Solved Another Sirefef victim

Status
Not open for further replies.

jamiefairlie

Posts: 6   +0
Hi, it seems I'm another Sirefef victim. I've followed the instructions (Boot to System Recovery Options and run FRST then Search for Services.exe) and have pasted the output below . Thanks for your help.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-09-2012
Ran by SYSTEM at 12-09-2012 22:33:34
Running from F:\
Windows 7 Ultimate (X86) OS Language: English(US)
The current controlset is ControlSet001
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" [74752 2010-07-12] (Nullsoft, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-09-23] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-20] (Adobe Systems Incorporated)
HKLM\...\Run: [VX3000] C:\Windows\vVX3000.exe [762736 2010-05-20] (Microsoft Corporation)
HKLM\...\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe" [119152 2010-05-20] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM\...\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe" [291496 2009-04-27] ()
HKLM\...\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe" [25256 2009-04-27] ()
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Ed\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-10-17] (Google Inc.)
HKU\Ed\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
Tcpip\Parameters: [DhcpNameServer] 64.59.144.19 64.59.150.135
Startup: C:\Users\All Users\Start Menu\Programs\Startup\VPN Client.lnk
ShortcutTarget: VPN Client.lnk -> C:\Windows\Installer\{270FE6A0-E893-421C-809E-5B9111C2D4EC}\Icon3E5562ED7.ico ()
==================== Services ================================
2 CVPND; "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" [1504304 2006-10-06] (Cisco Systems, Inc.)
2 lxddCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [99248 2007-05-25] (Lexmark International, Inc.)
2 lxdd_device; C:\Windows\system32\lxddcoms.exe -service [537520 2007-05-25] ( )
2 nvUpdatusService; C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2253120 2011-10-15] (NVIDIA Corporation)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
==================== Drivers =================================
3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5315 2005-05-17] (Cisco Systems, Inc.)
2 CVPNDRVA; \??\C:\Windows\system32\Drivers\CVPNDRVA.sys [305787 2006-10-06] (Cisco Systems, Inc.)
3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [126864 2006-10-02] (Deterministic Networks, Inc.)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]
==================== NetSvcs (Whitelisted) =================

============ One Month Created Files and Folders ==============
2012-09-12 22:33 - 2012-09-12 22:33 - 00000000 ____D C:\FRST
2012-09-12 21:25 - 2012-09-12 20:29 - 04749988 ___RA (Swearware) C:\Users\Ed\Desktop\ComboFix.exe
2012-09-12 21:25 - 2012-09-12 19:54 - 01632160 ____A (Bleeping Computer, LLC) C:\Users\Ed\Desktop\rkill.exe
2012-09-12 21:25 - 2012-09-12 19:17 - 00903834 ____A (Farbar) C:\Users\Ed\Desktop\FRST.exe
2012-09-12 21:24 - 2012-09-12 21:24 - 00000621 ____A C:\Users\Ed\Desktop\ComboFix - Shortcut.lnk
2012-09-12 21:24 - 2012-09-12 21:24 - 00000596 ____A C:\Users\Ed\Desktop\rkill - Shortcut.lnk
2012-09-12 21:24 - 2012-09-12 21:24 - 00000589 ____A C:\Users\Ed\Desktop\FRST - Shortcut.lnk
2012-09-12 20:51 - 2012-09-12 20:51 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-09-12 20:45 - 2012-09-12 20:45 - 00000332 ____A C:\Start_.cmd
2012-09-12 20:45 - 2012-09-12 20:45 - 00000000 ____D C:\ComboFix
2012-09-12 20:44 - 2012-09-12 21:10 - 00000000 ____D C:\Qoobox
2012-09-12 20:43 - 2012-09-12 21:10 - 00000000 ___SD C:\32788R22FWJFW
2012-09-12 20:43 - 2012-09-12 21:09 - 00000000 ____D C:\Windows\erdnt
2012-09-12 20:41 - 2012-09-12 20:41 - 00139104 ____A C:\Windows\Minidump\091212-20779-01.dmp
2012-09-12 20:41 - 2012-09-12 20:41 - 00000000 ____D C:\Windows\Minidump
2012-09-12 19:59 - 2012-09-12 21:10 - 00002836 ____A C:\Users\Ed\Desktop\Rkill.txt
2012-09-11 20:24 - 2012-09-11 20:25 - 00000000 ____D C:\Users\Ed\AppData\Local\{C87B86D2-1D73-4658-96D6-7D0B49FF49E2}
2012-09-11 08:23 - 2012-09-11 08:24 - 00000000 ____D C:\Users\Ed\AppData\Local\{12C0C3B2-B167-4347-B64E-E10D7C3D6193}
2012-09-11 07:01 - 2012-09-11 07:01 - 00000249 ____A C:\Users\Ed\Desktop\Reset_and_Clear_Print_Spooler_Queue.bat
2012-09-10 20:21 - 2012-09-10 20:23 - 00000000 ____D C:\Users\Ed\AppData\Local\{60DECF96-9876-437C-A454-FC106DDE610B}
2012-09-10 08:20 - 2012-09-10 08:21 - 00000000 ____D C:\Users\Ed\AppData\Local\{49265433-F11A-446D-A626-9D2B0DBA5C65}
2012-09-09 20:54 - 2012-09-12 06:22 - 00000000 ____D C:\Users\Ed\Desktop\stick dump
2012-09-09 20:18 - 2012-09-09 20:20 - 00000000 ____D C:\Users\Ed\AppData\Local\{4BAD108A-9D06-407C-AB01-AB07E91F6CA0}
2012-09-09 16:21 - 2012-09-09 16:21 - 00002262 ____A C:\Users\Ed\Desktop\ripped cds - Shortcut.lnk
2012-09-09 16:21 - 2012-09-09 16:21 - 00000000 ____D C:\Users\Ed\Desktop\ripped cds
2012-09-09 08:16 - 2012-09-09 08:18 - 00000000 ____D C:\Users\Ed\AppData\Local\{19BE1D50-1A09-43AA-AB70-29ED87C7D728}
2012-09-08 08:13 - 2012-09-08 20:16 - 00000000 ____D C:\Users\Ed\AppData\Local\{55710E8B-7731-4DFE-BAC7-41CBEF6121C2}
2012-08-19 11:52 - 2012-08-19 11:52 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-08-18 11:25 - 2012-08-18 11:25 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2012-08-18 10:01 - 2012-08-18 10:02 - 00000000 ____D C:\Users\Ed\AppData\Local\{71A085F3-455E-40FE-8138-53577C326D02}
2012-08-17 22:00 - 2012-08-17 22:00 - 00000000 ____D C:\Users\Ed\AppData\Local\{9250A0FF-BF06-4A2D-9839-2FA071B18256}
2012-08-17 09:59 - 2012-08-17 10:00 - 00000000 ____D C:\Users\Ed\AppData\Local\{8EDD5CEB-6190-4D49-A2CB-FDE10791D076}
2012-08-16 21:58 - 2012-08-16 21:58 - 00000000 ____D C:\Users\Ed\AppData\Local\{8445152D-8BE0-4816-8BD0-E12870A221C1}
2012-08-16 09:56 - 2012-08-16 09:57 - 00000000 ____D C:\Users\Ed\AppData\Local\{84038A28-1D02-40E3-9858-13F4085691DB}
2012-08-16 09:55 - 2012-08-18 22:03 - 00000000 ____D C:\Users\Ed\AppData\Local\{DE771767-9528-4D82-9385-BA1658674E74}
2012-08-16 02:06 - 2012-06-28 16:52 - 12317184 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-16 02:06 - 2012-06-28 16:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-16 02:06 - 2012-06-28 16:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-16 02:06 - 2012-06-28 16:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-16 02:06 - 2012-06-28 16:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-16 02:06 - 2012-06-28 16:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-16 02:06 - 2012-06-28 16:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-16 02:06 - 2012-06-28 16:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-16 02:06 - 2012-06-28 16:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-16 02:06 - 2012-06-28 16:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-16 02:06 - 2012-06-28 16:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-16 02:06 - 2012-06-28 16:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-16 02:06 - 2012-06-28 16:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-16 02:06 - 2012-06-28 15:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-15 21:54 - 2012-08-15 21:55 - 00000000 ____D C:\Users\Ed\AppData\Local\{554D9C41-45D5-4274-A7D6-C834DC440A15}
2012-08-15 21:54 - 2012-08-15 21:54 - 00000000 ____D C:\Users\Ed\AppData\Local\{C4A930C1-A7C6-46E0-B8AB-BAEB9BDE3A02}
2012-08-15 09:53 - 2012-08-15 09:53 - 00000000 ____D C:\Users\Ed\AppData\Local\{BB8C3B84-2F1F-42CC-9FB0-959FB059DFAF}
2012-08-15 09:51 - 2012-08-15 09:53 - 00000000 ____D C:\Users\Ed\AppData\Local\{19CD7B34-313B-474E-B5C6-995CAC5AAF9A}
2012-08-15 04:09 - 2012-07-18 09:47 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-15 04:09 - 2012-07-04 13:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-15 04:09 - 2012-07-04 13:14 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-15 04:09 - 2012-07-04 13:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-15 04:09 - 2012-05-13 20:33 - 00769024 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-15 04:09 - 2012-05-04 23:46 - 00400896 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-08-15 04:09 - 2012-02-10 21:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-08-15 04:09 - 2012-02-10 21:37 - 00317440 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-08-14 21:51 - 2012-08-14 21:51 - 00000000 ____D C:\Users\Ed\AppData\Local\{9AE428ED-B3B0-4BCD-B143-03AFD51599D6}
2012-08-14 21:51 - 2012-08-14 21:51 - 00000000 ____D C:\Users\Ed\AppData\Local\{1A604F21-A22C-4666-ADA8-D2E14C6DC4EE}
2012-08-14 09:49 - 2012-08-14 09:50 - 00000000 ____D C:\Users\Ed\AppData\Local\{4BF539D8-3749-4905-9E55-8C1A2D5F83C7}
2012-08-14 09:48 - 2012-08-14 09:49 - 00000000 ____D C:\Users\Ed\AppData\Local\{92F5D29E-4B5C-479F-A964-4EDF855093A5}
2012-08-13 21:47 - 2012-08-13 21:48 - 00000000 ____D C:\Users\Ed\AppData\Local\{491ECC7E-A6A7-4A5A-A72E-B5055EB7D39D}
2012-08-13 21:46 - 2012-08-13 21:47 - 00000000 ____D C:\Users\Ed\AppData\Local\{B846F75B-F08D-4C6E-97C6-D2760C98AC36}
2012-08-13 18:39 - 2012-08-13 18:40 - 00000000 ____D C:\Users\Ed\Desktop\behaviours
2012-08-13 09:45 - 2012-08-13 09:46 - 00000000 ____D C:\Users\Ed\AppData\Local\{29F7AC6D-B43B-4C2A-B644-7D134770BA57}
2012-08-13 09:43 - 2012-08-13 09:45 - 00000000 ____D C:\Users\Ed\AppData\Local\{7725E018-75D2-479F-99BA-5AA6E929B7F2}
============ 3 Months Modified Files ========================
2012-09-12 21:24 - 2012-09-12 21:24 - 00000621 ____A C:\Users\Ed\Desktop\ComboFix - Shortcut.lnk
2012-09-12 21:24 - 2012-09-12 21:24 - 00000596 ____A C:\Users\Ed\Desktop\rkill - Shortcut.lnk
2012-09-12 21:24 - 2012-09-12 21:24 - 00000589 ____A C:\Users\Ed\Desktop\FRST - Shortcut.lnk
2012-09-12 21:24 - 2009-07-13 15:11 - 00259072 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-09-12 21:23 - 2010-10-17 09:19 - 00000874 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-12 21:22 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-12 21:22 - 2009-07-13 20:39 - 00033305 ____A C:\Windows\setupact.log
2012-09-12 21:10 - 2012-09-12 19:59 - 00002836 ____A C:\Users\Ed\Desktop\Rkill.txt
2012-09-12 20:52 - 2012-07-11 21:07 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-12 20:52 - 2010-08-16 16:03 - 02013417 ____A C:\Windows\WindowsUpdate.log
2012-09-12 20:51 - 2011-01-30 12:51 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-12 20:51 - 2010-08-16 22:38 - 00738640 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-12 20:49 - 2009-07-13 20:34 - 00017168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-12 20:49 - 2009-07-13 20:34 - 00017168 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-12 20:45 - 2012-09-12 20:45 - 00000332 ____A C:\Start_.cmd
2012-09-12 20:41 - 2012-09-12 20:41 - 00139104 ____A C:\Windows\Minidump\091212-20779-01.dmp
2012-09-12 20:29 - 2012-09-12 21:25 - 04749988 ___RA (Swearware) C:\Users\Ed\Desktop\ComboFix.exe
2012-09-12 19:54 - 2012-09-12 21:25 - 01632160 ____A (Bleeping Computer, LLC) C:\Users\Ed\Desktop\rkill.exe
2012-09-12 19:17 - 2012-09-12 21:25 - 00903834 ____A (Farbar) C:\Users\Ed\Desktop\FRST.exe
2012-09-12 08:16 - 2010-10-17 09:19 - 00000878 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-11 07:01 - 2012-09-11 07:01 - 00000249 ____A C:\Users\Ed\Desktop\Reset_and_Clear_Print_Spooler_Queue.bat
2012-09-09 16:21 - 2012-09-09 16:21 - 00002262 ____A C:\Users\Ed\Desktop\ripped cds - Shortcut.lnk
2012-08-19 11:48 - 2012-07-11 21:07 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-19 11:48 - 2011-10-30 15:23 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-18 11:25 - 2012-08-18 11:25 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2012-08-16 02:38 - 2009-07-13 20:33 - 00409752 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-16 02:37 - 2010-08-16 21:31 - 00097580 ____A C:\Windows\PFRO.log
2012-08-16 02:12 - 2010-08-16 20:13 - 59884088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-12 10:28 - 2012-08-12 10:27 - 00013191 ____A C:\M1319.log
2012-08-08 15:49 - 2012-08-08 15:47 - 00001594 ____A C:\Windows\VPNInstall.MIF
2012-08-08 15:32 - 2012-03-12 21:25 - 00010046 ____A C:\Users\Ed\Desktop\Rental Property Transactions.xlsx
2012-07-24 20:22 - 2012-07-24 20:22 - 00001823 ____A C:\Users\Ed\Desktop\ed cd drive (ED-MAIN) - Shortcut.lnk
2012-07-24 20:06 - 2010-08-16 21:40 - 00001802 ____A C:\Users\Public\Desktop\Vuze.lnk
2012-07-23 20:12 - 2012-07-23 20:12 - 00001811 ____A C:\Users\Ed\Desktop\dvd drive (ED-MAIN) - Shortcut.lnk
2012-07-22 21:50 - 2012-07-22 21:50 - 00002006 ____A C:\Users\Ed\Desktop\accomodata silver 500g (MEDIA) - Shortcut.lnk
2012-07-22 21:50 - 2012-07-22 21:50 - 00001876 ____A C:\Users\Ed\Desktop\h (Media) - Shortcut.lnk
2012-07-22 21:50 - 2012-07-22 21:50 - 00001780 ____A C:\Users\Ed\Desktop\g (Media) - Shortcut.lnk
2012-07-18 09:47 - 2012-08-15 04:09 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 02:17 - 2009-07-13 18:04 - 00000478 ____A C:\Windows\win.ini
2012-07-04 13:16 - 2012-08-15 04:09 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 13:14 - 2012-08-15 04:09 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 13:14 - 2012-08-15 04:09 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-06-28 16:52 - 2012-08-16 02:06 - 12317184 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-28 16:27 - 2012-08-16 02:06 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-28 16:16 - 2012-08-16 02:06 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-28 16:09 - 2012-08-16 02:06 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-28 16:09 - 2012-08-16 02:06 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-28 16:08 - 2012-08-16 02:06 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-28 16:07 - 2012-08-16 02:06 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-28 16:06 - 2012-08-16 02:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-28 16:04 - 2012-08-16 02:06 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-28 16:04 - 2012-08-16 02:06 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-28 16:01 - 2012-08-16 02:06 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-28 16:01 - 2012-08-16 02:06 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-28 16:00 - 2012-08-16 02:06 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-28 15:57 - 2012-08-16 02:06 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-17 20:52 - 2012-04-05 21:03 - 00002357 ____A C:\Users\Ed\Desktop\000 new arrivals - Shortcut.lnk
2012-06-17 20:52 - 2012-02-25 10:19 - 00002319 ____A C:\Users\Ed\Desktop\000 radio to keep - Shortcut (2).lnk
2012-06-17 20:52 - 2012-02-25 10:03 - 00002256 ____A C:\Users\Ed\Desktop\000 Live - Shortcut.lnk
2012-06-17 20:52 - 2011-06-05 18:26 - 00001762 ____A C:\Users\Ed\Desktop\yoga - Shortcut.lnk
2012-06-17 20:52 - 2011-06-05 17:05 - 00002172 ____A C:\Users\Ed\Desktop\Music to store - Shortcut.lnk
2012-06-17 20:52 - 2011-06-05 17:05 - 00002166 ____A C:\Users\Ed\Desktop\Public Videos - Shortcut.lnk
2012-06-17 20:52 - 2011-06-05 17:05 - 00002129 ____A C:\Users\Ed\Desktop\Public Music - Shortcut.lnk

ZeroAccess:
C:\Windows\Installer\{9838b74c-83bf-812d-73dc-c532d0013103}
C:\Windows\Installer\{9838b74c-83bf-812d-73dc-c532d0013103}\@
C:\Windows\Installer\{9838b74c-83bf-812d-73dc-c532d0013103}\L
C:\Windows\Installer\{9838b74c-83bf-812d-73dc-c532d0013103}\n
C:\Windows\Installer\{9838b74c-83bf-812d-73dc-c532d0013103}\U
C:\Windows\Installer\{9838b74c-83bf-812d-73dc-c532d0013103}\L\00000004.@
C:\Windows\Installer\{9838b74c-83bf-812d-73dc-c532d0013103}\L\201d3dde
C:\Windows\Installer\{9838b74c-83bf-812d-73dc-c532d0013103}\U\00000004.@
C:\Windows\Installer\{9838b74c-83bf-812d-73dc-c532d0013103}\U\00000008.@
C:\Windows\Installer\{9838b74c-83bf-812d-73dc-c532d0013103}\U\000000cb.@
C:\Windows\Installer\{9838b74c-83bf-812d-73dc-c532d0013103}\U\80000000.@
C:\Windows\Installer\{9838b74c-83bf-812d-73dc-c532d0013103}\U\80000032.@
ZeroAccess:
C:\Users\Ed\AppData\Local\{9838b74c-83bf-812d-73dc-c532d0013103}
C:\Users\Ed\AppData\Local\{9838b74c-83bf-812d-73dc-c532d0013103}\L
C:\Users\Ed\AppData\Local\{9838b74c-83bf-812d-73dc-c532d0013103}\U
ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini
==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2012-09-12 09:09:31
==================== Memory info ===========================
Percentage of memory in use: 22%
Total physical RAM: 1791.18 MB
Available physical RAM: 1384.85 MB
Total Pagefile: 1791.18 MB
Available Pagefile: 1393.85 MB
Total Virtual: 2047.88 MB
Available Virtual: 1952.73 MB
==================== Partitions ============================
1 Drive c: (Acer) (Fixed) (Total:131.95 GB) (Free:22.04 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:17 GB) (Free:7.34 GB) NTFS
3 Drive f: (Lexar) (Removable) (Total:14.91 GB) (Free:14.86 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B
Disk 1 Online 14 GB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 17 GB 1024 KB
Partition 2 Primary 100 MB 17 GB
Partition 3 Primary 131 GB 17 GB
==================================================================================
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E PQSERVICE NTFS Partition 17 GB Healthy Hidden
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 Y SYSTEM RESE NTFS Partition 100 MB Healthy
==================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Acer NTFS Partition 131 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 64 KB
==================================================================================
Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F Lexar FAT32 Removable 14 GB Healthy
==================================================================================
Last Boot: 2012-09-07 16:30
==================== End Of Log =============================


-----------------------------------------------------------------------------------------
Farbar Recovery Scan Tool (x86) Version: 12-09-2012
Ran by SYSTEM at 2012-09-12 22:36:15
Running from F:\
================== Search: "services.exe" ===================
C:\Windows.old\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows.old\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2012-09-12 21:24] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9
=== End Of Search ===
 
Hello, and welcome to TechSpot.


rulesx.png
Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
FRST Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
2012-09-12 20:45 - 2012-09-12 20:45 - 00000332 ____A C:\Start_.cmd
C:\Windows\Installer\{9838b74c-83bf-812d-73dc-c532d0013103}
C:\Users\Ed\AppData\Local\{9838b74c-83bf-812d-73dc-c532d0013103}
C:\Windows\assembly\GAC\Desktop.ini
Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
 
No change - here's the script output:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-09-2012
Ran by SYSTEM at 2012-09-13 08:43:43 Run:1
Running from F:\
==============================================
Could not find C:\Windows\System32\services.exe.
Could not find C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe.
==== End of Fixlog ====
 
FRST Fixlist

Download the attached file, please. Save it on your flash drive to replace the current fixlist.txt. Make sure it maintains its current name fixlist.txt.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now, please enter System Recovery Options then select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
 

Attachments

  • fixlist.txt
    415 bytes · Views: 2
Hi, it ran and here's the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-09-2012
Ran by SYSTEM at 2012-09-14 19:41:53 Run:2
Running from F:\
==============================================
C:\Start_.cmd moved successfully.
C:\Windows\Installer\{9838b74c-83bf-812d-73dc-c532d0013103} moved successfully.
C:\Users\Ed\AppData\Local\{9838b74c-83bf-812d-73dc-c532d0013103} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====
 
ComboFix

Please download ComboFix
combofix.gif
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
Combofix ran and here is the log:

ComboFix 12-09-14.03 - Ed 09/15/2012 18:26:27.1.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.2.1033.18.1791.919 [GMT -7:00]
Running from: c:\users\Ed\Desktop\svchost.exe.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\SPL32D6.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-08-16 to 2012-09-16 )))))))))))))))))))))))))))))))
.
.
2012-09-15 10:24 . 2012-09-16 01:44 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{235BD34A-59C5-4971-8DDB-4F0B5554893C}\offreg.dll
2012-09-15 10:24 . 2012-09-15 10:24 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{235BD34A-59C5-4971-8DDB-4F0B5554893C}\MpKsl3f4879e9.sys
2012-09-15 02:55 . 2012-08-28 08:50 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{235BD34A-59C5-4971-8DDB-4F0B5554893C}\mpengine.dll
2012-09-15 02:51 . 2012-08-22 17:16 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-15 02:51 . 2012-07-04 19:45 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-15 02:51 . 2012-08-22 17:16 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-15 02:51 . 2012-08-22 17:16 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-15 02:51 . 2012-08-22 17:16 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-15 02:51 . 2012-08-02 16:57 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-13 06:33 . 2012-09-13 06:33 -------- d-----w- C:\FRST
2012-09-13 04:53 . 2012-02-09 21:17 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8730C9A5-A1CD-49CF-9ED5-A269A32E56F9}\gapaengine.dll
2012-09-13 04:53 . 2012-08-28 08:50 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-13 04:51 . 2012-09-13 04:51 -------- d-----w- c:\program files\Microsoft Security Client
2012-09-13 04:45 . 2012-09-16 01:19 -------- d-----w- C:\ComboFix
2012-08-19 19:52 . 2012-08-19 19:52 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-19 19:48 . 2012-07-12 05:07 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-19 19:48 . 2011-10-30 23:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-18 17:47 . 2012-08-15 12:09 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-08 17:59 . 2011-10-02 03:32 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-07-08 17:57 . 2011-11-09 19:40 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2012-07-08 17:57 . 2011-06-24 17:37 573776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-07-04 21:14 . 2012-08-15 12:09 102912 ----a-w- c:\windows\system32\browser.dll
2012-07-04 21:14 . 2012-08-15 12:09 41984 ----a-w- c:\windows\system32\browcli.dll
2012-06-29 00:16 . 2012-08-16 10:06 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09 . 2012-08-16 10:06 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08 . 2012-08-16 10:06 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04 . 2012-08-16 10:06 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00 . 2012-08-16 10:06 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-17 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"VX3000"="c:\windows\vVX3000.exe" [2010-05-20 762736]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2009-04-27 291496]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2009-04-27 25256]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{270FE6A0-E893-421C-809E-5B9111C2D4EC}\Icon3E5562ED7.ico [2012-8-8 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 MpKsl3f4879e9;MpKsl3f4879e9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{235BD34A-59C5-4971-8DDB-4F0B5554893C}\MpKsl3f4879e9.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [x]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [x]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 19:48]
.
2012-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-17 17:18]
.
2012-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-17 17:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.uknova.com/wsgi/torrent/find?torrentspage=0
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.59.144.19 64.59.150.135
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\09\06\18\0f;8\1b"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\taskhost.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-09-15 18:53:42 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-16 01:53
.
Pre-Run: 22,678,167,552 bytes free
Post-Run: 23,778,885,632 bytes free
.
- - End Of File - - C2EAFED5B92568C2F43E6AC166DE9932
 
ComboFix Script

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    ClearJavaCache::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    CFScriptB-4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


AdwCleaner Scan
Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
 
Combofix output:

ComboFix 12-09-14.03 - Ed 09/16/2012 9:49.2.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.2.1033.18.1791.1046 [GMT -7:00]
Running from: c:\users\Ed\Desktop\svchost.exe.exe
Command switches used :: c:\users\Ed\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-08-16 to 2012-09-16 )))))))))))))))))))))))))))))))
.
.
2012-09-16 17:04 . 2012-09-16 17:04 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-09-16 17:04 . 2012-09-16 17:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-16 09:31 . 2012-09-16 09:31 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A7DAC7A8-C191-44FB-B285-9E16DE7FD0F2}\MpKsl565e8101.sys
2012-09-16 09:31 . 2012-09-16 09:31 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A7DAC7A8-C191-44FB-B285-9E16DE7FD0F2}\offreg.dll
2012-09-16 09:28 . 2012-08-28 08:50 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A7DAC7A8-C191-44FB-B285-9E16DE7FD0F2}\mpengine.dll
2012-09-16 05:51 . 2012-08-28 08:50 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-19 19:52 . 2012-08-19 19:52 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-16 06:34 . 2011-04-17 17:43 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2012-08-19 19:48 . 2012-07-12 05:07 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-19 19:48 . 2011-10-30 23:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-18 17:47 . 2012-08-15 12:09 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-08 17:59 . 2011-10-02 03:32 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-07-08 17:57 . 2011-11-09 19:40 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\Markup.dll
2012-07-08 17:57 . 2011-06-24 17:37 573776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-07-04 21:14 . 2012-08-15 12:09 102912 ----a-w- c:\windows\system32\browser.dll
2012-07-04 21:14 . 2012-08-15 12:09 41984 ----a-w- c:\windows\system32\browcli.dll
2012-06-29 00:16 . 2012-08-16 10:06 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09 . 2012-08-16 10:06 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08 . 2012-08-16 10:06 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04 . 2012-08-16 10:06 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00 . 2012-08-16 10:06 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-17 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"VX3000"="c:\windows\vVX3000.exe" [2010-05-20 762736]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2009-04-27 291496]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2009-04-27 25256]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{270FE6A0-E893-421C-809E-5B9111C2D4EC}\Icon3E5562ED7.ico [2012-8-8 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 MpKsl565e8101;MpKsl565e8101;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A7DAC7A8-C191-44FB-B285-9E16DE7FD0F2}\MpKsl565e8101.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [x]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys [x]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL565E8101
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 19:48]
.
2012-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-17 17:18]
.
2012-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-17 17:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.uknova.com/wsgi/torrent/find?torrentspage=0
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.59.144.19 64.59.150.135
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\09\06\18\0f;8\1b"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-09-16 10:11:12
ComboFix-quarantined-files.txt 2012-09-16 17:11
ComboFix2.txt 2012-09-16 01:53
.
Pre-Run: 23,351,582,720 bytes free
Post-Run: 23,348,797,440 bytes free
.
- - End Of File - - DB9263630E71E9DDB0157E5292867063

adwcleaner output:

# AdwCleaner v2.001 - Logfile created 09/16/2012 at 10:31:06
# Updated 09/09/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Ed - ED-ACER-WIN7
# Boot Mode : Normal
# Running from : C:\Users\Ed\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****
Folder Deleted : C:\Users\Ed\AppData\Local\Conduit
Folder Deleted : C:\Users\Ed\AppData\LocalLow\Conduit
***** [Registry] *****
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2504091
Key Deleted : HKLM\Software\Conduit
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-21-3340880509-3061400694-4199755230-1003\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
*************************
AdwCleaner[S1].txt - [1346 octets] - [16/09/2012 10:31:06]
########## EOF - C:\AdwCleaner[S1].txt - [1406 octets] ##########
 
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so an install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
  • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
  • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.


Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
Great, ran ESET and no threats were found.

Looks like I'm clear as there seems to be no other symptoms to report.

Many, many thanks for excellent help.
 
Great! Let's finish up here, if you want to prevent these types of threats in the future...

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name I.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive I.e. C
  • For a few moments the system will make some calculations:
    diskcleanup1.png
  • Select the More Options tab
    moreoptions.png
  • In the System Restore and Shadow Backups select Clean up
    moreoptions2.png
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
Status
Not open for further replies.
Back