Solved Svchost outbound blocked by MBAM

Ryan Sam · Jun 16, 2012

Part 2

========== Files/Folders - Created Within 30 Days ==========

[2012/06/16 00:16:09 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Ryan\Desktop\aswMBR.exe
[2012/06/15 23:44:37 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/06/15 23:42:26 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/06/15 22:54:46 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTL.exe
[2012/06/15 22:16:17 | 004,559,503 | R--- | C] (Swearware) -- C:\Users\Ryan\Desktop\ComboFix.exe
[2012/06/15 18:24:18 | 000,000,000 | ---D | C] -- C:\FRST
[2012/06/15 13:22:00 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/06/15 13:22:00 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/06/15 13:22:00 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/06/15 13:19:54 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/06/15 13:03:10 | 001,932,256 | ---- | C] (Symantec Corporation) -- C:\Users\Ryan\Desktop\FixTDSS.exe
[2012/06/15 12:00:40 | 000,083,968 | ---- | C] (Esage Lab) -- C:\Users\Ryan\Desktop\boot_cleaner.exe
[2012/06/14 18:55:13 | 002,127,960 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Ryan\Desktop\TDSSKiller.exe
[2012/06/05 22:11:40 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Local\backburner
[2012/06/04 19:32:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2012/06/04 19:31:59 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2012/06/04 19:31:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
[2012/06/02 21:04:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/06/01 16:12:39 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/06/01 16:00:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2012/06/01 16:00:09 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/05/31 23:52:51 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/05/31 11:25:47 | 000,000,000 | ---D | C] -- C:\Users\Ryan\AppData\Roaming\Malwarebytes
[2012/05/31 11:25:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/05/31 11:25:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/05/31 11:25:39 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[4 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/16 11:59:45 | 000,000,512 | ---- | M] () -- C:\Users\Ryan\Desktop\MBR.dat
[2012/06/16 11:53:57 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/16 11:53:57 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/16 11:53:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/06/16 11:46:51 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/06/16 11:46:45 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/06/16 03:44:00 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/16 03:33:00 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2388485762-2462165164-2089254216-1001UA.job
[2012/06/15 23:45:45 | 000,045,056 | ---- | M] () -- C:\Windows\SysNative\acovcnt.exe
[2012/06/15 23:42:25 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/06/15 22:54:37 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\OTL.exe
[2012/06/15 22:15:59 | 004,559,503 | R--- | M] (Swearware) -- C:\Users\Ryan\Desktop\ComboFix.exe
[2012/06/15 15:15:16 | 002,127,960 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Ryan\Desktop\TDSSKiller.exe
[2012/06/15 13:33:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2388485762-2462165164-2089254216-1001Core.job
[2012/06/15 13:03:03 | 001,932,256 | ---- | M] (Symantec Corporation) -- C:\Users\Ryan\Desktop\FixTDSS.exe
[2012/06/15 12:02:31 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Ryan\Desktop\aswMBR.exe
[2012/06/14 19:44:39 | 000,007,632 | ---- | M] () -- C:\Users\Ryan\AppData\Local\Resmon.ResmonCfg
[2012/06/13 23:01:02 | 004,968,552 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/06/13 22:57:17 | 000,797,284 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/06/13 22:57:17 | 000,662,658 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/06/13 22:57:17 | 000,122,454 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/06/01 22:57:58 | 000,000,219 | ---- | M] () -- C:\0
[2012/06/01 16:00:17 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/06/01 16:00:11 | 000,797,064 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/05/31 23:59:36 | 000,001,002 | ---- | M] () -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mbam.exe - Shortcut.lnk
[2012/05/31 22:35:51 | 000,000,412 | ---- | M] () -- C:\Users\Ryan\AppData\Roaming\All CPU Meter_Settings.ini
[4 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/15 13:22:00 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/06/15 13:22:00 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/06/15 13:22:00 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/06/15 13:22:00 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/06/15 13:22:00 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/06/15 12:30:10 | 000,000,512 | ---- | C] () -- C:\Users\Ryan\Desktop\MBR.dat
[2012/06/08 09:30:32 | 000,001,002 | ---- | C] () -- C:\Users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mbam.exe - Shortcut.lnk
[2012/06/01 16:00:13 | 000,001,917 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/05/15 02:21:50 | 000,423,744 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe
[2012/04/29 18:11:51 | 000,004,608 | ---- | C] () -- C:\Windows\SysWow64\adesk_patcher64.exe
[2012/01/22 19:01:59 | 000,282,864 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012/01/22 19:01:58 | 000,076,888 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2011/11/08 16:32:14 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/07/29 18:21:52 | 000,010,752 | ---- | C] () -- C:\Users\Ryan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/22 15:01:43 | 000,000,412 | ---- | C] () -- C:\Users\Ryan\AppData\Roaming\All CPU Meter_Settings.ini
[2011/05/14 21:29:00 | 000,000,024 | ---- | C] () -- C:\Windows\ATKPF.ini
[2011/05/10 21:34:36 | 000,797,064 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/05/10 18:43:47 | 000,007,632 | ---- | C] () -- C:\Users\Ryan\AppData\Local\Resmon.ResmonCfg
[2011/04/16 22:27:35 | 000,001,200 | ---- | C] () -- C:\Windows\THXCfg_SP_APOIM.ini
[2011/04/16 22:27:35 | 000,001,099 | ---- | C] () -- C:\Windows\THXCfg_HP_APOIM.ini
[2011/04/16 22:27:35 | 000,001,099 | ---- | C] () -- C:\Windows\THXCfg_APOIM.ini
[2011/04/16 22:27:34 | 000,181,760 | ---- | C] () -- C:\Windows\SysWow64\APOMngr.DLL
[2011/04/16 22:27:34 | 000,073,728 | ---- | C] () -- C:\Windows\SysWow64\CmdRtr.DLL
[2011/04/16 22:14:37 | 000,008,192 | ---- | C] () -- C:\Windows\SysWow64\drivers\IntelMEFWVer.dll

========== LOP Check ==========

[2012/05/31 00:00:24 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\.minecraft
[2012/04/15 18:07:19 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\.Nitrous
[2011/11/23 12:10:28 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Acapela Group
[2012/04/04 13:12:04 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Acronis
[2011/12/03 00:28:17 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Asus WebStorage
[2012/05/01 21:32:34 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Autodesk
[2012/06/09 16:55:25 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\BitTorrent
[2011/05/15 17:06:23 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/09/25 19:40:40 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\GameRanger
[2011/08/05 12:45:56 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\gtk-2.0
[2012/02/04 16:36:39 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\ImgBurn
[2011/06/02 22:03:44 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\iPodder
[2011/05/13 23:36:34 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\ManyCam
[2012/01/02 23:33:20 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\minecraft
[2012/01/19 23:07:40 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\MoreTerra
[2011/07/26 21:32:28 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\MotioninJoy
[2011/11/02 22:33:05 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Mount&Blade
[2011/11/03 12:24:16 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Mount&Blade Warband
[2012/04/15 19:25:46 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Notepad++
[2011/05/10 20:08:17 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Nuance
[2012/01/22 16:36:38 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Origin
[2011/06/02 22:27:16 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Participatory Culture Foundation
[2011/08/05 12:52:56 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\PCF-VLC
[2012/05/22 22:57:29 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Primal Pictures
[2011/12/17 23:37:31 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\RIFT
[2012/05/30 21:14:08 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\SHAPE Services
[2011/05/11 00:31:39 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2011/09/11 18:27:19 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\System
[2011/06/30 22:08:29 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\ToLTech
[2012/05/31 00:01:22 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\TS3Client
[2012/01/22 18:14:13 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Uniblue
[2011/09/11 18:41:02 | 000,000,000 | -HSD | M] -- C:\Users\Ryan\AppData\Roaming\wyUpdate AU
[2012/03/22 22:22:53 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Xilisoft
[2011/05/10 20:08:14 | 000,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Zeon
[2012/06/15 23:42:20 | 000,032,626 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 114 bytes -> C:\ProgramData\Temp:A1EDB939

< End of report >

Ryan Sam · Jun 16, 2012

And my aswMBR

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-16 11:48:32
-----------------------------
11:48:32.489 OS Version: Windows x64 6.1.7601 Service Pack 1
11:48:32.489 Number of processors: 8 586 0x2A07
11:48:32.489 ComputerName: TERMINATOR UserName: Ryan
11:48:34.657 Initialize success
11:48:38.713 AVAST engine defs: 12061501
11:48:43.409 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
11:48:43.409 Disk 0 Vendor: ST975042 0002 Size: 715404MB BusType: 3
11:48:43.409 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
11:48:43.424 Disk 1 Vendor: ST750LX0 SM12 Size: 715404MB BusType: 3
11:48:43.424 Disk 1 MBR read successfully
11:48:43.424 Disk 1 MBR scan
11:48:43.424 Disk 1 Windows 7 default MBR code
11:48:43.424 Disk 1 Partition 1 00 1B Hidd FAT32 MSDOS5.0 22004 MB offset 2048
11:48:43.440 Disk 1 Partition 2 80 (A) 07 HPFS/NTFS NTFS 693397 MB offset 45066240
11:48:43.471 Disk 1 scanning C:\Windows\system32\drivers
11:48:50.273 Service scanning
11:49:12.877 Modules scanning
11:49:12.877 Disk 1 trace - called modules:
11:49:12.877 ntoskrnl.exe CLASSPNP.SYS disk.sys vsflt61.sys ACPI.sys iaStor.sys hal.dll
11:49:13.205 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa800919e060]
11:49:13.205 3 CLASSPNP.SYS[fffff88001d9543f] -> nt!IofCallDriver -> [0xfffffa80074c2d90]
11:49:13.205 5 vsflt61.sys[fffff88000f5f0fd] -> nt!IofCallDriver -> [0xfffffa80071aad90]
11:49:13.220 7 ACPI.sys[fffff88000ee17a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0xfffffa80071da050]
11:49:15.326 AVAST engine scan C:\Windows
11:49:21.613 AVAST engine scan C:\Windows\system32
11:52:23.494 AVAST engine scan C:\Windows\system32\drivers
11:52:33.213 AVAST engine scan C:\Users\Ryan
11:55:19.977 AVAST engine scan C:\ProgramData
11:56:37.727 Scan finished successfully
11:59:18.252 Disk 1 MBR has been saved successfully to "C:\Users\Ryan\Desktop\MBR.dat"
11:59:18.252 The log file has been saved successfully to "C:\Users\Ryan\Desktop\aswMBR.txt"
11:59:45.911 Disk 1 MBR has been saved successfully to "C:\Users\Ryan\Desktop\MBR.dat"
11:59:45.911 The log file has been saved successfully to "C:\Users\Ryan\Desktop\aswMBR.txt"

Broni · Jun 16, 2012

Good

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:

:OTL
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No CLSID value found.
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" File not found
O4 - HKU\S-1-5-21-2388485762-2462165164-2089254216-1004..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000 File not found
O8:64bit: - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105 File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105 File not found
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Reg Error: Key error.)
O16:64bit: - DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab (Reg Error: Key error.)
@Alternate Data Stream - 114 bytes -> C:\ProgramData\Temp:A1EDB939

:Commands
[purity]
[emptytemp]
[emptyjava]
[emptyflash]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
You will get a log that shows the results of the fix. Please post it.

==============================================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it.

Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Do NOT post JavaRa log.

===============================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.

Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
- Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

3. Download Temp File Cleaner (TFC)

Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

4. Please run a free online scan with the ESET Online Scanner

Disable your antivirus program
Tick the box next to YES, I accept the Terms of Use
Click Start
Accept any security warnings from your browser.
Check Scan archives
Click Start
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click on List of found threats
Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
NOTE. If Eset won't find any threats, it won't produce any log.

Ryan Sam · Jun 16, 2012

Here is the FSS

Farbar Service Scanner Version: 09-06-2012
Ran by Ryan (administrator) on 16-06-2012 at 13:05:23
Running from "C:\Users\Ryan\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll
[2012-06-13 22:49] - [2012-04-24 00:37] - 0184320 ____A (Microsoft Corporation) 4F5414602E2544A4554D95517948B705

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

Ryan Sam · Jun 16, 2012

here is the security check

Results of screen317's Security Check version 0.99.24
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
JavaFX 2.1.1
Java(TM) 7 Update 5
Out of date Java installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Microsoft Security Essentials msseces.exe
``````````End of Log````````````

Ryan Sam · Jun 16, 2012

I just noticed in the last post it says java is out of date but the link you gave me says I am up to date.

And here is the OTL. ESET is scanning right now

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\IntelTBRunOnce not found.
Registry value HKEY_USERS\S-1-5-21-2388485762-2462165164-2089254216-1004\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ deleted successfully.
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_USERS\S-1-5-21-2388485762-2462165164-2089254216-1004\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA}
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA}\ not found.
ADS C:\ProgramData\Temp:A1EDB939 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Ryan
->Temp folder emptied: 26089 bytes
->Temporary Internet Files folder emptied: 102575477 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 121248073 bytes
->Flash cache emptied: 39880 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 14587136 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17054 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 56855888 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 282.00 mb

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Public

User: Ryan
->Java cache emptied: 0 bytes

User: UpdatusUser

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: Ryan
->Flash cache emptied: 0 bytes

User: UpdatusUser
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.49.0 log created on 06162012_125739

Files\Folders moved on Reboot...
C:\Users\Ryan\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

Broni · Jun 16, 2012

I still need Eset scan.

Ryan Sam · Jun 16, 2012

Alright ill post it right when I get home. It was still running when I left

Broni · Jun 16, 2012

Ryan Sam · Jun 16, 2012

Here ya go

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f9944c990b7ace42830dcf87113e5243
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-06-03 03:58:53
# local_time=2012-06-02 10:58:53 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 32779120 90233188 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=473084
# found=0
# cleaned=0
# scan_time=6194
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f9944c990b7ace42830dcf87113e5243
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-06-05 02:50:13
# local_time=2012-06-04 09:50:13 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 32947388 90401456 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=572658
# found=0
# cleaned=0
# scan_time=6607
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f9944c990b7ace42830dcf87113e5243
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-06-16 10:12:00
# local_time=2012-06-16 05:12:00 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 33959579 91413647 0 0
# compatibility_mode=8192 67108863 100 0 259501 259501 0 0
# scanned=475005
# found=0
# cleaned=0
# scan_time=14522

Broni · Jun 16, 2012

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

Double-click OTL.exe to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the CLEANUP button
Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.

Ryan Sam · Jun 17, 2012

Alright all my restore are cleared and my computer is running fine!

Broni · Jun 17, 2012

Way to go!!

Good luck and stay safe

Ryan Sam · Jun 17, 2012

Thanks for all your help! Have a good one

Broni · Jun 17, 2012

You're very welcome

It looks like we did better than at Malwarebytes site

Ryan Sam · Jun 17, 2012

Lol a lot better. They could not even find the virus. We did the first post

Broni · Jun 17, 2012

Solved Svchost outbound blocked by MBAM

Ryan Sam

Posts: 48 +0

Ryan Sam

Posts: 48 +0

Broni

Posts: 56,041 +516

Ryan Sam

Posts: 48 +0

Ryan Sam

Posts: 48 +0

Ryan Sam

Posts: 48 +0

Broni

Posts: 56,041 +516

Ryan Sam

Posts: 48 +0

Broni

Posts: 56,041 +516

Ryan Sam

Posts: 48 +0

Broni

Posts: 56,041 +516

Ryan Sam

Posts: 48 +0

Broni

Posts: 56,041 +516

Ryan Sam

Posts: 48 +0

Broni

Posts: 56,041 +516

Ryan Sam

Posts: 48 +0

Broni

Posts: 56,041 +516

Similar threads

Latest posts