computer slow and internet not stable

There are two security systems running with an anti-virus component, ZoneAlarm and Microsoft Security Essentials. One of those must be UNinstalled ASAP. Let me know which one you have removed....

Next,

Please download RogueKiller from here http://tigzy.geekstogo.com/Tools/RogueKiller.exe or here http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe and save Direct to your Desktop.

  • Quit all running programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right click -> run as administrator; for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • The following EULA will appear, please select accept
    RKLicence.png
  • Ensure MBR scan, Check faked and AntiRootkit are checked
  • Select Scan
    RK1A.png
  • When the scan completes select Report, copy and paste that to your reply.
    RK2A.png
  • The log should be found in RKreport[?].txt on your Desktop
  • Exit/Close RogueKiller

Next,

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post those two logs...

Kevin


Hi Kevin, thanks for the quick reply! I uninstalled ZoneAlarm. Here are the two logs you requested.

RogueKiller V8.4.2 [Jan 6 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Danny [Admin rights]

Mode : Scan -- Date : 01/07/2013 19:58:57

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤

[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{A68A86A7-BD7D-486F-8848-DB39D2699D9A} : NameServer (10.206.65.68 10.206.65.68) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{A68A86A7-BD7D-486F-8848-DB39D2699D9A} : NameServer (10.206.65.68 10.206.65.68) -> FOUND

[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND

[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

127.0.0.1 www.0scan.com

127.0.0.1 0scan.com

127.0.0.1 1000gratisproben.com

127.0.0.1 www.1000gratisproben.com

127.0.0.1 1001namen.com

127.0.0.1 www.1001namen.com

127.0.0.1 100888290cs.com

127.0.0.1 www.100888290cs.com

127.0.0.1 www.100sexlinks.com

127.0.0.1 100sexlinks.com

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9320325AS +++++

--- User ---

[MBR] 68a27d6ba8269fd5273739bd622c9300

[bSP] bd71ecee3ed635930c5c9c48d76fe1d5 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 200 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 411648 | Size: 258962 Mo

2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 530768192 | Size: 30972 Mo

3 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 594198848 | Size: 15109 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_01072013_02d1958.txt >>

RKreport[1]_S_01072013_02d1958.txt

_____________________________________________________________________

Results of screen317's Security Check version 0.99.56

Windows 7 Service Pack 1 x64 (UAC is disabled!)

Internet Explorer 8 Out of date!

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Microsoft Security Essentials

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Ad-Aware

MVPS Hosts File

Spybot - Search & Destroy

Malwarebytes Anti-Malware version 1.70.0.1100

CCleaner

JavaFX 2.1.1

Java 6 Update 31

Java 7 Update 10

Java version out of Date!

Adobe Flash Player 11.5.502.135

Adobe Reader 9 Adobe Reader out of Date!

Mozilla Firefox 13.0.1 Firefox out of Date!

Google Chrome 20.0.1132.57

Google Chrome 21.0.1180.60

Google Chrome 22.0.1229.79

Google Chrome 23.0.1271.97

````````Process Check: objlist.exe by Laurent````````

Microsoft Security Essentials MSMpEng.exe

Microsoft Security Essentials msseces.exe

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 4%

````````````````````End of Log``````````````````````
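The RogueKiller report above lists each registry hit on one line with a tag, the key, the value name, its data and a status. The following is an added example (not code from the thread, from RogueKiller, or from the forum) that parses lines in that format and assigns a triage severity from a defender's point of view: a statically configured NameServer that differs from the expected resolver, EnableLUA=0 (UAC disabled) and ConsentPromptBehaviorAdmin=0 (administrators elevate with no prompt) are rated high; a present-but-zero policy value such as DisableTaskMgr and a desktop icon visibility change are rated low. The sample lines are constructed to mirror the findings posted above, and the expected resolver (192.168.1.1, the DHCP server reported later in the thread's ComboFix log) is an assumption for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in RogueKiller's "Registry Entries" line format; the
# findings mirror the ones posted in this thread.
SAMPLE_LOG = """\
[DNS] HKLM\\[...]\\ControlSet001\\Services\\Tcpip\\Interfaces\\{A68A86A7-BD7D-486F-8848-DB39D2699D9A} : NameServer (10.206.65.68 10.206.65.68) -> FOUND
[HJPOL] HKCU\\[...]\\System : DisableTaskMgr (0) -> FOUND
[HJ] HKLM\\[...]\\System : EnableLUA (0) -> FOUND
[HJ] HKLM\\[...]\\Wow6432Node\\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ DESK] HKLM\\[...]\\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
"""

# Assumption for this example: the resolver the machine should be using is the
# DHCP-assigned server reported elsewhere in the thread.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# "[TAG] <key> : <value name> (<data>) -> <status>"
ENTRY_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\] (?P<key>.+?) : (?P<name>\S+) \((?P<data>[^)]*)\) -> (?P<status>\w+)$"
)


@dataclass
class Finding:
    tag: str
    key: str
    name: str
    data: str
    severity: str  # "high", "medium" or "low"
    reason: str


def classify(tag: str, name: str, data: str) -> tuple[str, str]:
    """Map one RogueKiller registry hit to a severity and a one-line reason."""
    if tag == "DNS" and name == "NameServer":
        unexpected = set(data.split()) - EXPECTED_RESOLVERS
        if unexpected:
            return "high", (
                "static DNS override to " + ", ".join(sorted(unexpected))
                + "; resolver is not in the expected set"
            )
        return "low", "static DNS entry matches the expected resolver"
    if name == "EnableLUA" and data == "0":
        return "high", "UAC is disabled (EnableLUA=0)"
    if name == "ConsentPromptBehaviorAdmin" and data == "0":
        return "high", "administrators elevate without any prompt (ConsentPromptBehaviorAdmin=0)"
    if tag == "HJPOL":
        # The policy value exists; it only restricts the user when non-zero.
        active = data != "0"
        state = "active" if active else "set to 0, restriction not active"
        return ("medium" if active else "low"), f"{name} policy value present ({state})"
    if tag == "HJ DESK":
        return "low", "desktop icon visibility changed under NewStartPanel"
    return "medium", "unclassified RogueKiller hit; review manually"


def parse_findings(log_text: str) -> list[Finding]:
    """Return one Finding per '-> FOUND' registry line; other lines are ignored."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group("status") != "FOUND":
            continue
        severity, reason = classify(m.group("tag"), m.group("name"), m.group("data"))
        findings.append(Finding(m.group("tag"), m.group("key"), m.group("name"),
                                m.group("data"), severity, reason))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "low")
    found = sorted(parse_findings(SAMPLE_LOG), key=lambda f: order.index(f.severity))
    for f in found:
        print(f"{f.severity:6} [{f.tag}] {f.name}={f.data}: {f.reason}")
    print(summarize(found))
```

Run stand-alone it prints the five hits, highest severity first, and a count per level; the high-rated lines are the ones a helper would act on first (fixing the DNS override and re-enabling UAC), which matches the order of the follow-up instructions in this thread.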


Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the combofix.gif icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Kevin


When I run the RogueKiller program earlier I received a warning about not deleting some items it had found when I exited the program. Is that okay, or should I have deleted the things it found? Sorry, should've mentioned it earlier.

Here's the combofix log:

ComboFix 13-01-08.01 - Danny 01/08/2013 18:31:38.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4029.2464 [GMT -5:00]

Running from: c:\users\Danny\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}

SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\install.exe

c:\users\Administrator\AppData\Local\assembly\tmp

c:\users\Danny\AppData\Local\assembly\tmp

c:\users\Default\AppData\Local\assembly\tmp

.

.

((((((((((((((((((((((((( Files Created from 2012-12-08 to 2013-01-08 )))))))))))))))))))))))))))))))

.

.

2013-01-08 23:42 . 2013-01-08 23:42 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-08 23:42 . 2013-01-08 23:42 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2013-01-08 23:05 . 2012-11-19 06:01 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BA3B8BEA-2A9E-451F-890C-7BB8A7DAA98A}\mpengine.dll

2013-01-08 00:51 . 2013-01-08 00:51 -------- d-----w- c:\program files (x86)\Common Files\Java

2013-01-08 00:49 . 2013-01-08 00:49 95184 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2013-01-07 01:48 . 2012-10-23 11:04 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B33A1BB8-21C3-4970-9A75-3BF6801F8299}\gapaengine.dll

2013-01-07 01:47 . 2012-11-19 06:01 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-01-07 00:48 . 2013-01-07 00:48 -------- d-----w- c:\users\Danny\AppData\Local\Programs

2013-01-06 21:33 . 2013-01-06 21:33 -------- d-----w- c:\program files (x86)\GUM8323.tmp

2013-01-06 21:33 . 2013-01-06 21:33 4096000 ----a-w- c:\program files (x86)\GUT8334.tmp

2013-01-06 21:15 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys

2013-01-06 21:15 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys

2013-01-06 21:15 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui

2013-01-06 21:15 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll

2013-01-06 21:03 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll

2013-01-06 21:03 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2013-01-06 21:03 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll

2013-01-06 21:03 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2013-01-06 21:02 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys

2013-01-06 21:02 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys

2013-01-06 21:02 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll

2013-01-06 21:02 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll

2013-01-06 21:01 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe

2013-01-06 21:01 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll

2013-01-06 21:01 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll

2013-01-06 20:55 . 2013-01-06 20:55 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%

2013-01-05 23:42 . 2012-08-31 18:19 1659760 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-01-05 23:42 . 2012-10-09 18:17 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll

2013-01-05 23:42 . 2012-10-09 18:17 226816 ----a-w- c:\windows\system32\dhcpcore6.dll

2013-01-05 23:42 . 2012-10-09 17:40 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll

2013-01-05 23:42 . 2012-10-09 17:40 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll

2013-01-05 23:42 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll

2013-01-05 23:42 . 2012-11-09 04:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2013-01-05 23:39 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll

2013-01-05 23:38 . 2012-10-04 17:38 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2013-01-05 23:37 . 2012-11-02 05:59 478208 ----a-w- c:\windows\system32\dpnet.dll

2013-01-05 23:37 . 2012-11-02 05:11 376832 ----a-w- c:\windows\SysWow64\dpnet.dll

2013-01-05 23:37 . 2012-08-24 18:05 220160 ----a-w- c:\windows\system32\wintrust.dll

2013-01-05 23:37 . 2012-08-24 16:57 172544 ----a-w- c:\windows\SysWow64\wintrust.dll

2013-01-05 23:37 . 2012-08-21 21:01 245760 ----a-w- c:\windows\system32\OxpsConverter.exe

2013-01-05 23:37 . 2012-08-11 00:56 715776 ----a-w- c:\windows\system32\kerberos.dll

2013-01-05 23:37 . 2012-08-10 23:56 542208 ----a-w- c:\windows\SysWow64\kerberos.dll

2013-01-05 23:37 . 2012-07-06 20:07 552960 ----a-w- c:\windows\system32\drivers\bthport.sys

2013-01-05 23:37 . 2012-06-16 05:15 911360 ----a-w- c:\windows\system32\jscript.dll

2013-01-05 23:37 . 2012-06-16 05:16 609792 ----a-w- c:\windows\system32\vbscript.dll

2013-01-05 23:37 . 2012-06-16 04:26 428032 ----a-w- c:\windows\SysWow64\vbscript.dll

2013-01-05 23:36 . 2012-09-25 22:47 78336 ----a-w- c:\windows\SysWow64\synceng.dll

2013-01-05 23:36 . 2012-09-25 22:46 95744 ----a-w- c:\windows\system32\synceng.dll

2013-01-05 23:36 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll

2013-01-05 23:36 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll

2013-01-05 23:36 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll

2013-01-05 23:36 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll

2013-01-05 23:36 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll

2013-01-05 23:36 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll

2013-01-05 23:34 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll

2013-01-05 23:34 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe

2013-01-05 23:34 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe

2013-01-05 23:34 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll

2013-01-05 23:31 . 2012-06-02 05:41 1464320 ----a-w- c:\windows\system32\crypt32.dll

2013-01-05 23:31 . 2012-06-02 04:36 1159680 ----a-w- c:\windows\SysWow64\crypt32.dll

2013-01-05 23:31 . 2012-06-02 05:41 184320 ----a-w- c:\windows\system32\cryptsvc.dll

2013-01-05 23:31 . 2012-06-02 05:41 140288 ----a-w- c:\windows\system32\cryptnet.dll

2013-01-05 23:31 . 2012-06-02 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll

2013-01-05 23:31 . 2012-06-02 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll

2013-01-05 23:11 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll

2013-01-05 23:06 . 2013-01-05 23:06 -------- d-----w- c:\program files (x86)\GUMEAEA.tmp

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-08 00:49 . 2012-07-02 02:35 859072 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2013-01-08 00:49 . 2010-07-10 20:21 779704 ----a-w- c:\windows\SysWow64\deployJava1.dll

2013-01-06 00:54 . 2012-05-30 06:17 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-06 00:54 . 2011-06-29 02:35 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-14 21:49 . 2012-07-02 03:30 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-28 20:58 . 2009-10-28 11:17 67413224 ----a-w- c:\windows\system32\MRT.exe

2012-10-23 11:04 . 2011-03-26 17:22 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll

2012-10-16 08:38 . 2013-01-05 23:36 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38 . 2013-01-05 23:36 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39 . 2013-01-05 23:36 561664 ----a-w- c:\windows\apppatch\AcLayers.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Facebook Update"="c:\users\Danny\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"VeriFaceManager"="c:\program files (x86)\Lenovo\VeriFace\PManage.exe" [2009-10-15 3122440]

"UpdateP2GShortCut"="c:\program files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]

"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"="0"

"UpdatesDisableNotify"="0"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]

R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]

R2 ReadyComm.DirectRouter;ReadyComm.DirectRouter;c:\windows\System32\IgrsSvcs.exe [x]

R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-12-13 3290896]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-07 160944]

R3 Bridge0;Bridge0;c:\windows\system32\drivers\WDBridge.sys [2009-07-16 79376]

R3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-10 270848]

R3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\Lenovo\ReadyComm\AppSvc.exe [2009-07-28 414984]

R3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\Lenovo\ReadyComm\ConnSvc.exe [2009-07-28 472328]

R3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\DRIVERS\massfilter.sys [2010-08-11 11776]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]

R3 PS_MDP;ReadyComm Presentation Space Helper Service;c:\windows\System32\IgrsSvcs.exe [x]

R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 31800]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys [2009-06-26 219136]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-01 1255736]

R3 WinRing0_1_2_0;WinRing0_1_2_0;d:\test\ECECECEC\WinRing0x64.sys [x]

R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-21 121840]

R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [2010-08-11 121344]

R3 ZTEusbwwan;ZTE MBN Miniport;c:\windows\system32\DRIVERS\ZTEusbwwan.sys [2010-08-11 235520]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-06 69152]

S1 funfrm;funfrm; [x]

S2 aksdf;aksdf;c:\windows\system32\drivers\aksdf.sys [2009-09-21 71040]

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]

S2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [2007-04-06 77216]

S2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run [x]

S2 IGRS;IGRS;c:\program files (x86)\Lenovo\ReadyComm\common\IGRS.exe [2009-07-14 38152]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2013-01-06 1737728]

S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]

S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 26128]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-03-15 145408]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2012-07-02 17152]

S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-05-14 5435904]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]

S3 vodafone_K380x-z_dc_enum;vodafone_K380x-z_dc_enum;c:\windows\system32\DRIVERS\vodafone_K380x-z_dc_enum.sys [2010-05-20 75776]

S3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [2009-07-16 11280]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

IgrsSvcs REG_MULTI_SZ ReadyComm.DirectRouter PS_MDP

<NO NAME> REG_SZ

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-08 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-30 00:54]

.

2013-01-08 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1563464669-3591048527-644845245-1003Core.job

- c:\users\Danny\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-01 22:52]

.

2013-01-08 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1563464669-3591048527-644845245-1003UA.job

- c:\users\Danny\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-01 22:52]

.

2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-15 03:02]

.

2013-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-06-15 03:02]

.

2013-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1563464669-3591048527-644845245-1003Core.job

- c:\users\Danny\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-25 18:48]

.

2013-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1563464669-3591048527-644845245-1003UA.job

- c:\users\Danny\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-25 18:48]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]

@="{771C7324-DA80-49D3-8017-753B0AF60951}"

[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]

2009-10-15 08:06 1502720 ----a-w- c:\windows\System32\IcnOvrly.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-08-05 8060960]

"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\utility.exe" [2009-09-01 4366704]

"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2009-08-19 5825536]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://lenovo.live.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105

Trusted Zone: lenovo.com\consumersupport

Trusted Zone: lenovo.com.cn\edrivers

Trusted Zone: lenovo.com.cn\support4

Trusted Zone: lenovo.com.cn\think

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{A68A86A7-BD7D-486F-8848-DB39D2699D9A}: NameServer = 10.206.65.68 10.206.65.68

DPF: {9E2CD2C3-4DDA-4473-B904-B8E6D0DBAB86} - hxxp://consumersupport.lenovo.com/smartdownloading/cab/npdueng.cab

DPF: {FDECE629-C65D-46DA-A77F-244600A0E5F9} - hxxps://management.pna.utexas.edu/idengineswpa/tools/xc_loader_activex.ocx

FF - ProfilePath - c:\users\Danny\AppData\Roaming\Mozilla\Firefox\Profiles\hqq0x3ua.default\

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

SafeBoot-mcmscsvc

SafeBoot-MCODS

Toolbar-Locked - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-01-08 18:49:08

ComboFix-quarantined-files.txt 2013-01-08 23:49

.

Pre-Run: 110,652,239,872 bytes free

Post-Run: 110,334,693,376 bytes free

.

- - End Of File - - E47EBA45F9857598332D0DE5F1458D92


Re-run RogueKiller, run Scan. Next:

Hit the Delete tab, save the report. Next:

Hit the DNSFix tab, save the report. Exit and close RogueKiller.

Next,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:


ClearJavaCache::
Folder::
c:\windows\SysWow64\%APPDATA%
c:\program files (x86)\GUM8323.tmp
c:\program files (x86)\GUMEAEA.tmp
File::
c:\program files (x86)\GUT8334.tmp
Driver::
funfrm

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

CF3.jpg

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next,

Run Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right click on the IE shortcut and run as admin

Go to the Eset web page http://www.eset.com/home/products/online-scanner/ to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

If no threats were found:

  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

If threats were found:

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
  • close program
  • copy and paste the report here

Post those logs, give an update on current issues...


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

