Potential Malware

jonhorn
2011-10-01, 20:15
I rebooted my computer a few days ago and on reboot, my computer screen said in the bottom right hand corner that I did not have a genuine copy of Microsoft Windows. I ran a Kaspersky scan, but didn't find anything until a day or so later, when it identified the file "05640001.vbn" but was unable to remove it. I also tried to update Windows using the Windows updater, but it was not able to complete all of the updates. After searching a few forums, I guessed I may have some malware. The DDS log is below.

Thanks in advance for the help.

Jonathan

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 7.0.6002.18005
Run by Jonathan at 12:59:31 on 2011-10-01
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3932.1708 [GMT -4:00]
.
AV: Kaspersky Internet Security *Enabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
SP: Kaspersky Internet Security *Enabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security *Enabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\SysWOW64\ASTSRV.EXE
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files (x86)\Flip Video\FlipShare\FlipShareService.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe
C:\Program Files (x86)\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files (x86)\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files (x86)\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TSS.exe
C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
C:\Program Files (x86)\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\SoftwareDistribution\Download\Install\CheckSURPackage.EXE
c:\3ac23f34efc711ea691bda\checksurlauncher.exe
c:\3ac23f34efc711ea691bda\CheckSUR.exe
C:\Program Files (x86)\Internet Explorer\ieuser.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\klwtblfs.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10w_ActiveX.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll
uRun: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
uRun: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /autorun
uRun: [Google Update] "C:\Users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TSS.exe" /hide
mRun: [PCMAgent] "C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe"
mRun: [CLMLServer] "C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe"
mRun: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [BlackBerryAutoUpdate] C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DESKTO~1.LNK - C:\Program Files (x86)\Research In Motion\BlackBerry\DesktopMgr.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll
LSP: C:\Windows\system32\wpclsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{71E95C00-FC1A-4446-9506-3CD43F200427} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
mASetup: {30906580-7637-43C1-89A2-F045E24B1DA3} - rundll32.exe "C:\Program Files (x86)\SNL Financial\SNLxl\InstallXLAddinRegKey.dll",DllInstallXLAddinRegKeys /i
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll
BHO-X64: IEVkbdBHO - No File
BHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll
BHO-X64: link filter bho - No File
mRun-x64: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun-x64: [NDSTray.exe] NDSTray.exe
mRun-x64: [cfFncEnabler.exe] cfFncEnabler.exe
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TSS.exe" /hide
mRun-x64: [PCMAgent] "C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe"
mRun-x64: [CLMLServer] "C:\Program Files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe"
mRun-x64: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [BlackBerryAutoUpdate] C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\Windows\system32\DRIVERS\tos_sps64.sys --> C:\Windows\system32\DRIVERS\tos_sps64.sys [?]
R1 kl2;kl2;C:\Windows\system32\DRIVERS\kl2.sys --> C:\Windows\system32\DRIVERS\kl2.sys [?]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys --> C:\Windows\system32\DRIVERS\klim6.sys [?]
R2 AVP;Kaspersky Anti-Virus Service;C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe -r --> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe -r [?]
R2 ConfigFree Gadget Service;ConfigFree Gadget Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFProcSRVC.exe [2008-6-27 36864]
R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFSvcs.exe [2008-7-10 40960]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;C:\Program Files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe [2009-9-15 324928]
R2 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2008-8-20 46392]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-3 175104]
R3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]
R3 NETw5v64;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit ;C:\Windows\system32\DRIVERS\NETw5v64.sys --> C:\Windows\system32\DRIVERS\NETw5v64.sys [?]
R3 O2MDRDR;O2MDRDR;C:\Windows\system32\DRIVERS\o2mdx64.sys --> C:\Windows\system32\DRIVERS\o2mdx64.sys [?]
R3 O2SDRDR;O2SDRDR;C:\Windows\system32\DRIVERS\o2sdx64.sys --> C:\Windows\system32\DRIVERS\o2sdx64.sys [?]
R3 QIOMem;Generic IO & Memory Access;C:\Windows\system32\DRIVERS\QIOMem.sys --> C:\Windows\system32\DRIVERS\QIOMem.sys [?]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-4-24 84992]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
S2 gupdate1c9f5048eee0e50;Google Update Service (gupdate1c9f5048eee0e50);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-6-24 133104]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-12-3 89920]
S3 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-6-24 133104]
S3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\system32\DRIVERS\klmouflt.sys --> C:\Windows\system32\DRIVERS\klmouflt.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S4 KR10I64;KR10I64;C:\Windows\system32\drivers\kr10i64.sys --> C:\Windows\system32\drivers\kr10i64.sys [?]
S4 KR10N64;KR10N64;C:\Windows\system32\drivers\kr10n64.sys --> C:\Windows\system32\drivers\kr10n64.sys [?]
.
=============== Created Last 30 ================
.
2011-10-01 16:27:25 -------- d-----w- C:\3ac23f34efc711ea691bda
2011-10-01 11:40:55 5632 ----a-w- C:\Windows\SysWow64\ctrestrt.exe
2011-10-01 00:54:27 -------- d-----w- C:\Windows\CheckSur
2011-09-18 01:37:50 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-10-01 11:40:47 44544 ----a-w- C:\Windows\SysWow64\agremove.exe
2011-10-01 11:38:06 17408 ----a-w- C:\Windows\SysWow64\rpcnetp.dll
2011-10-01 11:36:23 17408 ----a-w- C:\Windows\SysWow64\rpcnetp.exe
2011-10-01 11:36:23 17408 ----a-w- C:\Windows\System32\rpcnetp.exe
.
============= FINISH: 13:01:41.79 ===============

ken545
2011-10-04, 02:05

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


Nothing jumping out at me except for the file you posted about.

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post it in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

jonhorn
2011-10-05, 04:31
Thanks, Ken.

Every time I restart, I seem to get a new error message. Also, I noticed in the aswMBR log there were certain items "locked." I'm curious whether something could be behind those locked areas and whether I can unlock them? The Malwarebytes program did find a startup hijacking program and deleted it, which may explain why there are new errors on each startup.

The logs are posted below.

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-04 20:35:55
-----------------------------
20:35:55.813 OS Version: Windows x64 6.0.6002 Service Pack 2
20:35:55.813 Number of processors: 2 586 0x170A
20:35:55.813 ComputerName: JONATHAN-PC UserName: Jonathan
20:35:57.731 Initialize success
20:36:36.549 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
20:36:36.549 Disk 0 Vendor: Hitachi_ FB4O Size: 305245MB BusType: 3
20:36:36.565 Disk 0 MBR read successfully
20:36:36.565 Disk 0 MBR scan
20:36:36.565 Disk 0 Windows VISTA default MBR code
20:36:36.581 Service scanning
20:36:39.576 Service kl1 C:\Windows\system32\DRIVERS\kl1.sys **LOCKED** 5
20:36:39.654 Service kl2 C:\Windows\system32\DRIVERS\kl2.sys **LOCKED** 5
20:36:39.747 Service KLIM6 C:\Windows\system32\DRIVERS\klim6.sys **LOCKED** 5
20:36:39.857 Service klmouflt C:\Windows\system32\DRIVERS\klmouflt.sys **LOCKED** 5
20:36:44.381 Modules scanning
20:36:44.427 Disk 0 trace - called modules:
20:36:44.443 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys iaStor.sys hal.dll
20:36:44.459 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004d0c790]
20:36:44.474 3 CLASSPNP.SYS[fffffa6000fcec33] -> nt!IofCallDriver -> [0xfffffa8004b7b9b0]
20:36:44.474 5 acpi.sys[fffffa60008f7fde] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004b83050]
20:36:44.490 Scan finished successfully
20:37:41.253 Disk 0 MBR has been saved successfully to "C:\Users\Jonathan\Desktop\MBR.dat"
20:37:41.268

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7870

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

10/4/2011 9:16:24 PM
mbam-log-2011-10-04 (21-16-24).txt

Scan type: Quick scan
Objects scanned: 232261
Time elapsed: 31 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
The log file has been saved successfully to "C:\Users\Jonathan\Desktop\aswMBR.txt"
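
Added example (not part of the thread and not Malwarebytes' own code): a small Python parser for the MBAM 1.x text log format posted above. It splits each detection line into location, detection name, Bad/Good values and action, separates PUM entries (a changed setting that the scanner reverts) from file and registry detections, and cross-checks the summary counts against the entries actually listed, so a truncated or hand-edited paste is caught. The sample input is constructed from the log above plus one made-up "Files Infected" entry with placeholder path and name.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured records."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the MBAM 1.51 log posted in the thread, plus one made-up
# "Files Infected" entry (placeholder path and name) whose path contains
# parentheses, an edge case the entry regex has to survive.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
mbam-log-2011-10-04 (21-16-24).txt

Scan type: Quick scan
Objects scanned: 232261
Time elapsed: 31 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files (x86)\Example\sample.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
# "<target> (<name>) -> <rest>"; target is non-greedy so "(x86)" inside a path
# does not get mistaken for the detection name.
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")


@dataclass
class Detection:
    category: str               # section heading, e.g. "Registry Data Items Infected"
    target: str                 # file path or registry location
    name: str                   # detection family, e.g. PUM.Hijack.StartMenu
    action: str                 # what MBAM did with it
    bad: Optional[str] = None   # Bad/Good values appear only for registry data items
    good: Optional[str] = None

    @property
    def is_pum(self) -> bool:
        # PUM = Potentially Unwanted Modification: a reverted setting, not a malicious file.
        return self.name.startswith("PUM.")


@dataclass
class MbamReport:
    scan_type: str = ""
    summary: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)

    def count_mismatches(self) -> Dict[str, Tuple[int, int]]:
        """Sections whose summary count differs from the entries actually listed
        (a truncated or hand-edited log shows up here)."""
        listed: Dict[str, int] = {}
        for det in self.detections:
            listed[det.category] = listed.get(det.category, 0) + 1
        return {cat: (n, listed.get(cat, 0))
                for cat, n in self.summary.items() if n != listed.get(cat, 0)}


def parse_mbam_log(text: str) -> MbamReport:
    report = MbamReport()
    section: Optional[str] = None  # current "... Infected:" section, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Scan type:"):
            report.scan_type = line.split(":", 1)[1].strip()
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m.group("category")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("category")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # trailer text or an unrelated line inside a section
        bad = good = None
        action = m.group("rest")
        bg = BADGOOD_RE.match(action)
        if bg:
            bad, good, action = bg.group("bad", "good", "action")
        report.detections.append(
            Detection(section, m.group("target"), m.group("name"), action, bad, good))
    return report
```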

ken545
2011-10-05, 11:04
Good Morning,

aswMBR checks for a rootkit-type infection and it found none; those locked files are related to Kaspersky and are fine also.

What Malwarebytes removed is basically just Malwarebytes detecting a change to the settings of the Start Menu in Windows that may or may not have been changed by malware.

What errors are you getting on startup?

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

jonhorn
2011-10-06, 14:23
On a recent restart, Kaspersky found Trojan.Win32.Agent.hvge.

It looks like ESET found a trojan as well. The text file output is:

F:\Dell\_RESTORE\TEMP\A0199696.CPY probably a variant of Win32/Agent.GZCOMKY trojan
F:\Dell\_RESTORE\TEMP\A0199736.CPY probably a variant of Win32/Agent.GZCOMKY trojan

ken545
2011-10-06, 14:27
Good Morning,

Let's do this

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

jonhorn
2011-10-07, 04:04
The Combofix log is below:

ComboFix 11-10-06.04 - Jonathan 10/06/2011 20:17:20.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3932.1794 [GMT -4:00]
Running from: c:\users\Jonathan\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\google\common\google updater\googleupdaterservice.exe
c:\users\Jonathan\Documents\hijackthis.log
c:\users\Jonathan\g2mdlhlpx.exe
c:\windows\security\Database\tmp.edb
c:\windows\system32\Thumbs.db
c:\windows\SysWow64\comct332.ocx
.
.
((((((((((((((((((((((((( Files Created from 2011-09-07 to 2011-10-07 )))))))))))))))))))))))))))))))
.
.
2011-10-07 00:50 . 2011-10-07 00:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-07 00:50 . 2011-10-07 00:50 -------- d-----w- c:\users\Mary Catherine\AppData\Local\temp
2011-10-07 00:50 . 2011-10-07 00:50 -------- d-----w- c:\users\Andria\AppData\Local\temp
2011-10-06 00:43 . 2011-10-06 00:43 -------- d-----w- c:\program files (x86)\ESET
2011-10-05 00:43 . 2011-10-05 00:43 -------- d-----w- c:\users\Jonathan\AppData\Roaming\Malwarebytes
2011-10-05 00:42 . 2011-10-05 00:42 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-10-05 00:42 . 2011-08-31 21:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-01 00:54 . 2011-10-01 00:54 -------- d-----w- c:\windows\CheckSur
2011-09-18 01:37 . 2011-09-18 01:37 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-05 01:38 . 2010-01-08 01:45 44544 ----a-w- c:\windows\SysWow64\agremove.exe
2011-10-05 01:20 . 2011-08-01 17:36 17408 ----a-w- c:\windows\SysWow64\rpcnetp.dll
2011-10-05 01:20 . 2011-08-01 17:35 17408 ----a-w- c:\windows\SysWow64\rpcnetp.exe
2011-10-05 01:20 . 2009-12-25 12:43 17408 ----a-w- c:\windows\system32\rpcnetp.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 432640]
"Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2009-04-11 1555968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ITSecMng"="c:\program files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"NDSTray.exe"="NDSTray.exe" [BU]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TSS.exe" [2008-08-04 1242424]
"PCMAgent"="c:\program files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
"CLMLServer"="c:\program files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-07-11 188416]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-07-31 417792]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"BlackBerryAutoUpdate"="c:\program files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-05-14 623888]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [2011-04-25 202296]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files (x86)\Research In Motion\BlackBerry\DesktopMgr.exe [2009-5-13 1701136]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
S2 ConfigFree Gadget Service;ConfigFree Gadget Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe [2008-06-28 36864]
S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2008-07-11 40960]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{30906580-7637-43C1-89A2-F045E24B1DA3}]
2009-05-27 21:09 77824 ----a-w- c:\program files (x86)\SNL Financial\SNLxl\InstallXLAddinRegKey.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-06-24 19:47]
.
2011-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-06-24 19:47]
.
2011-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3271773104-3920608979-1219791600-1000Core.job
- c:\users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-21 23:59]
.
2011-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3271773104-3920608979-1219791600-1000UA.job
- c:\users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-21 23:59]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3271773104-3920608979-1219791600-1003Core.job
- c:\users\Andria\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 19:18]
.
2011-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3271773104-3920608979-1219791600-1003UA.job
- c:\users\Andria\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 19:18]
.
2011-10-02 c:\windows\Tasks\User_Feed_Synchronization-{FE73DE95-7866-4C0B-B56B-796D0320C3B3}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:50]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-26 151064]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-26 209432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-26 181784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-30 1216808]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 182784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Anti-Banner - c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
Wow6432Node-HKLM-Run-SunJavaUpdateSched - c:\program files (x86)\Java\jre6\bin\jusched.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-06 20:58:44
ComboFix-quarantined-files.txt 2011-10-07 00:58
.
Pre-Run: 134,273,777,664 bytes free
Post-Run: 135,377,428,480 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=1 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14
- - End Of File - - DAA9B76C999D85C24F11FE28CFB05033

ken545
2011-10-07, 14:18
Good Morning,

Combofix didn't remove anything earthshattering, but let's check those two files and see if they're ok or a false positive. It looks like they're part of the Dell restore feature and may be ok


You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis. Just use the BROWSE feature and then Send File; you will get a report back. Post the report into this thread for me to see. If the site says this file has already been checked, have them check it again

F:\Dell\_RESTORE\TEMP\A0199696.CPY
F:\Dell\_RESTORE\TEMP\A0199736.CPY


If the site is busy you can try this one
http://virusscan.jotti.org/en

jonhorn
2011-10-08, 03:04
The two scan results are below:

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: A0199736.CPY
Submission date: 2011-10-07 23:47:24 (UTC)
Current status: finished


Result: 14/ 43 (32.6%)
VT Community

not reviewed
Safety score: -

Antivirus Version Last Update Result
AhnLab-V3 2011.10.07.03 2011.10.07 Malware/Win32.Generic
AntiVir 7.11.15.169 2011.10.07 TR/Prorat.AE
Antiy-AVL 2.0.3.7 2011.10.07 -
Avast 6.0.1289.0 2011.10.07 -
AVG 10.0.0.1190 2011.10.07 BackDoor.Generic9.FVO
BitDefender 7.2 2011.10.08 -
ByteHero 1.0.0.1 2011.09.23 -
CAT-QuickHeal 11.00 2011.10.07 -
ClamAV 0.97.0.0 2011.10.07 -
Commtouch 5.3.2.6 2011.10.07 -
Comodo 10378 2011.10.07 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.10.08 -
Emsisoft 5.1.0.11 2011.10.07 Virus.Win32.Trojan!IK
eSafe 7.0.17.0 2011.10.06 -
eTrust-Vet 36.1.8605 2011.10.07 -
F-Prot 4.6.2.117 2011.10.07 -
F-Secure 9.0.16440.0 2011.10.08 -
Fortinet 4.3.370.0 2011.10.07 -
GData 22 2011.10.08 -
Ikarus T3.1.1.107.0 2011.10.07 Virus.Win32.Trojan
Jiangmin 13.0.900 2011.10.07 Backdoor/Agent.bqpa
K7AntiVirus 9.115.5253 2011.10.07 -
Kaspersky 9.0.0.837 2011.10.07 -
McAfee 5.400.0.1158 2011.10.08 BackDoor-AVW
McAfee-GW-Edition 2010.1D 2011.10.07 BackDoor-AVW
Microsoft 1.7702 2011.10.07 -
NOD32 6525 2011.10.08 probably a variant of Win32/Agent.GZCOMKY
Norman 6.07.11 2011.10.07 W32/Prorat.CBJ
nProtect 2011-10-07.01 2011.10.07 -
Panda 10.0.3.5 2011.10.07 Bck/Prorat.HT
PCTools 8.0.0.5 2011.10.08 -
Prevx 3.0 2011.10.08 -
Rising 23.77.04.01 2011.09.30 -
Sophos 4.70.0 2011.10.08 -
SUPERAntiSpyware 4.40.0.1006 2011.10.08 -
Symantec 20111.2.0.82 2011.10.08 WS.Reputation.1
TheHacker 6.7.0.1.318 2011.10.08 -
TrendMicro 9.500.0.1008 2011.10.07 -
TrendMicro-HouseCall 9.500.0.1008 2011.10.08 -
VBA32 3.12.16.4 2011.10.07 -
VIPRE 10694 2011.10.08 Trojan.Win32.Generic!BT
ViRobot 2011.10.7.4707 2011.10.07 -
VirusBuster 14.1.1.0 2011.10.07 -
Additional information
MD5 : ca5d849d1f871410bf9c169e31efd207
SHA1 : 4ac183f4f1e8515bb1a1fcecfd6d8094dc6ddd68
SHA256: 8820e030dfa116f712b52f194e1d9e3b31e53b8ce375072f2743dfbf8597ddf4
ssdeep: 1536:jkeU3wBMj1bWLSZ0HcBIrwADfn1gdoE/J/n63wPEQG9gpp:LU3w6ZWL/8zADfymE/J/n63wPO9gT
File size : 128832 bytes
First seen: 2006-08-04 17:23:06
Last seen : 2011-10-07 23:47:24
TrID:
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Eastman Kodak Company
copyright....: Copyright (C) Eastman Kodak Co. 2000
product......: Kodak DC File System Driver (Win32)
description..: Kodak DC Ring 3 Conduit (Win32)
original name: DcFsSvc.exe
internal name: DcFsSvc.exe
file version.: 1.1.2600.0
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned

PEiD: Armadillo v1.71
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x16EAE
timedatestamp....: 0x3A3501C3 (Mon Dec 11 16:33:07 2000)
machinetype......: 0x14c (I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.rdata, 0x1000, 0x3D2D, 0x3E00, 3.25, f6ad914326643aad678d4f2f5002e153
.data, 0x5000, 0x138A0, 0x13800, 5.88, 31dc26048643e0489e29588f7c36b726
.idata, 0x19000, 0x19F8, 0x1A00, 4.61, f507e1c62e0b9607c566779060e0727c
.rsrc, 0x1B000, 0x276C, 0x2800, 3.41, 28cdefb24cc7a1a4e1df38f978961347
.reloc, 0x1E000, 0x153F, 0x1600, 5.95, 269d541712200c413d56744d1f6a789b

[[ 10 import(s) ]]
ole32.dll: StringFromCLSID, CoTaskMemFree, CoTaskMemAlloc
OLEAUT32.dll: -, -, -, -, -, -, -, -
COMCTL32.dll: InitCommonControlsEx, ImageList_Create, ImageList_ReplaceIcon
VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
KERNEL32.dll: ReadFile, SetEvent, ReleaseSemaphore, CreateSemaphoreA, DeviceIoControl, WaitForSingleObject, GetLastError, CompareFileTime, FindClose, FindFirstFileA, GetTimeFormatA, GetDateFormatA, VirtualQuery, ResetEvent, FileTimeToSystemTime, GetProcAddress, LoadLibraryA, HeapAlloc, GetProcessHeap, VirtualFree, VirtualAlloc, GetCurrentThreadId, FindNextFileA, Sleep, GetVersion, DefineDosDeviceW, InitializeCriticalSection, CreateEventA, EnterCriticalSection, GetCommModemStatus, ClearCommError, DeleteFileA, GetWindowsDirectoryA, SetLastError, GetCurrentProcessId, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, OpenFileMappingA, MultiByteToWideChar, lstrlenA, FormatMessageA, LocalFree, GetStringTypeExA, lstrlenW, WideCharToMultiByte, GetSystemDefaultLangID, SizeofResource, FindResourceExA, LoadResource, LockResource, CreateFileA, SetFilePointer, WriteFile, CloseHandle, OutputDebugStringA, LeaveCriticalSection, GetModuleFileNameA, FreeLibrary
USER32.dll: GetDC, GetIconInfo, wvsprintfA, LoadStringA, SetTimer, KillTimer, DispatchMessageA, TranslateMessage, PeekMessageA, MsgWaitForMultipleObjects, DestroyWindow, DefWindowProcA, CreateWindowExA, RegisterClassExA, GetClassInfoExA, wsprintfA, GetDlgItem, SetWindowTextA, GetWindowTextA, GetWindowTextLengthA, SendMessageA, FindWindowA, EnumWindows, GetClassNameA, SendMessageTimeoutA, GetWindowRect, GetSystemMetrics, SetWindowPos, GetClientRect, ShowWindow, AdjustWindowRectEx, SystemParametersInfoA, ReleaseDC, GetDesktopWindow, DrawTextA
GDI32.dll: DeleteObject, GetDIBits, CreateDIBSection
ADVAPI32.dll: RegCloseKey, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegDeleteKeyA, SetServiceStatus, RegCreateKeyExA, RegQueryValueExA, CreateServiceA, RegCreateKeyA, RegisterServiceCtrlHandlerA, StartServiceCtrlDispatcherA, RegisterEventSourceA, ReportEventA, DeleteService, RegOpenKeyExA, OpenServiceA, OpenSCManagerA, RegEnumKeyA, RegSetValueExA, RegDeleteValueA, RegEnumValueA, DeregisterEventSource, CloseServiceHandle
SHELL32.dll: ShellExecuteA, SHGetPathFromIDListA
MSVCRT.dll: _onexit, __3@YAXPAX@Z, strcat, __dllonexit, _controlfp, _purecall, __CxxFrameHandler, _terminate@@YAXXZ, __1type_info@@UAE@XZ, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, exit, _XcptFilter, _exit, _CxxThrowException, wcslen, _raw_name@type_info@@QBEPBDXZ, sprintf, vsprintf, _stricmp, printf, strncpy, malloc, free, memcmp, _beginthreadex, _except_handler3, _mbslwr, _mbsupr, _mbsicmp, _mbsninc, _mbsstr, memmove, memset, _mbschr, strcpy, wcsncpy, memcpy, _mbscmp, _mbsrev, _mbsnccnt, _mbsnbcnt, __2@YAPAXI@Z, _mbsnbcpy, _EH_prolog, strlen

[[ 2 export(s) ]]
__0_Lockit@std@@QAE@XZ, __1_Lockit@std@@QAE@XZ






0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: A0199696.CPY
Submission date: 2011-10-07 23:51:21 (UTC)
Current status: finished


Result: 15/ 43 (34.9%)
VT Community

not reviewed
Safety score: -

Antivirus Version Last Update Result
AhnLab-V3 2011.10.07.03 2011.10.07 Malware/Win32.Generic
AntiVir 7.11.15.169 2011.10.07 TR/Prorat.AE
Antiy-AVL 2.0.3.7 2011.10.07 -
Avast 6.0.1289.0 2011.10.07 -
AVG 10.0.0.1190 2011.10.07 BackDoor.Generic9.FVO
BitDefender 7.2 2011.10.08 -
ByteHero 1.0.0.1 2011.09.23 -
CAT-QuickHeal 11.00 2011.10.07 -
ClamAV 0.97.0.0 2011.10.07 -
Commtouch 5.3.2.6 2011.10.07 -
Comodo 10378 2011.10.07 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.10.08 -
Emsisoft 5.1.0.11 2011.10.07 Virus.Win32.Trojan!IK
eSafe 7.0.17.0 2011.10.06 -
eTrust-Vet 36.1.8605 2011.10.07 -
F-Prot 4.6.2.117 2011.10.07 -
F-Secure 9.0.16440.0 2011.10.08 -
Fortinet 4.3.370.0 2011.10.07 -
GData 22 2011.10.08 -
Ikarus T3.1.1.107.0 2011.10.07 Virus.Win32.Trojan
Jiangmin 13.0.900 2011.10.07 Backdoor/Agent.bqpa
K7AntiVirus 9.115.5253 2011.10.07 -
Kaspersky 9.0.0.837 2011.10.07 -
McAfee 5.400.0.1158 2011.10.08 BackDoor-AVW
McAfee-GW-Edition 2010.1D 2011.10.07 BackDoor-AVW
Microsoft 1.7702 2011.10.07 -
NOD32 6525 2011.10.08 probably a variant of Win32/Agent.GZCOMKY
Norman 6.07.11 2011.10.07 W32/Prorat.CBJ
nProtect 2011-10-07.01 2011.10.07 -
Panda 10.0.3.5 2011.10.07 Bck/Prorat.HT
PCTools 8.0.0.5 2011.10.08 -
Prevx 3.0 2011.10.08 -
Rising 23.77.04.01 2011.09.30 Trojan.Win32.Generic.122C6CF8
Sophos 4.70.0 2011.10.08 -
SUPERAntiSpyware 4.40.0.1006 2011.10.08 -
Symantec 20111.2.0.82 2011.10.08 WS.Reputation.1
TheHacker 6.7.0.1.318 2011.10.08 -
TrendMicro 9.500.0.1008 2011.10.07 -
TrendMicro-HouseCall 9.500.0.1008 2011.10.08 -
VBA32 3.12.16.4 2011.10.07 -
VIPRE 10694 2011.10.08 Trojan.Win32.Generic!BT
ViRobot 2011.10.7.4707 2011.10.07 -
VirusBuster 14.1.1.0 2011.10.07 -
Additional information
MD5 : ca5d849d1f871410bf9c169e31efd207
SHA1 : 4ac183f4f1e8515bb1a1fcecfd6d8094dc6ddd68
SHA256: 8820e030dfa116f712b52f194e1d9e3b31e53b8ce375072f2743dfbf8597ddf4
ssdeep: 1536:jkeU3wBMj1bWLSZ0HcBIrwADfn1gdoE/J/n63wPEQG9gpp:LU3w6ZWL/8zADfymE/J/n63wPO9gT
File size : 128832 bytes
First seen: 2006-08-04 17:23:06
Last seen : 2011-10-07 23:51:21
TrID:
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Eastman Kodak Company
copyright....: Copyright (C) Eastman Kodak Co. 2000
product......: Kodak DC File System Driver (Win32)
description..: Kodak DC Ring 3 Conduit (Win32)
original name: DcFsSvc.exe
internal name: DcFsSvc.exe
file version.: 1.1.2600.0
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned

PEiD: Armadillo v1.71
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x16EAE
timedatestamp....: 0x3A3501C3 (Mon Dec 11 16:33:07 2000)
machinetype......: 0x14c (I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.rdata, 0x1000, 0x3D2D, 0x3E00, 3.25, f6ad914326643aad678d4f2f5002e153
.data, 0x5000, 0x138A0, 0x13800, 5.88, 31dc26048643e0489e29588f7c36b726
.idata, 0x19000, 0x19F8, 0x1A00, 4.61, f507e1c62e0b9607c566779060e0727c
.rsrc, 0x1B000, 0x276C, 0x2800, 3.41, 28cdefb24cc7a1a4e1df38f978961347
.reloc, 0x1E000, 0x153F, 0x1600, 5.95, 269d541712200c413d56744d1f6a789b

[[ 10 import(s) ]]
ole32.dll: StringFromCLSID, CoTaskMemFree, CoTaskMemAlloc
OLEAUT32.dll: -, -, -, -, -, -, -, -
COMCTL32.dll: InitCommonControlsEx, ImageList_Create, ImageList_ReplaceIcon
VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
KERNEL32.dll: ReadFile, SetEvent, ReleaseSemaphore, CreateSemaphoreA, DeviceIoControl, WaitForSingleObject, GetLastError, CompareFileTime, FindClose, FindFirstFileA, GetTimeFormatA, GetDateFormatA, VirtualQuery, ResetEvent, FileTimeToSystemTime, GetProcAddress, LoadLibraryA, HeapAlloc, GetProcessHeap, VirtualFree, VirtualAlloc, GetCurrentThreadId, FindNextFileA, Sleep, GetVersion, DefineDosDeviceW, InitializeCriticalSection, CreateEventA, EnterCriticalSection, GetCommModemStatus, ClearCommError, DeleteFileA, GetWindowsDirectoryA, SetLastError, GetCurrentProcessId, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, OpenFileMappingA, MultiByteToWideChar, lstrlenA, FormatMessageA, LocalFree, GetStringTypeExA, lstrlenW, WideCharToMultiByte, GetSystemDefaultLangID, SizeofResource, FindResourceExA, LoadResource, LockResource, CreateFileA, SetFilePointer, WriteFile, CloseHandle, OutputDebugStringA, LeaveCriticalSection, GetModuleFileNameA, FreeLibrary
USER32.dll: GetDC, GetIconInfo, wvsprintfA, LoadStringA, SetTimer, KillTimer, DispatchMessageA, TranslateMessage, PeekMessageA, MsgWaitForMultipleObjects, DestroyWindow, DefWindowProcA, CreateWindowExA, RegisterClassExA, GetClassInfoExA, wsprintfA, GetDlgItem, SetWindowTextA, GetWindowTextA, GetWindowTextLengthA, SendMessageA, FindWindowA, EnumWindows, GetClassNameA, SendMessageTimeoutA, GetWindowRect, GetSystemMetrics, SetWindowPos, GetClientRect, ShowWindow, AdjustWindowRectEx, SystemParametersInfoA, ReleaseDC, GetDesktopWindow, DrawTextA
GDI32.dll: DeleteObject, GetDIBits, CreateDIBSection
ADVAPI32.dll: RegCloseKey, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegDeleteKeyA, SetServiceStatus, RegCreateKeyExA, RegQueryValueExA, CreateServiceA, RegCreateKeyA, RegisterServiceCtrlHandlerA, StartServiceCtrlDispatcherA, RegisterEventSourceA, ReportEventA, DeleteService, RegOpenKeyExA, OpenServiceA, OpenSCManagerA, RegEnumKeyA, RegSetValueExA, RegDeleteValueA, RegEnumValueA, DeregisterEventSource, CloseServiceHandle
SHELL32.dll: ShellExecuteA, SHGetPathFromIDListA
MSVCRT.dll: _onexit, __3@YAXPAX@Z, strcat, __dllonexit, _controlfp, _purecall, __CxxFrameHandler, _terminate@@YAXXZ, __1type_info@@UAE@XZ, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, exit, _XcptFilter, _exit, _CxxThrowException, wcslen, _raw_name@type_info@@QBEPBDXZ, sprintf, vsprintf, _stricmp, printf, strncpy, malloc, free, memcmp, _beginthreadex, _except_handler3, _mbslwr, _mbsupr, _mbsicmp, _mbsninc, _mbsstr, memmove, memset, _mbschr, strcpy, wcsncpy, memcpy, _mbscmp, _mbsrev, _mbsnccnt, _mbsnbcnt, __2@YAPAXI@Z, _mbsnbcpy, _EH_prolog, strlen

[[ 2 export(s) ]]
__0_Lockit@std@@QAE@XZ, __1_Lockit@std@@QAE@XZ
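The two reports above are the kind of text a helper has to read quickly: how many engines flag the file, whether the vendor labels agree on a family, and whether the version-info publisher is actually backed by a signature. The script below is an added example and is not part of this thread or of VirusTotal's own tooling; it parses the 2011-era "compact" text layout as pasted above. The embedded sample is a constructed subset of the engine rows and sigcheck lines from the first report (the regexes, the FAMILY_HINTS keyword list and the function names are my own assumptions, not anything VirusTotal defines).

```python
"""Triage a pasted VirusTotal compact report (2011-era text layout).

Added example, not code from the thread. It reads the engine table and the
sigcheck block and reports the signals a responder looks at first.
"""
import re
from collections import Counter

# Constructed sample: a subset of the rows and sigcheck lines pasted above.
VT_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2011.10.07.03 2011.10.07 Malware/Win32.Generic
AntiVir 7.11.15.169 2011.10.07 TR/Prorat.AE
Antiy-AVL 2.0.3.7 2011.10.07 -
AVG 10.0.0.1190 2011.10.07 BackDoor.Generic9.FVO
Kaspersky 9.0.0.837 2011.10.07 -
McAfee 5.400.0.1158 2011.10.08 BackDoor-AVW
NOD32 6525 2011.10.08 probably a variant of Win32/Agent.GZCOMKY
Norman 6.07.11 2011.10.07 W32/Prorat.CBJ
Panda 10.0.3.5 2011.10.07 Bck/Prorat.HT
Symantec 20111.2.0.82 2011.10.08 WS.Reputation.1
sigcheck:
publisher....: Eastman Kodak Company
original name: DcFsSvc.exe
signers......: -
verified.....: Unsigned
PEiD: Armadillo v1.71
"""

# One engine row: engine (no spaces), version token, date as YYYY.MM.DD, label.
ENGINE_ROW = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{4}\.\d{2}\.\d{2})\s+(?P<label>.+)$"
)
# sigcheck lines look like "publisher....: Eastman Kodak Company".
SIGCHECK_LINE = re.compile(r"^(?P<key>[a-z][a-z ]*?)\.*:\s*(?P<value>.*)$")
# Family keywords counted across vendor labels (assumed list, not VT's).
FAMILY_HINTS = ("prorat", "backdoor", "generic")


def parse_engine_rows(text):
    """Return [(engine, label)] for every engine row; label '-' means clean."""
    rows = []
    for line in text.splitlines():
        m = ENGINE_ROW.match(line.strip())
        if m:
            rows.append((m["engine"], m["label"].strip()))
    return rows


def parse_sigcheck(text):
    """Return the sigcheck fields of interest plus the PEiD packer line."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("PEiD:"):
            info["peid"] = line.split(":", 1)[1].strip()
            continue
        m = SIGCHECK_LINE.match(line)
        if m and m["key"] in ("publisher", "original name", "verified", "signers"):
            info[m["key"]] = m["value"].strip()
    return info


def triage(text):
    """Summarise detections, family consensus and signing status of one report."""
    rows = parse_engine_rows(text)
    flagged = [(eng, lab) for eng, lab in rows if lab != "-"]
    hints = Counter()
    for _, label in flagged:
        low = label.lower()
        for hint in FAMILY_HINTS:
            if hint in low:
                hints[hint] += 1
    meta = parse_sigcheck(text)
    signals = []
    # A publisher string in version info is free text; only a verified
    # signature backs it. Unsigned + vendor name is worth a second look.
    if meta.get("verified", "").lower() == "unsigned" and meta.get("publisher"):
        signals.append("unsigned file carries publisher string %r" % meta["publisher"])
    if "peid" in meta:
        signals.append("packer reported: %s" % meta["peid"])
    if hints:
        family, count = hints.most_common(1)[0]
        signals.append("family hint %r from %d engine(s)" % (family, count))
    return {
        "flagged": len(flagged),
        "total": len(rows),
        "detections": flagged,
        "family_hints": dict(hints),
        "signals": signals,
    }


if __name__ == "__main__":
    summary = triage(VT_REPORT)
    print("%d/%d engines flag the sample" % (summary["flagged"], summary["total"]))
    for line in summary["signals"]:
        print(" -", line)
```

Run against the full tables above the ratio comes out to the 14/43 and 15/43 VirusTotal reported; note also that both reports show the same MD5, so the two .CPY files are byte-identical and one verdict covers both.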

ken545
2011-10-08, 03:24
Hi,

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::




File::
F:\Dell\_RESTORE\TEMP\A0199696.CPY
F:\Dell\_RESTORE\TEMP\A0199736.CPY



Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

jonhorn
2011-10-08, 22:28
The log is below:

ComboFix 11-10-06.04 - Jonathan 10/08/2011 8:10.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3932.1708 [GMT -4:00]
Running from: c:\users\Jonathan\Desktop\ComboFix.exe
Command switches used :: c:\users\Jonathan\Desktop\CFScript.txt
AV: Kaspersky Internet Security *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"f:\dell\_RESTORE\TEMP\A0199696.CPY"
"f:\dell\_RESTORE\TEMP\A0199736.CPY"
.
.
((((((((((((((((((((((((( Files Created from 2011-09-08 to 2011-10-08 )))))))))))))))))))))))))))))))
.
.
2011-10-08 13:15 . 2011-10-08 13:15 -------- d-----w- c:\users\Mary Catherine\AppData\Local\temp
2011-10-08 13:15 . 2011-10-08 13:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-08 13:15 . 2011-10-08 13:15 -------- d-----w- c:\users\Andria\AppData\Local\temp
2011-10-06 00:43 . 2011-10-06 00:43 -------- d-----w- c:\program files (x86)\ESET
2011-10-05 00:43 . 2011-10-05 00:43 -------- d-----w- c:\users\Jonathan\AppData\Roaming\Malwarebytes
2011-10-05 00:42 . 2011-10-05 00:42 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-10-05 00:42 . 2011-08-31 21:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-01 00:54 . 2011-10-01 00:54 -------- d-----w- c:\windows\CheckSur
2011-09-18 01:37 . 2011-09-18 01:37 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-05 01:38 . 2010-01-08 01:45 44544 ----a-w- c:\windows\SysWow64\agremove.exe
2011-10-05 01:20 . 2011-08-01 17:36 17408 ----a-w- c:\windows\SysWow64\rpcnetp.dll
2011-10-05 01:20 . 2011-08-01 17:35 17408 ----a-w- c:\windows\SysWow64\rpcnetp.exe
2011-10-05 01:20 . 2009-12-25 12:43 17408 ----a-w- c:\windows\system32\rpcnetp.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-07_00.53.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-21 21:08 . 2011-10-07 01:03 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-04-21 21:08 . 2011-10-06 00:39 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-04-21 21:08 . 2011-10-07 01:03 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-21 21:08 . 2011-10-06 00:39 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-21 21:08 . 2011-10-07 01:03 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-04-21 21:08 . 2011-10-06 00:39 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-19 18:17 . 2011-10-08 11:43 598438 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 432640]
"Sidebar"="c:\program files\Windows Sidebar\Sidebar.exe" [2009-04-11 1555968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ITSecMng"="c:\program files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"NDSTray.exe"="NDSTray.exe" [BU]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TSS.exe" [2008-08-04 1242424]
"PCMAgent"="c:\program files (x86)\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
"CLMLServer"="c:\program files (x86)\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-07-11 188416]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-07-31 417792]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"BlackBerryAutoUpdate"="c:\program files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-05-14 623888]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [2011-04-25 202296]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files (x86)\Research In Motion\BlackBerry\DesktopMgr.exe [2009-5-13 1701136]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
S2 ConfigFree Gadget Service;ConfigFree Gadget Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe [2008-06-28 36864]
S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2008-07-11 40960]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{30906580-7637-43C1-89A2-F045E24B1DA3}]
2009-05-27 21:09 77824 ----a-w- c:\program files (x86)\SNL Financial\SNLxl\InstallXLAddinRegKey.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-06-24 19:47]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-06-24 19:47]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3271773104-3920608979-1219791600-1000Core.job
- c:\users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-21 23:59]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3271773104-3920608979-1219791600-1000UA.job
- c:\users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-21 23:59]
.
2011-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3271773104-3920608979-1219791600-1003Core.job
- c:\users\Andria\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 19:18]
.
2011-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3271773104-3920608979-1219791600-1003UA.job
- c:\users\Andria\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-26 19:18]
.
2011-10-02 c:\windows\Tasks\User_Feed_Synchronization-{FE73DE95-7866-4C0B-B56B-796D0320C3B3}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:50]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-26 151064]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-26 209432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-26 181784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-30 1216808]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 182784]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Anti-Banner - c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10w_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10w.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-08 09:24:38
ComboFix-quarantined-files.txt 2011-10-08 13:24
ComboFix2.txt 2011-10-07 00:58
.
Pre-Run: 134,813,290,496 bytes free
Post-Run: 133,893,054,464 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=1 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14
- - End Of File - - 3C2225167AC0A770F396C74E936A29E6

ken545
2011-10-08, 22:38
Looking good, how are things running now?

ken545
2011-10-13, 14:24
Due to inactivity, this thread will now be closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.