TechSpot

Malwarebytes will not install - access denied

By sjbells
Jan 3, 2012
  1. My PC is infected with a virus. I have run several fixes, but nothing has worked. I have run ComboFix as instructed in other messages, but to no avail. Help, please.

    ComboFix 11-12-31.03 - SJB 01/01/2012 12:18:25.2.4 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12286.9748 [GMT -5:00]
    Running from: c:\users\SJB.FBRANH\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-01 to 2012-01-01 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-01 17:22 . 2012-01-01 17:22 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C72DDE5F-5BA1-4B4C-92D6-BCC6D28889E0}\offreg.dll
    2012-01-01 17:21 . 2012-01-01 17:21 -------- d-----w- c:\users\SJB\AppData\Local\temp
    2012-01-01 17:21 . 2012-01-01 17:21 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-01 17:21 . 2012-01-01 17:21 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-01-01 16:43 . 2012-01-01 16:43 -------- d-----w- c:\users\SJB.FBRANH\AppData\Roaming\SUPERAntiSpyware.com
    2012-01-01 16:43 . 2012-01-01 16:47 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-01 16:43 . 2012-01-01 16:43 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-01 16:37 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C72DDE5F-5BA1-4B4C-92D6-BCC6D28889E0}\mpengine.dll
    2012-01-01 16:17 . 2012-01-01 16:17 -------- d-----w- c:\program files (x86)\FileASSASSIN
    2012-01-01 15:51 . 2012-01-01 15:51 -------- d-----w- c:\windows\system32\Macromed
    2011-12-31 17:35 . 2011-12-31 17:35 -------- d--h--w- c:\windows\Sun
    2011-12-14 17:23 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
    2011-12-14 17:23 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 17:23 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-14 17:23 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-14 17:23 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-05 20:24 . 2011-12-05 20:31 -------- d--h--w- c:\programdata\AutodeskRendering
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-10 20:24 . 2011-05-05 20:16 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-07 12:56 . 2011-06-15 11:48 414368 ---ha-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-21 11:40 . 2011-05-09 12:18 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-10-11 12:20 . 2011-10-11 12:20 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AFEB5076-8844-4EFF-B2FE-9FBB6F8E8AF9}\gapaengine.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-01-01_16.29.38 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-11-21 03:09 . 2012-01-01 16:48 35262 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-01-01 16:48 35046 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    - 2011-05-05 20:55 . 2012-01-01 16:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-05-05 20:55 . 2012-01-01 17:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-05-05 20:55 . 2012-01-01 17:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-05-05 20:55 . 2012-01-01 16:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-05-06 12:08 . 2012-01-01 16:48 5020 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4089952224-1957405234-155898677-1118_UserData.bin
    + 2012-01-01 17:22 . 2012-01-01 17:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-01-01 17:22 . 2012-01-01 17:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-01-01 16:29 . 2012-01-01 16:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-07-14 02:36 . 2012-01-01 15:31 665350 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-01-01 16:53 665350 c:\windows\system32\perfh009.dat
    - 2009-07-14 02:36 . 2012-01-01 15:31 123118 c:\windows\system32\perfc009.dat
    + 2009-07-14 02:36 . 2012-01-01 16:53 123118 c:\windows\system32\perfc009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SansaDispatch"="c:\users\SJB.FBRANH\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2011-05-09 79872]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-01 5486464]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
    .
    c:\users\SJB.FBRANH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Driver performer.lnk - c:\users\SJB.FBRANH\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EM8A187H\DriverPerformer_16i[1].exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 EC_NLM;ENERCALC NLM;c:\program files (x86)\ENERCALC_6_NLM\ENERCALC_NetworkLicenseManager.exe [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
    R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-06-09 1431888]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    S2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-02-02 18656]
    S3 PrivacyProtectorMP;PrivacyProtectorMP;c:\windows\system32\DRIVERS\PPFlt.sys [x]
    .
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BbPrintMonitor"="c:\program files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe" [2010-11-30 201376]
    "BbInstallUser"="c:\program files\Bluebeam Software\Pushbutton PDF\Bluebeam Admin User.exe" [2011-03-07 38560]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.5.52 208.67.222.222 208.67.222.220 192.168.0.10
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SysWOW64\astsrv.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-01 12:23:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-01 17:23
    ComboFix2.txt 2012-01-01 16:30
    .
    Pre-Run: 59,727,474,688 bytes free
    Post-Run: 59,754,385,408 bytes free
    .
    - - End Of File - - F80F6E93A2B35ED0F48BE64D6550EA94


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Professional
    Windows Information: Service Pack 1 (build 7601), 64-bit
    Base Board Manufacturer: Dell Inc.
    BIOS Manufacturer: Dell Inc.
    System Manufacturer: Dell Inc.
    System Product Name: Precision WorkStation T3500
    Logical Drives Mask: 0x00e80dfc

    Kernel Drivers (total 188):

    Processes (total 50):
    0 System Idle Process
    4 System
    268 C:\Windows\System32\smss.exe
    364 csrss.exe
    432 C:\Windows\System32\wininit.exe
    440 csrss.exe
    496 C:\Windows\System32\services.exe
    504 C:\Windows\System32\lsass.exe
    512 C:\Windows\System32\lsm.exe
    608 C:\Windows\System32\svchost.exe
    672 C:\Windows\System32\winlogon.exe
    724 C:\Windows\System32\svchost.exe
    796 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    876 C:\Windows\System32\svchost.exe
    916 C:\Windows\System32\svchost.exe
    944 C:\Windows\System32\svchost.exe
    508 C:\Windows\System32\svchost.exe
    1084 C:\Windows\System32\svchost.exe
    1284 C:\Windows\System32\spoolsv.exe
    1344 C:\Windows\System32\svchost.exe
    1476 C:\Windows\SysWOW64\ASTSRV.EXE
    1516 C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
    1612 C:\Windows\System32\svchost.exe
    1648 C:\Windows\System32\svchost.exe
    1704 C:\Windows\System32\svchost.exe
    1764 C:\Windows\System32\svchost.exe
    2072 C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    2268 WUDFHost.exe
    2828 C:\Windows\System32\SearchIndexer.exe
    1232 C:\Windows\System32\dwm.exe
    1108 C:\Windows\explorer.exe
    1316 C:\Program Files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe
    1632 C:\Program Files\Microsoft Security Client\msseces.exe
    2200 C:\Users\SJB.FBRANH\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
    1992 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    1980 C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
    1304 C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
    3556 C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    3152 C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    2736 C:\Windows\System32\audiodg.exe
    4948 C:\Program Files\Internet Explorer\iexplore.exe
    4168 C:\Program Files\Internet Explorer\iexplore.exe
    1312 C:\Windows\splwow64.exe
    4900 C:\Windows\System32\SearchProtocolHost.exe
    3780 C:\Windows\System32\SearchFilterHost.exe
    4252 C:\Program Files\Internet Explorer\iexplore.exe
    4832 MpCmdRun.exe
    1772 C:\Users\SJB.FBRANH\Desktop\MBRCheck.exe
    3568 C:\Windows\System32\conhost.exe
    3376 C:\Windows\System32\dllhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`02738a00 (NTFS)

    PhysicalDrive0 Model Number: KINGSTONSVP100S2128G, Rev: CJRA0202
    PhysicalDrive1 Model Number: ST3250318AS, Rev: CC45

    Size Device Name MBR Status
    --------------------------------------------
    119 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
    232 GB \\.\PhysicalDrive1 Dell Inspiron MBR code detected
    SHA1: AE3E0A945D44C8EA304A19A8F50F69065C34344B


    Done!
     
  2. sjbells

    sjbells TS Rookie Topic Starter

    Oops, sorry

    I just read the announcement at the top of the page telling me to not run any of these powerful programs unless told to. I apologize, I should have started at the top of this forum.
     
  3. sjbells

    sjbells TS Rookie Topic Starter

    Completing the steps for the logs.

    Again, I apologize for not doing this in the correct order. I have now done the "UPDATED 5-step..." process. Here are my results.

    1. I have Microsoft Security Essentials running and had it running before the problem started.

    2. I cannot get Malwarebytes to install, that is part of my problem.

    3. I downloaded and ran GMER and let the initial scan take place. I then saved the log but the log is empty. Am I supposed to do a Scan after the initial scan when it starts?

    4. I downloaded the DDS.scr, but when I double-click on the file it opens up in a text box? I must have done something wrong.

    5. It seems as if I have nothing to post.
     
  4. Broni

    Broni Malware Annihilator

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start the scan.
    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     
  5. sjbells

    sjbells TS Rookie Topic Starter

    Post log

    Thank you for your help.

    I ran aswMBR; below is the log file.

    aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-03 13:10:55
    -----------------------------
    13:10:55.457 OS Version: Windows x64 6.1.7601 Service Pack 1
    13:10:55.457 Number of processors: 4 586 0x1A05
    13:10:55.457 ComputerName: FBRAT3500-SJB-2 UserName: SJB
    13:10:55.707 Initialize success
    13:24:30.596 AVAST engine defs: 12010300
    13:27:33.532 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
    13:27:33.532 Disk 0 Vendor: KINGSTON_SVP100S2128G CJRA0202 Size: 122104MB BusType: 11
    13:27:33.532 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0
    13:27:33.532 Disk 1 Vendor: ST3250318AS CC45 Size: 238418MB BusType: 11
    13:27:33.532 Disk 0 MBR read successfully
    13:27:33.532 Disk 0 MBR scan
    13:27:33.532 Disk 0 Windows 7 default MBR code
    13:27:33.547 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    13:27:33.563 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 122002 MB offset 206848
    13:27:33.594 Service scanning
    13:27:33.875 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
    13:27:34.483 Modules scanning
    13:27:34.483 Disk 0 trace - called modules:
    13:27:34.483 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
    13:27:34.483 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009f86060]
    13:27:34.483 3 CLASSPNP.SYS[fffff8800161743f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0xfffffa8009d69060]
    13:27:34.717 AVAST engine scan C:\Windows
    13:27:36.402 AVAST engine scan C:\Windows\system32
    13:28:43.540 AVAST engine scan C:\Windows\system32\drivers
    13:28:47.502 AVAST engine scan C:\Users\SJB.FBRANH
    13:29:11.182 AVAST engine scan C:\ProgramData
    13:29:30.166 Scan finished successfully
    13:29:59.835 Disk 0 MBR has been saved successfully to "C:\Users\SJB.FBRANH\Desktop\MBR.dat"
    13:29:59.882 The log file has been saved successfully to "C:\Users\SJB.FBRANH\Desktop\aswMBR.txt"
     
  6. Broni

    Broni Malware Annihilator

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install the Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.

    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. sjbells

    sjbells TS Rookie Topic Starter

    Combo fix run

    Combofix was run without any problems. Here is the text file it created:

    ComboFix 12-01-03.04 - SJB 01/03/2012 13:53:14.4.4 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12286.10463 [GMT -5:00]
    Running from: c:\users\SJB.FBRANH\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-03 18:55 . 2012-01-03 18:55 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2B692B6-E5A2-4AE8-8631-1A6178F33993}\offreg.dll
    2012-01-03 18:55 . 2012-01-03 18:55 -------- d-----w- c:\users\SJB\AppData\Local\temp
    2012-01-03 18:55 . 2012-01-03 18:55 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-03 18:55 . 2012-01-03 18:55 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-01-03 15:10 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A2B692B6-E5A2-4AE8-8631-1A6178F33993}\mpengine.dll
    2012-01-01 16:43 . 2012-01-01 16:43 -------- d-----w- c:\users\SJB.FBRANH\AppData\Roaming\SUPERAntiSpyware.com
    2012-01-01 16:43 . 2012-01-01 16:47 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-01 16:43 . 2012-01-01 16:43 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-01 16:17 . 2012-01-01 16:17 -------- d-----w- c:\program files (x86)\FileASSASSIN
    2012-01-01 15:51 . 2012-01-01 15:51 -------- d-----w- c:\windows\system32\Macromed
    2011-12-31 17:35 . 2011-12-31 17:35 -------- d--h--w- c:\windows\Sun
    2011-12-14 17:23 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
    2011-12-14 17:23 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 17:23 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-14 17:23 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-14 17:23 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-05 20:24 . 2011-12-05 20:31 -------- d--h--w- c:\programdata\AutodeskRendering
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-10 20:24 . 2011-05-05 20:16 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-07 12:56 . 2011-06-15 11:48 414368 ---ha-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-21 11:40 . 2011-05-09 12:18 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-10-11 12:20 . 2011-10-11 12:20 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AFEB5076-8844-4EFF-B2FE-9FBB6F8E8AF9}\gapaengine.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-01-01_16.29.38 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-11-21 03:09 . 2012-01-03 13:48 36052 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-01-03 13:48 35174 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    - 2011-05-05 21:23 . 2012-01-01 16:20 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-05-05 21:23 . 2012-01-03 18:17 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-05-05 21:23 . 2012-01-01 16:20 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2011-05-05 21:23 . 2012-01-03 18:17 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-01-03 18:17 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2012-01-01 16:20 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-05-05 20:55 . 2012-01-03 18:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-05-05 20:55 . 2012-01-01 16:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-05-05 20:55 . 2012-01-03 18:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-05-05 20:55 . 2012-01-01 16:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-05-06 12:08 . 2012-01-03 13:48 5020 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4089952224-1957405234-155898677-1118_UserData.bin
    + 2012-01-03 18:55 . 2012-01-03 18:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-01-03 18:55 . 2012-01-03 18:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-01-01 16:29 . 2012-01-01 16:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2009-07-14 02:36 . 2012-01-03 12:48 665350 c:\windows\system32\perfh009.dat
    - 2009-07-14 02:36 . 2012-01-01 15:31 665350 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-01-03 12:48 123118 c:\windows\system32\perfc009.dat
    - 2009-07-14 02:36 . 2012-01-01 15:31 123118 c:\windows\system32\perfc009.dat
    - 2011-05-05 20:08 . 2011-12-31 17:41 1854824 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2011-05-05 20:08 . 2012-01-03 13:45 1854824 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SansaDispatch"="c:\users\SJB.FBRANH\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2011-05-09 79872]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-01 5486464]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
    .
    c:\users\SJB.FBRANH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Driver performer.lnk - c:\users\SJB.FBRANH\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EM8A187H\DriverPerformer_16i[1].exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 EC_NLM;ENERCALC NLM;c:\program files (x86)\ENERCALC_6_NLM\ENERCALC_NetworkLicenseManager.exe [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
    R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-06-09 1431888]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    S2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2011-02-02 18656]
    S3 PrivacyProtectorMP;PrivacyProtectorMP;c:\windows\system32\DRIVERS\PPFlt.sys [x]
    .
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BbPrintMonitor"="c:\program files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe" [2010-11-30 201376]
    "BbInstallUser"="c:\program files\Bluebeam Software\Pushbutton PDF\Bluebeam Admin User.exe" [2011-03-07 38560]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.5.52 208.67.222.222 208.67.222.220 192.168.0.10
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SysWOW64\astsrv.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-03 13:57:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-03 18:57
    ComboFix2.txt 2012-01-03 13:47
    ComboFix3.txt 2012-01-01 17:23
    ComboFix4.txt 2012-01-01 16:30
    .
    Pre-Run: 59,353,796,608 bytes free
    Post-Run: 59,392,933,888 bytes free
    .
    - - End Of File - - CF3A83FC7934EBD9228EB2F8B2CD1300
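    The Reg Loading Points section of the log above is what a responder triages by hand: UAC policy values of 0 under policies\system and a Startup entry that points into the IE cache with [N/A] for its date and size. As an added example (not part of the thread or of ComboFix), this Python helper parses those line shapes and flags both, using lines copied from the log as constructed sample input.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not code from ComboFix or from the posters.
It flags the two things a reviewer would pick out of the log above: UAC
policy values set to 0 (elevation prompting disabled) and autostart entries
that run from a temp/browser-cache folder or that ComboFix listed as [N/A].
"""
import re

# Constructed sample: lines copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\users\SJB.FBRANH\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2011-05-09 79872]
.
c:\users\SJB.FBRANH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Driver performer.lnk - c:\users\SJB.FBRANH\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EM8A187H\DriverPerformer_16i[1].exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""

# Line shapes ComboFix uses: "Name"="path" [date size], Name.lnk - path [info], "Name"= N (0xN)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<info>[^\]]*)\]')
LNK_RE = re.compile(r'^(?P<name>.+?\.lnk) - (?P<path>.+?) \[(?P<info>[^\]]*)\]')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)')

# Values under policies\system that switch UAC protection off.
UAC_WEAK = {
    "EnableLUA": "0",                   # UAC disabled outright
    "ConsentPromptBehaviorAdmin": "0",  # admins elevate silently, no prompt
    "PromptOnSecureDesktop": "0",       # prompts drawn on the normal desktop
}
SUSPECT_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\content.ie5\\")

def parse_autostarts(log_text):
    """Return (name, path, info) for each Run value and Startup-folder .lnk line."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line) or LNK_RE.match(line)
        if m:
            entries.append((m["name"], m["path"], m["info"]))
    return entries

def triage(log_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for line in log_text.splitlines():
        m = VALUE_RE.match(line)
        if m and UAC_WEAK.get(m["name"]) == m["val"]:
            findings.append(f"UAC weakened: {m['name']}={m['val']}")
    for name, path, info in parse_autostarts(log_text):
        reasons = []
        if any(d in path.lower() for d in SUSPECT_DIRS):
            reasons.append("runs from a temp/browser-cache folder")
        if info.strip().upper() == "N/A":
            reasons.append("ComboFix could not read its date/size (N/A)")
        if reasons:
            findings.append(f"Autostart '{name}' -> {path}: " + "; ".join(reasons))
    return findings
```

    On the sample it reports the three weakened UAC values and the "Driver performer.lnk" entry; the two vendor autostarts are left alone.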
     
  8. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    Open Windows Explorer. Go to Tools > Folder Options > View tab, put a checkmark next to Show hidden files and folders, and un-check Hide protected operating system files.
    NOTE. Make sure to reverse the above changes when done with this step.
    Upload the following file to http://www.virustotal.com/ for a security check:
    - c:\windows\system32\DRIVERS\PPFlt.sys
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  9. sjbells

    sjbells TS Rookie Topic Starter

    Scan of file

    I scanned the file; here are the results:

    Antivirus             Version         Last Update  Result
    AhnLab-V3             2012.01.03.00   2012.01.03   -
    AntiVir               7.11.20.135     2012.01.03   -
    Antiy-AVL             2.0.3.7         2012.01.03   -
    Avast                 6.0.1289.0      2012.01.03   -
    AVG                   10.0.0.1190     2012.01.03   -
    BitDefender           7.2             2012.01.03   -
    ByteHero              1.0.0.1         2011.12.31   -
    CAT-QuickHeal         12.00           2012.01.03   -
    ClamAV                0.97.3.0        2012.01.03   -
    Commtouch             5.3.2.6         2012.01.03   -
    Comodo                11181           2012.01.03   -
    DrWeb                 5.0.2.03300     2012.01.03   -
    Emsisoft              5.1.0.11        2012.01.03   -
    eSafe                 7.0.17.0        2012.01.03   -
    eTrust-Vet            37.0.9660       2012.01.03   -
    F-Prot                4.6.5.141       2012.01.03   -
    F-Secure              9.0.16440.0     2012.01.03   -
    Fortinet              4.3.388.0       2012.01.03   -
    GData                 22              2012.01.03   -
    Ikarus                T3.1.1.109.0    2011.12.31   -
    Jiangmin              13.0.900        2012.01.03   -
    K7AntiVirus           9.123.5849      2012.01.03   -
    Kaspersky             9.0.0.837       2012.01.03   -
    McAfee                5.400.0.1158    2012.01.03   -
    McAfee-GW-Edition     2010.1E         2012.01.03   -
    Microsoft             1.7903          2012.01.03   -
    NOD32                 6765            2012.01.03   -
    Norman                6.07.13         2012.01.03   -
    nProtect              2012-01-03.01   2012.01.03   -
    Panda                 10.0.3.5        2012.01.03   -
    PCTools               8.0.0.5         2012.01.03   -
    Prevx                 3.0             2012.01.03   -
    Rising                23.90.05.01     2011.12.31   -
    Sophos                4.72.0          2012.01.03   -
    SUPERAntiSpyware      4.40.0.1006     2012.01.03   -
    Symantec              20111.2.0.82    2012.01.03   -
    TheHacker             6.7.0.1.371     2012.01.03   -
    TrendMicro            9.500.0.1008    2012.01.03   -
    TrendMicro-HouseCall  9.500.0.1008    2012.01.03   -
    VBA32                 3.12.16.4       2012.01.03   -
    VIPRE                 11345           2012.01.03   -
    ViRobot               2012.1.3.4861   2012.01.03   -
    VirusBuster           14.1.148.0      2012.01.03   -
    Additional information:
    MD5 : d3b7f88deee78771874c053c62d15ec2
    SHA1 : 7b274c5810812e214d4567bd520a3b80e3b91878
    SHA256: c2d5c31462462fd00b311fab055cfbf91964e731497901fd9b37d6df1ed0ca38
    ssdeep: 384:9Dt7w7T6Y9925sa6AvF8L4F3ZsbdlGUJ90H3hb5Qz0ZLa4sYJLca6jPAWTeMZq:xqHP2sOv+GpiIe9CRli0ZLvLFm8
    File size : 30496 bytes
    First seen: 2012-01-03 19:35:50
    Last seen : 2012-01-03 19:35:50
    TrID:
    Generic Win/DOS Executable (49.9%)
    DOS Executable Generic (49.8%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: EMBT Sp. z o.o.
    VeriSign Class 3 Code Signing 2010 CA
    VeriSign Class 3 Public Primary Certification Authority - G5
    signing date.: 14:28 25/05/2011
    verified.....: -

    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x8414
    timedatestamp....: 0x4DDD03B1 (Wed May 25 13:27:13 2011)
    machinetype......: 0x8664 (AMD64)

    [[ 5 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    .text, 0x1000, 0x36D9, 0x3800, 6.08, 3e7a5d85e5f0497546104fa1450a9d11
    .rdata, 0x5000, 0x544, 0x600, 4.03, 87f380215657e724d75dfe647c6340ad
    .data, 0x6000, 0x1B4, 0x200, 0.36, 827cc56e43daa330391d6df48f2cc088
    .pdata, 0x7000, 0x240, 0x400, 2.60, 7cba37e8f458e50e66b3f7f2a2178541
    INIT, 0x8000, 0xD16, 0xE00, 5.39, 4fcdd967e2fc6845364efdf18ce66ed6

    [[ 2 import(s) ]]
    ntoskrnl.exe: KeBugCheckEx, ZwClose, ZwSetSecurityObject, ZwOpenFile, RtlCreateSecurityDescriptor, ExFreePoolWithTag, ExAllocatePoolWithTag, MmMapLockedPagesSpecifyCache, IoReleaseCancelSpinLock, IoFreeMdl, KeReleaseSpinLockFromDpcLevel, KeAcquireSpinLockAtDpcLevel, DbgPrint, IofCompleteRequest, RtlInitUnicodeString, KeReleaseSpinLock, KeAcquireSpinLockRaiseToDpc, __C_specific_handler
    NDIS.SYS: NdisMRegisterUnloadHandler, NdisUnchainBufferAtFront, NdisAllocateBuffer, NdisFreeBufferPool, NdisAllocatePacketPool, NdisAllocateBufferPool, NdisReEnumerateProtocolBindings, NdisIMNotifyPnPEvent, NdisIMGetCurrentPacketStack, NdisDprAllocatePacket, NdisGetReceivedPacket, NdisDprFreePacket, NdisIMCopySendCompletePerPacketInfo, NdisDeregisterProtocol, NdisFreeMemory, NdisIMDeInitializeDeviceInstance, NdisIMCancelInitializeDeviceInstance, NdisCloseConfiguration, NdisIMGetDeviceContext, NdisMSetAttributesEx, NdisSetEvent, NdisAllocatePacket, NdisFreePacket, NdisRequest, NdisMIndicateStatus, NdisMIndicateStatusComplete, NdisReturnPackets, NdisResetEvent, NdisCloseAdapter, NdisWaitEvent, NdisCancelSendPackets, NdisFreePacketPool, NdisInitializeWrapper, NdisIMRegisterLayeredMiniport, NdisIMInitializeDeviceInstanceEx, NdisRegisterProtocol, NdisIMDeregisterLayeredMiniport, NdisIMAssociateMiniport, NdisTerminateWrapper, NdisMSleep, NdisMRegisterDevice, NdisMDeregisterDevice, NdisOpenProtocolConfiguration, NdisReadConfiguration, NdisAllocateMemoryWithTag, NdisInitializeEvent, NdisAllocatePacketPoolEx, NdisOpenAdapter

    ExifTool:
    file metadata
    CodeSize: 17920
    EntryPoint: 0x8414
    FileSize: 30 kB
    FileType: Win64 EXE
    ImageVersion: 6.1
    InitializedDataSize: 3072
    LinkerVersion: 9.0
    MIMEType: application/octet-stream
    MachineType: AMD AMD64
    OSVersion: 6.1
    PEType: PE32+
    Subsystem: Native
    SubsystemVersion: 6.1
    TimeStamp: 2011:05:25 15:27:13+02:00
    UninitializedDataSize: 0

     
  10. Broni

    Broni Malware Annihilator Posts: 52,895   +344

  11. sjbells

    sjbells TS Rookie Topic Starter

    Thank you

    I started a thread as recommended. Thank you for your time and help.
     
  12. Broni

    Broni Malware Annihilator Posts: 52,895   +344

    You're very welcome
     
