Jump to content

Infected Laptop


Recommended Posts

Hello - Our family laptop seems to have been bitten by the AV Security Suite bug. I followed instructions from bleepingcomputer - Booted Computer in Safe Mode, Ran RKill, Ran Malwarebytes Anti-Malware and I am still having issues. There is one file I cant seem to get rid of PUP.BitMiner, located in Windows\assembly\temp\kwrd.dll and the fan is constantly running. I have no idea if there are other issues or this is it? I have attached the two files per the instructions and I am hoping someone can help.

Also, I'd like to back up some files from the computer in the event of something catastrophic. Can this virus (or others) be transferred via image files (i.e. family photos).

Thanks Kindly.

DDS.txt

Attach.txt

Link to post
Share on other sites

Hello th3sp3ck! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/paste in your next reply.

Please post your log files in your reply.

Link to post
Share on other sites

Thank you! Here's my DDS log file:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK

Internet Explorer: 8.0.7601.17514

Run by Andrea at 20:47:56 on 2011-11-15

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4063.2954 [GMT -6:00]

.

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\Explorer.EXE

C:\Windows\system32\ctfmon.exe

C:\Windows\system32\DllHost.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\SysWOW64\ping.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

uRun: [Google Update] "C:\Users\Andrea\AppData\Local\Google\Update\GoogleUpdate.exe" /c

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

uRun: [kExOVCtNHl.exe] C:\Users\Andrea\AppData\Local\Temp\kExOVCtNHl.exe

mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui

mRun: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [RoxioNowMediaManagerApp] C:\Program Files (x86)\Roxio\RoxioNow Player\RNowShell.exe -start

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [<NO NAME>]

mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

mRunOnce: [GrpConv] grpconv -o

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WINDOW~1.LNK - C:\Windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

LSP: mswsock.dll

Trusted Zone: cinemanow.com

Trusted Zone: intuit.com\ttlc

DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} - hxxp://192.168.1.109/img/NetCamPlayerWeb.ocx

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader_200909.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1

TCP: Interfaces\{81BA6BE1-9ED2-4942-BEE6-68D29F554F25} : DhcpNameServer = 68.87.77.134 68.87.72.134

TCP: Interfaces\{8CCA3A8A-BB66-427D-B4C8-A505FFC71732} : DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1

TCP: Interfaces\{8CCA3A8A-BB66-427D-B4C8-A505FFC71732}\051647963737562796564363027457563747 : DhcpNameServer = 192.168.4.1

TCP: Interfaces\{8CCA3A8A-BB66-427D-B4C8-A505FFC71732}\44C402E4564777F627B6 : DhcpNameServer = 10.0.1.1

TCP: Interfaces\{8CCA3A8A-BB66-427D-B4C8-A505FFC71732}\C696E6B6379737F53786F677 : DhcpNameServer = 68.87.77.134 68.87.72.134 192.168.1.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

BHO-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

BHO-X64: Ask Toolbar BHO - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

TB-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll

mRun-x64: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui

mRun-x64: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [RoxioNowMediaManagerApp] C:\Program Files (x86)\Roxio\RoxioNow Player\RNowShell.exe -start

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [(Default)]

mRun-x64: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"

mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

mRunOnce-x64: [GrpConv] grpconv -o

.

============= SERVICES / DRIVERS ===============

.

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]

R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

S1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]

S1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]

S2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2010-2-12 89600]

S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2009-10-7 231272]

S2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]

S2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]

S2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-9-11 44768]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 esClient;Windows Media Center Client Service;C:\Program Files\Windows Home Server\esClient.exe [2009-10-7 109928]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-3-11 135664]

S2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]

S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2010-11-12 366152]

S2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-10-20 400368]

S2 WHSConnector;Windows Home Server Connector Service;C:\Program Files\Windows Home Server\WHSConnector.exe [2009-10-7 489832]

S3 FlyUsb;FLY Fusion;C:\Windows\system32\DRIVERS\FlyUsb.sys --> C:\Windows\system32\DRIVERS\FlyUsb.sys [?]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-3-11 135664]

S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

.

=============== Created Last 30 ================

.

2011-11-16 00:10:19 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-11-15 02:28:43 -------- d-----w- C:\Program Files (x86)\Ask.com

2011-11-13 06:54:05 -------- d-----w- C:\ProgramData\Ask

2011-11-12 19:02:02 -------- d-----w- C:\Program Files (x86)\DA541

2011-11-12 19:01:21 -------- d-----w- C:\Program Files (x86)\LP

2011-11-12 18:54:09 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CD4C9FD5-0F8B-4BFA-82A1-62B88267D178}\offreg.dll

2011-11-12 18:53:14 -------- d-----w- C:\Users\Andrea\AppData\Roaming\lnG4amH6s

2011-11-12 18:53:14 -------- d-----w- C:\Users\Andrea\AppData\Roaming\kL8gTZqhYwUrOtP

2011-11-12 18:45:08 -------- d-----w- C:\Users\Andrea\AppData\Roaming\DA541

2011-11-12 18:44:48 -------- d-----w- C:\Users\Andrea\AppData\Roaming\421DA

2011-11-12 18:44:34 -------- d-----we C:\Windows\system64

2011-11-12 18:44:31 -------- d-----w- C:\Users\Andrea\AppData\Roaming\NhhhTXXqjUCkIrz

2011-11-12 18:44:31 -------- d-----w- C:\Users\Andrea\AppData\Roaming\fNNyyxAA0uS2i

2011-11-12 18:44:26 -------- d-----w- C:\Users\Andrea\AppData\Roaming\hfffRZZ9hTXjUel

2011-11-12 18:44:25 -------- d-----w- C:\Users\Andrea\AppData\Roaming\ucccA11iv

2011-11-12 18:44:25 -------- d-----w- C:\Users\Andrea\AppData\Roaming\AsssQJJ7dEK8RZh

2011-11-11 09:10:58 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CD4C9FD5-0F8B-4BFA-82A1-62B88267D178}\mpengine.dll

2011-11-09 08:20:49 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll

2011-11-09 08:20:49 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll

2011-11-09 08:20:48 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2011-11-09 08:20:46 3144704 ----a-w- C:\Windows\System32\win32k.sys

2011-10-26 21:28:40 6144 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll

2011-10-26 21:28:40 6144 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll

.

==================== Find3M ====================

.

2011-11-12 18:44:45 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-10-03 11:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2011-10-01 03:25:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2011-10-01 02:42:56 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-09-06 20:45:29 41184 ----a-w- C:\Windows\avastSS.scr

2011-09-06 20:38:18 601944 ----a-w- C:\Windows\System32\drivers\aswSnx.sys

2011-09-06 20:36:30 65368 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys

2011-08-31 23:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-08-27 05:37:49 861696 ----a-w- C:\Windows\System32\oleaut32.dll

2011-08-27 05:37:48 331776 ----a-w- C:\Windows\System32\oleacc.dll

2011-08-27 04:26:27 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll

2011-08-27 04:26:27 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll

2011-08-20 05:37:58 1188864 ----a-w- C:\Windows\System32\wininet.dll

2011-08-20 04:31:05 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

.

============= FINISH: 20:48:07.72 ===============

Link to post
Share on other sites

Oops. :unsure:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 2/12/2010 10:51:23 AM

System Uptime: 11/15/2011 6:04:54 PM (2 hours ago)

.

Motherboard: Compal | | 30F8

Processor: Intel® Core2 Duo CPU P7450 @ 2.13GHz | CPU | 2128/1066mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 284 GiB total, 0.937 GiB free.

D: is FIXED (NTFS) - 14 GiB total, 2.083 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description:

Device ID: USB\VID_138A&PID_0001\5&1479ABFB&0&2

Manufacturer:

Name:

PNP Device ID: USB\VID_138A&PID_0001\5&1479ABFB&0&2

Service:

.

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Description: Windows Firewall Authorization Driver

Device ID: ROOT\LEGACY_MPSDRV\0000

Manufacturer:

Name: Windows Firewall Authorization Driver

PNP Device ID: ROOT\LEGACY_MPSDRV\0000

Service: mpsdrv

.

Class GUID:

Description: Base System Device

Device ID: PCI\VEN_197B&DEV_2382&SUBSYS_30F7103C&REV_00\4&17D1176A&0&00E4

Manufacturer:

Name: Base System Device

PNP Device ID: PCI\VEN_197B&DEV_2382&SUBSYS_30F7103C&REV_00\4&17D1176A&0&00E4

Service:

.

Class GUID:

Description: Base System Device

Device ID: PCI\VEN_197B&DEV_2383&SUBSYS_30F7103C&REV_00\4&17D1176A&0&03E4

Manufacturer:

Name: Base System Device

PNP Device ID: PCI\VEN_197B&DEV_2383&SUBSYS_30F7103C&REV_00\4&17D1176A&0&03E4

Service:

.

Class GUID: {4d36e97d-e325-11ce-bfc1-08002be10318}

Description: Consumer IR Devices

Device ID: ROOT\SYSTEM\0001

Manufacturer: Microsoft

Name: Consumer IR Devices

PNP Device ID: ROOT\SYSTEM\0001

Service: circlass

.

Class GUID:

Description: Base System Device

Device ID: PCI\VEN_197B&DEV_2384&SUBSYS_30F7103C&REV_00\4&17D1176A&0&04E4

Manufacturer:

Name: Base System Device

PNP Device ID: PCI\VEN_197B&DEV_2384&SUBSYS_30F7103C&REV_00\4&17D1176A&0&04E4

Service:

.

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Description: Security Processor Loader Driver

Device ID: ROOT\LEGACY_SPLDR\0000

Manufacturer:

Name: Security Processor Loader Driver

PNP Device ID: ROOT\LEGACY_SPLDR\0000

Service: spldr

.

==== System Restore Points ===================

.

RP267: 8/26/2011 3:00:16 AM - Windows Update

RP268: 8/30/2011 6:39:48 PM - Windows Update

RP269: 9/6/2011 3:04:19 PM - Windows Update

RP270: 9/7/2011 3:00:17 AM - Windows Update

RP271: 9/11/2011 7:55:15 AM - Windows Update

RP273: 9/16/2011 1:40:35 AM - Windows Update

RP274: 9/17/2011 3:00:15 AM - Windows Update

RP275: 9/22/2011 3:00:21 AM - Windows Update

RP276: 9/29/2011 7:14:47 AM - Windows Update

RP277: 10/2/2011 3:00:27 AM - Windows Update

RP278: 10/8/2011 12:38:20 AM - Windows Update

RP279: 10/12/2011 12:46:06 AM - Windows Update

RP280: 10/15/2011 3:00:16 AM - Windows Update

RP281: 10/21/2011 9:43:26 PM - Windows Update

RP282: 10/25/2011 2:06:10 AM - Windows Update

RP283: 10/28/2011 5:49:48 PM - Windows Update

RP284: 10/30/2011 3:00:26 AM - Windows Update

RP285: 11/4/2011 3:10:28 PM - Windows Update

RP286: 11/9/2011 2:17:37 AM - Windows Update

RP287: 11/12/2011 9:51:44 AM - Windows Update

RP288: 11/12/2011 7:34:08 PM - HPSF Restore Point

RP289: 11/13/2011 12:52:26 AM - Installed Java 6 Update 29

RP290: 11/13/2011 12:53:42 AM - Installed Java Runtime Environment

.

==== Installed Programs ======================

.

.

AAC Decoder

Acrobat.com

ActiveCheck component for HP Active Support Library

Adobe AIR

Adobe Flash Player 10 Plugin

Adobe Flash Player 11 ActiveX

Adobe Reader 9.4.6

Apple Application Support

Apple Software Update

Ask Toolbar

AutoUpdate

avast! Free Antivirus

Compatibility Pack for the 2007 Office system

DivX Codec

DivX Converter

DivX Plus DirectShow Filters

DivX Plus Media Foundation Components

DivX Plus Web Player

DivX Version Checker

EditPlus 3

FileZilla Client 3.5.1

Google Talk Plugin

Google Toolbar for Internet Explorer

Google Update Helper

H.264 Decoder

HP Customer Experience Enhancements

HP Support Assistant

HPAsset component for HP Active Support Library

IDT Audio

iSEEK AnswerWorks English Runtime

Java Auto Updater

Java 6 Update 29

LeapFrog Connect

LeapFrog Tag Junior Plugin

Logitech Harmony Remote Software 7

Malwarebytes' Anti-Malware version 1.51.2.1300

Microsoft Office XP Small Business

Microsoft Silverlight

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

MKV Splitter

NVIDIA PhysX

QuickTime

Realtek Ethernet Controller Driver For Windows Vista and Later

Remote Control USB Driver

RoxioNow Player

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Skype Toolbars

Skype™ 5.3

System Requirements Lab

TurboTax 2009

TurboTax 2009 WinPerFedFormset

TurboTax 2009 WinPerReleaseEngine

TurboTax 2009 WinPerTaxSupport

TurboTax 2009 wmniper

TurboTax 2009 wrapper

TurboTax 2010

TurboTax 2010 WinPerFedFormset

TurboTax 2010 WinPerReleaseEngine

TurboTax 2010 WinPerTaxSupport

TurboTax 2010 wmniper

TurboTax 2010 wrapper

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Junior Plugin)

VC80CRTRedist - 8.0.50727.4053

VLC media player 1.1.7

Win7codecs

.

==== Event Viewer Messages From Past Week ========

.

11/15/2011 6:10:18 PM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.

11/15/2011 6:07:23 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

11/15/2011 6:05:59 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

11/15/2011 6:05:59 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

11/15/2011 6:05:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

11/15/2011 6:05:51 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

11/15/2011 6:05:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}

11/15/2011 6:05:23 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP discache spldr Wanarpv6

11/15/2011 6:05:21 PM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Windows Firewall Authorization Driver service which failed to start because of the following error: Cannot create a file when that file already exists.

11/15/2011 6:05:21 PM, Error: Service Control Manager [7001] - The Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.

11/15/2011 6:05:21 PM, Error: Service Control Manager [7000] - The Windows Firewall Authorization Driver service failed to start due to the following error: Cannot create a file when that file already exists.

11/14/2011 8:27:10 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the LeapFrog Connect Device Service service to connect.

11/13/2011 12:56:11 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Spooler service.

11/12/2011 1:03:09 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}

11/12/2011 1:03:09 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}

11/12/2011 1:01:45 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

.

==== End Of File ===========================

Link to post
Share on other sites

Step 1

I see the Ask Toolbar in your log.

I strongly recommend you remove Ask Toolbar from your computer because:

  • It promotes its toolbars on sites targeted at kids.
  • It promotes its toolbars through ads that appear to be part of other companies' sites.
  • It promotes its toolbars through other companies' spyware.
  • It is Installed without any disclosure whatsoever and without any consent from the user whatsoever.
  • It Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  • It makes confusing changes to user's browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

You can read more about Ask.com here

To remove it:

Click Start-->-Control Panel-->Programs and Features

Click on the program name AskBarDis to highlight it

From the menu at the top, select Uninstall or Remove.

Please reboot the computer.

Step 2

Now it's time to clean the cache of Java, because of malware. Malware that could be found in this cache directory are not associated with the Java that was downloaded and installed on the system. A cache directory is aa temporary storage location. When the browser runs an applet or application, Java stores files into its cache directory for better performance.

Click Start => Control Panel.

Double-click the Java icon in the control panel. The Java Control Panel appears.

plugin_cache1.jpg

Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.

plugin_cache2.jpg

Click Delete Files. The Delete Temporary Files dialog box appears.

plugin_cache3.jpg

Click OK on Delete Temporary Files window. Note: This deletes all the Downloaded Applications and Applets from the cache.

Click OK on Temporary Files Settings window. Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.

Step 3

Please follow the instructions for ComboFix here:

www.bleepingcomputer.com/combofix/how-to-use-combofix#use

Post the log.txt when you are ready.

Link to post
Share on other sites

Here's the ComboFix Report:

ComboFix 11-11-17.03 - Andrea 11/17/2011 14:36:28.1.2 - x64 NETWORK

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4063.3380 [GMT -6:00]

Running from: c:\users\Andrea\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files (x86)\LP

c:\program files (x86)\LP\9994\6345.tmp

c:\program files (x86)\LP\9994\C689.tmp

c:\users\Andrea\AppData\Local\Temp\kExOVCtNHl.exe

c:\users\Andrea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Security 2012

c:\users\Andrea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Security 2012\AV Security 2012.lnk

c:\windows\system32\consrv.dll

c:\windows\System64

.

.

((((((((((((((((((((((((( Files Created from 2011-10-17 to 2011-11-17 )))))))))))))))))))))))))))))))

.

.

2011-11-17 20:42 . 2011-11-17 20:42 -------- d-----w- c:\users\Mcx1-JULIAN\AppData\Local\temp

2011-11-17 20:42 . 2011-11-17 20:42 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-11-13 06:54 . 2011-11-13 06:54 -------- d-----w- c:\programdata\Ask

2011-11-12 19:02 . 2011-11-15 04:18 -------- d-----w- c:\program files (x86)\DA541

2011-11-12 18:54 . 2011-11-12 18:54 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CD4C9FD5-0F8B-4BFA-82A1-62B88267D178}\offreg.dll

2011-11-12 18:53 . 2011-11-12 18:53 -------- d-----w- c:\users\Andrea\AppData\Roaming\kL8gTZqhYwUrOtP

2011-11-12 18:53 . 2011-11-12 18:53 -------- d-----w- c:\users\Andrea\AppData\Roaming\lnG4amH6s

2011-11-12 18:45 . 2011-11-15 04:18 -------- d-----w- c:\users\Andrea\AppData\Roaming\DA541

2011-11-12 18:44 . 2011-11-15 04:18 -------- d-----w- c:\users\Andrea\AppData\Roaming\421DA

2011-11-12 18:44 . 2011-11-12 18:44 -------- d-----w- c:\users\Andrea\AppData\Roaming\fNNyyxAA0uS2i

2011-11-12 18:44 . 2011-11-12 18:44 -------- d-----w- c:\users\Andrea\AppData\Roaming\NhhhTXXqjUCkIrz

2011-11-12 18:44 . 2011-11-12 18:44 -------- d-----w- c:\users\Andrea\AppData\Roaming\hfffRZZ9hTXjUel

2011-11-12 18:44 . 2011-11-12 21:38 -------- d-----w- c:\users\Andrea\AppData\Roaming\AsssQJJ7dEK8RZh

2011-11-12 18:44 . 2011-11-12 18:44 -------- d-----w- c:\users\Andrea\AppData\Roaming\ucccA11iv

2011-11-11 09:10 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CD4C9FD5-0F8B-4BFA-82A1-62B88267D178}\mpengine.dll

2011-11-09 08:20 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll

2011-11-09 08:20 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll

2011-11-09 08:20 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-09 08:20 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys

2011-10-26 21:28 . 2011-08-13 05:27 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll

2011-10-26 21:28 . 2011-08-13 04:18 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-12 18:44 . 2011-06-21 13:06 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-10-03 11:06 . 2010-11-13 22:11 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll

2011-10-01 03:25 . 2011-10-12 05:51 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-10-01 02:42 . 2011-10-12 05:51 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb

2011-09-06 20:45 . 2010-10-06 13:06 41184 ----a-w- c:\windows\avastSS.scr

2011-09-06 20:45 . 2010-03-22 13:21 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe

2011-09-06 20:45 . 2011-01-23 13:03 254400 ----a-w- c:\windows\system32\aswBoot.exe

2011-09-06 20:38 . 2011-09-11 12:53 601944 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-09-06 20:38 . 2010-03-22 13:22 301912 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-09-06 20:36 . 2010-03-22 13:22 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-09-06 20:36 . 2010-03-22 13:22 65368 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2011-09-06 20:36 . 2010-03-22 13:22 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-08-31 23:00 . 2010-11-13 02:09 25416 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-27 05:37 . 2011-10-12 05:51 861696 ----a-w- c:\windows\system32\oleaut32.dll

2011-08-27 05:37 . 2011-10-12 05:51 331776 ----a-w- c:\windows\system32\oleacc.dll

2011-08-27 04:26 . 2011-10-12 05:51 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll

2011-08-27 04:26 . 2011-10-12 05:51 233472 ----a-w- c:\windows\SysWow64\oleacc.dll

2011-08-20 05:37 . 2011-10-12 05:51 1188864 ----a-w- c:\windows\system32\wininet.dll

2011-08-20 04:31 . 2011-10-12 05:51 981504 ----a-w- c:\windows\SysWow64\wininet.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-11 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-09-28 185688]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"RoxioNowMediaManagerApp"="c:\program files (x86)\Roxio\RoxioNow Player\RNowShell.exe" [2010-10-21 2646000]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2010-2-12 666984]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"HideSCAHealth"= 1 (0x1)

.

R2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2009-10-07 231272]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-12 135664]

R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-12 135664]

R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-03-03 89600]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]

S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [2009-10-07 109928]

S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-10-21 400368]

S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [2009-10-07 489832]

S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-12 02:04]

.

2011-11-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-12 02:04]

.

2011-11-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2778794153-1029177052-2984632812-1001Core.job

- c:\users\Andrea\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-28 17:04]

.

2011-11-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2778794153-1029177052-2984632812-1001UA.job

- c:\users\Andrea\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-28 17:04]

.

2011-11-17 c:\windows\Tasks\HPCeeScheduleForAndrea.job

- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 10:22]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-09-06 20:45 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-07-22 450048]

"combofix"="c:\combofix\CF21642.3XE" [2010-11-20 345088]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

Trusted Zone: cinemanow.com

Trusted Zone: intuit.com\ttlc

TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1

DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} - hxxp://192.168.1.109/img/NetCamPlayerWeb.ocx

DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader_200909.cab

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Bonjour\mDNSResponder.exe

c:\program files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe

c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe

.

**************************************************************************

.

Completion time: 2011-11-17 14:50:37 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-17 20:50

.

Pre-Run: 938,098,688 bytes free

Post-Run: 930,521,088 bytes free

.

- - End Of File - - 9837E4A612857F949807271345EA6276

Link to post
Share on other sites

Open Notepad and copy and paste the text in the code box below into it:

Folder::
c:\programdata\Ask
c:\program files (x86)\DA541
c:\users\Andrea\AppData\Roaming\kL8gTZqhYwUrOtP
c:\users\Andrea\AppData\Roaming\lnG4amH6s
c:\users\Andrea\AppData\Roaming\DA541
c:\users\Andrea\AppData\Roaming\421DA
c:\users\Andrea\AppData\Roaming\fNNyyxAA0uS2i
c:\users\Andrea\AppData\Roaming\NhhhTXXqjUCkIrz
c:\users\Andrea\AppData\Roaming\hfffRZZ9hTXjUel
c:\users\Andrea\AppData\Roaming\AsssQJJ7dEK8RZh
c:\users\Andrea\AppData\Roaming\ucccA11iv

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

In your next post here, please include ComboFix.txt and let me know how are things there.

Link to post
Share on other sites

Here's the ComboFix text. As best as I can tell things seem better. Am I truly virus free? Besides not allowing my 3 year old to click ad banners, anything else you suggest for avoiding such issues in the future?

ComboFix 11-11-18.01 - Andrea 11/18/2011 7:03.2.2 - x64

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4063.2759 [GMT -6:00]

Running from: c:\users\Andrea\Desktop\ComboFix.exe

Command switches used :: c:\users\Andrea\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files (x86)\DA541

c:\programdata\Ask

c:\users\Andrea\AppData\Roaming\421DA

c:\users\Andrea\AppData\Roaming\421DA\A541.21D

c:\users\Andrea\AppData\Roaming\AsssQJJ7dEK8RZh

c:\users\Andrea\AppData\Roaming\DA541

c:\users\Andrea\AppData\Roaming\fNNyyxAA0uS2i

c:\users\Andrea\AppData\Roaming\fNNyyxAA0uS2i\AV Security 2012.ico

c:\users\Andrea\AppData\Roaming\hfffRZZ9hTXjUel

c:\users\Andrea\AppData\Roaming\kL8gTZqhYwUrOtP

c:\users\Andrea\AppData\Roaming\kL8gTZqhYwUrOtP\AV Security 2012.ico

c:\users\Andrea\AppData\Roaming\lnG4amH6s

c:\users\Andrea\AppData\Roaming\NhhhTXXqjUCkIrz

c:\users\Andrea\AppData\Roaming\ucccA11iv

.

.

((((((((((((((((((((((((( Files Created from 2011-10-18 to 2011-11-18 )))))))))))))))))))))))))))))))

.

.

2011-11-18 13:09 . 2011-11-18 13:09 -------- d-----w- c:\users\Mcx1-JULIAN\AppData\Local\temp

2011-11-18 13:09 . 2011-11-18 13:09 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-11-12 18:54 . 2011-11-12 18:54 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CD4C9FD5-0F8B-4BFA-82A1-62B88267D178}\offreg.dll

2011-11-11 09:10 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CD4C9FD5-0F8B-4BFA-82A1-62B88267D178}\mpengine.dll

2011-11-09 08:20 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll

2011-11-09 08:20 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll

2011-11-09 08:20 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-09 08:20 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys

2011-10-26 21:28 . 2011-08-13 05:27 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll

2011-10-26 21:28 . 2011-08-13 04:18 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-12 18:44 . 2011-06-21 13:06 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-10-03 11:06 . 2010-11-13 22:11 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll

2011-10-01 03:25 . 2011-10-12 05:51 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-10-01 02:42 . 2011-10-12 05:51 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb

2011-09-06 20:45 . 2010-10-06 13:06 41184 ----a-w- c:\windows\avastSS.scr

2011-09-06 20:45 . 2010-03-22 13:21 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe

2011-09-06 20:45 . 2011-01-23 13:03 254400 ----a-w- c:\windows\system32\aswBoot.exe

2011-09-06 20:38 . 2011-09-11 12:53 601944 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-09-06 20:38 . 2010-03-22 13:22 301912 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-09-06 20:36 . 2010-03-22 13:22 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-09-06 20:36 . 2010-03-22 13:22 65368 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2011-09-06 20:36 . 2010-03-22 13:22 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-08-31 23:00 . 2010-11-13 02:09 25416 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-27 05:37 . 2011-10-12 05:51 861696 ----a-w- c:\windows\system32\oleaut32.dll

2011-08-27 05:37 . 2011-10-12 05:51 331776 ----a-w- c:\windows\system32\oleacc.dll

2011-08-27 04:26 . 2011-10-12 05:51 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll

2011-08-27 04:26 . 2011-10-12 05:51 233472 ----a-w- c:\windows\SysWow64\oleacc.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-11-17_20.45.29 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-02-12 18:54 . 2011-11-17 21:29 33812 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin

- 2009-07-14 05:10 . 2011-11-17 02:59 48318 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2009-07-14 05:10 . 2011-11-17 21:29 48318 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin

+ 2010-02-12 18:49 . 2011-11-17 21:29 12986 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2778794153-1029177052-2984632812-1001_UserData.bin

+ 2010-02-12 16:47 . 2011-11-17 22:03 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2010-02-12 16:47 . 2011-11-17 20:28 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2010-02-12 16:47 . 2011-11-17 20:28 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2010-02-12 16:47 . 2011-11-17 22:03 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 04:54 . 2011-11-17 20:28 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-07-14 04:54 . 2011-11-17 22:03 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2010-02-12 16:53 . 2011-11-17 03:00 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-02-12 16:53 . 2011-11-17 21:07 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-02-12 16:53 . 2011-11-17 21:07 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2010-02-12 16:53 . 2011-11-17 03:00 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2010-02-12 16:53 . 2011-11-17 21:07 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2010-02-12 16:53 . 2011-11-17 03:00 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2010-02-12 18:13 . 2011-11-17 02:58 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-02-12 18:13 . 2011-11-18 13:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-02-12 18:13 . 2011-11-18 13:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2010-02-12 18:13 . 2011-11-17 02:58 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2010-02-24 09:18 . 2011-11-17 20:53 3032 c:\windows\system32\wdi\ERCQueuedResolutions.dat

+ 2011-11-17 21:04 . 2011-11-17 21:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2011-11-17 20:43 . 2011-11-17 20:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2011-11-17 21:04 . 2011-11-17 21:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2011-11-17 20:43 . 2011-11-17 20:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2009-07-14 04:54 . 2011-11-17 20:44 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2009-07-14 04:54 . 2011-11-18 12:55 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-02-12 21:16 . 2011-11-18 12:54 288910 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin

+ 2009-07-14 02:36 . 2011-11-18 12:55 624412 c:\windows\system32\perfh009.dat

+ 2009-07-14 02:36 . 2011-11-18 12:55 106756 c:\windows\system32\perfc009.dat

- 2009-07-14 05:01 . 2011-11-17 03:13 323092 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2009-07-14 05:01 . 2011-11-17 20:53 323092 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2009-07-14 04:54 . 2011-11-18 12:55 3899392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 04:54 . 2011-11-17 20:44 3899392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2009-07-14 04:54 . 2011-11-17 20:44 1277952 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2009-07-14 04:54 . 2011-11-18 12:55 1277952 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-11 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-09-28 185688]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"RoxioNowMediaManagerApp"="c:\program files (x86)\Roxio\RoxioNow Player\RNowShell.exe" [2010-10-21 2646000]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2010-2-12 666984]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"HideSCAHealth"= 1 (0x1)

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-12 135664]

R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-12 135664]

R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S1 aswSnx;aswSnx; [x]

S1 aswSP;aswSP; [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [2009-03-03 89600]

S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2009-10-07 231272]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]

S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [2009-10-07 109928]

S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-10-21 400368]

S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [2009-10-07 489832]

S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-12 02:04]

.

2011-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-12 02:04]

.

2011-11-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2778794153-1029177052-2984632812-1001Core.job

- c:\users\Andrea\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-28 17:04]

.

2011-11-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2778794153-1029177052-2984632812-1001UA.job

- c:\users\Andrea\AppData\Local\Google\Update\GoogleUpdate.exe [2010-02-28 17:04]

.

2011-11-18 c:\windows\Tasks\HPCeeScheduleForAndrea.job

- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 10:22]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-09-06 20:45 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-07-22 450048]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

Trusted Zone: cinemanow.com

Trusted Zone: intuit.com\ttlc

TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1

DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} - hxxp://192.168.1.109/img/NetCamPlayerWeb.ocx

DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader_200909.cab

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-11-18 07:11:13

ComboFix-quarantined-files.txt 2011-11-18 13:11

ComboFix2.txt 2011-11-17 20:50

.

Pre-Run: 994,103,296 bytes free

Post-Run: 1,190,191,104 bytes free

.

- - End Of File - - 18AFC7C118BC529104634124CA230955

Link to post
Share on other sites

Am I truly virus free?

Ahead a few additional scans, which will clarify this question.

Besides not allowing my 3 year old to click ad banners, anything else you suggest for avoiding such issues in the future?

When we complete here, I will give you some malware preventions tips.

Now:

  • Launch Malwarebytes' Anti-Malware
  • Go to Update" tab and select Check for Updates.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

Next:

  1. Please run a free online scan with the ESET Online Scanner
    Note: You will need to use Internet Explorer for this scan
  2. Tick the box next to YES, I accept the Terms of Use
  3. Click Start
  4. When asked, allow the ActiveX control to install
  5. Click Start
  6. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  7. Click Scan (This scan can take several hours, so please be patient)
  8. Once the scan is completed, you may close the window
  9. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  10. Copy and paste that log as a reply to this topic

Post these log files in your next reply.

Link to post
Share on other sites

I was having some difficutly finding the ESET log but I think what I posted is it.

MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8191

Windows 6.1.7601 Service Pack 1

Internet Explorer 8.0.7601.17514

11/18/2011 6:23:14 PM

mbam-log-2011-11-18 (18-23-14).txt

Scan type: Quick scan

Objects scanned: 184063

Time elapsed: 2 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ESET Log File:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=214eb013b2eab34aa40f28a00c7dd4d8

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-11-19 02:42:14

# local_time=2011-11-18 08:42:14 (-0600, Central Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=768 16777215 100 0 51476852 51476852 0 0

# compatibility_mode=5893 16776574 66 94 0 73205970 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=463213

# found=2

# cleaned=2

# scan_time=8014

C:\Program Files (x86)\Win7codecs\Tools\Settings32.exe Win32/Packed.Autoit.C.Gen application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.E trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Link to post
Share on other sites

I have good news for you => You're system is clean! :thumbsup:

Here are some tips to prevent future malware problems:

You need to ensure that you have the latest version of: Adobe Reader. Before you download and install the latest version is important to uninstall the old one, so for this purpose: Click Start => Control Panel => Add or Remove Programs highlight them and click on Remove button. Next, click on the program to download it:

Slowly and carefully install the application and then restart your computer.

Let the cleaning tools we use. First get rid of ComboFix:

Go to Start => Run... and copy & paste next command in the field:

ComboFix /uninstall

Then hit Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Resets System Restore again

Note: Make sure there's a space between ComboFix and /uninstall

At this stage, you don't need the online scanner, so:

To remove the ESET Online Scanner components from your computer, start the Add or Remove Programs applet from Control Panel, select the ESET Online Scanner entry and click Remove. A restart may be required to complete uninstallation.

Please manually delete DDS.

Some quick tips:

  1. Firewall - Your Windows OS has a built-in firewall, but it is weak and in no way good for the current requirements for optimal security, so I recommend you choose a suitable firewall on my advice below. A firewall will protect you from attacks coming from the global network. Without a firewall your computer is susceptible to being hacked and taken over. Here some good free firewall solutions:

[*]Alternative browser - Due to the large market share of Internet Explorer, it is a top target of the writers of malware, so we recommend using an alternative browser. There are many better alternatives to Internet Explorer regarding security, features and speed such as:

[*]Program updates - Updating the software is really important for the productivity, but also for their security. Here is an application that will help in checking the new versions and updates for your programs. It is called FileHippo Update Checker and you can download it from here.

[*]Clear old system restore points - Once your system is infected as a result there will be infected restore points that need to be cleaned.

  1. Open Start => All Programs => Accessories => System tools => Disk Cleanup.
  2. In the Drop down box that appears select your main drive e.g. C:\
  3. Click OK.
  4. The System will do some calculation and display a dialogue box with TABS.
  5. Select the More Options tab.
  6. At the bottom will be a system restore box with a CLEANUP button. Click on it.
  7. Accept the Warning and select OK again, the program will close and you are done.

[*]Create a new system restore point - Now that everything is fine, it is necessary to create a new restore point to restore your system to an earlier stage in case you get a problem. Do the following:

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

Safe surfing! ;)

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.