 19:08 -------- d--h--w- c:\program files (x86)\Common Files\EAInstaller

2012-10-22 19:08 . 2012-10-31 20:51 281520 ----a-w- c:\windows\SysWow64\PnkBstrB.exe

2012-10-22 19:08 . 2012-10-31 20:51 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0

2012-10-22 19:07 . 2012-10-24 20:37 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe

2012-10-22 19:07 . 2008-10-15 10:22 5631312 ----a-w- c:\windows\system32\D3DX9_40.dll

2012-10-22 19:07 . 2008-10-15 10:22 519000 ----a-w- c:\windows\system32\d3dx10_40.dll

2012-10-22 19:07 . 2008-10-15 10:22 452440 ----a-w- c:\windows\SysWow64\d3dx10_40.dll

2012-10-22 19:07 . 2008-10-15 10:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll

2012-10-22 19:07 . 2008-10-15 10:22 2605920 ----a-w- c:\windows\system32\D3DCompiler_40.dll

2012-10-22 19:07 . 2008-10-15 10:22 2036576 ----a-w- c:\windows\SysWow64\D3DCompiler_40.dll

2012-10-22 18:18 . 2012-10-22 21:39 -------- d-----w- c:\programdata\Electronic Arts

2012-10-22 18:18 . 2012-10-22 18:21 -------- d-----w- c:\program files (x86)\Origin Games

2012-10-22 18:18 . 2012-10-22 18:21 -------- d-----w- c:\programdata\Origin

2012-10-22 18:18 . 2012-10-27 16:04 -------- d-----w- c:\program files (x86)\Origin

2012-10-22 18:07 . 2012-10-26 15:19 -------- d-----w- c:\program files (x86)\Brother

2012-10-22 18:06 . 2012-10-22 18:11 -------- d-----w- c:\programdata\Brother

2012-10-22 18:03 . 2012-10-29 01:34 -------- d-----w- c:\program files (x86)\GIGABYTE

2012-10-22 18:03 . 2012-10-30 06:45 25640 ----a-w- c:\windows\gdrv.sys

2012-10-22 17:53 . 2012-10-22 17:53 -------- d-----w- c:\program files\7-Zip

2012-10-22 17:38 . 2012-10-31 22:58 -------- d-----w- c:\program files (x86)\EVGA Precision X

2012-10-22 09:52 . 2012-10-22 09:52 -------- d-sh--w- c:\windows\system32\%APPDATA%

2012-10-22 09:50 . 2012-10-22 17:33 -------- d-----w- c:\program files (x86)\Razer

2012-10-22 09:50 . 2012-10-22 09:50 -------- d-----w- c:\programdata\Razer

2012-10-22 09:45 . 2008-10-27 14:04 518480 ----a-w- c:\windows\system32\XAudio2_3.dll

2012-10-22 09:32 . 2012-10-22 09:32 -------- d-----w- c:\program files (x86)\SystemRequirementsLab

2012-10-22 09:32 . 2012-10-22 09:32 -------- d-----w- c:\program files (x86)\Common Files\Java

2012-10-22 09:31 . 2012-10-22 09:31 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2012-10-22 09:31 . 2012-10-22 09:31 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll

2012-10-22 09:31 . 2012-10-22 09:31 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2012-10-22 09:31 . 2012-10-22 09:31 -------- d-----w- c:\program files (x86)\Java

2012-10-22 09:08 . 2012-10-22 09:08 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-10-22 09:08 . 2012-10-22 09:08 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-10-22 09:08 . 2012-10-22 09:08 -------- d-----w- c:\windows\SysWow64\Macromed

2012-10-22 09:08 . 2012-10-22 09:08 -------- d-----w- c:\windows\system32\Macromed

2012-10-22 06:52 . 2012-10-22 02:57 -------- d-----w- c:\windows\Panther

2012-10-22 06:43 . 2012-10-30 20:30 -------- d-----w- c:\windows\Downloaded Program Files

2012-10-22 05:16 . 2012-10-22 05:21 -------- d-----w- c:\program files (x86)\Samsung SSD Magician

2012-10-22 05:16 . 2012-10-22 05:16 -------- d-----w- c:\programdata\Samsung

2012-10-22 05:09 . 2012-04-20 20:40 196440 ----a-w- c:\windows\system32\drivers\HipShieldK.sys

2012-10-22 05:09 . 2012-09-14 20:26 73096 ----a-w- c:\windows\system32\drivers\McPvDrv.sys

2012-10-22 05:09 . 2012-10-22 05:09 -------- d-----w- c:\program files (x86)\Common Files\McAfee

2012-10-22 05:09 . 2012-07-17 18:51 10288 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2012-10-22 05:09 . 2012-07-17 18:55 69672 ----a-w- c:\windows\system32\drivers\cfwids.sys

2012-10-22 05:09 . 2012-07-17 18:51 106112 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2012-10-22 05:09 . 2012-07-17 18:49 513456 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2012-10-22 05:09 . 2012-07-17 18:48 300392 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2012-10-22 05:09 . 2012-10-22 05:09 -------- d-----w- c:\program files\Common Files\McAfee

2012-10-22 05:09 . 2012-10-22 05:09 -------- d-----w- c:\program files\McAfee

2012-10-22 05:09 . 2012-10-22 23:31 -------- d-----w- c:\program files (x86)\McAfee

2012-10-22 05:01 . 2012-07-17 18:52 177144 ----a-w- c:\windows\system32\mfevtps.exe

2012-10-22 05:01 . 2012-10-24 09:00 -------- d-----w- c:\programdata\McAfee

2012-10-22 04:45 . 2012-10-24 19:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2012-10-22 04:42 . 2012-10-28 02:51 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service

2012-10-22 04:17 . 2012-10-26 07:01 -------- d-----w- c:\program files (x86)\Microsoft.NET

2012-10-22 04:07 . 2012-10-22 04:07 -------- d-----w- c:\windows\SysWow64\Wat

2012-10-22 04:07 . 2012-10-22 04:07 -------- d-----w- c:\windows\system32\Wat

2012-10-22 04:06 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll

2012-10-22 04:06 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll

2012-10-22 04:00 . 2012-09-28 04:18 65309168 ----a-w- c:\windows\system32\MRT.exe

2012-10-22 03:49 . 2012-10-17 06:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DBCDE71F-3EB4-4583-B021-127C4A23CFC5}\mpengine.dll

2012-10-22 03:48 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys

2012-10-22 03:48 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll

2012-10-22 03:48 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll

2012-10-22 03:48 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll

2012-10-22 03:48 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll

2012-10-22 03:46 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll

2012-10-22 03:46 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll

2012-10-22 03:39 . 2012-10-22 03:39 -------- d-----w- c:\programdata\Intel

2012-10-22 03:33 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll

2012-10-22 03:33 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll

2012-10-22 03:33 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys

2012-10-22 03:32 . 2012-11-01 15:10 -------- d-----w- c:\programdata\NVIDIA

2012-10-22 03:32 . 2012-10-22 04:07 -------- d-----w- c:\users\UpdatusUser

2012-10-22 03:32 . 2012-10-02 19:51 3536817 ----a-w- c:\windows\system32\nvcoproc.bin

2012-10-22 03:32 . 2012-10-02 19:51 3293544 ----a-w- c:\windows\system32\nvsvc64.dll

2012-10-22 03:32 . 2012-10-02 19:51 6200680 ----a-w- c:\windows\system32\nvcpl.dll

2012-10-22 03:32 . 2012-10-02 19:50 891240 ----a-w- c:\windows\system32\nvvsvc.exe

2012-10-22 03:32 . 2012-10-02 19:50 63336 ----a-w- c:\windows\system32\nvshext.dll

2012-10-22 03:32 . 2012-10-02 19:50 2557800 ----a-w- c:\windows\system32\nvsvcr.dll

2012-10-22 03:32 . 2012-10-02 19:50 118120 ----a-w- c:\windows\system32\nvmctray.dll

2012-10-22 03:32 . 2012-10-22 03:32 -------- d-----w- c:\programdata\NVIDIA Corporation

2012-10-22 03:32 . 2012-10-22 03:32 -------- d-----w- c:\program files (x86)\NVIDIA Corporation

2012-10-22 03:26 . 2012-08-07 07:09 88832 ----a-w- c:\windows\system32\drivers\EtronXHCI.sys

2012-10-22 03:26 . 2012-08-07 07:09 65152 ----a-w- c:\windows\system32\drivers\EtronHub3.sys

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-02 17:15 . 2012-10-02 17:15 430952 ----a-w- c:\windows\SysWow64\nvStreaming.exe

2012-09-12 08:33 . 2012-09-12 08:33 2782848 ----a-w- c:\windows\system32\drivers\kinonivd.sys

2012-09-12 08:33 . 2012-09-12 08:33 23040 ----a-w- c:\windows\system32\drivers\kinonivad.sys

2012-08-20 17:38 . 2012-10-22 03:47 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2012-08-17 07:01 . 2012-08-17 07:01 112640 ----a-w- c:\windows\system32\drivers\rzudd.sys

2012-08-17 07:01 . 2012-08-17 07:01 22016 ----a-w- c:\windows\system32\drivers\rzendpt.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EADM"="c:\program files (x86)\Origin\Origin.exe" [2012-10-27 3389080]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2012-04-23 507744]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-09-12 1535112]

"Razer Synapse"="c:\program files (x86)\Razer\Synapse\RzSynapse.exe" [2012-10-11 336304]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-24 926896]

"GrooveMonitor"="s:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]

.

c:\users\BB\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

EVGA Precision X.lnk - c:\program files (x86)\EVGA Precision X\EVGAPrecision.exe [2012-10-17 553800]

Samsung SSD Magician.lnk - c:\program files (x86)\Samsung SSD Magician\Samsung SSD Magician.exe [2012-10-22 2056192]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-28 116648]

R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-29 676936]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-22 250808]

R3 ALSysIO;ALSysIO;c:\users\BB\AppData\Local\Temp\ALSysIO64.sys [x]

R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [2010-04-06 31272]

R3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe [2010-01-25 245760]

R3 cphs;Intel® Content Protection HECI Service;c:\windows\SysWow64\IntelCpHeciSvc.exe [2012-10-10 277024]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]

R3 etdrv;etdrv;c:\windows\etdrv.sys [2012-10-30 25640]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-28 116648]

R3 GVTDrv64;GVTDrv64;c:\windows\GVTDrv64.sys [2012-10-30 30528]

R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-04-20 196440]

R3 KINONI_Wave;Kinoni Audio Source;c:\windows\system32\drivers\kinonivad.sys [2012-09-12 23040]

R3 kinonivd;Kinoni Video Source;c:\windows\system32\DRIVERS\kinonivd.sys [2012-09-12 2782848]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-29 25928]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-07-17 106112]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-10-27 115168]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-10-22 1255736]

S0 iaStorA;iaStorA;c:\windows\system32\DRIVERS\iaStorA.sys [2012-08-16 645952]

S0 iaStorF;iaStorF;c:\windows\system32\DRIVERS\iaStorF.sys [2012-08-16 27456]

S0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2012-09-14 73096]

S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-07-17 335784]

S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [2012-03-08 22128]

S1 ndisrd;WinpkFilter LightWeight Filter;c:\windows\system32\DRIVERS\ndisrd.sys [2011-09-14 32360]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-09-24 65192]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-29 399432]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]

S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]

S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]

S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-07-17 218320]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-07-17 177144]

S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-10-02 1258856]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-02 382824]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-08-08 2656536]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-07-17 69672]

S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys [2012-08-07 65152]

S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys [2012-08-07 88832]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 331264]

S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-19 56344]

S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-07-17 513456]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-07-03 189288]

S3 RTCore64;RTCore64;c:\program files (x86)\EVGA Precision X\RTCore64.sys [2012-10-17 15176]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-09-29 646248]

S3 rzendpt;rzendpt;c:\windows\system32\DRIVERS\rzendpt.sys [2012-08-17 22016]

S3 rzudd;Razer Mouse Driver;c:\windows\system32\DRIVERS\rzudd.sys [2012-08-17 112640]

S3 SaiK0836;SaiK0836;c:\windows\system32\DRIVERS\SaiK0836.sys [2010-06-17 172040]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-01 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-22 09:08]

.

2012-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-28 04:22]

.

2012-11-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-28 04:22]

.

2012-11-01 c:\windows\Tasks\RtlLanOptimizerVistaStart.job

- c:\program files (x86)\Realtek\LanOptimizer\LanOptimizer.exe [2012-10-23 08:05]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-06-11 12503184]

"RtHDVBg_Dolby"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2012-06-13 1212560]

"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2010-07-07 310272]

"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2010-07-07 158208]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-10-10 171040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-10-10 399392]

"Persistence"="c:\windows\system32\igfxpers.exe" [2012-10-10 441888]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3220468

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - s:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\BB\AppData\Roaming\Mozilla\Firefox\Profiles\n2dawz11.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - ExtSQL: 2012-10-22 01:12; {4ED1F68A-5463-4931-9384-8FFF5ED91D92}; c:\program files (x86)\McAfee\SiteAdvisor

FF - ExtSQL: 2012-10-23 10:53; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\BB\AppData\Roaming\Mozilla\Firefox\Profiles\n2dawz11.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

FF - ExtSQL: 2012-10-23 10:53; {3d7eb24f-2740-49df-8937-200b1cc08f8a}; c:\users\BB\AppData\Roaming\Mozilla\Firefox\Profiles\n2dawz11.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}.xpi

FF - ExtSQL: 2012-10-23 10:56; {AE93811A-5C9A-4d34-8462-F7B864FC4696}; c:\users\BB\AppData\Roaming\Mozilla\Firefox\Profiles\n2dawz11.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}.xpi

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{7473b6bd-4691-4744-a82b-7854eb3d70b6} - (no file)

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

SafeBoot-17430523.sys

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]

@="?????????????????? v1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]

@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]

@="?????????????????? v2"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]

@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-11-01 15:56:18

ComboFix-quarantined-files.txt 2012-11-01 19:56

.

Pre-Run: 174,193,786,880 bytes free

Post-Run: 174,075,535,360 bytes free

.

- - End Of File - - 4F8BCC5566C9521FCC797FF0AF8DF590

Link to post
Share on other sites

OK, I remember now.

ComboFix log looks OK but I do see some adware, so lets get that:

Please download AdwCleaner from here and save it on your Desktop.

  • Close all open programs and internet browsers.
  • Right-click on adwcleaner.exe and select Run As Administrator to launch the application. (XP just double click to run)
  • Click on Delete.
  • Confirm each time with Ok if asked.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then............

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Link to post
Share on other sites

Alright here is the AdwCleaner log:

# AdwCleaner v2.006 - Logfile created 11/02/2012 at 11:46:20

# Updated 30/10/2012 by Xplode

# Operating system : Windows 7 Professional Service Pack 1 (64 bits)

# User : BB - BB-PC

# Boot Mode : Normal

# Running from : C:\Users\BB\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

File Deleted : C:\Users\BB\AppData\Roaming\Mozilla\Firefox\Profiles\n2dawz11.default\searchplugins\Conduit.xml

Folder Deleted : C:\Program Files (x86)\Conduit

Folder Deleted : C:\Users\BB\AppData\Local\Conduit

Folder Deleted : C:\Users\BB\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda

Folder Deleted : C:\Users\BB\AppData\LocalLow\Conduit

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3220468

Key Deleted : HKLM\Software\Conduit

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT3220468 --> hxxp://www.google.com

-\\ Mozilla Firefox v16.0.2 (en-US)

Profile name : default

File : C:\Users\BB\AppData\Roaming\Mozilla\Firefox\Profiles\n2dawz11.default\prefs.js

Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=1[...]

Deleted : user_pref("Smartbar.ConduitSearchEngineList", "uTorrentControl_v2 Customized Web Search");

Deleted : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468[...]

Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3220468");

-\\ Google Chrome v [unable to get version]

File : C:\Users\BB\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [2647 octets] - [02/11/2012 11:46:20]

########## EOF - C:\AdwCleaner[s1].txt - [2707 octets] ##########

Here is mbam log:

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.02.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

BB :: BB-PC [administrator]

Protection: Enabled

11/2/2012 11:56:50 AM

mbam-log-2012-11-02 (11-56-50).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Scan options disabled:

Objects scanned: 224127

Time elapsed: 27 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

My pc is doing fine; havent had any more lockups\freezing sence we started. Again thank you for all the help I do appreciate it. I suppose my PC is safe enough and I can quit using Character Map to type-in my passwords.

Link to post
Share on other sites

Great thumbsup.gif

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

MrC

Link to post
Share on other sites

I had to reboot for this to work. Here it is:

Results of screen317's Security Check version 0.99.54

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

McAfee Anti-Virus and Anti-Spyware

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Java 7 Update 9

Adobe Flash Player 11.4.402.287

Mozilla Firefox (16.0.2)

Google Chrome 22.0.1229.96

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:

````````````````````End of Log``````````````````````

Link to post
Share on other sites

What would you recomend for firewall and antivirus service?

Windows firewall is OK with on W7 but if you want to try a different one I like PC Tools Firewall Plus:

http://www.softpedia...wall-Plus.shtml

For an anti-virus:

avast:

http://www.avast.com...ivirus-download

or

Microsoft Security Essentials:

http://windows.micro...ntials-download

The rest looks OK.

~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

http://www.itxassoci...T-Tools/OTL.exe

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

Hey Mr Charlie sorry to bother you again. I was having trouble deleting combofix so I did as you suggested and renamed it uninstall.exe and double clicked it. However this didn't uninstall combofix it ran it threw the scan process again which was blocked by mcafee. If I remember correctly it got to completed stage 2 before mcafee quarantined a file and it stoped. I closed the dos window and rebooted and was finally sucessfull with the uninstall. I did everything else as you suggested and pc is working fine. Is this anything to worry about?

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.