Jump to content

Need help with malware removal. Keeps coming back after reboot


Recommended Posts

Here is the log of my last malwarebytes scan. The same ones keep coming back after rebooting machine after removal.

 

Any help would be greatly appreciated, thank you so much.

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.06.06

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
lguser :: US-SO10-NA1004F [administrator]

11/6/2013 1:11:41 PM
MBAM-log-2013-11-06 (13-14-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 250717
Time elapsed: 2 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\System\CurrentControlSet\Services\Protect (Rootkit.Agent) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 24
c:\program files\wirar\winrar.exe (Backdoor.Bifrose) -> No action taken.
c:\program files (x86)\wirar\winrar.exe (Backdoor.Bifrose) -> No action taken.
c:\winrar.exe (Trojan.Agent) -> No action taken.
c:\windows\system32\help\winrar.exe (Backdoor.Bifrose) -> No action taken.
c:\windows\syswow64\help\winrar.exe (Backdoor.Bifrose) -> No action taken.
c:\windows\system32\systems\winrar.exe (Backdoor.Bot) -> No action taken.
c:\windows\syswow64\systems\winrar.exe (Backdoor.Bot) -> No action taken.
c:\windows\winrara\winrar.exe (Backdoor.Bot) -> No action taken.
c:\windows\winrar\winrar.exe (Trojan.Agent) -> No action taken.
c:\programdata\two\winrar.exe (Trojan.Agent) -> No action taken.
c:\users\addc_client\appdata\roaming\two\winrar.exe (Trojan.Agent) -> No action taken.
c:\users\lguser.us-so10-na1004f\appdata\roaming\two\winrar.exe (Trojan.Agent) -> No action taken.
c:\users\lguser\appdata\roaming\two\winrar.exe (Trojan.Agent) -> No action taken.
c:\windows\serviceprofiles\localservice\appdata\roaming\two\winrar.exe (Trojan.Agent) -> No action taken.
c:\windows\serviceprofiles\networkservice\appdata\roaming\two\winrar.exe (Trojan.Agent) -> No action taken.
c:\windows\system32\config\systemprofile\appdata\roaming\two\winrar.exe (Trojan.Agent) -> No action taken.
c:\windows\installdir\winrar.exe (Backdoor.Agent) -> No action taken.
c:\programdata\dataprotect\winrar.exe (Trojan.Agent) -> No action taken.
c:\users\addc_client\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> No action taken.
c:\users\lguser.us-so10-na1004f\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> No action taken.
c:\users\lguser\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> No action taken.
c:\windows\serviceprofiles\localservice\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> No action taken.
c:\windows\serviceprofiles\networkservice\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> No action taken.
c:\windows\system32\config\systemprofile\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> No action taken.

(end)

Link to post
Share on other sites

Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

Thank you for your quick reply. Here are the two logs.

 

DDS.txt

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.16385
Run by lguser at 14:13:11 on 2013-11-06
Microsoft Windows 7 Enterprise   6.1.7600.0.1252.1.1033.18.3958.2440 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\WWCNT\WWCSERVICE.EXE
c:\Program Files (x86)\LGEAD\ADAgentService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kDell.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe
C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\WWCNT\WWCNT.EXE
C:\WWCNT\SYSTEM\PMonitor.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\mmc.exe
C:\Program Files (x86)\Common Files\Symantec Shared\COH\coh64.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.

BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: lge.com
Trusted Zone: lge.com


















TCP: NameServer = 136.166.10.50 136.166.10.51 156.147.135.181
TCP: Interfaces\{BA528336-9254-48B0-BC12-3ED346FF6842} : DHCPNameServer = 136.166.10.51 136.166.10.50 156.147.135.181
TCP: Interfaces\{CF6265DA-F4D4-4487-81E3-A4E21AD6B742} : DHCPNameServer = 136.166.10.50 136.166.10.51 156.147.135.181
TCP: Interfaces\{CF6265DA-F4D4-4487-81E3-A4E21AD6B742}\C474F51447C616E64716 : DHCPNameServer = 136.166.10.50 136.166.10.51 156.147.135.181
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [intelPROSet] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PROSet/Wireless
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 FileHook;SAFASOFT File System Filter;C:\Windows\System32\drivers\filehook.sys [2012-11-20 66336]
R0 sfcdex;Waterwall SFCDEX Filter;C:\Windows\System32\drivers\SFCDEX.sys [2011-3-14 23552]
R1 sfkbd;Waterwall Keyboard Filter;C:\Windows\System32\drivers\SFKbd.sys [2011-10-6 14624]
R1 sfmouse;Waterwall Mouse Filter;C:\Windows\System32\drivers\SFMouse.sys [2011-10-6 15136]
R1 SFRes;SAFASOFT Resource Driver;C:\Windows\System32\drivers\SFRes.sys [2011-8-18 47392]
R1 wwdevctl;wwdevctl;C:\Windows\System32\drivers\wwdevctl.sys [2012-10-30 22304]
R1 wwInjDrv;wwInjDrv;C:\Windows\System32\drivers\wwInjDrv64.sys [2012-11-7 59168]
R1 wwndisf;Waterwall NDIS LightWeight Filter;C:\Windows\System32\drivers\wwndisf.sys [2011-8-1 25376]
R1 wwreg;Waterwall Registry Filter;C:\Windows\System32\drivers\WWReg.sys [2011-9-16 14112]
R2 ADAgent;ADAgentService;C:\Program Files (x86)\LGEAD\ADAgentService.exe [2008-8-13 586752]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2012-10-24 1043912]
R2 Credential Vault Host Storage;Credential Vault Host Storage;C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2012-10-24 36808]
R2 QDLService2kDell;Qualcomm Gobi 2000 Download Service (Dell);C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kDell.exe [2010-6-25 331512]
R2 risdpcie;risdpcie;C:\Windows\System32\drivers\risdpe64.sys [2013-8-8 81920]
R2 WMCoreService;Mobile Broadband Service;C:\Program Files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe servicemode --> C:\Program Files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe servicemode [?]
R2 WWC;Ww Client Agent;C:\WWCnt\WwcService.exe [2011-4-19 323584]
R2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [2013-4-18 3388144]
R3 cvusbdrv;Dell ControlVault;C:\Windows\System32\drivers\cvusbdrv.sys [2012-10-24 47752]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2013-8-7 301232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-10-4 140376]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2013-8-8 158976]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-8-8 317440]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2013-2-13 1839888]
S3 Acceler;Accelerometer Service;C:\Windows\System32\drivers\accelern.sys [2013-8-7 27760]
S3 FDDec;SAFASOFT Encrypt Mobile Driver;C:\Windows\System32\drivers\fddec.sys [2011-8-30 43296]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2013-4-18 273136]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 wwhook;Waterwall PH Driver;C:\Windows\System32\drivers\Wwhook.sys [2010-11-18 14944]
.
=============== Created Last 30 ================
.
2013-11-06 18:10:46 -------- d-sh--w- C:\$RECYCLE.BIN
2013-11-06 15:37:49 90624 ----a-w- C:\RegDACL.exe
2013-11-06 15:31:26 -------- d-----w- C:\Program Files\Registrar Registry Manager
2013-11-06 15:27:09 387776 ----a-w- C:\PsExec.exe
2013-11-06 14:13:51 -------- d-----w- C:\Users\lguser\AppData\Roaming\Malwarebytes
2013-11-06 14:13:39 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-11-06 14:13:39 -------- d-----w- C:\ProgramData\Malwarebytes
2013-11-06 14:13:38 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-11-06 14:13:28 -------- d-----w- C:\Users\lguser\AppData\Local\Programs
2013-10-09 12:41:18 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-09 12:41:18 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-10-08 19:47:27 -------- d-----w- C:\Users\lguser\AppData\Roaming\GDMITempDirectory
2013-10-08 19:42:27 -------- d-----w- C:\Users\lguser\AppData\Local\Apps
2013-10-08 19:42:26 -------- d-----w- C:\Users\lguser\AppData\Local\Deployment
2013-10-07 20:53:20 -------- d-----w- C:\Users\lguser\AppData\Local\Adobe
.
==================== Find3M  ====================
.
2013-10-04 18:46:20 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-10-04 17:55:48 44544 ----a-w- C:\Windows\SysWow64\agremove.exe
2013-10-04 17:34:57 17920 ----a-w- C:\Windows\System32\rpcnetp.exe
2013-08-09 12:02:16 32752 ----a-w- C:\Windows\SysWow64\instw64.exe
2013-08-09 11:55:14 438680 ----a-w- C:\Windows\SysWow64\FindProg.ocx
2013-08-08 21:49:18 512512 ----a-w- C:\Windows\LGEAD.MSI
2013-08-08 21:12:06 173616 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
.
============= FINISH: 14:13:33.68 ===============
 

 

 

 

Attach.exe

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 8/7/2013 3:38:04 PM
System Uptime: 11/6/2013 12:48:49 PM (2 hours ago)
.
Motherboard: Dell Inc. |  | 0T6M8G
Processor: Intel® Core i5 CPU       M 520  @ 2.40GHz | CPU 1 | 2400/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 206.116 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description:
Device ID: ACPI\SMO8800\1
Manufacturer:
Name:
PNP Device ID: ACPI\SMO8800\1
Service:
.
==== System Restore Points ===================
.
RP20: 11/6/2013 1:10:46 PM - ComboFix created restore point
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Reader XI (11.0.05)
Citrix Program Neighborhood
Dell ControlVault Host Components Installer 64 bit
Dell Custom Help
Dell Touchpad
Dell Wireless HSPA Mini-Card Drivers
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Intel® Network Connections Drivers
Intel® Processor Graphics
Intel® PROSet/Wireless WiFi Software Driver
Intel® PROSet/Wireless Software
Intel® PROSet/Wireless WiFi Software
Java Auto Updater
Java 6 Update 26
LG ActiveDirectory Service
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4 Client Profile
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Qualcomm Gobi 2000 Package for Dell
Registrar Registry Manager 7.52
RICOH Media Driver ver.2.11.01.02
Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2553322) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2553431) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Visio Viewer 2010 (KB2597981) 32-Bit Edition
Symantec Endpoint Protection
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
Waterwall Client WIN7 for x64
.
==== Event Viewer Messages From Past Week ========
.
11/6/2013 9:45:15 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server kn-rd10-dc10$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 9:43:14 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001]  - The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000000a (0x0000000201022c58, 0x0000000000000002, 0x0000000000000000, 0xfffff800023166d4). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 110613-21496-01.
11/6/2013 9:39:53 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ta-mf10-dc12.lge.net. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 9:22:34 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server aichq10-dc14$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 2:12:47 PM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Symantec Management Client service, but this action failed with the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/6/2013 2:12:46 PM, Error: Service Control Manager [7031]  - The Symantec Management Client service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.
11/6/2013 12:50:13 PM, Error: NETLOGON [3210]  - This computer could not authenticate with \\AICHQ10-DC14.LGE.NET, a Windows domain controller for domain LGE, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
11/6/2013 12:49:32 PM, Error: Microsoft-Windows-GroupPolicy [1129]  - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
11/6/2013 12:49:25 PM, Error: NETLOGON [3210]  - This computer could not authenticate with \\AICHQ10-DC13.LGE.NET, a Windows domain controller for domain LGE, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
11/6/2013 12:49:19 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  Protect safandrv
11/6/2013 12:49:12 PM, Error: NETLOGON [5719]  - This computer was not able to set up a secure session with a domain controller in domain LGE due to the following:  There are currently no logon servers available to service the logon request.  This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.   ADDITIONAL INFO  If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
11/6/2013 12:48:09 PM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/sh-mf10-dc10.lge.net. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 11:46:03 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server gr-rd10-dc11$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 11:46:02 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server tu-so10-dc10$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 11:43:37 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server chjmf10-dc10$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 11:43:36 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server si-rd10-dc13$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 11:42:14 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sa-so10-dc11$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 11:42:08 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ptkmf10-dc12$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 11:41:51 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  safandrv
11/6/2013 11:40:31 AM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
11/6/2013 11:39:46 AM, Error: Application Popup [1060]  - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
11/6/2013 11:33:40 AM, Error: Service Control Manager [7031]  - The Symantec Settings Manager service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 100 milliseconds: Restart the service.
11/6/2013 11:33:40 AM, Error: Service Control Manager [7031]  - The Symantec Event Manager service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 200 milliseconds: Restart the service.
11/6/2013 11:33:25 AM, Error: Service Control Manager [7034]  - The Symantec Endpoint Protection service terminated unexpectedly.  It has done this 4 time(s).
11/6/2013 11:33:17 AM, Error: Service Control Manager [7034]  - The Symantec Management Client service terminated unexpectedly.  It has done this 3 time(s).
11/6/2013 11:33:15 AM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Symantec Settings Manager service, but this action failed with the following error:  An instance of the service is already running.
11/6/2013 11:33:15 AM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Symantec Event Manager service, but this action failed with the following error:  An instance of the service is already running.
11/6/2013 11:33:13 AM, Error: Service Control Manager [7031]  - The Symantec Management Client service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.
11/6/2013 11:33:12 AM, Error: Service Control Manager [7034]  - The Symantec Endpoint Protection service terminated unexpectedly.  It has done this 3 time(s).
11/6/2013 11:32:44 AM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Symantec Endpoint Protection service, but this action failed with the following error:  An instance of the service is already running.
11/6/2013 11:32:34 AM, Error: Service Control Manager [7031]  - The Symantec Endpoint Protection service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
11/6/2013 11:32:23 AM, Error: Service Control Manager [7031]  - The Symantec Endpoint Protection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
11/6/2013 11:16:27 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server cwnmf10-dc12$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 11:02:17 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server schrd10-dc10$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 11:00:35 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server lgeadpmse1q$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 10:56:46 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/il-mf10-dc12.lge.net. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 10:56:22 AM, Error: NetBT [4321]  - The name "US-SO10-NA1004F:0" could not be registered on the interface with IP address 10.192.109.135. The computer with the IP address 10.192.109.81 did not allow the name to be claimed by this computer.
11/6/2013 10:53:33 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  protect safandrv
11/6/2013 10:23:33 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/lgeeuadcal1q.lge.net. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 1:27:24 PM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server cichq10-dc15$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 1:08:40 PM, Error: Service Control Manager [7000]  - The safandrv service failed to start due to the following error:  The system cannot find the file specified.
11/6/2013 1:08:35 PM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ks-mf10-dc11$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/6/2013 1:08:35 PM, Error: Microsoft-Windows-GroupPolicy [1058]  - The processing of Group Policy failed. Windows attempted to read the file \\LGE.NET\SysVol\LGE.NET\Policies\{7B57367C-2FA1-4A3F-9C5B-1E1F3168D4C0}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:  a) Name Resolution/Network Connectivity to the current domain controller.  b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).  c) The Distributed File System (DFS) client has been disabled.
11/5/2013 2:32:33 PM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ci-so10-dc11.lge.net. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/4/2013 4:35:03 PM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server rs-mf10-dc11$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
11/1/2013 9:09:54 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server cwnmf10-dc13$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
10/31/2013 9:04:22 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/fs-so10-dc10.lge.net. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
10/31/2013 3:27:32 PM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server hlbrd10-dc12$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
10/31/2013 3:27:17 PM, Error: NETLOGON [5719]  - This computer was not able to set up a secure session with a domain controller in domain LGE due to the following:  The RPC server is unavailable.  This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.   ADDITIONAL INFO  If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
10/31/2013 10:39:02 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server nd-mf10-dc11$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
10/30/2013 9:21:00 AM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk1\DR1.
10/30/2013 9:19:29 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/az-mf10-dc10.lge.net. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
10/30/2013 8:29:55 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/lgeadpmse2q.lge.net. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
10/30/2013 8:04:26 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server in-mf10-dc11$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
10/30/2013 8:04:18 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server si-rd10-dc14$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
10/30/2013 10:47:39 AM, Error: Microsoft-Windows-Security-Kerberos [4]  - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ptkmf10-dc13$. The target name used was cifs/LGE.NET. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (LGE.NET) is different from the client domain (LGE.NET), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
.
==== End Of File ===========================
 

Link to post
Share on other sites

Roguekiller

 

 

RogueKiller V8.7.6 _x64_ [Oct 28 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : lguser [Admin rights]
Mode : Scan -- Date : 11/06/2013 14:24:54
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) ST9250410ASG +++++
--- User ---
[MBR] badef214783ba1828e6b1bbb476da889
[bSP] ec35e67ef5482204920c27e13a05195f : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 283 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 581632 | Size: 238190 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_11062013_142454.txt >>

 

 

Link to post
Share on other sites

OK..lets run some scans:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Link to post
Share on other sites

See if you can do this:

Download aswMBR to your desktop.

http://public.avast.com/~gmerek/aswMBR.exe

Double click the aswMBR.exe to run it.

If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".

Click the "Scan" button to start scan.

On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

Please zip it up and attach it to your next post.

MrC

Link to post
Share on other sites

Hi I couldn't find the option to attach a file to this reply but here is the log from the scan.

 

Thank you.

 

 

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-11-07 14:21:38
-----------------------------
14:21:38.428    OS Version: Windows x64 6.1.7600
14:21:38.428    Number of processors: 4 586 0x2505
14:21:38.428    ComputerName: US-SO10-NA1004F  UserName: lguser
14:21:40.284    Initialize success
14:49:32.778    AVAST engine defs: 13110601
14:55:11.299    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:55:11.299    Disk 0 Vendor: ST925041 0004 Size: 238475MB BusType: 8
14:55:11.392    Disk 0 MBR read successfully
14:55:11.408    Disk 0 MBR scan
14:55:11.408    Disk 0 Windows 7 default MBR code
14:55:11.408    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          283 MB offset 2048
14:55:11.424    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       238190 MB offset 581632
14:55:11.486    Disk 0 scanning C:\Windows\system32\drivers
14:55:22.078    Service scanning
14:55:44.839    Modules scanning
14:55:44.839    Disk 0 trace - called modules:
14:55:44.870    ntoskrnl.exe CLASSPNP.SYS disk.sys sfcdex.sys iaStorV.sys hal.dll
14:55:44.870    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004128060]
14:55:44.886    3 CLASSPNP.SYS[fffff8800145143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004061050]
14:55:45.619    AVAST engine scan C:\Windows
14:55:47.600    AVAST engine scan C:\Windows\system32
14:59:01.758    AVAST engine scan C:\Windows\system32\drivers
14:59:15.392    AVAST engine scan C:\Users\lguser
15:00:27.979    AVAST engine scan C:\ProgramData
15:01:09.179    Scan finished successfully
15:01:41.409    Disk 0 MBR has been saved successfully to "C:\Users\lguser\Desktop\MBR.dat"
15:01:41.424    The log file has been saved successfully to "C:\Users\lguser\Desktop\aswMBR.txt"

 

Link to post
Share on other sites

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    image000q.png

  • Put a checkmark beside loaded modules.

    2012081514h0118.png

  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.

    clip.jpg

  • Click the Start Scan button.

    19695967.jpg

  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    67776163.jpg

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If in doubt about an entry....please ask or choose Skip

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    62117367.jpg

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

MrC

Link to post
Share on other sites

Good...CLEAN.

Next......

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look like this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Good morning. Here is the log from combofix.

 

ComboFix 13-11-07.01 - lguser 11/08/2013   8:05.2.4 - x64
Microsoft Windows 7 Enterprise   6.1.7600.0.1252.1.1033.18.3958.2617 [GMT -5:00]
Running from: c:\users\lguser\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Symantec Endpoint Protection *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Protect
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-08 to 2013-11-08  )))))))))))))))))))))))))))))))
.
.
2013-11-08 13:10 . 2013-11-08 13:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-08 13:10 . 2013-11-08 13:10 -------- d-----w- c:\users\addc_Client\AppData\Local\temp
2013-11-06 22:03 . 2013-11-06 22:03 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-11-06 22:03 . 2013-11-07 18:11 116440 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-11-06 22:01 . 2013-11-06 22:01 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-11-06 15:37 . 2013-11-06 15:37 90624 ----a-w- C:\RegDACL.exe
2013-11-06 15:31 . 2013-11-06 15:31 -------- d-----w- c:\program files\Registrar Registry Manager
2013-11-06 15:27 . 2013-11-06 15:26 387776 ----a-w- C:\PsExec.exe
2013-11-06 15:23 . 2013-11-06 15:24 -------- d-----w- c:\users\lguser.US-SO10-NA1004F
2013-11-06 14:13 . 2013-11-06 14:13 -------- d-----w- c:\users\lguser\AppData\Roaming\Malwarebytes
2013-11-06 14:13 . 2013-11-06 14:13 -------- d-----w- c:\programdata\Malwarebytes
2013-11-06 14:13 . 2013-04-04 19:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-11-06 14:13 . 2013-11-06 14:13 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-11-06 14:13 . 2013-11-06 14:13 -------- d-----w- c:\users\lguser\AppData\Local\Programs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-07 21:42 . 2013-11-07 21:45 128645 ----a-w- C:\tdss.zip
2013-10-09 12:41 . 2013-10-09 12:41 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-09 12:41 . 2013-10-09 12:41 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-10-04 18:46 . 2013-10-04 18:46 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-10-04 17:55 . 2013-10-04 17:55 44544 ----a-w- c:\windows\SysWow64\agremove.exe
2013-10-04 17:34 . 2013-08-07 22:32 17920 ----a-w- c:\windows\system32\rpcnetp.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2013-02-14 115624]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-09-05 958576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logoff\0\0]
"Script"=offInsert.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\0\0]
"Script"=RemoveUsersShare_Win7.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\1\0]
"Script"=ie8session_disable_reg.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\2\0]
"Script"=AgentUnInstall.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\3\0]
"Script"=DNSSearch.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\4\0]
"Script"=ipid.vbe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\5\0]
"Script"=ie.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\6\0]
"Script"=logon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\7\0]
"Script"=setdns.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\8\0]
"Script"=OLSecurity.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\9\0]
"Script"=OLArchiving.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2543426832-1914326140-3112152631-453973\Scripts\Logon\a\0]
"Script"=setIEIntranet.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\fddec.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\filehook.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SFCDEX.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SFKbd.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SFMouse.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sfres.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WWC]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WwHook.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wwndisf.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R1 safandrv;safandrv;c:\windows\system32\drivers\safandrv.sys;c:\windows\SYSNATIVE\drivers\safandrv.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\accelern.sys;c:\windows\SYSNATIVE\DRIVERS\accelern.sys [x]
R3 FDDec;SAFASOFT Encrypt Mobile Driver; [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 wwhook;Waterwall PH Driver; [x]
S0 FileHook;SAFASOFT File System Filter; [x]
S0 sfcdex;Waterwall SFCDEX Filter; [x]
S1 sfkbd;Waterwall Keyboard Filter; [x]
S1 sfmouse;Waterwall Mouse Filter; [x]
S1 SFRes;SAFASOFT Resource Driver; [x]
S1 wwdevctl;wwdevctl;c:\windows\system32\drivers\wwdevctl.sys;c:\windows\SYSNATIVE\drivers\wwdevctl.sys [x]
S1 wwInjDrv;wwInjDrv;c:\windows\system32\Drivers\wwInjDrv64.SYS;c:\windows\SYSNATIVE\Drivers\wwInjDrv64.SYS [x]
S1 wwndisf;Waterwall NDIS LightWeight Filter;c:\windows\system32\DRIVERS\wwndisf.sys;c:\windows\SYSNATIVE\DRIVERS\wwndisf.sys [x]
S1 wwreg;Waterwall Registry Filter; [x]
S2 ADAgent;ADAgentService;c:\program files (x86)\LGEAD\ADAgentService.exe;c:\program files (x86)\LGEAD\ADAgentService.exe [x]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [x]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [x]
S2 QDLService2kDell;Qualcomm Gobi 2000 Download Service (Dell);c:\program files (x86)\QUALCOMM\QDLService2k\QDLService2kDell.exe;c:\program files (x86)\QUALCOMM\QDLService2k\QDLService2kDell.exe [x]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys;c:\windows\SYSNATIVE\DRIVERS\risdpe64.sys [x]
S2 WMCoreService;Mobile Broadband Service;c:\program files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe servicemode;c:\program files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe servicemode [x]
S2 WWC;Ww Client Agent;c:\wwcnt\WWCSERVICE.EXE;c:\wwcnt\WWCSERVICE.EXE [x]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys;c:\windows\SYSNATIVE\Drivers\cvusbdrv.sys [x]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1k62x64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-28 15:12 1185744 ----a-w- c:\program files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-09 12:41]
.
2013-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-08-07 20:46]
.
2013-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-08-07 20:46]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelPROSet"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2013-04-18 4791024]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2013-02-21 698712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2013-02-08 168944]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2013-02-08 394224]
"Persistence"="c:\windows\system32\igfxpers.exe" [2013-02-08 418800]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\system32\blank.htm
Trusted Zone: lge.com
TCP: DhcpNameServer = 136.166.10.50 136.166.10.51 156.147.135.181















.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-25847725.sys
SafeBoot-PROTECT.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe
c:\wwcnt\SYSTEM\PMonitor.exe
.
**************************************************************************
.
Completion time: 2013-11-08  08:22:41 - machine was rebooted
ComboFix-quarantined-files.txt  2013-11-08 13:22
ComboFix2.txt  2013-11-06 16:44
.
Pre-Run: 220,540,555,264 bytes free
Post-Run: 220,150,325,248 bytes free
.
- - End Of File - - AAF1E273B67F1E91E2913A13650048BC
A36C5E4F47E84449FF07ED3517B43A31
 

Link to post
Share on other sites

Looks Good.....

Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Make sure you click on download buttons that look like this, not "sponsored ad links":

bleep-crop.jpg

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Link to post
Share on other sites

Adwcleaner log.

 

 

# AdwCleaner v3.011 - Report created 08/11/2013 at 12:53:03
# Updated 03/11/2013 by Xplode
# Operating System : Windows 7 Enterprise  (64 bits)
# Username : lguser - US-SO10-NA1004F
# Running from : C:\Users\lguser\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7600.16968

-\\ Google Chrome v30.0.1599.101

[ File : C:\Users\lguser\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\lguser.US-SO10-NA1004F\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [1070 octets] - [08/11/2013 12:51:10]
AdwCleaner[s0].txt - [999 octets] - [08/11/2013 12:53:03]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1058 octets] ##########

Link to post
Share on other sites

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.06.06

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
lguser :: US-SO10-NA1004F [administrator]

11/8/2013 12:57:36 PM
mbam-log-2013-11-08 (12-57-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 251135
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\System\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 24
c:\program files\wirar\winrar.exe (Backdoor.Bifrose) -> Delete on reboot.
c:\program files (x86)\wirar\winrar.exe (Backdoor.Bifrose) -> Delete on reboot.
c:\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\system32\help\winrar.exe (Backdoor.Bifrose) -> Delete on reboot.
c:\windows\syswow64\help\winrar.exe (Backdoor.Bifrose) -> Delete on reboot.
c:\windows\system32\systems\winrar.exe (Backdoor.Bot) -> Delete on reboot.
c:\windows\syswow64\systems\winrar.exe (Backdoor.Bot) -> Delete on reboot.
c:\windows\winrara\winrar.exe (Backdoor.Bot) -> Delete on reboot.
c:\windows\winrar\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\programdata\two\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\users\addc_client\appdata\roaming\two\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\users\lguser.us-so10-na1004f\appdata\roaming\two\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\users\lguser\appdata\roaming\two\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\serviceprofiles\localservice\appdata\roaming\two\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\serviceprofiles\networkservice\appdata\roaming\two\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\system32\config\systemprofile\appdata\roaming\two\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\installdir\winrar.exe (Backdoor.Agent) -> Delete on reboot.
c:\programdata\dataprotect\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\users\addc_client\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\users\lguser.us-so10-na1004f\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\users\lguser\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\serviceprofiles\localservice\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\serviceprofiles\networkservice\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\system32\config\systemprofile\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> Delete on reboot.

(end)

Link to post
Share on other sites

Thanks for all your help so far.

 

The same 25 or so came up again, after reboot I tried again and same as well.

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.06.06

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
lguser :: US-SO10-NA1004F [administrator]

11/8/2013 1:38:29 PM
mbam-log-2013-11-08 (13-38-29).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 251109
Time elapsed: 2 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\System\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 24
c:\program files\wirar\winrar.exe (Backdoor.Bifrose) -> Delete on reboot.
c:\program files (x86)\wirar\winrar.exe (Backdoor.Bifrose) -> Delete on reboot.
c:\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\system32\help\winrar.exe (Backdoor.Bifrose) -> Delete on reboot.
c:\windows\syswow64\help\winrar.exe (Backdoor.Bifrose) -> Delete on reboot.
c:\windows\system32\systems\winrar.exe (Backdoor.Bot) -> Delete on reboot.
c:\windows\syswow64\systems\winrar.exe (Backdoor.Bot) -> Delete on reboot.
c:\windows\winrara\winrar.exe (Backdoor.Bot) -> Delete on reboot.
c:\windows\winrar\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\programdata\two\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\users\addc_client\appdata\roaming\two\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\users\lguser.us-so10-na1004f\appdata\roaming\two\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\users\lguser\appdata\roaming\two\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\serviceprofiles\localservice\appdata\roaming\two\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\serviceprofiles\networkservice\appdata\roaming\two\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\system32\config\systemprofile\appdata\roaming\two\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\installdir\winrar.exe (Backdoor.Agent) -> Delete on reboot.
c:\programdata\dataprotect\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\users\addc_client\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\users\lguser.us-so10-na1004f\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\users\lguser\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\serviceprofiles\localservice\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\serviceprofiles\networkservice\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\system32\config\systemprofile\appdata\roaming\dataprotect\winrar.exe (Trojan.Agent) -> Delete on reboot.

(end)

Link to post
Share on other sites

Hi, thanks again for your help and prompt replies.

 

I'm not sure what service I am to delete.

 

From malwarebytes log, it lists a whole bunch of files and folders that do not exist but there is a registry key that keeps showing up again after i delete it.

 

HKLM\System\CurrentControlSet\Services\Protect (Rootkit.Agent) -> No action taken.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.