
Trojan.Agent infected my system



21:58:37.0094 1152 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35

21:58:37.0562 1152 ============================================================

21:58:37.0562 1152 Current date / time: 2013/01/30 21:58:37.0562

21:58:37.0562 1152 SystemInfo:

21:58:37.0562 1152

21:58:37.0562 1152 OS Version: 6.1.7601 ServicePack: 1.0

21:58:37.0562 1152 Product type: Workstation

21:58:37.0562 1152 ComputerName: SANDY

21:58:37.0562 1152 UserName: Swimming12

21:58:37.0562 1152 Windows directory: C:\Windows

21:58:37.0562 1152 System windows directory: C:\Windows

21:58:37.0562 1152 Running under WOW64

21:58:37.0562 1152 Processor architecture: Intel x64

21:58:37.0562 1152 Number of processors: 4

21:58:37.0562 1152 Page size: 0x1000

21:58:37.0562 1152 Boot type: Normal boot

21:58:37.0562 1152 ============================================================

21:58:37.0640 1152 BG loaded

21:58:38.0046 1152 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040

21:58:38.0077 1152 ============================================================

21:58:38.0077 1152 \Device\Harddisk0\DR0:

21:58:38.0077 1152 MBR partitions:

21:58:38.0077 1152 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1D4C000

21:58:38.0077 1152 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1D7E800, BlocksNum 0x38607030

21:58:38.0077 1152 ============================================================

21:58:38.0186 1152 C: <-> \Device\Harddisk0\DR0\Partition2

21:58:38.0186 1152 ============================================================

21:58:38.0186 1152 Initialize success

21:58:38.0186 1152 ============================================================


Gringo,

Was having trouble with IE refreshing. I see the post now. Here is the TDSSKiller log.

21:58:37.0094 1152 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35

21:58:37.0562 1152 ============================================================

21:58:37.0562 1152 Current date / time: 2013/01/30 21:58:37.0562

21:58:37.0562 1152 SystemInfo:

21:58:37.0562 1152

21:58:37.0562 1152 OS Version: 6.1.7601 ServicePack: 1.0

21:58:37.0562 1152 Product type: Workstation

21:58:37.0562 1152 ComputerName: SANDY

21:58:37.0562 1152 UserName: Swimming12

21:58:37.0562 1152 Windows directory: C:\Windows

21:58:37.0562 1152 System windows directory: C:\Windows

21:58:37.0562 1152 Running under WOW64

21:58:37.0562 1152 Processor architecture: Intel x64

21:58:37.0562 1152 Number of processors: 4

21:58:37.0562 1152 Page size: 0x1000

21:58:37.0562 1152 Boot type: Normal boot

21:58:37.0562 1152 ============================================================

21:58:37.0640 1152 BG loaded

21:58:38.0046 1152 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040

21:58:38.0077 1152 ============================================================

21:58:38.0077 1152 \Device\Harddisk0\DR0:

21:58:38.0077 1152 MBR partitions:

21:58:38.0077 1152 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1D4C000

21:58:38.0077 1152 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1D7E800, BlocksNum 0x38607030

21:58:38.0077 1152 ============================================================

21:58:38.0186 1152 C: <-> \Device\Harddisk0\DR0\Partition2

21:58:38.0186 1152 ============================================================

21:58:38.0186 1152 Initialize success

21:58:38.0186 1152 ============================================================

22:05:38.0876 2804 Deinitialize success


  • Staff

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache:: 

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

[Image: CFScriptB-4.gif]

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  1. report from Combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now after running the script?

Gringo


aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software

Run date: 2013-01-30 22:24:07

-----------------------------

22:24:07.505 OS Version: Windows x64 6.1.7601 Service Pack 1

22:24:07.505 Number of processors: 4 586 0x2A07

22:24:07.507 ComputerName: SANDY UserName:

22:24:08.782 Initialize success

22:24:21.046 AVAST engine defs: 13013000

22:24:43.431 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

22:24:43.436 Disk 0 Vendor: TOSHIBA_ GS00 Size: 476940MB BusType: 3

22:24:43.462 Disk 0 MBR read successfully

22:24:43.468 Disk 0 MBR scan

22:24:43.478 Disk 0 Windows 7 default MBR code

22:24:43.496 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 100 MB offset 2048

22:24:43.513 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 206848

22:24:43.533 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 461838 MB offset 30926848

22:24:43.555 Disk 0 scanning C:\Windows\system32\drivers

22:24:52.987 Service scanning

22:25:28.714 Modules scanning

22:25:28.731 Disk 0 trace - called modules:

22:25:28.777 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll

22:25:28.791 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004706060]

22:25:28.802 3 CLASSPNP.SYS[fffff88001b8d43f] -> nt!IofCallDriver -> [0xfffffa8003707e40]

22:25:28.813 5 ACPI.sys[fffff88000f2b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80040be050]

22:25:29.968 AVAST engine scan C:\Windows

22:25:32.691 AVAST engine scan C:\Windows\system32

22:28:19.052 AVAST engine scan C:\Windows\system32\drivers

22:28:29.030 AVAST engine scan C:\Users\Swimming12

22:29:51.327 AVAST engine scan C:\ProgramData

22:30:59.761 Scan finished successfully

22:32:48.244 Disk 0 MBR has been saved successfully to "C:\Users\Swimming12\Desktop\MBR.dat"

22:32:48.250 The log file has been saved successfully to "C:\Users\Swimming12\Desktop\aswMBR.txt"


ComboFix 13-01-30.04 - Swimming12 01/30/2013 22:38:17.2.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4003.2511 [GMT -6:00]

Running from: c:\users\Swimming12\Desktop\ComboFix.exe

Command switches used :: c:\users\Swimming12\Desktop\CFScript.txt.txt

AV: Lavasoft Ad-Aware *Disabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}

FW: Lavasoft Ad-Aware *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}

SP: Lavasoft Ad-Aware *Disabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-12-28 to 2013-01-31 )))))))))))))))))))))))))))))))

.

.

2013-01-31 04:41 . 2013-01-31 04:41 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-31 03:57 . 2013-01-31 03:57 -------- d-----w- C:\TDSSKiller_Quarantine

2013-01-31 03:39 . 2013-01-15 08:45 9161176 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{57261EBA-2FE8-4199-AF62-FBABA7AF1A3D}\mpengine.dll

2013-01-31 02:56 . 2013-01-31 02:56 -------- d-----w- c:\program files\CCleaner

2013-01-31 02:48 . 2009-12-30 17:21 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys

2013-01-31 02:47 . 2013-01-31 02:47 -------- d-----w- c:\program files\VS Revo Group

2013-01-31 02:29 . 2013-01-31 02:29 -------- d-----w- c:\program files (x86)\Microsoft.NET

2013-01-30 13:59 . 2013-01-30 13:59 -------- d-----w- c:\program files (x86)\MSXML 4.0

2013-01-30 06:13 . 2013-01-31 04:09 -------- d-----w- c:\windows\SysWow64\Wat

2013-01-30 06:13 . 2013-01-31 04:09 -------- d-----w- c:\windows\system32\Wat

2013-01-30 06:11 . 2013-01-30 06:11 -------- d-----w- C:\_OTL

2013-01-30 02:05 . 2013-01-31 04:09 -------- d-----w- c:\programdata\WeCareReminder

2013-01-30 02:05 . 2013-01-30 02:05 -------- d-----w- c:\programdata\Symantec

2013-01-30 02:05 . 2013-01-31 04:09 -------- d-----w- c:\program files (x86)\Norton Security Scan

2013-01-30 02:05 . 2013-01-31 04:09 -------- d-----w- c:\programdata\Norton

2013-01-30 02:05 . 2013-01-30 02:05 -------- d-----w- c:\program files (x86)\NortonInstaller

2013-01-30 02:03 . 2013-01-31 04:09 -------- d-----w- c:\program files (x86)\DefaultTab

2013-01-30 02:02 . 2013-01-30 02:02 -------- d-----w- c:\programdata\APN

2013-01-22 04:58 . 2013-01-22 04:58 -------- d-----w- c:\programdata\Malwarebytes

2013-01-22 04:58 . 2013-01-22 04:58 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2013-01-22 04:58 . 2012-12-14 22:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-01-22 04:12 . 2012-12-17 12:43 38096 ----a-w- c:\windows\system32\drivers\gfiark.sys

2013-01-22 04:09 . 2013-01-22 04:09 -------- d-----w- c:\program files (x86)\GUM687.tmp

2013-01-22 04:07 . 2013-01-22 04:07 -------- d-----w- c:\program files\Google

2013-01-22 04:07 . 2013-01-22 04:08 -------- d-----w- c:\program files (x86)\Google

2013-01-22 04:06 . 2013-01-22 04:06 -------- d-----w- c:\program files (x86)\Common Files\Adobe

2013-01-22 03:07 . 2013-01-31 02:57 -------- d-----w- c:\windows\Panther

2013-01-22 03:06 . 2013-01-22 03:19 -------- d-----w- c:\programdata\Ad-Aware Antivirus

2013-01-22 02:44 . 2013-01-22 02:44 -------- d-----w- c:\programdata\Lavasoft

2013-01-22 02:44 . 2013-01-31 04:09 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus

2013-01-22 02:44 . 2013-01-22 02:44 14456 ----a-w- c:\windows\system32\drivers\gfibto.sys

2013-01-22 02:44 . 2012-09-20 11:40 47496 ----a-w- c:\windows\system32\sbbd.exe

2013-01-22 02:42 . 2013-01-22 02:42 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection

2013-01-22 02:42 . 2013-01-22 02:42 -------- d-----w- c:\program files (x86)\Toolbar Cleaner

2013-01-22 02:33 . 2013-01-31 02:57 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2013-01-22 02:33 . 2013-01-22 04:30 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy

2013-01-22 02:30 . 2013-01-22 02:30 -------- d-----w- c:\program files\SUPERAntiSpyware

2013-01-22 02:30 . 2013-01-22 02:30 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2013-01-22 02:28 . 2013-01-22 02:49 -------- d-----w- c:\program files (x86)\SpywareBlaster

2013-01-22 02:28 . 2010-01-11 00:40 118784 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL

2013-01-22 02:12 . 2013-01-31 04:09 -------- d-----w- c:\program files (x86)\7-Zip

2013-01-22 02:12 . 2013-01-22 02:14 -------- d-----w- c:\programdata\Strongvault Online Backup

2013-01-22 02:12 . 2013-01-22 02:12 -------- d-sh--w- c:\windows\SysWow64\AI_RecycleBin

2013-01-22 02:12 . 2013-01-22 02:12 -------- d-----w- c:\program files (x86)\Strongvault Online Backup

2013-01-22 02:12 . 2013-01-22 02:12 -------- d-----w- C:\AI_RecycleBin

2013-01-22 02:11 . 2013-01-31 03:06 -------- d-----w- c:\program files (x86)\Shop to Win 27

2013-01-22 02:10 . 2013-01-22 02:10 -------- d-----w- c:\programdata\Yahoo!

2013-01-22 02:10 . 2013-01-22 02:44 -------- d-----w- c:\programdata\Yahoo! Companion

2013-01-22 02:10 . 2013-01-22 02:10 -------- d-----w- c:\program files (x86)\Yahoo!

2013-01-22 02:06 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll

2013-01-22 02:06 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll

2013-01-22 02:06 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2013-01-22 02:06 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys

2013-01-22 02:02 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2013-01-22 02:02 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe

2013-01-22 02:02 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll

2013-01-22 02:02 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll

2013-01-22 02:02 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll

2013-01-22 02:02 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll

2013-01-22 02:02 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll

2013-01-22 02:02 . 2012-06-02 21:19 186752 ----a-w- c:\windows\system32\wuwebv.dll

2013-01-22 02:02 . 2012-06-02 21:15 36864 ----a-w- c:\windows\system32\wuapp.exe

2013-01-22 01:50 . 2010-11-06 05:45 438808 ----a-w- c:\windows\system32\drivers\iaStor.sys

2013-01-22 01:49 . 2010-10-26 03:08 406632 ----a-w- c:\windows\system32\drivers\Rt64win7.sys

2013-01-22 01:49 . 2010-01-05 16:39 107552 ----a-w- c:\windows\system32\RTNUninst64.dll

2013-01-22 01:49 . 2009-12-03 09:27 74272 ----a-w- c:\windows\system32\RtNicProp64.dll

2013-01-22 01:49 . 2013-01-22 01:49 -------- d-----w- c:\program files (x86)\Realtek

2013-01-22 01:45 . 2013-01-22 01:45 -------- d-----w- c:\users\Public\Roaming

2013-01-22 01:45 . 2013-01-22 01:45 -------- d-----w- c:\users\Default\Roaming

2013-01-22 01:43 . 2013-01-22 01:57 -------- d-----w- c:\programdata\Intel

2013-01-22 01:43 . 2013-01-22 01:52 -------- d-----w- c:\program files\Common Files\Intel

2013-01-22 01:43 . 2013-01-22 01:43 -------- d-----w- c:\program files (x86)\Cisco

2013-01-22 01:43 . 2013-01-22 01:43 -------- d-----w- c:\program files\Intel

2013-01-22 01:42 . 2013-01-22 01:42 -------- d-----w- c:\program files (x86)\Renesas Electronics

2013-01-22 01:41 . 2010-10-06 02:50 8192 ----a-w- c:\windows\SysWow64\drivers\IntelMEFWVer.dll

2013-01-22 01:41 . 2010-10-06 02:50 8192 ----a-w- c:\windows\system32\drivers\IntelMEFWVer.dll

2013-01-22 01:41 . 2013-01-22 01:41 -------- d-----w- c:\program files (x86)\Common Files\postureAgent

2013-01-22 01:40 . 2010-09-21 15:59 56344 ----a-w- c:\windows\system32\drivers\HECIx64.sys

2013-01-22 01:39 . 2013-01-22 01:52 -------- d-----w- c:\program files (x86)\Intel

2013-01-22 01:39 . 2010-12-15 08:10 53248 ----a-r- c:\windows\SysWow64\CSVer.dll

2013-01-22 01:37 . 2010-10-14 17:56 390656 ----a-w- c:\windows\system32\imthx64.dll

2013-01-22 01:37 . 2010-09-30 15:17 732672 ----a-w- c:\windows\system32\imapo32.dll

2013-01-22 01:37 . 2011-01-24 17:57 4637184 ----a-w- c:\windows\system32\stlang64.dll

2013-01-22 01:37 . 2011-01-24 17:57 438784 ----a-w- c:\windows\system32\IDTNC64.cpl

2013-01-22 01:37 . 2011-01-21 00:15 449024 ----a-w- c:\windows\system32\slapoi64.dll

2013-01-22 01:37 . 2010-09-30 15:18 866304 ----a-w- c:\windows\system32\imapo64.dll

2013-01-22 01:36 . 2013-01-22 01:49 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information

2013-01-22 01:33 . 2013-01-22 01:34 -------- d-----w- c:\windows\SysWow64\vmm32

2013-01-22 01:33 . 2013-01-22 01:33 -------- d-----w- c:\program files (x86)\Dell

2013-01-22 01:33 . 2013-01-31 02:34 -------- d-sh--w- c:\windows\Installer

2013-01-22 01:24 . 2013-01-31 02:21 -------- d-----w- c:\users\Swimming12

2013-01-21 21:02 . 2013-01-21 21:02 -------- d-----w- C:\$AVG

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll" [2012-06-11 1524056]

.

[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]

[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]

[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]

[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{3E7C8B5A-96AB-438F-BF9B-782400655440}]

c:\users\Swimming12\AppData\Roaming\Qwiklinx\Qwiklinx.dll [bU]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]

"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-01-22 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Ad-Aware Antivirus"="c:\program files (x86)\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]

"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]

"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2012-12-11 542104]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]

@="Ad-Aware Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2012-12-17 38096]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2010-12-17 340240]

R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 31800]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-01-22 14456]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]

S2 Ad-Aware Service;Ad-Aware Service;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2012-12-15 1236968]

S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-02 89600]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]

S2 SBAMSvc;Ad-Aware;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2012-09-20 3677000]

S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2012-09-13 82872]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-10-06 2655768]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 317440]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-12-10 80384]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-12-10 181248]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-10-26 406632]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - aswMBR

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-01-30 01:48 1607120 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.56\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-22 04:07]

.

2013-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-22 04:07]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-01-24 525312]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-12-17 1933584]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-19 168216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-19 392472]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-19 416024]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

TCP: DhcpNameServer = 75.75.76.76 75.75.75.75

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-32851603.sys

SafeBoot-61782764.sys

AddRemove-adawaretb - c:\program files (x86)\adawaretb\uninstall.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-01-30 22:42:53

ComboFix-quarantined-files.txt 2013-01-31 04:42

ComboFix2.txt 2013-01-31 03:31

ComboFix3.txt 2012-12-18 03:58

ComboFix4.txt 2012-12-15 22:34

.

Pre-Run: 451,890,032,640 bytes free

Post-Run: 451,981,668,352 bytes free

.

- - End Of File - - 3B970F88445492C52F2117520FB7EA0A


  • Staff

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache:: 

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

[Image: CFScriptB-4.gif]

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  1. report from Combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now after running the script?

Gringo


ComboFix 13-01-31.03 - Swimming12 01/31/2013 20:58:44.3.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4003.2173 [GMT -6:00]

Running from: c:\users\Swimming12\Desktop\ComboFix.exe

Command switches used :: c:\users\Swimming12\Desktop\CFScript.txt.txt

AV: Lavasoft Ad-Aware *Enabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}

FW: Lavasoft Ad-Aware *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}

SP: Lavasoft Ad-Aware *Enabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\msxml4-KB954430-enu.LOG

c:\windows\msxml4-KB973688-enu.LOG

.

.

((((((((((((((((((((((((( Files Created from 2013-01-01 to 2013-02-01 )))))))))))))))))))))))))))))))

.

.

2013-02-01 03:02 . 2013-02-01 03:02 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-31 05:31 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys

2013-01-31 05:31 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui

2013-01-31 05:31 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys

2013-01-31 05:31 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll

2013-01-31 05:30 . 2012-12-16 23:31 67599240 ----a-w- c:\windows\system32\MRT.exe

2013-01-31 05:20 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll

2013-01-31 05:20 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll

2013-01-31 05:20 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2013-01-31 05:20 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2013-01-31 05:20 . 2010-09-30 10:41 100864 ----a-w- c:\windows\system32\fontsub.dll

2013-01-31 05:20 . 2010-09-30 06:47 70656 ----a-w- c:\windows\SysWow64\fontsub.dll

2013-01-31 05:19 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll

2013-01-31 05:19 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll

2013-01-31 05:19 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys

2013-01-31 05:19 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys

2013-01-31 05:19 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe

2013-01-31 05:19 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll

2013-01-31 05:19 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll

2013-01-31 05:17 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys

2013-01-31 05:17 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll

2013-01-31 05:17 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll

2013-01-31 05:17 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll

2013-01-31 05:17 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll

2013-01-31 03:57 . 2013-01-31 03:57 -------- d-----w- C:\TDSSKiller_Quarantine

2013-01-31 03:39 . 2013-01-15 08:45 9161176 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{57261EBA-2FE8-4199-AF62-FBABA7AF1A3D}\mpengine.dll

2013-01-31 02:56 . 2013-01-31 02:56 -------- d-----w- c:\program files\CCleaner

2013-01-31 02:50 . 2011-02-25 06:19 2871808 ----a-w- c:\windows\explorer.exe

2013-01-31 02:49 . 2011-07-09 02:46 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2013-01-31 02:47 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll

2013-01-31 02:46 . 2012-12-07 13:20 441856 ----a-w- c:\windows\system32\Wpc.dll

2013-01-31 02:45 . 2012-08-11 00:56 715776 ----a-w- c:\windows\system32\kerberos.dll

2013-01-31 02:44 . 2011-05-24 11:42 404480 ----a-w- c:\windows\system32\umpnpmgr.dll

2013-01-31 02:34 . 2011-08-27 05:37 861696 ----a-w- c:\windows\system32\oleaut32.dll

2013-01-31 02:34 . 2011-08-27 05:37 331776 ----a-w- c:\windows\system32\oleacc.dll

2013-01-31 02:34 . 2011-08-27 04:26 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll

2013-01-31 02:34 . 2011-08-27 04:26 233472 ----a-w- c:\windows\SysWow64\oleacc.dll

2013-01-31 02:34 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll

2013-01-31 02:34 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll

2013-01-31 02:32 . 2012-06-02 05:41 184320 ----a-w- c:\windows\system32\cryptsvc.dll

2013-01-31 02:32 . 2012-06-02 05:41 140288 ----a-w- c:\windows\system32\cryptnet.dll

2013-01-31 02:32 . 2012-06-02 05:41 1464320 ----a-w- c:\windows\system32\crypt32.dll

2013-01-31 02:32 . 2012-06-02 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll

2013-01-31 02:32 . 2012-06-02 04:36 1159680 ----a-w- c:\windows\SysWow64\crypt32.dll

2013-01-31 02:32 . 2012-06-02 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll

2013-01-31 02:32 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll

2013-01-31 02:32 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll

2013-01-31 02:29 . 2013-01-31 02:29 -------- d-----w- c:\program files (x86)\Microsoft.NET

2013-01-30 13:59 . 2013-01-30 13:59 -------- d-----w- c:\program files (x86)\MSXML 4.0

2013-01-30 06:13 . 2013-01-31 05:48 -------- d-----w- c:\windows\SysWow64\Wat

2013-01-30 06:13 . 2013-01-31 05:48 -------- d-----w- c:\windows\system32\Wat

2013-01-30 06:11 . 2013-01-30 06:11 -------- d-----w- C:\_OTL

2013-01-30 02:05 . 2013-01-31 04:09 -------- d-----w- c:\programdata\WeCareReminder

2013-01-30 02:05 . 2013-01-30 02:05 -------- d-----w- c:\programdata\Symantec

2013-01-30 02:05 . 2013-01-31 04:09 -------- d-----w- c:\program files (x86)\Norton Security Scan

2013-01-30 02:05 . 2013-01-31 04:09 -------- d-----w- c:\programdata\Norton

2013-01-30 02:05 . 2013-01-30 02:05 -------- d-----w- c:\program files (x86)\NortonInstaller

2013-01-30 02:03 . 2013-01-31 04:09 -------- d-----w- c:\program files (x86)\DefaultTab

2013-01-30 02:02 . 2013-01-30 02:02 -------- d-----w- c:\programdata\APN

2013-01-22 04:58 . 2013-01-22 04:58 -------- d-----w- c:\programdata\Malwarebytes

2013-01-22 04:58 . 2013-01-22 04:58 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2013-01-22 04:58 . 2012-12-14 22:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-01-22 04:12 . 2012-12-17 12:43 38096 ----a-w- c:\windows\system32\drivers\gfiark.sys

2013-01-22 04:09 . 2013-01-22 04:09 -------- d-----w- c:\program files (x86)\GUM687.tmp

2013-01-22 04:07 . 2013-01-22 04:07 -------- d-----w- c:\program files\Google

2013-01-22 04:07 . 2013-01-22 04:08 -------- d-----w- c:\program files (x86)\Google

2013-01-22 04:06 . 2013-01-22 04:06 -------- d-----w- c:\program files (x86)\Common Files\Adobe

2013-01-22 03:07 . 2013-01-31 02:57 -------- d-----w- c:\windows\Panther

2013-01-22 03:06 . 2013-01-22 03:19 -------- d-----w- c:\programdata\Ad-Aware Antivirus

2013-01-22 02:44 . 2013-01-22 02:44 -------- d-----w- c:\programdata\Lavasoft

2013-01-22 02:44 . 2013-01-31 04:09 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus

2013-01-22 02:44 . 2013-01-22 02:44 14456 ----a-w- c:\windows\system32\drivers\gfibto.sys

2013-01-22 02:44 . 2012-09-20 11:40 47496 ----a-w- c:\windows\system32\sbbd.exe

2013-01-22 02:42 . 2013-01-22 02:42 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection

2013-01-22 02:42 . 2013-01-22 02:42 -------- d-----w- c:\program files (x86)\Toolbar Cleaner

2013-01-22 02:33 . 2013-01-31 02:57 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2013-01-22 02:33 . 2013-01-22 04:30 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy

2013-01-22 02:30 . 2013-01-22 02:30 -------- d-----w- c:\program files\SUPERAntiSpyware

2013-01-22 02:30 . 2013-01-22 02:30 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2013-01-22 02:28 . 2013-01-22 02:49 -------- d-----w- c:\program files (x86)\SpywareBlaster

2013-01-22 02:28 . 2010-01-11 00:40 118784 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL

2013-01-22 02:12 . 2013-01-31 04:09 -------- d-----w- c:\program files (x86)\7-Zip

2013-01-22 02:12 . 2013-01-22 02:14 -------- d-----w- c:\programdata\Strongvault Online Backup

2013-01-22 02:12 . 2013-01-22 02:12 -------- d-sh--w- c:\windows\SysWow64\AI_RecycleBin

2013-01-22 02:12 . 2013-01-22 02:12 -------- d-----w- c:\program files (x86)\Strongvault Online Backup

2013-01-22 02:12 . 2013-01-22 02:12 -------- d-----w- C:\AI_RecycleBin

2013-01-22 02:11 . 2013-01-31 03:06 -------- d-----w- c:\program files (x86)\Shop to Win 27

2013-01-22 02:10 . 2013-01-22 02:10 -------- d-----w- c:\programdata\Yahoo!

2013-01-22 02:10 . 2013-01-22 02:44 -------- d-----w- c:\programdata\Yahoo! Companion

2013-01-22 02:10 . 2013-01-22 02:10 -------- d-----w- c:\program files (x86)\Yahoo!

2013-01-22 02:06 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll

2013-01-22 02:06 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll

2013-01-22 02:06 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys

2013-01-22 02:02 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2013-01-22 02:02 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe

2013-01-22 02:02 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll

2013-01-22 02:02 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll

2013-01-22 02:02 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll

2013-01-22 02:02 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll

2013-01-22 02:02 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll

2013-01-22 02:02 . 2012-06-02 21:19 186752 ----a-w- c:\windows\system32\wuwebv.dll

2013-01-22 02:02 . 2012-06-02 21:15 36864 ----a-w- c:\windows\system32\wuapp.exe

2013-01-22 01:50 . 2010-11-06 05:45 438808 ----a-w- c:\windows\system32\drivers\iaStor.sys

2013-01-22 01:49 . 2010-10-26 03:08 406632 ----a-w- c:\windows\system32\drivers\Rt64win7.sys

2013-01-22 01:49 . 2010-01-05 16:39 107552 ----a-w- c:\windows\system32\RTNUninst64.dll

2013-01-22 01:49 . 2009-12-03 09:27 74272 ----a-w- c:\windows\system32\RtNicProp64.dll

2013-01-22 01:49 . 2013-01-22 01:49 -------- d-----w- c:\program files (x86)\Realtek

2013-01-22 01:45 . 2013-01-22 01:45 -------- d-----w- c:\users\Public\Roaming

2013-01-22 01:45 . 2013-01-22 01:45 -------- d-----w- c:\users\Default\Roaming

2013-01-22 01:43 . 2013-01-22 01:57 -------- d-----w- c:\programdata\Intel

2013-01-22 01:43 . 2013-01-22 01:52 -------- d-----w- c:\program files\Common Files\Intel

2013-01-22 01:43 . 2013-01-22 01:43 -------- d-----w- c:\program files (x86)\Cisco

2013-01-22 01:43 . 2013-01-22 01:43 -------- d-----w- c:\program files\Intel

2013-01-22 01:42 . 2013-01-22 01:42 -------- d-----w- c:\program files (x86)\Renesas Electronics

2013-01-22 01:41 . 2010-10-06 02:50 8192 ----a-w- c:\windows\SysWow64\drivers\IntelMEFWVer.dll

2013-01-22 01:41 . 2010-10-06 02:50 8192 ----a-w- c:\windows\system32\drivers\IntelMEFWVer.dll

2013-01-22 01:41 . 2013-01-22 01:41 -------- d-----w- c:\program files (x86)\Common Files\postureAgent

2013-01-22 01:40 . 2010-09-21 15:59 56344 ----a-w- c:\windows\system32\drivers\HECIx64.sys

2013-01-22 01:39 . 2013-01-22 01:52 -------- d-----w- c:\program files (x86)\Intel

2013-01-22 01:39 . 2010-12-15 08:10 53248 ----a-r- c:\windows\SysWow64\CSVer.dll

2013-01-22 01:37 . 2010-10-14 17:56 390656 ----a-w- c:\windows\system32\imthx64.dll

2013-01-22 01:37 . 2010-09-30 15:17 732672 ----a-w- c:\windows\system32\imapo32.dll

2013-01-22 01:37 . 2011-01-24 17:57 4637184 ----a-w- c:\windows\system32\stlang64.dll

2013-01-22 01:37 . 2011-01-24 17:57 438784 ----a-w- c:\windows\system32\IDTNC64.cpl

2013-01-22 01:37 . 2011-01-21 00:15 449024 ----a-w- c:\windows\system32\slapoi64.dll

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-30 04:45 . 2013-01-31 02:45 44032 ----a-w- c:\windows\apppatch\acwow64.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll" [2012-06-11 1524056]

.

[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]

[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]

[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]

[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{3E7C8B5A-96AB-438F-BF9B-782400655440}]

c:\users\Swimming12\AppData\Roaming\Qwiklinx\Qwiklinx.dll [bU]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]

"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-01-22 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Ad-Aware Antivirus"="c:\program files (x86)\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]

"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]

"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2012-12-11 542104]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]

@="Ad-Aware Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

.

R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2012-12-17 38096]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2010-12-17 340240]

R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 31800]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-01-31 1255736]

S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-01-22 14456]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]

S2 Ad-Aware Service;Ad-Aware Service;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe [2012-12-15 1236968]

S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-02 89600]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]

S2 SBAMSvc;Ad-Aware;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [2012-09-20 3677000]

S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2012-09-13 82872]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-10-06 2655768]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 317440]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-12-10 80384]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-12-10 181248]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-10-26 406632]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-01-30 01:48 1607120 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.56\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-22 04:07]

.

2013-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-22 04:07]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-01-24 525312]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-12-17 1933584]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-19 168216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-19 392472]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-19 416024]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

TCP: DhcpNameServer = 75.75.76.76 75.75.75.75

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-adawaretb - c:\program files (x86)\adawaretb\uninstall.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-01-31 21:05:08

ComboFix-quarantined-files.txt 2013-02-01 03:05

ComboFix2.txt 2013-01-31 04:42

ComboFix3.txt 2013-01-31 03:31

ComboFix4.txt 2012-12-18 03:58

ComboFix5.txt 2013-02-01 02:57

.

Pre-Run: 450,983,198,720 bytes free

Post-Run: 451,120,947,200 bytes free

.

- - End Of File - - B6482113CD19346842C9DD53CFA6A972

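The useful part of a ComboFix log for an analyst is the "Reg Loading Points" section: the Run keys, Browser Helper Objects and service lines show what gets loaded at boot and logon, and the bracketed suffix on each line is either a `date size` pair or a marker such as `[X]` or `[bU]`. The script below is an added example, not part of this thread and not ComboFix or Malwarebytes code. It parses lines in that format and ranks them for manual review using three assumptions of its own: an entry with no `date size` pair recorded needs its file checked on disk (the `[X]` and `[bU]` markers are treated only as "no metadata recorded", without interpreting them further); an entry that loads from a user-writable location (AppData, ProgramData, Public, Temp) is looked at before anything under Program Files or System32; and a BHO is always worth a look because it runs inside every Internet Explorer process. The sample input is copied from the log posted above.

```python
"""Triage helper for ComboFix-style 'Reg Loading Points' lines.

Added example, not ComboFix/Malwarebytes code. The scoring rules are
assumptions made for illustration, not verdicts from any tool.
"""
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{3E7C8B5A-96AB-438F-BF9B-782400655440}]
c:\users\Swimming12\AppData\Roaming\Qwiklinx\Qwiklinx.dll [bU]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-01-22 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files (x86)\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2012-12-11 542104]
R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2012-12-17 38096]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
'''

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]\s*$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<tag>[^\]]*)\]\s*$')
SVC_RE = re.compile(r'^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<tag>[^\]]*)\]\s*$')
PATH_RE = re.compile(r'^(?P<path>[a-zA-Z]:\\.*?)\s*\[(?P<tag>[^\]]*)\]\s*$')
META_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d+$')      # "YYYY-MM-DD size" as ComboFix prints it
BINARY_RE = re.compile(r'\.(exe|dll|sys|cpl|scr|bat|cmd|vbs|js)\b', re.IGNORECASE)

# Assumption: locations a non-admin user can write to. Persistence loading
# from here gets reviewed before anything under Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


@dataclass
class Finding:
    source: str                     # registry key or "service S2" etc.
    name: str                       # value name / service name ("" for a BHO)
    path: str                       # command line or file path as logged
    tag: str                        # text inside the trailing [...]
    reasons: list = field(default_factory=list)


def binary_path(cmdline: str) -> str:
    """Cut a command line down to the binary, dropping arguments such as ' --windows-run'."""
    m = BINARY_RE.search(cmdline)
    return cmdline[:m.end()] if m else cmdline


def assess(f: Finding) -> Finding:
    """Attach review reasons to one entry (heuristics, not detections)."""
    low = binary_path(f.path).lower()
    if not META_RE.match(f.tag):
        f.reasons.append(f"no date/size recorded (marker [{f.tag}]): confirm the file exists on disk")
    if any(loc in low for loc in USER_WRITABLE):
        f.reasons.append("loads from a user-writable location")
    if f.source.startswith("BHO"):
        f.reasons.append("browser helper object: runs inside every IE process")
    return f


def parse(log_text: str) -> list:
    """Turn Run-key, service and BHO lines into Finding objects."""
    findings, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (km := KEY_RE.match(line)):
            key = km.group("key")                       # remember the current registry key
        elif (rm := RUN_RE.match(line)) and key:
            findings.append(Finding(key, rm.group("name"), rm.group("path"), rm.group("tag")))
        elif (sm := SVC_RE.match(line)):
            findings.append(Finding(f"service {sm.group('start')}", sm.group("name"),
                                    sm.group("path"), sm.group("tag")))
        elif (pm := PATH_RE.match(line)) and key and "Browser Helper Objects" in key:
            findings.append(Finding("BHO " + key.rsplit("\\", 1)[-1], "",
                                    pm.group("path"), pm.group("tag")))
    return [assess(f) for f in findings]


def suspicious(log_text: str) -> list:
    """Entries with at least one review reason, most reasons first."""
    return sorted((f for f in parse(log_text) if f.reasons), key=lambda f: -len(f.reasons))


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f"{f.source}: {f.name or f.path}")
        for r in f.reasons:
            print("    -", r)
```

On the posted log this puts the Qwiklinx BHO in the user's Roaming profile at the top of the list, followed by the two Run entries that lack a `date size` pair or load from ProgramData. The ranking is a reading order, not a verdict: legitimate software (Ad-Aware here) does install under ProgramData, so each flagged path still has to be checked by hand, which is what the helpers in the thread go on to do.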

Gringo,

I ran ComboFix one more time and posted the log above. MBAM doesn't seem to be picking up any more malicious software, but I am still having trouble with the computer restarting properly, especially when Windows tries to update the system automatically. Also, when the computer hibernates, it doesn't wake up properly. I have had to restart a couple of times.


  • Staff

Hello

I would like you to run this new tool and see if it finds anything.

Malwarebytes Anti-Rootkit

1. Download Malwarebytes Anti-Rootkit

2. Unzip the contents to a folder in a convenient location.

3. Open the folder where the contents were unzipped and run mbar.exe

4. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.

5. Click on the Cleanup button to remove any threats and reboot if prompted to do so.

6. Wait while the system shuts down and the cleanup process is performed.

7. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.

8. If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

9. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.

10. Verify that your system is now functioning normally.

Gringo


  • Staff


Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional

These are programs that start when you turn on your computer but don't need to; you can start any of them from its icon (or from the Control Panel) when you need it. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis (right-click and run as admin)
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Messenger] "C:\Program Files (x86)\Strongvault Online Backup\ClientMessenger.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

  • Close all open windows and browsers/email, etc.
  • Click on the "Fix Checked" button
  • When completed, close the application.

  • NOTE** You can research each of those lines >here< and see if you want to keep them or not; just copy the name between the brackets and paste it into the search space, for example the IntelliPoint from:
    O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click on the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the add-on to be installed
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
    • put a checkmark in "Uninstall application on close"
    • close program
    • report to me that nothing was found

  • If threats were found
    • click on "list of threats found"
    • click on "export to text file" and save it as ESET SCAN and save to the desktop
    • Click on back
    • put a checkmark in "Uninstall application on close"
    • click on finish
    • close program
    • copy and paste the report here

Gringo


  • Staff

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and then I will ask you to remove our tools.

Gringo
