
Friendlysol

Members
  • Posts: 6
  • Joined
  • Last visited

Reputation: 0 Neutral
  1. During the scan the computer blue screened; I attached the minidump. Please change the extension to .dmp: Pearl_052512-38953-01.txt
  2. Malwarebytes Anti-Malware 1.61.0.1400
     www.malwarebytes.org
     Database version: v2012.05.24.03
     Windows 7 x86 NTFS
     Internet Explorer 8.0.7600.16385
     pholmes :: FRONTDESK [administrator]
     5/24/2012 11:14:06 AM
     mbam-log-2012-05-24 (11-14-06).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 328798
     Time elapsed: 5 minute(s), 53 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 0
     (No malicious items detected)
     (end)
  3. ComboFix 12-05-23.01 - pholmes 05/23/2012 9:22.2.2 - x86
     Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3069.1965 [GMT -5:00]
     Running from: \\ACSERV\RedirectedFolders\pholmes\Desktop\ComboFix.exe
     Command switches used :: \\ACSERV\RedirectedFolders\pholmes\Desktop\CFScript.exe.txt
     AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
     SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
     SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\windows\system32\setup.ini
     c:\windows\Tasks\At1.job
     c:\windows\Tasks\At10.job
     c:\windows\Tasks\At11.job
     c:\windows\Tasks\At12.job
     c:\windows\Tasks\At13.job
     c:\windows\Tasks\At14.job
     c:\windows\Tasks\At15.job
     c:\windows\Tasks\At16.job
     c:\windows\Tasks\At17.job
     c:\windows\Tasks\At18.job
     c:\windows\Tasks\At19.job
     c:\windows\Tasks\At2.job
     c:\windows\Tasks\At20.job
     c:\windows\Tasks\At21.job
     c:\windows\Tasks\At22.job
     c:\windows\Tasks\At23.job
     c:\windows\Tasks\At24.job
     c:\windows\Tasks\At25.job
     c:\windows\Tasks\At26.job
     c:\windows\Tasks\At27.job
     c:\windows\Tasks\At28.job
     c:\windows\Tasks\At29.job
     c:\windows\Tasks\At3.job
     c:\windows\Tasks\At30.job
     c:\windows\Tasks\At31.job
     c:\windows\Tasks\At32.job
     c:\windows\Tasks\At33.job
     c:\windows\Tasks\At34.job
     c:\windows\Tasks\At35.job
     c:\windows\Tasks\At36.job
     c:\windows\Tasks\At37.job
     c:\windows\Tasks\At38.job
     c:\windows\Tasks\At39.job
     c:\windows\Tasks\At4.job
     c:\windows\Tasks\At40.job
     c:\windows\Tasks\At41.job
     c:\windows\Tasks\At5.job
     c:\windows\Tasks\At6.job
     c:\windows\Tasks\At7.job
     c:\windows\Tasks\At8.job
     c:\windows\Tasks\At9.job
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-04-23 to 2012-05-23 )))))))))))))))))))))))))))))))
     .
     .
     2012-05-23 14:26 . 2012-05-23 14:26 -------- d-----w- c:\users\pearlholmes\AppData\Local\temp
     2012-05-23 14:26 . 2012-05-23 14:26 -------- d-----w- c:\users\gabrielwong\AppData\Local\temp
     2012-05-23 14:26 . 2012-05-23 14:26 -------- d-----w- c:\users\Default\AppData\Local\temp
     2012-05-23 14:26 . 2012-05-23 14:26 -------- d-----w- c:\users\ACIUSER\AppData\Local\temp
     2012-05-23 14:26 . 2012-05-23 14:26 -------- d-----w- c:\users\acepeda\AppData\Local\temp
     2012-05-23 14:26 . 2012-05-23 14:26 -------- d-----w- c:\users\acadmin\AppData\Local\temp
     2012-05-23 14:26 . 2012-05-23 14:26 -------- d-----w- c:\users\acadmin.ACADVISORYINC\AppData\Local\temp
     2012-05-23 11:15 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5441E7E5-CC01-4F68-849D-13F01B451013}\mpengine.dll
     2012-05-22 23:57 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
     2012-05-21 22:52 . 2012-05-21 22:52 201 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{2602A16B-EEF5-5554-E6A0-40DCEF2AEF4F}-tmp1ab5f2fd.bat
     2012-05-21 16:49 . 2012-05-21 16:49 -------- d-----w- c:\users\pholmes\AppData\Roaming\Malwarebytes
     2012-05-21 16:49 . 2012-05-21 16:49 -------- d-----w- c:\programdata\Malwarebytes
     2012-05-21 16:49 . 2012-05-21 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2012-05-21 16:49 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
     2012-05-21 16:40 . 2012-05-21 16:40 10063000 ----a-w- C:\mbam-setup-1.61.0.1400.exe
     2012-05-21 15:45 . 2009-08-20 05:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
     2012-05-21 15:43 . 2012-03-26 15:00 112056 ----a-w- c:\windows\system32\acaptuser32.dll
     2012-05-11 17:46 . 2009-06-05 15:19 626688 ----a-w- c:\windows\system32\softcoin.dll
     2012-05-11 17:46 . 2009-06-05 15:19 425984 ----a-w- c:\windows\system32\gencoin.dll
     2012-05-11 17:46 . 2009-10-07 04:19 401408 ----a-w- c:\windows\system32\lexlog.dll
     2012-05-11 17:46 . 2009-10-07 04:19 847872 ----a-w- c:\windows\system32\lmabusb1.dll
     2012-05-11 17:46 . 2009-10-07 04:19 643072 ----a-w- c:\windows\system32\lmabpmui.dll
     2012-05-11 17:46 . 2009-10-07 04:19 479232 ----a-w- c:\windows\system32\lmabpar1.dll
     2012-05-11 17:46 . 2009-10-07 04:19 339968 ----a-w- c:\windows\system32\lmabiesc.dll
     2012-05-11 17:46 . 2009-10-07 04:19 1040384 ----a-w- c:\windows\system32\lmabserv.dll
     2012-05-11 17:46 . 2009-10-07 04:19 569344 ----a-w- c:\windows\system32\lmablmpm.dll
     2012-05-11 17:46 . 2009-10-07 04:19 450560 ----a-w- c:\windows\system32\lmabiobj.dll
     2012-05-11 17:46 . 2009-10-07 04:19 364544 ----a-w- c:\windows\system32\lmabinpa.dll
     2012-05-11 17:45 . 2009-10-07 04:19 905216 ----a-w- c:\windows\system32\lmabip1.dll
     2012-05-11 17:45 . 2009-10-07 04:19 593920 ----a-w- c:\windows\system32\lmabcoms.exe
     2012-05-11 17:45 . 2009-10-07 04:19 356352 ----a-w- c:\windows\system32\lmabhcp.dll
     2012-05-11 17:45 . 2009-10-07 04:19 802816 ----a-w- c:\windows\system32\lmabcomc.dll
     2012-05-11 17:45 . 2009-10-07 04:19 372736 ----a-w- c:\windows\system32\lmabcomm.dll
     2012-05-11 17:45 . 2012-05-11 17:45 -------- d-----w- c:\program files\Lexmark
     2012-05-08 09:59 . 2012-05-08 09:59 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
     2012-05-08 09:59 . 2012-05-08 09:59 -------- d-----w- c:\program files\Java
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2012-05-08 09:59 . 2011-01-06 11:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
     2012-05-07 16:23 . 2012-03-29 11:22 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
     2012-05-07 16:23 . 2011-05-14 10:25 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2012-03-21 01:44 . 2010-10-25 02:25 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
     2012-03-21 01:44 . 2010-10-25 02:25 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
     2012-03-01 05:53 . 2012-04-11 08:01 19312 ----a-w- c:\windows\system32\drivers\fs_rec.sys
     2012-03-01 05:49 . 2012-04-11 08:01 172544 ----a-w- c:\windows\system32\wintrust.dll
     2012-03-01 05:45 . 2012-04-11 08:01 158720 ----a-w- c:\windows\system32\imagehlp.dll
     2012-03-01 05:40 . 2012-04-11 08:01 5120 ----a-w- c:\windows\system32\wmi.dll
     2012-02-28 05:40 . 2012-04-11 05:35 981504 ----a-w- c:\windows\system32\wininet.dll
     2012-02-28 05:38 . 2012-04-11 05:35 44544 ----a-w- c:\windows\system32\licmgr10.dll
     2012-02-28 04:31 . 2012-04-11 05:35 386048 ----a-w- c:\windows\system32\html.iec
     2012-02-28 03:57 . 2012-04-11 05:35 1638912 ----a-w- c:\windows\system32\mshtml.tlb
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "googletalk"="c:\users\pholmes\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
     "FriendlySupport"="c:\windows\LTSvc\FriendlySupport.exe" [2011-11-26 933376]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-12-11 98304]
     "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-15 307200]
     "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-18 7711264]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
     "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 40376]
     "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 640440]
     "IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2008-05-27 106496]
     "SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2008-05-27 32768]
     "TypeRegChecker"="c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe" [2008-05-27 57344]
     "FtpServer.exe"="c:\program files\Sharp\Sharpdesk\FtpServer.exe" [2008-05-26 704512]
     "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
     "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
     "tvncontrol"="c:\windows\LTsvc\tvnserver.exe" [2012-05-22 819200]
     .
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "Microsoft Security Client"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
     .
     c:\users\pholmes\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
     OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
     .
     c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
     Network Monitoring Tray.lnk - c:\windows\LTSvc\LTTray.exe [2012-4-9 1282888]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
     "ConsentPromptBehaviorAdmin"= 0 (0x0)
     "ConsentPromptBehaviorUser"= 3 (0x3)
     "EnableLUA"= 0 (0x0)
     "EnableUIADesktopToggle"= 0 (0x0)
     "PromptOnSecureDesktop"= 0 (0x0)
     "SoftwareSASGeneration"= 1 (0x1)
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
     @="Service"
     .
     R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
     R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 257696]
     R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 74112]
     R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 214952]
     R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-15 1343400]
     S0 stcvsm;StorageCraft Volume Snapshot Driver;c:\windows\system32\DRIVERS\stcvsm.sys [2010-12-13 193440]
     S1 sbmount;StorageCraft Image Mount Driver; [x]
     S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-12-11 172032]
     S2 LTService;Friendly Solutions Management;c:\windows\LTSVC\LTSVC.exe [2012-03-29 12542976]
     S2 LTSvcMon;Friendly Solutions Management CheckUp Util;c:\windows\LTSvc\LTSvcMon.exe [2012-04-06 96768]
     S2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [2010-12-13 3631648]
     S2 tvnserver;TightVNC Server;c:\windows\LTsvc\tvnserver.exe [2012-05-22 819200]
     S2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2010-12-13 67616]
     S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2009-12-11 5188096]
     S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2009-12-11 125440]
     S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
     .
     .
     --- Other Services/Drivers In Memory ---
     .
     *NewlyCreated* - WS2IFSL
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     GPSvcGroup REG_MULTI_SZ GPSvc
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2012-05-23 c:\windows\Tasks\Adobe Flash Player Updater.job
     - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 16:23]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://companyweb
     IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
     IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
     Trusted Zone: friendly-solutions.com\monitor2
     TCP: Interfaces\{39FC164F-1670-4001-A59A-90B65FCFE771}: NameServer = 192.168.0.2,8.8.8.8
     .
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
     @Denied: (A) (Users)
     @Denied: (A) (Everyone)
     @Allowed: (B 1 2 3 4 5) (S-1-5-20)
     "BlindDial"=dword:00000000
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
     @Denied: (Full) (Everyone)
     .
     Completion time: 2012-05-23 09:28:13
     ComboFix-quarantined-files.txt 2012-05-23 14:28
     ComboFix2.txt 2012-05-22 22:43
     .
     Pre-Run: 403,631,681,536 bytes free
     Post-Run: 403,565,809,664 bytes free
     .
     - - End Of File - - 8777E6AFC5402617C415E7FC418096D6
  4. Hello
     1. Close any open browsers.
     2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
     3. Open notepad and copy/paste the text in the quotebox below into it:
        AtJob::
        JavaClearCache::
     Save this as CFScript.txt, in the same location as ComboFix.exe
     http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
     Referring to the picture above, drag CFScript into ComboFix.exe
     When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     I did that and here are the results... log.txt
  5. ComboFix 12-05-22.02 - pholmes 05/22/2012 17:36:37.1.2 - x86
     Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3069.1930 [GMT -5:00]
     Running from: \\ACSERV\RedirectedFolders\pholmes\Desktop\ComboFix.exe
     AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
     SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
     SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     C:\install.exe
     c:\programdata\2e5DomMFcQ6K81
     c:\programdata\a9Ihd8FrwtLf9M
     c:\users\pholmes\g2mdlhlpx.exe
     c:\windows\system32\windows
     c:\windows\system32\windows.\system32\msvcm80.dll
     c:\windows\system32\windows.\system32\msvcp80.dll
     c:\windows\system32\windows.\system32\msvcr80.dll
     c:\windows\system32\windows.\winsxs\92rg91xw.1p4\msvcm80.dll
     c:\windows\system32\windows.\winsxs\92rg91xw.1p4\msvcp80.dll
     c:\windows\system32\windows.\winsxs\92rg91xw.1p4\msvcr80.dll
     c:\windows\system32\windows.\winsxs\b2rg91xw.1p4\msvcm80.dll
     c:\windows\system32\windows.\winsxs\b2rg91xw.1p4\msvcp80.dll
     c:\windows\system32\windows.\winsxs\b2rg91xw.1p4\msvcr80.dll
     c:\windows\system32\windows.\winsxs\b2rg91xw.1p4\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.cat
     c:\windows\system32\windows.\winsxs\b2rg91xw.1p4\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest
     c:\windows\system32\windows.\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.cat
     c:\windows\system32\windows.\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest
     c:\windows\system32\windows.\winsxs\Policies\uxgs54we.kj4\8.0.50727.762.cat
     c:\windows\system32\windows.\winsxs\Policies\uxgs54we.kj4\8.0.50727.762.policy
     c:\windows\system32\windows.\winsxs\vxgs54we.kj4\8.0.50727.762.cat
     c:\windows\system32\windows.\winsxs\vxgs54we.kj4\8.0.50727.762.policy
     c:\windows\system32\windows\system32\msvcm80.dll
     c:\windows\system32\windows\system32\msvcp80.dll
     c:\windows\system32\windows\system32\msvcr80.dll
     c:\windows\system32\windows\winsxs\92rg91xw.1p4\msvcm80.dll
     c:\windows\system32\windows\winsxs\92rg91xw.1p4\msvcp80.dll
     c:\windows\system32\windows\winsxs\92rg91xw.1p4\msvcr80.dll
     c:\windows\system32\windows\winsxs\b2rg91xw.1p4\msvcm80.dll
     c:\windows\system32\windows\winsxs\b2rg91xw.1p4\msvcp80.dll
     c:\windows\system32\windows\winsxs\b2rg91xw.1p4\msvcr80.dll
     c:\windows\system32\windows\winsxs\b2rg91xw.1p4\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.cat
     c:\windows\system32\windows\winsxs\b2rg91xw.1p4\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest
     c:\windows\system32\windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.cat
     c:\windows\system32\windows\winsxs\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest
     c:\windows\system32\windows\winsxs\Policies\uxgs54we.kj4\8.0.50727.762.cat
     c:\windows\system32\windows\winsxs\Policies\uxgs54we.kj4\8.0.50727.762.policy
     c:\windows\system32\windows\winsxs\vxgs54we.kj4\8.0.50727.762.cat
     c:\windows\system32\windows\winsxs\vxgs54we.kj4\8.0.50727.762.policy
     .
     .
     ((((((((((((((((((((((((( Files Created from 2012-04-22 to 2012-05-22 )))))))))))))))))))))))))))))))
     .
     .
     2012-05-22 22:41 . 2012-05-22 22:41 -------- d-----w- c:\users\pearlholmes\AppData\Local\temp
     2012-05-22 22:41 . 2012-05-22 22:41 -------- d-----w- c:\users\gabrielwong\AppData\Local\temp
     2012-05-22 22:41 . 2012-05-22 22:41 -------- d-----w- c:\users\Default\AppData\Local\temp
     2012-05-22 22:41 . 2012-05-22 22:41 -------- d-----w- c:\users\ACIUSER\AppData\Local\temp
     2012-05-22 22:41 . 2012-05-22 22:41 -------- d-----w- c:\users\acepeda\AppData\Local\temp
     2012-05-22 22:41 . 2012-05-22 22:41 -------- d-----w- c:\users\acadmin\AppData\Local\temp
     2012-05-22 22:41 . 2012-05-22 22:41 -------- d-----w- c:\users\acadmin.ACADVISORYINC\AppData\Local\temp
     2012-05-22 20:06 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{60D5AC69-9DEF-4974-ACC9-0BFFC7D7B05F}\mpengine.dll
     2012-05-21 22:52 . 2012-05-21 22:52 201 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{2602A16B-EEF5-5554-E6A0-40DCEF2AEF4F}-tmp1ab5f2fd.bat
     2012-05-21 19:33 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
     2012-05-21 16:49 . 2012-05-21 16:49 -------- d-----w- c:\users\pholmes\AppData\Roaming\Malwarebytes
     2012-05-21 16:49 . 2012-05-21 16:49 -------- d-----w- c:\programdata\Malwarebytes
     2012-05-21 16:49 . 2012-05-21 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2012-05-21 16:49 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
     2012-05-21 16:40 . 2012-05-21 16:40 10063000 ----a-w- C:\mbam-setup-1.61.0.1400.exe
     2012-05-21 15:45 . 2009-08-20 05:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
     2012-05-21 15:43 . 2012-03-26 15:00 112056 ----a-w- c:\windows\system32\acaptuser32.dll
     2012-05-11 17:46 . 2009-06-05 15:19 626688 ----a-w- c:\windows\system32\softcoin.dll
     2012-05-11 17:46 . 2009-06-05 15:19 425984 ----a-w- c:\windows\system32\gencoin.dll
     2012-05-11 17:46 . 2009-10-07 04:19 401408 ----a-w- c:\windows\system32\lexlog.dll
     2012-05-11 17:46 . 2009-10-07 04:19 847872 ----a-w- c:\windows\system32\lmabusb1.dll
     2012-05-11 17:46 . 2009-10-07 04:19 643072 ----a-w- c:\windows\system32\lmabpmui.dll
     2012-05-11 17:46 . 2009-10-07 04:19 479232 ----a-w- c:\windows\system32\lmabpar1.dll
     2012-05-11 17:46 . 2009-10-07 04:19 339968 ----a-w- c:\windows\system32\lmabiesc.dll
     2012-05-11 17:46 . 2009-10-07 04:19 1040384 ----a-w- c:\windows\system32\lmabserv.dll
     2012-05-11 17:46 . 2009-10-07 04:19 569344 ----a-w- c:\windows\system32\lmablmpm.dll
     2012-05-11 17:46 . 2009-10-07 04:19 450560 ----a-w- c:\windows\system32\lmabiobj.dll
     2012-05-11 17:46 . 2009-10-07 04:19 364544 ----a-w- c:\windows\system32\lmabinpa.dll
     2012-05-11 17:45 . 2009-10-07 04:19 905216 ----a-w- c:\windows\system32\lmabip1.dll
     2012-05-11 17:45 . 2009-10-07 04:19 593920 ----a-w- c:\windows\system32\lmabcoms.exe
     2012-05-11 17:45 . 2009-10-07 04:19 356352 ----a-w- c:\windows\system32\lmabhcp.dll
     2012-05-11 17:45 . 2009-10-07 04:19 802816 ----a-w- c:\windows\system32\lmabcomc.dll
     2012-05-11 17:45 . 2009-10-07 04:19 372736 ----a-w- c:\windows\system32\lmabcomm.dll
     2012-05-11 17:45 . 2012-05-11 17:45 -------- d-----w- c:\program files\Lexmark
     2012-05-08 09:59 . 2012-05-08 09:59 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
     2012-05-08 09:59 . 2012-05-08 09:59 -------- d-----w- c:\program files\Java
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2012-05-08 09:59 . 2011-01-06 11:25 472864 ----a-w- c:\windows\system32\deployJava1.dll
     2012-05-07 16:23 . 2012-03-29 11:22 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
     2012-05-07 16:23 . 2011-05-14 10:25 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2012-03-21 01:44 . 2010-10-25 02:25 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
     2012-03-21 01:44 . 2010-10-25 02:25 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
     2012-03-01 05:53 . 2012-04-11 08:01 19312 ----a-w- c:\windows\system32\drivers\fs_rec.sys
     2012-03-01 05:49 . 2012-04-11 08:01 172544 ----a-w- c:\windows\system32\wintrust.dll
     2012-03-01 05:45 . 2012-04-11 08:01 158720 ----a-w- c:\windows\system32\imagehlp.dll
     2012-03-01 05:40 . 2012-04-11 08:01 5120 ----a-w- c:\windows\system32\wmi.dll
     2012-02-28 05:40 . 2012-04-11 05:35 981504 ----a-w- c:\windows\system32\wininet.dll
     2012-02-28 05:38 . 2012-04-11 05:35 44544 ----a-w- c:\windows\system32\licmgr10.dll
     2012-02-28 04:31 . 2012-04-11 05:35 386048 ----a-w- c:\windows\system32\html.iec
     2012-02-28 03:57 . 2012-04-11 05:35 1638912 ----a-w- c:\windows\system32\mshtml.tlb
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "googletalk"="c:\users\pholmes\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
     "FriendlySupport"="c:\windows\LTSvc\FriendlySupport.exe" [2011-11-26 933376]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-12-11 98304]
     "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-15 307200]
     "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-18 7711264]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
     "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 40376]
     "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 640440]
     "IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2008-05-27 106496]
     "SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2008-05-27 32768]
     "TypeRegChecker"="c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe" [2008-05-27 57344]
     "FtpServer.exe"="c:\program files\Sharp\Sharpdesk\FtpServer.exe" [2008-05-26 704512]
     "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
     "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
     .
     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "Microsoft Security Client"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
     .
     c:\users\pholmes\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
     OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
     .
     c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
     Network Monitoring Tray.lnk - c:\windows\LTSvc\LTTray.exe [2012-4-9 1282888]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
     "ConsentPromptBehaviorAdmin"= 0 (0x0)
     "ConsentPromptBehaviorUser"= 3 (0x3)
     "EnableLUA"= 0 (0x0)
     "EnableUIADesktopToggle"= 0 (0x0)
     "PromptOnSecureDesktop"= 0 (0x0)
     "SoftwareSASGeneration"= 1 (0x1)
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
     @="Service"
     .
     R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
     R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 257696]
     R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 74112]
     R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 214952]
     R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-15 1343400]
     S0 stcvsm;StorageCraft Volume Snapshot Driver;c:\windows\system32\DRIVERS\stcvsm.sys [2010-12-13 193440]
     S1 MpKsl2d1a9030;MpKsl2d1a9030;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{60D5AC69-9DEF-4974-ACC9-0BFFC7D7B05F}\MpKsl2d1a9030.sys [2012-05-22 29904]
     S1 sbmount;StorageCraft Image Mount Driver; [x]
     S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-12-11 172032]
     S2 LTService;Friendly Solutions Management;c:\windows\LTSVC\LTSVC.exe [2012-03-29 12542976]
     S2 LTSvcMon;Friendly Solutions Management CheckUp Util;c:\windows\LTSvc\LTSvcMon.exe [2012-04-06 96768]
     S2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [2010-12-13 3631648]
     S2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2010-12-13 67616]
     S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2009-12-11 5188096]
     S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2009-12-11 125440]
     S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
     .
     .
     --- Other Services/Drivers In Memory ---
     .
     *NewlyCreated* - MPKSL2D1A9030
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     GPSvcGroup REG_MULTI_SZ GPSvc
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2012-05-22 c:\windows\Tasks\Adobe Flash Player Updater.job
     - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 16:23]
     .
     2010-08-06 c:\windows\Tasks\At1.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-08-11 c:\windows\Tasks\At10.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-08-26 c:\windows\Tasks\At11.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-08-26 c:\windows\Tasks\At12.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-09-10 c:\windows\Tasks\At13.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-09-10 c:\windows\Tasks\At14.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-10-03 c:\windows\Tasks\At15.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-10-03 c:\windows\Tasks\At16.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-10-04 c:\windows\Tasks\At17.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-10-04 c:\windows\Tasks\At18.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-12-04 c:\windows\Tasks\At19.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-08-06 c:\windows\Tasks\At2.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-12-05 c:\windows\Tasks\At20.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-12-05 c:\windows\Tasks\At21.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-12-06 c:\windows\Tasks\At22.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-12-06 c:\windows\Tasks\At23.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-02-02 c:\windows\Tasks\At24.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-02-02 c:\windows\Tasks\At25.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-02-03 c:\windows\Tasks\At26.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-02-03 c:\windows\Tasks\At27.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-03-16 c:\windows\Tasks\At28.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-04-19 c:\windows\Tasks\At29.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-08-07 c:\windows\Tasks\At3.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-04-19 c:\windows\Tasks\At30.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-04-23 c:\windows\Tasks\At31.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-04-23 c:\windows\Tasks\At32.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-04-24 c:\windows\Tasks\At33.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-04-26 c:\windows\Tasks\At34.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-05-18 c:\windows\Tasks\At35.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-07-06 c:\windows\Tasks\At36.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-07-14 c:\windows\Tasks\At37.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-08-10 c:\windows\Tasks\At38.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-08-10 c:\windows\Tasks\At39.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-08-07 c:\windows\Tasks\At4.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-09-12 c:\windows\Tasks\At40.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2011-09-14 c:\windows\Tasks\At41.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-08-08 c:\windows\Tasks\At5.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-08-08 c:\windows\Tasks\At6.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-08-09 c:\windows\Tasks\At7.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-08-09 c:\windows\Tasks\At8.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     2010-08-11 c:\windows\Tasks\At9.job
     - c:\windows\system32\cleanmgr.exe [2009-07-13 01:14]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://companyweb
     IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
     IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
     IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
     IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
     Trusted Zone: friendly-solutions.com\monitor2
     TCP: Interfaces\{39FC164F-1670-4001-A59A-90B65FCFE771}: NameServer = 192.168.0.2,8.8.8.8
     .
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
     @Denied: (A) (Users)
     @Denied: (A) (Everyone)
     @Allowed: (B 1 2 3 4 5) (S-1-5-20)
     "BlindDial"=dword:00000000
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
     @Denied: (Full) (Everyone)
     .
     Completion time: 2012-05-22 17:43:33
     ComboFix-quarantined-files.txt 2012-05-22 22:43
     .
     Pre-Run: 403,598,598,144 bytes free
     Post-Run: 403,439,104,000 bytes free
     .
     - - End Of File - - 9A072C39D08C92AD293FDC78AA8FC71E
  6. After restarting the computer to remove an infection, Malwarebytes quick scan finds the same infection. Already attempted the following:
     1. Booted computer into safe mode
     2. Ran rkill and tdsskiller then malwarebytes
     DDS.txt
     Attach.txt
     Malwarebytes Anti-Malware 1.61.0.1400
     www.malwarebytes.org
     Database version: v2012.05.22.03
     Windows 7 x86 NTFS
     Internet Explorer 8.0.7600.16385
     pholmes :: FRONTDESK [administrator]
     5/22/2012 1:12:48 PM
     mbam-log-2012-05-22 (13-12-48).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 327674
     Time elapsed: 6 minute(s), 49 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 1
     HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Ransom) -> Data: C:\Users\pholmes\LOCALS~1\Temp\mswtcy.com -> Delete on reboot.
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 8
     C:\Users\pholmes\AppData\Local\Temp\012bb060.exe (Trojan.Zbot.DTGen) -> Quarantined and deleted successfully.
     C:\Users\pholmes\AppData\Local\Temp\013412bb.exe (Trojan.Zbot.DTGen) -> Quarantined and deleted successfully.
     C:\Users\pholmes\AppData\Local\Temp\013cbde8.exe (Trojan.Zbot.DTGen) -> Quarantined and deleted successfully.
     C:\Users\pholmes\AppData\Local\Temp\014d48d8.exe (Trojan.Zbot.DTGen) -> Quarantined and deleted successfully.
     C:\Users\pholmes\AppData\Local\Temp\0155a7d9.exe (Trojan.Zbot.DTGen) -> Quarantined and deleted successfully.
     C:\Users\pholmes\AppData\Local\Temp\01e3df21.exe (Trojan.Zbot.DTGen) -> Quarantined and deleted successfully.
     C:\Users\pholmes\AppData\Local\Temp\021e75b6.exe (Trojan.Zbot.DTGen) -> Quarantined and deleted successfully.
     C:\Users\pholmes\AppData\Local\Temp\0351896b.exe (Trojan.Zbot.DTGen) -> Quarantined and deleted successfully.
     (end)