[Inactive] Another case of System Check malware

Discussion in 'Virus and Malware Removal' started by bdawkins94, Jan 26, 2012.

  1. bdawkins94 Newcomer, in training

    Ready for next round

    Did any of that help? Should I re-install McAfee S-a-a-S or something else?
  2. Bobbye Helper on the Fringe

    For any of the scans where you are instructed to disable the security software, you are also told to re-enable it when the scan is finished.

    It would be helpful if you told me what problems have been resolved and what, if any, remain.
    =========================================
    OTL Custom Scan Fixes

    • Run OTL
    • Copy the contents of the Code box and paste in the Custom Scans/Fixes box at the bottom:

      Code:
      :OTL
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:59616
      FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
      FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
      FF - prefs.js..extensions.enabledItems: grwatcher@ajnasz.hu:1.4.1
      FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
      FF - prefs.js..network.proxy.http_port: 59616
      FF - prefs.js..network.proxy.no_proxies_on: "*.local"
      [2010/12/20 12:15:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
      [2011/03/14 08:24:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
      [2011/07/10 15:08:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O2 - BHO: (Reg Error: Value error.) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
      O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_26)
      O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_26)
      O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_26)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O16 - DPF: CabCCT https://ondemand.apptix.net/codebase/ActCtrl_Apptix.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{49A738B7-03B3-47B9-9727-51289FA76CED}: DhcpNameServer = 10.232.53.29
      O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
      [2012/01/26 20:50:55 | 000,000,306 | ---- | C] () -- C:\Windows\myClean.bat
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
      helpfile [open] -- Reg Error: Key error.
      regfile [merge] -- Reg Error: Key error.
      txtfile [edit] -- Reg Error: Key error.
      Folder [explore] -- Reg Error: Value error.
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
      "VistaSp1" = Reg Error: Unknown registry data type -- File not found
      
      :Files
      
      :Commands
      [purity]
      [emptyflash]
      [emptyjava]
      [resethosts]
      [CreateRestorePoint]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run uninterrupted, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  3. bdawkins94 Newcomer, in training

    Errors

    I ran this code in OTL but it keeps hanging with this line showing:

    Processing Registry data helpfile [open]--Reg Key error...

    Not sure what to do.

    Thanks,
    Brent
  4. bdawkins94 Newcomer, in training

    ComboFix Results

    Something weird popped up, a "system check" type window, so I killed it using Task Manager and it did not come back. I ran ComboFix so I could show you any recent files that have been on my machine; a few look concerning.

    I hope this helps. Thanks.

    =======================

    ComboFix 12-01-26.01 - Brent 02/04/2012 18:40:19.4.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3539.2390 [GMT -5:00]
    Running from: c:\users\Brent\Desktop\ComboFix.exe
    FW: McAfee® Security-as-a-Service *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    * Created a new restore point
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-04 to 2012-02-04 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-04 23:41 . 2012-02-04 23:41 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-04 20:57 . 2012-02-04 20:57 -------- d-----w- C:\_OTL
    2012-02-04 20:23 . 2012-02-04 20:23 323072 ----a-w- c:\users\Brent\AppData\Local\bgogcmym.exe
    2012-02-04 20:23 . 2012-02-04 20:23 323072 ----a-w- c:\users\Brent\AppData\Local\utmcwk.exe
    2012-02-02 00:33 . 2012-02-02 17:19 60304 ----a-w- c:\users\Brent\g2mdlhlpx.exe
    2012-01-27 15:48 . 2012-02-04 23:42 -------- d-----w- c:\users\Brent\AppData\Local\temp
    2012-01-27 15:47 . 2011-04-25 03:24 338944 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-01-27 14:25 . 2012-01-27 14:25 -------- d-----w- c:\programdata\McAfee
    2012-01-27 13:53 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2012-01-25 19:53 . 2012-01-25 19:53 -------- d-----w- c:\users\Brent\AppData\Roaming\Malwarebytes
    2012-01-25 19:53 . 2012-01-25 19:53 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-25 19:52 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-25 19:52 . 2012-01-25 19:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-25 19:50 . 2012-01-25 19:50 135781 ----a-w- C:\mbam-setup-1.60.0.1800.exe
    2012-01-17 15:23 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-17 15:23 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-17 15:23 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-17 15:23 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-17 15:23 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-17 15:23 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
    2012-01-17 15:23 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
    2012-01-17 15:23 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-17 15:23 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-17 15:23 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-16 15:07 . 2009-08-20 04:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
    2012-01-16 15:01 . 2012-01-03 13:22 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2012-01-11 19:59 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-11 19:59 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll
    2012-01-11 19:58 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll
    2012-01-11 19:58 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-31 01:45 . 2009-12-05 17:16 0 ----a-w- c:\users\Brent\AppData\Local\WavXMapDrive.bat
    2011-12-19 18:46 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-11-24 04:25 . 2011-12-19 02:47 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-15 16:53 . 2011-05-15 19:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-02-18 15:35 . 2011-02-18 15:35 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Brent\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Brent\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Brent\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2009-06-12 00:41 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2009-06-12 00:41 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-09 39408]
    "GoToMeeting"="c:\program files\Citrix\GoToMeeting\723\g2mstart.exe" [2011-05-31 39816]
    "{E8951905-B0E2-46E3-8881-5C20EAE8B00B}"="c:\windows\system32\msiexec.exe" [2010-11-20 73216]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-02 160328]
    "Akamai NetSession Interface"="c:\users\Brent\AppData\Local\Akamai\netsession_win.exe" [2011-12-23 3334432]
    "WorkForce 610(Network)"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATIFJA.EXE" [2009-01-26 199680]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-06-19 249856]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-03 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-03 174104]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-03 151064]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
    "Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-08-05 4562944]
    "ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-06-03 184320]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2009-07-27 134656]
    "DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-06-12 656384]
    "USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-08-14 15872]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-01-04 40376]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-01-03 640440]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
    "Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-09 122880]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-02-06 843776]
    "mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
    "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
    "LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-04-05 495708]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-02-18 30192]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
    "ArcSoft MediaImpression Monitor"="c:\program files\Kodak\MediaImpression\ArcMonitor.exe" [2010-12-15 80448]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-10-02 160328]
    .
    c:\users\Brent\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Brent\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
    Yammer.lnk - c:\program files\Yammer\Yammer.exe [2011-10-15 142336]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-1 795936]
    Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-7-16 1245472]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-11-25 50688]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
    Network Monitoring Tray.lnk - c:\windows\LTSvc\LTTray.exe [2011-11-15 1126728]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
    "NoAutoUpdate"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-07-03 29472]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2011-02-18 30192]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 135664]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232]
    R3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\DRIVERS\NwUsbCdFil.sys [2009-06-15 20480]
    R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2009-06-03 174720]
    R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-07-02 47104]
    R3 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-07-01 49152]
    R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-07-04 38400]
    R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-03-20 32408]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-28 1343400]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_d511891fb5bff1e2\aestsrv.exe [2010-04-05 81920]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2009-05-15 1803512]
    S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-04-27 293968]
    S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2009-07-16 382752]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S2 LTService;TechGuides Monitoring Service;c:\windows\LTSVC\LTSVC.exe [2011-11-15 8713032]
    S2 LTSvcMon;TechGuides Monitoring Service CheckUp Util;c:\windows\LTSvc\LTSvcMon.exe [2011-11-15 98120]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
    S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-10-09 493248]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-26 122368]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HsfXAudioService REG_MULTI_SZ HsfXAudioService
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 15:07]
    .
    2012-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 15:07]
    .
    2012-02-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3248735208-1846752271-3406580854-1003Core.job
    - c:\users\Brent\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-18 23:59]
    .
    2012-02-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3248735208-1846752271-3406580854-1003UA.job
    - c:\users\Brent\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-18 23:59]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://www.google.com/
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    Trusted Zone: tgelite.com\labtech
    TCP: DhcpNameServer = 192.168.1.1
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn1.appliedsystems.com/CACHE/stc/1/binaries/vpnweb.cab
    FF - ProfilePath - c:\users\Brent\AppData\Roaming\Mozilla\Firefox\Profiles\bwy2t5l6.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port -
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Brent\AppData\Roaming\Move Networks
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
    "ServiceDll"="c:\program files\common files\akamai/netsession_win_e286960.dll"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(532)
    c:\windows\system32\wvauth.DLL
    .
    - - - - - - - > 'Explorer.exe'(336)
    c:\users\Brent\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
    .
    Completion time: 2012-02-04 18:44:03
    ComboFix-quarantined-files.txt 2012-02-04 23:44
    ComboFix2.txt 2012-01-31 01:58
    ComboFix3.txt 2012-01-27 19:03
    ComboFix4.txt 2012-01-27 16:03
    .
    Pre-Run: 80,890,531,840 bytes free
    Post-Run: 80,738,213,888 bytes free
    .
    - - End Of File - - A7211E20B0CF5DA0A9986BD5E9034FEA
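    As an added triage example (not code from the thread, nor from the ComboFix or OTL authors), the script below parses a few of the log lines posted above and flags the items the helper's OTL fix targets: a proxy pointing at 127.0.0.1, randomly named executables dropped straight into AppData\Local, and UAC and automatic updates switched off in policy. The indicator rules are this helper's own assumptions, and the sample input is a constructed excerpt of the logs in this thread.

```python
"""Triage helper for the ComboFix and OTL lines posted in this thread.

Added example: the indicator rules below are this helper's own assumptions,
not rules from ComboFix, OTL or the thread. The sample input is a constructed
excerpt of the logs above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines taken from the reports in this thread.
SAMPLE_LOG = r"""
2012-02-04 20:23 . 2012-02-04 20:23 323072 ----a-w- c:\users\Brent\AppData\Local\bgogcmym.exe
2012-02-04 20:23 . 2012-02-04 20:23 323072 ----a-w- c:\users\Brent\AppData\Local\utmcwk.exe
2012-02-02 00:33 . 2012-02-02 17:19 60304 ----a-w- c:\users\Brent\g2mdlhlpx.exe
2012-01-25 19:50 . 2012-01-25 19:50 135781 ----a-w- C:\mbam-setup-1.60.0.1800.exe
2012-01-27 15:48 . 2012-02-04 23:42 -------- d-----w- c:\users\Brent\AppData\Local\temp
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
FF - prefs.js: network.proxy.http - 127.0.0.1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:59616
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule name
    detail: str  # what matched
    line: str    # the log line (or paths) that triggered it


# ComboFix "Files Created" line: created . modified size attrs path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Something sitting directly in <user>\AppData\Local (not in a subfolder)
LOCAL_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\(?P<name>[^\\]+)$", re.IGNORECASE)
# A name of 6-8 lowercase letters: no product name, digits or dashes
RANDOM_NAME = re.compile(r"^[a-z]{6,8}\.exe$")
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>\S+)')
LOCAL_PROXY = re.compile(r"127\.0\.0\.1(?::(?P<port>\d+))?")

# (key suffix, value name, bad value, meaning) -- assumed hardening baseline
POLICY_RULES = [
    (r"policies\system", "EnableLUA", "0", "UAC disabled"),
    (r"policies\system", "ConsentPromptBehaviorAdmin", "0", "admins elevate with no prompt"),
    (r"windowsupdate\au", "NoAutoUpdate", "1", "automatic updates disabled"),
]


def triage(log_text: str) -> list[Finding]:
    """Scan log text and return the indicators found, in order of appearance."""
    findings: list[Finding] = []
    by_size: dict[str, list[str]] = {}  # size -> suspicious exe paths
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            d = LOCAL_DIR.match(m["path"])
            if d and RANDOM_NAME.match(d["name"]):
                findings.append(Finding("random-named-exe", m["path"], line))
                by_size.setdefault(m["size"], []).append(m["path"])
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m["key"].lower()  # remember the key for the values that follow
            continue
        m = REG_VALUE.match(line)
        if m:
            for suffix, name, bad, why in POLICY_RULES:
                if current_key.endswith(suffix) and m["name"] == name and m["value"] == bad:
                    findings.append(Finding("weakened-policy", f"{name}={bad}: {why}", line))
            continue
        if "proxy" in line.lower():
            p = LOCAL_PROXY.search(line)
            if p:
                port = p["port"] or "unspecified port"
                findings.append(Finding("local-proxy", f"127.0.0.1 port {port}", line))
    # Two random-named executables of identical size is one more signal of a dropper.
    for size, paths in by_size.items():
        if len(paths) > 1:
            findings.append(Finding("same-size-twins", f"{len(paths)} files of {size} bytes", "; ".join(paths)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```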
  5. Bobbye Helper on the Fringe

    Combofix ran in Reduced Functionality Mode. Did you get a screen like this when you ran it the last time?
    [IMG]

    From Microsoft:
    So something must need to be reactivated. There is still malware on the system, but we need to find the activation problem and fix it before trying to run more scripts in Combofix.

    Please run the MGA Diagnostics tool
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
    • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool.
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
    • Please return to this thread and Paste the results here for review.
    ------------------------------------------
    You will also need to look on the computer itself, in the documentation you received with the computer, or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
  6. bdawkins94 Newcomer, in training

    MGA Results

    Bobbye,

    It seems like everything is fine but that Combofix ran in reduced functionality mode. That only happened after ComboFix asked me to update it to a newer version.

    I did not get a RESOLVE option when running MGA.


    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-M3DJT-4J3WC-733WD
    Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
    Windows Product ID: 00371-OEM-8992671-00524
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {BCFBE0DD-A489-4614-9D97-B355ABC201FE}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000000
    Build lab: 7601.win7sp1_gdr.111025-1505
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: 2.0.48.0
    OGAExec.exe Signed By: Microsoft
    OGAAddin.dll Signed By: Microsoft

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Project Standard 2007 - 100 Genuine
    Microsoft Office Visio Standard 2007 - 100 Genuine
    2007 Microsoft Office system - 100 Genuine
    OGA Version: Registered, 2.0.48.0
    Signed By: Microsoft
    Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_70AFE6BE-656-80070057_E2AD56EA-815-80070057

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{BCFBE0DD-A489-4614-9D97-B355ABC201FE}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-3248735208-1846752271-3406580854</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Latitude E5400 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A14</Version><SMBIOSVersion major="2" minor="4"/><Date>20090927000000.000000+000</Date></BIOS><HWID>4A423907018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>M09 </OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-003A-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Project Standard 2007</Name><Ver>12</Ver><Val>AD79E08D327B586</Val><Hash>TmRGgM1zpAJALyd9ca1G9mqfztQ=</Hash><Pid>89402-707-9054253-63015</Pid><PidType>14</PidType></Product><Product GUID="{90120000-0053-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Visio Standard 2007</Name><Ver>12</Ver><Val>AD79E08D327B586</Val><Hash>TmRGgM1zpAJALyd9ca1G9mqfztQ=</Hash><Pid>89406-707-9054253-63540</Pid><PidType>14</PidType></Product><Product GUID="{91120000-0031-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>2007 Microsoft Office system</Name><Ver>12</Ver><Val>71D10E2BF933DB0</Val><Hash>B9URD1hiEMmjgSYnbet26DZMIj4=</Hash><Pid>89451-OEM-6672867-84009</Pid><PidType>4</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="3A" Version="12" Result="100"/><App Id="53" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00178-926-700524-02-1033-7600.0000-3292009
    Installation ID: 015930606480651762980015012256915050612576053524054872
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 733WD
    License Status: Licensed
    Remaining Windows rearm count: 4
    Trusted time: 2/8/2012 5:32:17 PM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000003EFFF
    Event Time Stamp: N/A
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\wat\watadminsvc.exe
    Tampered File: %systemroot%\system32\wat\watweb.dll
    Tampered File: %systemroot%\system32\wat\npwatweb.dll
    Tampered File: %systemroot%\system32\wat\watux.exe
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys
    Tampered File: %systemroot%\system32\drivers\spldr.sys


    HWID Data-->
    HWID Hash Current: MAAAAAEAAgABAAIAAAABAAAAAgABAAEA6GFsP8wTgMlaC3zjnDf2BRJ9zAw6mCqF

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
    ACPI Table Name    OEMID Value    OEMTableID Value
    APIC               DELL           M09
    FACP               DELL           M09
    HPET               DELL           M09
    MCFG               DELL           M09
    ____               DELL           M09
    ASF!               DELL           M09
    TCPA
    SLIC               DELL           M09
    SSDT               PmRef          CpuPm
  7. bdawkins94 Newcomer, in training

    MGA Questions

    1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows? Win 7 Pro

    2. Does it read "OEM Software" or "OEM Product" in black lettering? yes, and it does have an OEM product number and it is a fully validated Win 7

    3. Or, does it have the computer manufacturer's name in black lettering? DELL with service tag key on bottom of laptop

    4. DO NOT post the Product Key. - ok
  8. Bobbye Helper on the Fringe

    There is some confusion here:

    "Remaining Windows rearm count: 4" A Rearm is the ability for a user to extend the Activation grace period, and all versions of Vista and Windows 7 get three (3) rearms, not 4.

    The "tampered files" definitely indicate a problem. One of the tampered files:
    Tampered File: %systemroot%\system32\wat\watadminsvc.exe is the Windows Activation Technologies Service.

    Clearly you can see that the tampered files have been 'tweaked'. For instance:
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui

    The process above is for the Software Protection Platform Client Extension DLL.
    But the process has been 'tampered' or 'tweaked' to make it '.mui', which is Multilingual User Interface. So when Microsoft checks the system, it's not recognizing the OS that matches the particular numbers given to the system to identify it.

    And you're not going to get a Resolve until or unless the Activation number is used and the files are put back to their original state.

    Another one of the files:
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    slui.exe is for the Windows Activation Client; it's changed to slui.exe.mui.

    The system can't actually find the correct file to run the Activation.

    I'm giving you a very non-technical description. I would like to warn you however, if you want to search this matter out for yourself, be sure you have a good site advisor. I use WOT (Web of Trust), which rates sites as red, yellow and green, and those mean just what the traffic lights do. You are safe with the site giving the green rating. When you start searching for things that are wrong, there are endless sites offering to 'fix' it for you or give you the download you need. (NOT!) They will all be rated in red, and most of the sites in this kind of search are red.

    You may want to arm yourself with the Web of Trust (WOT) add-on.
    =============================================
    You might be able to replace the files using the SFC:

    System File Checker
    • Click on the Start button
    • Type CMD.EXE in the Search box
    • Right-click on the only file that is found > Select Run as Administrator
    • The Elevated Command Prompt window should pop up
    • At the Command prompt type SFC /SCANNOW (note space)
    • Then Enter.
    • Wait for the scan to finish - make a note of any error messages -
    • Reboot when finished.

    Have your Win 7 OS CD handy.

    Run another MGADiag report, and post the results.
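A small triage helper for the Windows Activation Technologies section of an MGADiag report, added here as an example (it is not code from the thread or from MGADiag itself). It assumes the '|' in a "Tampered File" line separates the flagged file from the related items listed with it (such as its .mui resource or "COM Registration"); the sample text is a few lines copied from the report posted above.

```python
from dataclasses import dataclass, field

# Constructed sample: lines copied from the MGADiag report posted above.
SAMPLE_REPORT = r"""
Remaining Windows rearm count: 4
License Status: Licensed
HrOffline: 0x8004FE21
HealthStatus: 0x000000000003EFFF
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\wat\watadminsvc.exe
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\drivers\spsys.sys
"""

@dataclass
class TamperedEntry:
    path: str                                    # file flagged by WAT
    related: list = field(default_factory=list)  # items after '|' (assumed: mui resource, COM registration)

@dataclass
class WatSummary:
    health_status: int   # HealthStatus bitmask; 0 means nothing was flagged
    rearm_count: int
    license_status: str
    tampered: list

def parse_wat_section(text: str) -> WatSummary:
    """Pull the activation-health fields out of MGADiag report text."""
    health, rearm, status, tampered = 0, 0, "", []
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "HealthStatus":
            health = int(value, 16)
        elif key == "Remaining Windows rearm count":
            rearm = int(value)
        elif key == "License Status":
            status = value
        elif key == "Tampered File":
            first, *rest = value.split("|")  # assumption: '|' lists related items
            tampered.append(TamperedEntry(first, rest))
    return WatSummary(health, rearm, status, tampered)

def wat_service_files(summary: WatSummary) -> list:
    """Flagged files inside the wat folder, i.e. the WAT service components."""
    return [t.path for t in summary.tampered if "\\wat\\" in t.path.lower()]
```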