cunfused

cannot remove malware

52 posts in this topic

Ok, so I followed your directions but when I dragged CFScript.txt into ComboFix.exe, ComboFix said that it was outdated and asked if it should run a reduced scan.

I may have messed up here but I figured the only way to update ComboFix since there is no internet connection on that computer was to delete then re-install it.

When I did this it automatically ran a full scan and created a log. The next step I was going to do was drag CFScript.txt into ComboFix like you asked, but I can't find it. I'm thinking ComboFix deleted it during the system scan.

So I tried following your instructions again, thinking that now ComboFix is surely up to date, but when I try to drag CFScript.txt into ComboFix it says that this is an illegal operation on the registry.

Here is the log from the accidental full scan. I hope it is helpful:

ComboFix 12-03-16.05 - Rebekah 03/16/2012 20:31:03.3.4 - x86

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3502.2535 [GMT -7:00]

Running from: C:\ComboFix.exe

Command switches used :: c:\users\Rebekah\Desktop\CFScript.txt

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

--------------- FCopy ---------------

.

c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys --> c:\windows\System32\drivers\afd.sys

.

((((((((((((((((((((((((( Files Created from 2012-02-17 to 2012-03-17 )))))))))))))))))))))))))))))))

.

.

2012-03-11 04:55 . 2012-03-11 04:55 -------- d-----w- c:\program files\ESET

2012-03-11 04:00 . 2012-03-11 04:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-03-11 04:00 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-10 13:32 . 2012-03-17 03:38 -------- d-----w- c:\users\Rebekah\AppData\Local\temp

2012-03-07 15:55 . 2010-11-20 08:42 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys

2012-03-03 01:39 . 2012-03-03 01:39 -------- d-----w- c:\users\Benny\AppData\Local\Mozilla

2012-03-01 08:20 . 2012-03-01 08:20 -------- d-----w- c:\users\Benny\AppData\Roaming\Malwarebytes

2012-03-01 06:22 . 2012-03-01 06:22 -------- d-----w- c:\users\Rebekah\AppData\Roaming\Malwarebytes

2012-03-01 06:22 . 2012-03-01 06:22 -------- d-----w- c:\programdata\Malwarebytes

2012-02-29 09:17 . 2012-03-04 04:17 -------- d-----w- C:\TDSSKiller_Quarantine

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-04 04:18 . 2011-06-16 00:41 338944 ----a-w- c:\windows\system32\drivers\afd.sys

2012-03-03 03:09 . 2011-09-04 07:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-02-29 09:23 . 2011-03-26 22:51 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys

2012-02-03 05:20 . 2011-01-28 10:35 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll

2012-02-03 05:19 . 2011-02-15 05:58 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll

2012-02-03 05:19 . 2011-01-28 10:35 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll

2012-02-16 14:40 . 2012-03-03 01:38 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

"PMSpeed"="c:\program files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE" [2008-12-09 55120]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-02 7596576]

"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2009-08-05 2072576]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]

"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]

"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-06-05 843776]

"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2008-05-24 26448]

"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2009-08-05 1596096]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe" [2011-11-21 247968]

.

c:\users\Benny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\users\Rebekah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

PHOTOfunSTUDIO 6.0.lnk - c:\program files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe [2011-11-25 174064]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp wsauth

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 136176]

R3 EUCR;EUCR;c:\windows\system32\DRIVERS\EUCR6SK.SYS [2009-12-05 82128]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 136176]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-07 1343400]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 51040]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]

S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2009-07-09 160768]

S2 wsnm;VMware View Client;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2011-02-19 494192]

S2 wsnm_usbctrl;VMware View USB Control;c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [2011-02-19 793200]

S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2009-05-26 17408]

S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 125696]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-10-30 209920]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-06-23 275048]

S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\Drivers\vmwvusb.sys [2011-02-19 39984]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

Akamai REG_MULTI_SZ Akamai

NecUsbSevice REG_MULTI_SZ NecUsb

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

NICM

EUSBMSD

spcflt

yukonwxp

GameConsoleService

z525mdfl

PTproct

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 19:32]

.

2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 19:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://msi.msn.com

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath -

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]

"ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(544)

c:\windows\system32\wsauth.DLL

.

Completion time: 2012-03-16 20:39:47

ComboFix-quarantined-files.txt 2012-03-17 03:39

ComboFix2.txt 2012-03-10 13:32

ComboFix3.txt 2012-03-07 16:17

.

Pre-Run: 68,640,759,808 bytes free

Post-Run: 68,580,175,872 bytes free

.

- - End Of File - - B05579510DFDAEEF218E6042AE80F79B


Please post a new fresh log from Farbar Service Scanner.


New FSS Log-

Farbar Service Scanner Version: 01-03-2012

Ran by Rebekah (administrator) on 17-03-2012 at 18:20:58

Running from "C:\Users\Rebekah\Desktop"

Microsoft Windows 7 Home Premium Service Pack 1 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

There is no connection to network.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall"=DWORD:0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall"=DWORD:0

System Restore:

============

System Restore Disabled Policy:

========================

Action Center:

============

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

File Check:

========

C:\windows\system32\nsisvc.dll => MD5 is legit

C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\windows\system32\dhcpcore.dll => MD5 is legit

C:\windows\system32\Drivers\afd.sys

[2011-06-15 17:41] - [2012-03-03 21:18] - 0338944 ____A () 8FC69A5AA8A9FECC7F18A3ADDAA3AB7E

C:\windows\system32\Drivers\tdx.sys => MD5 is legit

C:\windows\system32\Drivers\tcpip.sys => MD5 is legit

C:\windows\system32\dnsrslvr.dll => MD5 is legit

C:\windows\system32\mpssvc.dll => MD5 is legit

C:\windows\system32\bfe.dll => MD5 is legit

C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\windows\system32\SDRSVC.dll => MD5 is legit

C:\windows\system32\vssvc.exe => MD5 is legit

C:\windows\system32\wscsvc.dll => MD5 is legit

C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\windows\system32\wuaueng.dll => MD5 is legit

C:\windows\system32\qmgr.dll => MD5 is legit

C:\windows\system32\es.dll => MD5 is legit

C:\windows\system32\cryptsvc.dll => MD5 is legit

C:\windows\system32\svchost.exe => MD5 is legit

C:\windows\system32\rpcss.dll => MD5 is legit

**** End of log ****
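The FSS log above is what the helper reads before writing the FCopy script: one system file whose MD5 FSS could not verify (afd.sys), two update-related services not running, and a registry policy that turns the Windows Firewall off for both profiles. The script below is an added example for this thread, not part of Farbar Service Scanner, ComboFix or the forum's own tooling; it pulls those three kinds of findings out of an FSS log so a responder does not have to eyeball a long "MD5 is legit" list. It assumes only the line layouts visible in the quoted log. The embedded sample is constructed from lines of that log (the paths and the afd.sys hash are the ones printed above); the function names `triage_fss_log` and `summarize` are this example's own.

```python
"""Triage a Farbar Service Scanner (FSS) text log for the conditions the
helper acted on in this thread: system files whose MD5 FSS could not
verify, core services that are not running, and registry policy that
disables the Windows Firewall.

Added example; not part of FSS, ComboFix or the forum's tooling. It
assumes the line layouts visible in the FSS log quoted in the thread.
"""
import re

# Constructed excerpt, modelled line-for-line on the FSS output quoted in the thread.
SAMPLE_LOG = r"""
Farbar Service Scanner Version: 01-03-2012
Ran by Rebekah (administrator) on 17-03-2012 at 18:20:58
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
BITS Service is not running. Checking service configuration:
The ServiceDll of BITS service is OK.
File Check:
========
C:\windows\system32\nsisvc.dll => MD5 is legit
C:\windows\system32\Drivers\afd.sys
[2011-06-15 17:41] - [2012-03-03 21:18] - 0338944 ____A () 8FC69A5AA8A9FECC7F18A3ADDAA3AB7E
C:\windows\system32\Drivers\tdx.sys => MD5 is legit
**** End of log ****
"""

LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
# "[created] - [modified] - size attrs () MD5": the detail line FSS prints for an unverified file
DETAIL_RE = re.compile(r"^\[[^\]]*\] - \[[^\]]*\] - (?P<size>\d+) \S+ \(\) (?P<md5>[0-9A-Fa-f]{32})$")
STOPPED_RE = re.compile(r"^(?P<svc>\S+) Service is not running")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
FW_RE = re.compile(r'^"EnableFirewall"=DWORD:(?P<val>\d+)$')


def triage_fss_log(text):
    """Return the findings a responder would pull out of an FSS log."""
    findings = {
        "verified_files": [],           # paths FSS reported as "MD5 is legit"
        "unverified_files": [],         # dicts: path, size, md5 (hash as printed by FSS)
        "stopped_services": [],         # service names reported as not running
        "firewall_disabled_policy": [], # firewall profiles with an EnableFirewall=0 policy
    }
    pending_path = None  # bare path line waiting for its detail line
    last_key = None      # most recent registry key header seen

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.strip("=*") == "":
            continue  # blank line or a row of '=' / '*' underline characters

        m = STOPPED_RE.match(line)
        if m:
            findings["stopped_services"].append(m.group("svc"))
            continue

        m = LEGIT_RE.match(line)
        if m:
            findings["verified_files"].append(m.group("path"))
            pending_path = None
            continue

        m = DETAIL_RE.match(line)
        if m and pending_path:
            findings["unverified_files"].append(
                {"path": pending_path, "size": int(m.group("size")), "md5": m.group("md5").upper()}
            )
            pending_path = None
            continue

        if PATH_RE.match(line):
            pending_path = line  # FSS prints the file's details on the next line
            continue

        m = KEY_RE.match(line)
        if m:
            last_key = m.group("key")
            continue

        m = FW_RE.match(line)
        if m and last_key and m.group("val") == "0":
            # the profile name is the last component of the policy key path
            findings["firewall_disabled_policy"].append(last_key.rsplit("\\", 1)[-1])

    return findings


def summarize(findings):
    """One line per finding, in the order a responder would act on them."""
    lines = []
    for f in findings["unverified_files"]:
        lines.append("UNVERIFIED %s (%d bytes, MD5 %s)" % (f["path"], f["size"], f["md5"]))
    for svc in findings["stopped_services"]:
        lines.append("STOPPED    %s" % svc)
    for profile in findings["firewall_disabled_policy"]:
        lines.append("FW-POLICY  %s has EnableFirewall=0" % profile)
    return lines


if __name__ == "__main__":
    for entry in summarize(triage_fss_log(SAMPLE_LOG)):
        print(entry)
```

Run it on a saved FSS log by passing the file's contents to `triage_fss_log`. An unverified entry is only a prompt to compare the file against a known-good copy (the helper does exactly that with the WinSxS afd.sys); a hash FSS cannot match is not by itself proof of infection, since a hotfix can change it.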


Delete your copy of ComboFix, download a new fresh one and then:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

FCopy::
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys | C:\windows\system32\Drivers\afd.sys

Save this as CFScript.txt, in the same location as ComboFix.exe.

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Internet is Working! Awesome. I haven't tried to open a browser or do anything.

LOG-

ComboFix 12-03-16.05 - Rebekah 03/18/2012 2:25.4.4 - x86

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3502.2643 [GMT -7:00]

Running from: C:\ComboFix.exe

Command switches used :: c:\users\Rebekah\Desktop\CFScript.txt

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

--------------- FCopy ---------------

.

c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --> c:\windows\system32\Drivers\afd.sys

.

((((((((((((((((((((((((( Files Created from 2012-02-18 to 2012-03-18 )))))))))))))))))))))))))))))))

.

.

2012-03-18 09:33 . 2012-03-18 09:33 -------- d-----w- c:\users\Mcx1-REBEKAHS-LAPTOP\AppData\Local\temp

2012-03-18 09:33 . 2012-03-18 09:33 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-03-18 09:33 . 2012-03-18 09:33 -------- d-----w- c:\users\Benny\AppData\Local\temp

2012-03-11 04:55 . 2012-03-11 04:55 -------- d-----w- c:\program files\ESET

2012-03-11 04:00 . 2012-03-11 04:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-03-11 04:00 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-10 13:32 . 2012-03-18 09:35 -------- d-----w- c:\users\Rebekah\AppData\Local\temp

2012-03-07 15:55 . 2010-11-20 08:42 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys

2012-03-03 01:39 . 2012-03-03 01:39 -------- d-----w- c:\users\Benny\AppData\Local\Mozilla

2012-03-01 08:20 . 2012-03-01 08:20 -------- d-----w- c:\users\Benny\AppData\Roaming\Malwarebytes

2012-03-01 06:22 . 2012-03-01 06:22 -------- d-----w- c:\users\Rebekah\AppData\Roaming\Malwarebytes

2012-03-01 06:22 . 2012-03-01 06:22 -------- d-----w- c:\programdata\Malwarebytes

2012-02-29 09:17 . 2012-03-04 04:17 -------- d-----w- C:\TDSSKiller_Quarantine

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-03 03:09 . 2011-09-04 07:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-02-29 09:23 . 2011-03-26 22:51 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys

2012-02-03 05:20 . 2011-01-28 10:35 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll

2012-02-03 05:19 . 2011-02-15 05:58 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll

2012-02-03 05:19 . 2011-01-28 10:35 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll

2012-01-14 03:35 . 2012-02-16 04:10 2343424 ----a-w- c:\windows\system32\win32k.sys

2012-01-04 08:58 . 2012-02-16 04:10 442880 ----a-w- c:\windows\system32\ntshrui.dll

2011-12-30 05:27 . 2012-02-16 04:10 478720 ----a-w- c:\windows\system32\timedate.cpl

2012-02-16 14:40 . 2012-03-03 01:38 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

"PMSpeed"="c:\program files\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE" [2008-12-09 55120]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-02 7596576]

"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2009-08-05 2072576]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]

"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]

"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-06-05 843776]

"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2008-05-24 26448]

"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2009-08-05 1596096]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-06 421888]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe" [2011-11-21 247968]

.

c:\users\Benny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\users\Rebekah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

PHOTOfunSTUDIO 6.0.lnk - c:\program files\Common Files\Panasonic\PHOTOfunSTUDIO AutoStart\AutoStartupService.exe [2011-11-25 174064]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp wsauth

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 136176]

R3 EUCR;EUCR;c:\windows\system32\DRIVERS\EUCR6SK.SYS [2009-12-05 82128]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 136176]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-07 1343400]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 51040]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]

S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2009-07-09 160768]

S2 wsnm;VMware View Client;c:\program files\VMware\VMware View\Client\bin\wsnm.exe [2011-02-19 494192]

S2 wsnm_usbctrl;VMware View USB Control;c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [2011-02-19 793200]

S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2009-05-26 17408]

S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 125696]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-10-30 209920]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-06-23 275048]

S3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\Drivers\vmwvusb.sys [2011-02-19 39984]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

Akamai REG_MULTI_SZ Akamai

NecUsbSevice REG_MULTI_SZ NecUsb

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

NICM

EUSBMSD

spcflt

yukonwxp

GameConsoleService

z525mdfl

PTproct

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 19:32]

.

2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-05 19:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://msi.msn.com

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

FF - ProfilePath -

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]

"ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(544)

c:\windows\system32\wsauth.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\WUDFHost.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\program files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe

c:\windows\system32\sppsvc.exe

c:\program files\Windows Media Player\wmpnetwk.exe

.

**************************************************************************

.

Completion time: 2012-03-18 02:38:38 - machine was rebooted

ComboFix-quarantined-files.txt 2012-03-18 09:38

ComboFix2.txt 2012-03-17 03:39

ComboFix3.txt 2012-03-10 13:32

ComboFix4.txt 2012-03-07 16:17

.

Pre-Run: 68,500,701,184 bytes free

Post-Run: 68,222,197,760 bytes free

.

- - End Of File - - F498AA6143E1A303C1EA657E93C464B2


That is really awesome! huh... :)

How are things running now? Open Google and see how things are there.


I assume I should turn firewalls and Malwarebytes on. Any suggestions on anti-virus programs or anything else?


So far no commercials. Everything is running smoothly. You're lucky you're on the other side of the world, because you would be getting a big hug.

Can you provide me any links to tutorials that can show me what I need to do to avoid these problems in the future?


Absolutely. :)

Please uninstall ComboFix:

www.bleepingcomputer.com/combofix/how-to-use-combofix#uninstall

Next, uninstall ESET Online Scanner and then manually delete DDS, TDSSKiller, Farbar Service Scanner and SystemLook.

Everything you need to know is here:

http://forums.malwarebytes.org/index.php?showtopic=104379&pid=515983&st=0entry515983

Safe surfing! :)


Sorry, last question: do you need the uninstall log? Is AVG anti-virus good, or should I go with something else?


No, I don't need it. It is a good free choice too.


The computer just said that it is not running genuine Windows?? Windows directs me to their website to download the Windows Activation Update; I downloaded the program and ran it, but it can't finish.

Says "Update installation failed. Error information -0x80096001"

Advice?


AVG Resident Shield Alert-

File Name- c:\Windows\System32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL

Threat Name- Trojan horse Proxy.ASMH

When I try to remove the threat AVG says "Object does not exist or is inaccessible."

I followed the threat to its location and deleted it, and now I am running a Malwarebytes quick scan.


New Threat

c:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\windows\Temporary Internet Files\Contents.IES\4QB7PQ74\in[1].htm

Also says "Object does not exist or is inaccessible"

Malwarebytes Scan Log-

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.03.18.03

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 8.0.7601.17514

Rebekah :: REBEKAHS-LAPTOP [administrator]

Protection: Enabled

3/18/2012 3:35:27 PM

mbam-log-2012-03-18 (16-06-17).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 229316

Time elapsed: 21 minute(s), 15 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\System32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL (Trojan.Proxy) -> No action taken.

(end)


Update your Malwarebytes' Anti-Malware, perform a new quick scan and remove this one:

C:\Windows\System32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL (Trojan.Proxy) -> No action taken.

Next:

Please download and run this tool:

http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

This will take care of:

c:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\windows\Temporary Internet Files\Contents.IES\4QB7PQ74\in[1].htm

Next, update your AVG and perform a full system scan.

Let me know how things are then.


Everything seems to be OK other than being prompted that I am not running genuine Windows.

When I try to resolve the issue, the operation fails. It says "Update installation failed. Error information -0x80096001"


Something weird happened the other day.

The computer started crashing, then went to a blue screen and said something about a crash dump??


Download BlueScreenView

No installation required.

Double click on BlueScreenView.exe file to run the program.

When scanning is done, go to Edit > Select All.

Go to File > Save Selected Items, and save the report as BSOD.txt.

Open BSOD.txt in Notepad, copy all content, and paste it into your next reply.


Blue Screen View did not find anything. Attempts to fix the update failures, as well as to validate my copy of Windows, have not been successful.

I also got a warning when I logged into my Gmail account that it may have been hacked: a big red bar at the top of my email account said that my email had been accessed remotely. It listed sources and asked if it was me, and if so not to worry. I couldn't recognize any of the sources, so I changed my password.

Still no commercials which is a plus.

This topic is now closed to further replies.