
Please help, Rogue Security Program - win 7 home security 2011



Paranoidpotato
2011-04-18, 00:08
A couple of weeks ago my computer got infected with a program called win 7 home security 2011. It disabled Firefox and Chrome, and I am unable to run any scans to diagnose what is actually happening.

Please help at the soonest convenience.

ken545
2011-04-19, 13:26


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

This infection will not allow you to download any removal tools from the infected computer or run any programs to remove it. In lieu of me typing all the instructions, see if you can follow this one from BC; let me know if you can't and I will break it down and help you. Once you get Malwarebytes to remove this pest, post the log please, as there may be more to remove.

http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

Paranoidpotato
2011-04-20, 07:28
Apologies for the late post. Here is the Malwarebytes log.
__


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6401

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/19/2011 11:23:21 PM
mbam-log-2011-04-19 (23-23-21).txt

Scan type: Full scan (C:\|D:\|Q:\|)
Objects scanned: 330306
Time elapsed: 31 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 28

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\ryan nakai\AppData\Local\pjm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\Local\rog.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\Local\sqb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\Local\Temp\0.2739298318671154.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\13\4f9f18cd-24604301 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\13\5ca3dccd-7fc42843 (Rogue.Agent) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\14\1f668cce-6f210c23 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\21\20b47915-238b5add (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\23\288d3797-116c2b5e (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\26\3cfc999a-30c53fe2 (Rogue.Agent) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\31\6bf3c11f-4ee2f35b (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\34\7333eb62-6364a495 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\35\4e2bf823-65d80c51 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\35\9eb3ee3-68536023 (Rogue.Agent) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\37\3f5ab6e5-23c61636 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\37\5517da65-63e78d43 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\38\4950f2e6-3376e0a5 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\43\71c712b-7d7bcd29 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\46\3b816a6e-5740f644 (Rogue.Agent) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\52\5c1732b4-57604862 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\53\2f534435-71025c3f (Rogue.Agent) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\6\2de5d206-6c0c96f8 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\6\4133ba46-493627a4 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\6\59530d06-6cfb53c9 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\60\69d6447c-6661a4b7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\LocalLow\Sun\Java\deployment\cache\6.0\60\cd1d23c-5a78f4e2 (Rogue.Agent) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\AppData\Roaming\camstudioportablebackup.reg (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
c:\Users\ryan nakai\downloads\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
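Added example, not part of this thread and not Malwarebytes' own tooling: a small Python triage script for logs in the format posted above. It checks the per-section counts in the header against the entries actually listed and groups the hits by location, so a concentration in the Java deployment cache, or an item still waiting for a reboot to be deleted, stands out at a glance. The embedded sample log is constructed (user name, file names and the last entry's action are made up).

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.50-style scan logs:
parses the "<Section> Infected:" blocks, cross-checks declared counts,
and groups detections by where they were found."""
import re
from collections import Counter

# Constructed sample in the posted log format; names and the last action
# are invented for illustration.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6401
Scan type: Full scan (C:\|D:\|Q:\|)

Memory Processes Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Files Infected:
c:\Users\example\AppData\Local\abc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\example\AppData\LocalLow\Sun\Java\deployment\cache\6.0\13\4f9f18cd-24604301 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\example\AppData\LocalLow\Sun\Java\deployment\cache\6.0\26\3cfc999a-30c53fe2 (Rogue.Agent) -> Quarantined and deleted successfully.
c:\Users\example\downloads\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
"""

# "Files Infected: 28" style summary line near the top of the log.
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Files Infected:" header that opens the detailed listing of a section.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<path> (<detection name>) -> <action>." detail line; the greedy path group
# tolerates parentheses inside the path itself, e.g. "Program Files (x86)".
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# The Java deployment cache, whatever the numbered sub-folder.
JAVA_CACHE_RE = re.compile(r"\\sun\\java\\deployment\\cache\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (declared_counts, detections): section -> declared count, and a
    list of dicts with section, path, detection name and action."""
    declared = {}
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            declared[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"section": section, "path": m["path"],
                               "name": m["name"], "action": m["action"]})
    return declared, detections


def summarize(declared, detections):
    """Group hits by location and detection name, list items not yet removed,
    and report sections whose declared count differs from what was listed."""
    by_bucket = Counter()
    by_name = Counter()
    pending = []
    for d in detections:
        if JAVA_CACHE_RE.search(d["path"]):
            bucket = "java deployment cache"   # collapse the per-entry folders
        else:
            bucket = d["path"].rsplit("\\", 1)[0].lower()
        by_bucket[bucket] += 1
        by_name[d["name"]] += 1
        if not d["action"].lower().startswith("quarantined and deleted"):
            pending.append(d["path"])   # e.g. "Delete on reboot" needs a restart
    parsed = Counter(d["section"] for d in detections)
    mismatches = {s: (n, parsed.get(s, 0))
                  for s, n in declared.items() if n != parsed.get(s, 0)}
    return {"by_bucket": dict(by_bucket), "by_name": dict(by_name),
            "pending": pending, "mismatches": mismatches}


if __name__ == "__main__":
    report = summarize(*parse_mbam_log(SAMPLE_LOG))
    for bucket, n in sorted(report["by_bucket"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {bucket}")
    print("pending:", report["pending"], "| count mismatches:", report["mismatches"] or "none")
```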

ken545
2011-04-20, 10:40
Great!

Were the instructions easy for you to follow? Bleeping Computer is a great site and on top of keeping us all informed about the newer threats.

With this garbage there may be more to remove.



Download DDS from one of the links below to your desktop

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com)


Double click the tool to run it.
A black Screen will open, just read the contents and do nothing.
When the tool finishes, it will open 2 reports, DDS.txt and attach.txt
Copy/Paste the contents of 'DDS.txt' into your post.
'attach.txt' should be zipped using Windows native zip utility and attached to your post. Compress and uncompress files (zip files) (http://windows.microsoft.com/en-us/windows-vista/Compress-and-uncompress-files-zip-files)

Paranoidpotato
2011-04-20, 15:22
DDS log
__

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by Ryan Nakai at 7:15:29.79 on Wed 04/20/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8191.6977 [GMT -6:00]
.
AV: Norton Internet Security *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\18.0.0.128\InstStub.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Users\Ryan Nakai\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Users\Ryan Nakai\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ryan Nakai\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ryan Nakai\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ryan Nakai\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\DllHost.exe
C:\Users\Ryan Nakai\Downloads\dds.scr
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe
uRun: [Google Update] "C:\Users\Ryan Nakai\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
StartupFolder: C:\Users\RYANNA~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAPFI~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll
mRun-x64: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun-x64: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\RYANNA~1\AppData\Roaming\Mozilla\Firefox\Profiles\ofoqk13c.default\
FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: C:\Program Files (x86)\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\nphdplg.dll
FF - plugin: C:\Users\Ryan Nakai\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-3-3 203264]
R2 CinemaNow Service;CinemaNow Service;C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2010-6-12 400368]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-10-14 92216]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [2011-4-19 101048]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe [2010-9-10 126904]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2010-9-10 635416]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-4-24 483688]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2011-3-3 7767552]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2011-3-3 279040]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2011-3-3 116752]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2010-9-10 852256]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-9-10 346144]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2010-4-24 721768]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2010-4-24 269672]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2010-4-24 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2010-4-24 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-4-24 209768]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2010-9-10 38456]
S2 CLKMSVC10_C6F09094;CyberLink Product - 2010/09/10 17:59:38;C:\Program Files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe [2010-9-10 245232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 UsbGps;LGE CDMA USB GPS NMEA Port;C:\Windows\System32\drivers\lgx64gps.sys [2011-1-9 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-12-28 1255736]
.
=============== Created Last 30 ================
.
2011-04-20 04:46:51 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-04-01 16:15:57 -------- d-sh--w- C:\found.000
2011-04-01 15:43:47 8424784 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{7BB8E032-3A87-4FAD-957E-82C1105A8438}\mpengine.dll
2011-03-26 04:49:25 781272 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-03-26 04:49:25 728024 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libGLESv2.dll
2011-03-26 04:49:25 1975768 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_42.dll
2011-03-26 04:49:25 1893336 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_42.dll
2011-03-26 04:49:25 1874904 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2011-03-26 04:49:25 15832 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozalloc.dll
2011-03-26 04:49:25 142296 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libEGL.dll
2011-03-26 04:49:25 142296 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
.
==================== Find3M ====================
.
2011-03-11 06:19:26 1395712 ----a-w- C:\Windows\System32\mfc42.dll
2011-03-11 06:19:26 1359872 ----a-w- C:\Windows\System32\mfc42u.dll
2011-03-11 05:40:24 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll
2011-03-08 05:38:13 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-03-03 06:17:10 182272 ----a-w- C:\Windows\System32\dnsrslvr.dll
2011-03-03 06:14:38 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe
2011-03-03 05:27:30 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe
2011-03-03 03:58:32 3133440 ----a-w- C:\Windows\System32\win32k.sys
2011-02-24 06:30:00 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-02-24 06:29:15 1197056 ----a-w- C:\Windows\System32\wininet.dll
2011-02-24 06:24:57 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2011-02-24 05:32:52 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2011-02-24 05:32:44 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-02-24 05:30:16 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-02-24 05:05:13 482816 ----a-w- C:\Windows\System32\html.iec
2011-02-24 04:24:04 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-02-24 04:23:48 386048 ----a-w- C:\Windows\SysWow64\html.iec
2011-02-24 03:50:26 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-02-23 05:16:28 461312 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-02-23 05:16:01 401920 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-02-23 05:15:50 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-02-23 05:15:27 157696 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-02-23 05:15:14 286720 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-02-23 05:15:13 126464 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-02-23 05:15:06 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
2011-02-19 06:37:44 1135104 ----a-w- C:\Windows\System32\FntCache.dll
2011-02-19 06:37:10 1540608 ----a-w- C:\Windows\System32\DWrite.dll
2011-02-19 06:36:49 902656 ----a-w- C:\Windows\System32\d2d1.dll
2011-02-19 06:36:13 46080 ----a-w- C:\Windows\System32\atmlib.dll
2011-02-19 05:32:48 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll
2011-02-19 05:32:35 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2011-02-19 05:32:08 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-02-19 04:13:39 367104 ----a-w- C:\Windows\System32\atmfd.dll
2011-02-19 03:37:02 294912 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-02-18 06:37:05 612352 ----a-w- C:\Windows\System32\vbscript.dll
2011-02-18 05:36:26 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
2011-02-12 06:14:41 267776 ----a-w- C:\Windows\System32\FXSCOVER.exe
2011-02-05 12:41:43 556928 ----a-w- C:\Windows\System32\winresume.efi
2011-02-05 12:41:35 640896 ----a-w- C:\Windows\System32\winload.efi
2011-02-05 12:41:24 20352 ----a-w- C:\Windows\System32\kdusb.dll
2011-02-05 12:41:24 19328 ----a-w- C:\Windows\System32\kd1394.dll
2011-02-05 12:41:23 17792 ----a-w- C:\Windows\System32\kdcom.dll
2011-02-05 12:39:21 603976 ----a-w- C:\Windows\System32\winload.exe
2011-02-05 12:39:21 518160 ----a-w- C:\Windows\System32\winresume.exe
2011-02-03 00:11:20 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-01-26 06:53:10 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2011-01-26 06:53:10 265088 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2011-01-26 06:31:20 144384 ----a-w- C:\Windows\System32\cdd.dll
.
============= FINISH: 7:15:51.75 ===============

ken545
2011-04-20, 15:37
It looks like Symantec is your main antivirus program, but I am seeing some entries for McAfee. Have you tried to uninstall McAfee at one time? If you did, it may have been a borked uninstall; you may want to run this removal tool. More than one AV can really suck up system resources and cause all kinds of issues.

http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html
http://service.mcafee.com/FAQDocument.aspx?id=TS100507



ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

Paranoidpotato
2011-04-20, 17:25
eset scan log
__
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\27e8c01-766c1216 a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\2d85064e-3517c84f a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\55a2d3ce-307cc400 a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\4b89915-5d1a7a2d a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\530c4f16-7fe93814 multiple threats
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\2b854b99-64091453 a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\1131b71b-56f1ccd2 a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\d6429c3-1d2fffed a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\eee2921-7d56b2d9 multiple threats
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\3e85f8e5-7dd5a9de a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\465f12ac-36a398e4 multiple threats
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\629cc8ec-680fba94 multiple threats
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\6dd632b0-10030286 multiple threats
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\729a4e73-1df92cb7 a variant of Java/TrojanDownloader.OpenStream.NBG trojan
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\121b07f9-4743c91a multiple threats
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\18396c39-6a1ecafb a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\458317b9-228159a5 Java/TrojanDownloader.OpenStream.AF trojan
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\52a2a7ba-7b2b4861 a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\4a5bb93f-4c0b4afa multiple threats
C:\Users\Ryan Nakai\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\77bb66c7-48060ee2 multiple threats

ken545
2011-04-20, 18:15
Hey,

Your Java cache is infected; let's run this other cleaner.

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.




Then do this; your version of Java may be different, but it's all basically the same.

1. Click Start > Settings > Control Panel.
2. Double-click the Java Plug-in icon in the control panel.
3. Click the Cache tab.
4. Click Clear. A confirmation dialog box appears.
5. Click Yes to confirm.
6. Click Apply.


How are things running now?

Paranoidpotato
2011-04-20, 18:43
things are running much better now!

ken545
2011-04-20, 18:53
Did you clear the cache?

Paranoidpotato
2011-04-20, 19:05
Yes, I did.

ken545
2011-04-20, 19:51

How are things running now? We can dig deeper if you feel you still have malware issues.

Paranoidpotato
2011-04-21, 04:18
One more scan just to be safe

Paranoidpotato
2011-04-21, 06:38
Things are running great! I've checked the scans and it's clear.

Thank you so much for your help!
__

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6401

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/20/2011 10:00:58 PM
mbam-log-2011-04-20 (22-00-58).txt

Scan type: Full scan (C:\|D:\|Q:\|)
Objects scanned: 322858
Time elapsed: 27 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ken545
2011-04-21, 10:12
Good Morning,

With all the garbage that was removed, let's run this tool and make sure there is no more.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Paranoidpotato
2011-04-21, 16:23
Here is the combofix log
__


ComboFix 11-04-20.04 - Ryan Nakai 04/21/2011 8:16.1.6 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8191.6757 [GMT -6:00]
Running from: c:\users\Ryan Nakai\Desktop\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))
.
.
2011-04-21 14:19 . 2011-04-21 14:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-20 16:42 . 2011-04-20 16:42 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-04-20 14:06 . 2011-04-20 14:06 -------- d-----w- c:\program files (x86)\ESET
2011-04-20 14:00 . 2011-04-20 14:00 -------- d-s---w- c:\windows\SysWow64\Microsoft
2011-04-20 04:46 . 2011-03-08 06:14 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-01 16:15 . 2011-04-01 16:15 -------- d-----w- C:\found.000
2011-04-01 15:43 . 2011-03-15 05:17 8424784 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7BB8E032-3A87-4FAD-957E-82C1105A8438}\mpengine.dll
2011-03-26 04:49 . 2011-03-18 17:53 142296 ----a-w- c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-03-26 04:49 . 2011-03-18 17:53 781272 ----a-w- c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-03-26 04:49 . 2011-03-18 17:53 1874904 ----a-w- c:\program files (x86)\Mozilla Firefox\mozjs.dll
2011-03-26 04:49 . 2011-03-18 17:53 15832 ----a-w- c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2011-03-26 04:49 . 2011-03-18 17:53 728024 ----a-w- c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2011-03-26 04:49 . 2011-03-18 17:53 142296 ----a-w- c:\program files (x86)\Mozilla Firefox\libEGL.dll
2011-03-26 04:49 . 2011-03-18 17:53 1893336 ----a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_42.dll
2011-03-26 04:49 . 2011-03-18 17:53 1975768 ----a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-10 14:32 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-03 14:25 . 2011-03-03 14:26 116752 ----a-w- c:\windows\system32\drivers\AtihdW76.sys
2011-03-03 14:25 . 2011-03-03 14:26 5210112 ----a-w- c:\windows\system32\atiumd64.dll
2011-03-03 14:25 . 2011-03-03 14:26 3147264 ----a-w- c:\windows\system32\atiumd6a.dll
2011-03-03 14:25 . 2011-03-03 14:26 30208 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2011-03-03 14:25 . 2010-09-11 01:38 57344 ----a-w- c:\windows\system32\coinst.dll
2011-03-03 14:25 . 2010-09-11 01:38 4057088 ----a-w- c:\windows\SysWow64\atiumdag.dll
2011-03-03 14:25 . 2010-09-11 01:38 39424 ----a-w- c:\windows\system32\atiuxp64.dll
2011-03-03 14:25 . 2010-09-11 01:38 3392512 ----a-w- c:\windows\SysWow64\atiumdva.dll
2011-03-03 14:25 . 2011-03-03 14:26 7767552 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-03-03 14:25 . 2011-03-03 14:26 5425664 ----a-w- c:\windows\system32\aticaldd64.dll
2011-03-03 14:25 . 2011-03-03 14:26 53760 ----a-w- c:\windows\system32\atimpc64.dll
2011-03-03 14:25 . 2011-03-03 14:26 53760 ----a-w- c:\windows\system32\amdpcom64.dll
2011-03-03 14:25 . 2011-03-03 14:26 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-03-03 14:25 . 2011-03-03 14:26 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
2011-03-03 14:25 . 2011-03-03 14:26 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2011-03-03 14:25 . 2011-03-03 14:26 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2011-03-03 14:25 . 2011-03-03 14:26 462336 ----a-w- c:\windows\system32\atieclxx.exe
2011-03-03 14:25 . 2011-03-03 14:26 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2011-03-03 14:25 . 2011-03-03 14:26 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-03-03 14:25 . 2011-03-03 14:26 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2011-03-03 14:25 . 2011-03-03 14:26 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2011-03-03 14:25 . 2011-03-03 14:26 4375552 ----a-w- c:\windows\SysWow64\aticaldd.dll
2011-03-03 14:25 . 2011-03-03 14:26 421376 ----a-w- c:\windows\system32\atipdl64.dll
2011-03-03 14:25 . 2011-03-03 14:26 3914240 ----a-w- c:\windows\SysWow64\atidxx32.dll
2011-03-03 14:25 . 2011-03-03 14:26 37376 ----a-w- c:\windows\system32\atiu9p64.dll
2011-03-03 14:25 . 2011-03-03 14:26 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2011-03-03 14:25 . 2011-03-03 14:26 338432 ----a-w- c:\windows\system32\atiadlxx.dll
2011-03-03 14:25 . 2011-03-03 14:26 279040 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-03-03 14:25 . 2011-03-03 14:26 241664 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2011-03-03 14:25 . 2011-03-03 14:26 21504 ----a-w- c:\windows\system32\atig6txx.dll
2011-03-03 14:25 . 2011-03-03 14:26 20736512 ----a-w- c:\windows\system32\atio6axx.dll
2011-03-03 14:25 . 2011-03-03 14:26 203264 ----a-w- c:\windows\system32\atiesrxx.exe
2011-03-03 14:25 . 2011-03-03 14:26 19968 ----a-w- c:\windows\SysWow64\atigktxx.dll
2011-03-03 14:25 . 2011-03-03 14:26 15830016 ----a-w- c:\windows\SysWow64\atioglxx.dll
2011-03-03 14:25 . 2011-03-03 14:26 14848 ----a-w- c:\windows\system32\atig6pxx.dll
2011-03-03 14:25 . 2011-03-03 14:26 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2011-03-03 14:25 . 2011-03-03 14:26 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2011-03-03 14:25 . 2011-03-03 14:26 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2011-03-03 14:25 . 2011-03-03 14:26 12288 ----a-w- c:\windows\system32\atimuixx.dll
2011-03-03 14:25 . 2011-03-03 14:26 120320 ----a-w- c:\windows\system32\atitmm64.dll
2011-03-03 14:25 . 2010-09-11 01:38 616960 ----a-w- c:\windows\system32\aticfx64.dll
2011-03-03 14:25 . 2010-09-11 01:38 528384 ----a-w- c:\windows\SysWow64\aticfx32.dll
2011-03-03 14:25 . 2010-09-11 01:38 4602880 ----a-w- c:\windows\system32\atidxx64.dll
2011-03-03 14:25 . 2010-09-11 01:38 28160 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2011-02-19 06:37 . 2011-03-09 14:40 1135104 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 06:37 . 2011-03-09 14:40 1540608 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 06:36 . 2011-03-09 14:40 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-02-19 05:32 . 2011-03-09 14:40 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-02-19 05:32 . 2011-03-09 14:40 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-02-03 03:40 . 2010-12-27 22:53 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-02-03 00:11 . 2010-12-27 19:47 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-01-26 06:53 . 2011-02-09 15:12 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-26 06:53 . 2011-02-09 15:12 265088 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-01-26 06:31 . 2011-02-09 15:12 144384 ----a-w- c:\windows\system32\cdd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe" [2010-09-28 1715768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PDF Complete"="c:\program files (x86)\PDF Complete\pdfsty.exe" [2009-10-14 563736]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-09-08 98304]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\users\Ryan Nakai\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2010-6-17 1040952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 CLKMSVC10_C6F09094;CyberLink Product - 2010/09/10 17:59;c:\program files (x86)\Hewlett-Packard\Media\DVD\Kernel\HDDVD\NavFilter\kmsvc.exe [2010-06-30 245232]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgx64gps.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-06-13 400368]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-10-15 92216]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe [2010-05-23 126904]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe [2009-10-14 635416]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - CLKMDRV10_C6F09094
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2468213838-283831516-345433170-1000Core.job
- c:\users\Ryan Nakai\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-05 05:08]
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2468213838-283831516-345433170-1000UA.job
- c:\users\Ryan Nakai\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-05 05:08]
.
2011-04-20 c:\windows\Tasks\HPCeeScheduleForRyan Nakai.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-18 568888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
FF - ProfilePath - c:\users\Ryan Nakai\AppData\Roaming\Mozilla\Firefox\Profiles\ofoqk13c.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-{08DB3902-2CE0-474D-BCE3-0177766CE9F1} - c:\program files (x86)\InstallShield Installation Information\{08DB3902-2CE0-474D-BCE3-0177766CE9F1}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.0.0.128\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2468213838-283831516-345433170-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2468213838-283831516-345433170-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-04-21 08:20:46
ComboFix-quarantined-files.txt 2011-04-21 14:20
.
Pre-Run: 908,045,099,008 bytes free
Post-Run: 907,690,958,848 bytes free
.
- - End Of File - - B4996C8216F8596988C3691062619DAE
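The "Reg Loading Points" part of the ComboFix log above (Run keys, Startup-folder shortcuts, services and drivers) is the section an analyst reads first when checking whether a rogue like "Win 7 Home Security 2011" left a persistence entry behind. The following script is an added example, not ComboFix's code and not part of this thread: it parses that section and flags the entries a reviewer would look at first, namely images that run from user-writable directories and services for which ComboFix recorded no timestamp/size ("[x]"). The sample input is an excerpt of the log posted above, with one constructed entry ("ExampleUpdater", a hypothetical path) added so that the user-writable check has something to trip on.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code).

It extracts autorun entries from the 'Reg Loading Points' section and flags
the ones worth a closer look.  The heuristics are a starting point for review,
not a verdict: legitimate software (e.g. Google Update) also runs from
AppData, and "[x]" in the log above appears on drivers that are listed as
present elsewhere in the same log.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in the layout of the posted log.  Most lines are copied
# from it; "ExampleUpdater" is a hypothetical entry added for the demonstration.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe" [2010-09-28 1715768]
"ExampleUpdater"="c:\users\Example\AppData\Local\example.exe" [2011-04-01 53248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2010-6-17 1040952]
.
R3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgx64gps.sys [x]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe [2010-05-23 126904]
.
--------- x86-64 -----------
"""


@dataclass
class Autorun:
    kind: str      # "run-key", "startup-folder" or "service"
    name: str      # value name, shortcut file name or service name
    path: str      # image path as ComboFix printed it
    detail: str    # bracket contents: "date size", or "x" when none recorded
    location: str  # registry key, startup folder, or service start type (R2/S3/...)


RUN_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[([^\]]*)\]$')
STARTUP_DIR = re.compile(r"^(.+\\Startup\\)$", re.IGNORECASE)
SHORTCUT = re.compile(r"^(.+\.lnk) - (.+?) \[([^\]]*)\]$", re.IGNORECASE)
SERVICE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[([^\]]*)\]$")


def parse_autoruns(text: str) -> list[Autorun]:
    """Collect autorun entries between 'Reg Loading Points' and 'Supplementary Scan'."""
    entries: list[Autorun] = []
    in_section = False
    context = ""  # registry key or startup folder the following lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if "Supplementary Scan" in line:
            break
        if not in_section or line in ("", "."):
            continue
        if m := RUN_KEY.match(line):
            context = m.group(1)
            continue
        if m := STARTUP_DIR.match(line):
            context = m.group(1)
            continue
        # Only values under a ...\Run key are autoruns; policy values such as
        # "ConsentPromptBehaviorAdmin"= 5 (0x5) do not match RUN_VALUE anyway.
        if (m := RUN_VALUE.match(line)) and context.lower().endswith("\\run"):
            entries.append(Autorun("run-key", m.group(1), m.group(2), m.group(3), context))
        elif m := SHORTCUT.match(line):
            entries.append(Autorun("startup-folder", m.group(1), m.group(2), m.group(3), context))
        elif m := SERVICE.match(line):
            entries.append(Autorun("service", m.group(2), m.group(4), m.group(5), m.group(1)))
    return entries


# Directories an unprivileged user (and therefore user-level malware) can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def triage(entries: list[Autorun]) -> list[tuple[Autorun, list[str]]]:
    """Return (entry, reasons) for every entry that trips at least one heuristic."""
    flagged = []
    for e in entries:
        reasons = []
        p = e.path.lower()
        if e.detail.strip() == "x":
            reasons.append("no timestamp/size recorded for the image ([x])")
        if any(marker in p for marker in USER_WRITABLE):
            reasons.append("image lives in a user-writable directory")
        if re.match(r"^[a-z]:\\[^\\]+\.(exe|dll|scr)$", p):
            reasons.append("image sits directly in the drive root")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in triage(parse_autoruns(SAMPLE_LOG)):
        print(f"{entry.kind:15} {entry.name:20} {entry.path}\n    -> {'; '.join(why)}")
```

On the sample, the two flagged entries are the constructed "ExampleUpdater" (runs from a user profile) and the UsbGps driver (no size/date recorded). Neither flag is a conviction; the point of the script is to shorten a long log to the handful of lines that merit checking against the rest of the log and the machine.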

ken545
2011-04-21, 17:25
Looking good :bigthumb: Any problems ?

Paranoidpotato
2011-04-21, 18:19
No problems at all.

Just a question, which program should I keep from this session?

ken545
2011-04-21, 19:00
Great.

I would keep Malwarebytes and ATF Cleaner, run them about once a week. If you upgrade to the Pro Version of Malwarebytes it will include a protection module that will block you from accessing bad sites, but your call if you want to do that.

The OTL clean up feature will not remove MBAM and ATF Cleaner

Open OTL and click on CleanUp and it will remove programs we have used and their backups from your system


How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken

Paranoidpotato
2011-04-21, 19:34
What is OTL?

ken545
2011-04-21, 19:51
Sorry, you can use this one instead.

Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Paranoidpotato
2011-04-22, 06:04
Done, thank you so much for your help.

Keep being awesome! and you can close this thread.

ken545
2011-04-22, 10:51
Great,

Take care,

Ken :)