Obvious Infection - requesting help
I'm in possession of my brother's laptop which has been suffering browser redirects, popups, slow browsing, and spoof-programs. I am attempting to clean the problems for him.
As a preface, I attempted to scan and "fix" the issues with Ad-Aware Free, Norton, Malwarebytes' Anti-Malware, and WinPatrol. I'm mentioning this because the FAQ recommended listing any attempts to clean before posting here.
I backed up my registry with ERUNT.
DDS Log:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Brook at 12:50:41 on 2011-12-21
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5611.4203 [GMT -6:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k WbioSvcGroup
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\ezSharedSvcHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Brook\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.iminent.com/?appId=BD461244-FBB9-48B6-AA2B-9A9D36311D6F
uInternet Settings,ProxyServer = http=127.0.0.1:58404
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
BHO: TrueSuite Website Log On: {8590886e-ec8c-43c1-a32c-e4c2b0b6395b} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No File
uRun: [Google Update] "C:\Users\Brook\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
StartupFolder: C:\Users\Brook\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.137.13
TCP: Interfaces\{6B840670-1293-4244-B948-6537F25A11EE} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{B633A733-BA5F-4F7B-9C8F-3C4444F8AA94} : DhcpNameServer = 192.168.137.13
TCP: Interfaces\{B633A733-BA5F-4F7B-9C8F-3C4444F8AA94}\8686F6E6F62737 : DhcpNameServer = 4.2.2.2 12.127.16.68 12.127.16.67
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
BHO-X64: Ad-Aware Security Toolbar - No File
BHO-X64: TrueSuite Website Log On: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
BHO-X64: TSBHO Class - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB-X64: {977AE9CC-AF83-45E8-9E03-E2798216E2D5} - No File
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys --> C:\Windows\system32\DRIVERS\amd_sata.sys [?]
R0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys --> C:\Windows\system32\DRIVERS\amd_xata.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-11-20 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-4-2 365568]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 ezSharedSvc;Easybits Services for Windows;C:\Windows\System32\ezSharedSvcHost.exe [2011-4-28 514232]
R2 FPLService;TrueSuiteService;C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-2-17 265544]
R2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-2-16 682040]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-6-8 2375168]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-9-14 508264]
R3 amdhub30;AMD USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\amdhub30.sys --> C:\Windows\system32\DRIVERS\amdhub30.sys [?]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 amdxhc;AMD USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\amdxhc.sys --> C:\Windows\system32\DRIVERS\amdxhc.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-9-14 219496]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
RUnknown SymIRON;SymIRON; [x]
RUnknown SymNetS;SymNetS; [x]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2011-12-17 494424]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2011-12-17 17152]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
SUnknown EraserUtilRebootDrv;EraserUtilRebootDrv; [x]
.
=============== Created Last 30 ================
.
2011-12-19 03:46:47 -------- d-----w- C:\ProgramData\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2011-12-19 03:01:35 -------- d-sh--w- C:\Windows\SysWow64\AI_RecycleBin
2011-12-19 03:01:32 -------- d-----w- C:\Program Files (x86)\Fliptoast
2011-12-19 03:01:24 -------- d-----w- C:\Users\Brook\AppData\Local\Adobe
2011-12-19 03:00:51 -------- d-----w- C:\Users\Brook\Tracing
2011-12-19 02:59:49 -------- d-----w- C:\Users\Brook\AppData\Local\PackageAware
2011-12-19 02:59:22 -------- d-----w- C:\Users\Brook\AppData\Local\WeatherBug
2011-12-19 02:59:21 -------- d-----w- C:\Users\Brook\AppData\Roaming\WeatherBug
2011-12-19 02:59:19 18944 ----a-r- C:\Users\Brook\AppData\Roaming\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2011-12-19 02:53:58 -------- d-----w- C:\Program Files (x86)\Shop To Win
2011-12-19 01:01:24 -------- d-----w- C:\Users\Brook\AppData\Roaming\Tific
2011-12-19 01:01:23 -------- d-----w- C:\Users\Brook\AppData\Local\Symantec
2011-12-19 01:00:35 -------- d-----w- C:\Program Files (x86)\Norton AntiVirus
2011-12-18 21:33:15 -------- d-----w- C:\ProgramData\WeCareReminder
2011-12-18 21:16:45 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-12-18 20:29:21 -------- d-----w- C:\Program Files (x86)\PC Tools
2011-12-18 20:25:23 -------- d-----w- C:\Users\Brook\AppData\Roaming\TestApp
2011-12-18 20:25:23 -------- d-----w- C:\ProgramData\PC Tools
2011-12-17 19:45:40 -------- d-----w- C:\Users\Brook\AppData\Local\ElevatedDiagnostics
2011-12-17 19:30:47 22872 ----a-w- C:\Windows\System32\RegistryDefragBootTime.exe
2011-12-17 19:23:16 -------- d-----w- C:\ProgramData\IObit
2011-12-17 19:02:09 -------- d-----w- C:\Users\Brook\AppData\Roaming\IObit
2011-12-17 19:02:02 -------- d-----w- C:\Program Files (x86)\IObit
2011-12-17 18:53:29 -------- d-----w- C:\Users\Brook\AppData\Roaming\WinPatrol
2011-12-17 18:53:26 -------- d-----w- C:\Program Files (x86)\BillP Studios
2011-12-17 18:53:25 -------- d-----w- C:\ProgramData\InstallMate
2011-12-17 18:14:23 -------- d-----w- C:\Users\Brook\AppData\Roaming\Malwarebytes
2011-12-17 18:14:17 -------- d-----w- C:\ProgramData\Malwarebytes
2011-12-17 18:14:14 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-12-17 18:14:14 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-17 17:00:14 333908 ---ha-w- C:\aaw7boot.cmd
2011-12-17 16:45:16 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-12-17 16:43:05 -------- d-----w- C:\Program Files\CCleaner
2011-12-17 16:34:34 -------- d-----w- C:\Program Files (x86)\Toolbar Cleaner
2011-12-17 16:34:16 -------- d-----w- C:\Program Files (x86)\Lavasoft
2011-12-16 02:56:09 -------- d-----w- C:\Program Files\Microsoft Xbox 360 Accessories
2011-12-16 01:55:05 -------- d-----w- C:\Program Files (x86)\Common Files\Steam
2011-12-16 01:55:04 -------- d-----w- C:\Program Files (x86)\Steam
2011-12-16 00:59:59 -------- d-----w- C:\Users\Brook\AppData\Local\AresXZ
2011-12-16 00:57:05 -------- d-----w- C:\Users\Brook\AppData\Roaming\LimeRunner
2011-12-16 00:55:47 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-16 00:55:46 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-12-16 00:55:44 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-16 00:55:44 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-16 00:55:42 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-16 00:55:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-14 03:17:02 127 ----a-w- C:\Users\Brook\AppData\Roaming\Microsoft\CC81\bl404151_64.bat
2011-12-11 01:51:42 -------- d-----w- C:\Users\Brook\AppData\Local\Facebook
2011-12-09 05:07:35 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-09 03:51:23 -------- d-----w- C:\Program Files (x86)\LP
2011-12-07 05:22:17 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2011-12-07 01:23:49 -------- d-----w- C:\Users\Brook\AppData\Roaming\D45A0
2011-12-07 01:23:49 -------- d-----w- C:\Users\Brook\AppData\Roaming\101D4
2011-12-07 01:23:18 -------- d-----w- C:\Users\Brook\AppData\Roaming\CF715
2011-12-07 01:22:47 -------- d-----w- C:\Users\Brook\AppData\Roaming\459CF
2011-12-07 01:22:37 -------- d-sh--w- C:\Users\Brook\AppData\Local\784b8e91
2011-12-06 11:51:04 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{07A44B09-CB55-473A-BD04-3B27DA102EE0}\mpengine.dll
.
==================== Find3M ====================
.
2011-12-16 20:01:13 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-12-16 20:01:13 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-12-12 04:26:46 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-11-11 05:08:10 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-11-04 01:53:39 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-11-04 01:44:47 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-11-04 01:44:21 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-11-04 01:34:43 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-03 22:47:42 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-03 11:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-09-29 16:29:28 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
============= FINISH: 12:51:25.96 ===============
W3i.IQ5.fraud: [SBI $5ADC6E84] Program directory (Directory, nothing done)
C:\Windows\System32\AI_RecycleBin\
WebTrends live: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
Zedo: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
FastClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2011-12-21 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-12-13 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-11-29 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-10-04 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-09-27 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-12-07 Includes\Malware.sbi (*)
2011-12-20 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-10-11 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-12-13 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-10-18 Includes\Spyware.sbi (*)
2011-10-18 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-09-28 Includes\Trojans.sbi (*)
2011-12-12 Includes\TrojansC-02.sbi (*)
2011-12-19 Includes\TrojansC-03.sbi (*)
2011-12-20 Includes\TrojansC-04.sbi (*)
2011-12-20 Includes\TrojansC-05.sbi (*)
2011-12-12 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
-
I will post the log later today.
-
aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-25 08:15:17
-----------------------------
08:15:17.825 OS Version: Windows x64 6.1.7601 Service Pack 1
08:15:17.825 Number of processors: 4 586 0x100
08:15:17.825 ComputerName: BROOK-HP UserName: Brook
08:15:21.538 Initialize success
08:16:22.348 AVAST engine defs: 11122500
08:16:27.699 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000066
08:16:27.699 Disk 0 Vendor: ST964032 0002 Size: 610480MB BusType: 11
08:16:29.727 Disk 0 MBR read successfully
08:16:29.743 Disk 0 MBR scan
08:16:29.743 Disk 0 Windows 7 default MBR code
08:16:29.758 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
08:16:29.774 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 595243 MB offset 409600
08:16:29.821 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 14933 MB offset 1219467264
08:16:29.883 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 1250050048
08:16:29.899 Service scanning
08:16:33.478 Modules scanning
08:16:33.478 Disk 0 trace - called modules:
08:16:33.587 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
08:16:34.102 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80062b5060]
08:16:34.118 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa800611eb10]
08:16:34.118 5 hpdskflt.sys[fffff88001999361] -> nt!IofCallDriver -> [0xfffffa8005d3f940]
08:16:34.133 7 amd_xata.sys[fffff880010918f7] -> nt!IofCallDriver -> \Device\00000066[0xfffffa8006024060]
08:16:40.950 AVAST engine scan C:\Windows
08:17:11.651 AVAST engine scan C:\Windows\system32
08:17:31.463 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Malware-gen
08:20:25.528 AVAST engine scan C:\Windows\system32\drivers
08:20:57.945 AVAST engine scan C:\Users\Brook
08:20:58.148 File: C:\Users\Brook\AppData\Local\784b8e91\U\800000cb.@ **INFECTED** Win32:Malware-gen
08:22:39.891 AVAST engine scan C:\ProgramData
08:23:18.704 Scan finished successfully
16:23:46.627 Disk 0 MBR has been saved successfully to "C:\Users\Brook\Desktop\MBR.dat"
16:23:46.627 The log file has been saved successfully to "C:\Users\Brook\Desktop\aswMBRlog.txt"
-
Yep, ZeroAccess it is.
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
- See this Link for programs that need to be disabled and instructions on how to disable them.
- Remember to re-enable them when we're done.
- Double-click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.
-
ComboFix 11-12-26.03 - Brook 12/26/2011 19:52:30.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5611.4158 [GMT -6:00]
Running from: c:\users\Brook\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\LP
c:\program files (x86)\Shop to Win
c:\program files (x86)\Shop to Win\Test.htm
c:\users\Brook\AppData\Local\784b8e91\U
c:\users\Brook\AppData\Local\784b8e91\U\80000000.@
c:\users\Brook\AppData\Local\784b8e91\U\800000cb.@
c:\users\Brook\AppData\Local\784b8e91\U\800000cf.@
c:\windows\assembly\tmp\U
c:\windows\assembly\tmp\U\00000001.@
c:\windows\assembly\tmp\U\000000c0.@
c:\windows\assembly\tmp\U\000000cb.@
c:\windows\assembly\tmp\U\000000cf.@
c:\windows\assembly\tmp\U\80000000.@
c:\windows\assembly\tmp\U\800000c0.@
c:\windows\assembly\tmp\U\800000cb.@
c:\windows\assembly\tmp\U\800000cf.@
c:\windows\system32\consrv.dll
c:\windows\system32\java.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-27 to 2011-12-27 )))))))))))))))))))))))))))))))
.
.
2011-12-27 01:56 . 2011-12-27 01:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-21 18:59 . 2011-12-21 20:04 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-12-21 18:59 . 2011-12-21 19:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-21 18:47 . 2011-12-21 18:47 -------- d-----w- c:\program files (x86)\ERUNT
2011-12-19 03:46 . 2011-12-19 03:46 -------- d-----w- c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2011-12-19 03:01 . 2011-12-19 03:41 -------- d-----w- c:\program files (x86)\Fliptoast
2011-12-19 03:01 . 2011-12-19 03:01 -------- d-----w- c:\users\Brook\AppData\Local\Adobe
2011-12-19 03:00 . 2011-12-19 03:00 -------- d-----w- c:\users\Brook\Tracing
2011-12-19 02:59 . 2011-12-19 02:59 -------- d-----w- c:\users\Brook\AppData\Local\PackageAware
2011-12-19 02:59 . 2011-12-19 02:59 -------- d-----w- c:\users\Brook\AppData\Local\WeatherBug
2011-12-19 02:59 . 2011-12-19 02:59 -------- d-----w- c:\users\Brook\AppData\Roaming\WeatherBug
2011-12-19 02:59 . 2011-12-19 02:59 18944 ----a-r- c:\users\Brook\AppData\Roaming\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2011-12-19 01:01 . 2011-12-19 01:01 -------- d-----w- c:\users\Brook\AppData\Roaming\Tific
2011-12-19 01:01 . 2011-12-19 01:01 -------- d-----w- c:\users\Brook\AppData\Local\Symantec
2011-12-18 21:33 . 2011-12-18 23:44 -------- d-----w- c:\programdata\WeCareReminder
2011-12-18 21:16 . 2011-12-18 23:44 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-18 20:29 . 2011-12-18 21:34 -------- d-----w- c:\program files (x86)\PC Tools
2011-12-18 20:25 . 2011-12-18 21:24 -------- d-----w- c:\programdata\PC Tools
2011-12-18 20:25 . 2011-12-18 20:25 -------- d-----w- c:\users\Brook\AppData\Roaming\TestApp
2011-12-17 19:45 . 2011-12-17 19:45 -------- d-----w- c:\users\Brook\AppData\Local\ElevatedDiagnostics
2011-12-17 19:30 . 2011-10-20 05:10 22872 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2011-12-17 19:23 . 2011-12-17 19:23 -------- d-----w- c:\programdata\IObit
2011-12-17 19:02 . 2011-12-17 19:40 -------- d-----w- c:\users\Brook\AppData\Roaming\IObit
2011-12-17 19:02 . 2011-12-17 19:02 -------- d-----w- c:\program files (x86)\IObit
2011-12-17 18:53 . 2011-12-17 18:53 -------- d-----w- c:\users\Brook\AppData\Roaming\WinPatrol
2011-12-17 18:53 . 2011-12-17 18:53 -------- d-----w- c:\program files (x86)\BillP Studios
2011-12-17 18:53 . 2011-12-17 18:53 -------- d-----w- c:\programdata\InstallMate
2011-12-17 18:14 . 2011-12-17 18:14 -------- d-----w- c:\users\Brook\AppData\Roaming\Malwarebytes
2011-12-17 18:14 . 2011-12-17 18:14 -------- d-----w- c:\programdata\Malwarebytes
2011-12-17 18:14 . 2011-12-17 18:14 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-17 18:14 . 2011-08-31 23:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-17 17:00 . 2011-12-17 18:17 333908 ---ha-w- C:\aaw7boot.cmd
2011-12-17 16:45 . 2011-12-17 16:45 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-17 16:43 . 2011-12-17 16:43 -------- d-----w- c:\program files\CCleaner
2011-12-17 16:34 . 2011-12-17 16:34 -------- d-----w- c:\program files (x86)\Toolbar Cleaner
2011-12-17 16:34 . 2011-12-17 18:21 -------- d-----w- c:\programdata\Lavasoft
2011-12-17 16:34 . 2011-12-17 16:34 -------- d-----w- c:\program files (x86)\Lavasoft
2011-12-16 02:56 . 2011-12-16 02:56 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2011-12-16 01:55 . 2011-12-16 02:59 -------- d-----w- c:\program files (x86)\Common Files\Steam
2011-12-16 01:55 . 2011-12-19 20:09 -------- d-----w- c:\program files (x86)\Steam
2011-12-16 00:59 . 2011-12-16 00:59 -------- d-----w- c:\users\Brook\AppData\Local\AresXZ
2011-12-16 00:57 . 2011-12-17 00:49 -------- d-----w- c:\users\Brook\AppData\Roaming\LimeRunner
2011-12-16 00:55 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-16 00:55 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-16 00:55 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-16 00:55 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-16 00:55 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-16 00:55 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-14 03:17 . 2011-12-14 03:17 127 ----a-w- c:\users\Brook\AppData\Roaming\Microsoft\CC81\bl404151_64.bat
2011-12-11 01:51 . 2011-12-11 01:52 -------- d-----w- c:\users\Brook\AppData\Local\Facebook
2011-12-09 05:07 . 2011-12-09 05:07 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-09 03:39 . 2011-12-09 03:39 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-12-07 05:24 . 2011-12-07 05:24 -------- d-----w- c:\windows\system32\Macromed
2011-12-07 05:22 . 2011-12-07 05:22 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-12-07 01:23 . 2011-12-19 03:32 -------- d-----w- c:\users\Brook\AppData\Roaming\D45A0
2011-12-07 01:23 . 2011-12-19 03:32 -------- d-----w- c:\users\Brook\AppData\Roaming\101D4
2011-12-07 01:23 . 2011-12-17 17:00 -------- d-----w- c:\users\Brook\AppData\Roaming\CF715
2011-12-07 01:22 . 2011-12-07 01:22 -------- d-----w- c:\users\Brook\AppData\Roaming\459CF
2011-12-07 01:22 . 2011-12-27 01:56 -------- d-sh--w- c:\users\Brook\AppData\Local\784b8e91
2011-12-06 11:51 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{07A44B09-CB55-473A-BD04-3B27DA102EE0}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-16 20:01 . 2011-11-11 05:11 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-12-16 20:01 . 2011-11-11 04:57 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-12-12 04:26 . 2011-11-11 04:57 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-11-11 05:08 . 2011-11-11 04:57 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2011-11-10 20:22 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-10-03 11:06 . 2011-04-29 00:39 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-09-29 16:29 . 2011-11-11 03:15 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-02 336384]
.
c:\users\Brook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2011-12-17 494424]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-12-17 17152]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-04-02 365568]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 FPLService;TrueSuiteService;c:\program files (x86)\HP SimplePass 2011\TrueSuiteService.exe [2011-02-18 265544]
S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-02-17 682040]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-03-08 2375168]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3139890736-3921819157-3585904417-1001Core.job
- c:\users\Brook\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-21 18:18]
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3139890736-3921819157-3585904417-1001UA.job
- c:\users\Brook\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-21 18:18]
.
2011-12-27 c:\windows\Tasks\HPCeeScheduleForBrook.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-03-11 1128448]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 825184]
"combofix"="c:\combofix\CF11976.3XE" [2010-11-21 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.iminent.com/?appId=BD461244-FBB9-48B6-AA2B-9A9D36311D6F
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:58404
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files (x86)\adawaretb\adawareDx.dll
Toolbar-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files (x86)\adawaretb\adawareDx.dll
WebBrowser-{977AE9CC-AF83-45E8-9E03-E2798216E2D5} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}\bm_installer.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\ezSharedSvcHost.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2011-12-26 20:03:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-27 02:03
.
Pre-Run: 552,053,542,912 bytes free
Post-Run: 551,750,029,312 bytes free
.
- - End Of File - - D3B1F2DE5A7DA17B79DA5DD96247462E
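A small triage script, added here as an illustration and not part of this thread or of ComboFix's own tooling, that applies the checks a helper reads this kind of log for: hidden+system directories with 8-hex-digit names under AppData\Local (the ESET results later in the thread place Win64/Sirefef files under one), a directory literally named %APPDATA% under system32, and a browser proxy pointed at 127.0.0.1. The sample lines are constructed from entries in the log above; the assumed field layout (created, modified, size, attributes, path) and the function names are mine, not ComboFix's.

```python
import re

# Constructed sample, modelled on the ComboFix "Files Created" and
# "Supplementary Scan" lines in this thread (not a copy of the full log).
SAMPLE_LOG = r"""
2011-12-07 05:22 . 2011-12-07 05:22 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-12-07 01:22 . 2011-12-27 01:56 -------- d-sh--w- c:\users\Brook\AppData\Local\784b8e91
2011-12-11 01:51 . 2011-12-11 01:52 -------- d-----w- c:\users\Brook\AppData\Local\Facebook
uStart Page = hxxp://search.iminent.com/?appId=BD461244-FBB9-48B6-AA2B-9A9D36311D6F
uInternet Settings,ProxyServer = http=127.0.0.1:58404
TCP: DhcpNameServer = 192.168.2.1
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
# Assumed pattern: an 8-hex-digit directory directly under AppData\Local.
HEX_DIR_UNDER_LOCAL = re.compile(r"\\AppData\\Local\\[0-9a-f]{8}$", re.IGNORECASE)


def parse_file_entry(line):
    """Split a ComboFix file/directory line into (size, attributes, path).

    Assumed layout: <created> . <modified> <size-or-dashes> <attrs> <path>.
    The path may contain spaces, so only the first seven fields are split off.
    Returns None for lines that do not follow this layout.
    """
    parts = line.split(None, 7)
    if len(parts) != 8 or parts[2] != ".":
        return None
    size, attrs, path = parts[5], parts[6], parts[7]
    if len(attrs) != 8:
        return None
    return size, attrs, path


def check_directory(attrs, path):
    """Return a reason string if a directory entry looks suspicious, else None."""
    if not attrs.startswith("d"):
        return None
    # In the attribute string "d-sh--w-" position 2 is the system flag
    # and position 3 the hidden flag; only flag directories carrying both.
    if not (attrs[2] == "s" and attrs[3] == "h"):
        return None
    name = path.rsplit("\\", 1)[-1]
    if HEX_DIR_UNDER_LOCAL.search(path):
        return "hidden+system directory with an 8-hex-digit name under AppData\\Local"
    if "%" in name and path.lower().startswith("c:\\windows"):
        return "directory literally named after an unexpanded environment variable under c:\\windows"
    return "hidden+system directory (review manually)"


def check_proxy(line):
    """Flag a user/machine ProxyServer setting that points at the loopback address.

    Some legitimate security products and debugging tools also run a local
    proxy, so this is a prompt for review rather than a verdict.
    """
    m = re.match(r"[um]Internet Settings,ProxyServer\s*=\s*(.+)", line)
    if not m:
        return None
    # Value is either "host:port" or "scheme=host:port;scheme=host:port".
    for entry in m.group(1).split(";"):
        hostport = entry.split("=", 1)[-1].strip()
        host = hostport.rsplit(":", 1)[0]
        if host in LOOPBACK_HOSTS:
            return f"browser proxy pointed at loopback ({hostport}); a local process is interposing on web traffic"
    return None


def triage(log_text):
    """Run every check over each log line and collect the findings in order."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = parse_file_entry(line)
        if entry:
            _, attrs, path = entry
            reason = check_directory(attrs, path)
            if reason:
                findings.append({"path": path, "reason": reason})
            continue
        reason = check_proxy(line)
        if reason:
            findings.append({"path": line.split("=", 1)[0].strip(), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['path']}")
```

Run against the constructed sample it reports three findings: the %APPDATA% directory, the 784b8e91 directory, and the loopback proxy; the ordinary Facebook directory and the DHCP name server line are left alone.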
-
-
First, it does seem to be gone. I'm not getting redirects anymore, and browsing was fast, responsive, and nice.
When I downloaded the aswMBR.exe to my desktop and tried to open it I got the following message:
"C:\Users\Brook\Desktop\aswMBR(1).exe
Illegal operation attempted on a registry key that has been marked for deletion."
In fact nearly every program I try to open comes up with that error.
In addition, I checked to see if my Windows Firewall was enabled and/or working and the window for it was highlighted in red and said:
"Windows Firewall is not using the recommended settings to protect your computer."
When I tried clicking the button that says Use Recommended Settings, an error message pops up that reads: "Windows Firewall can't change some of your settings. Error code 0x80070424."
I right clicked the asw EXE file and ran it as an Admin. Only by doing this was I able to run it. Log attached.
ESET Scan resulted in finding 5 threats.
aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-27 20:12:44
-----------------------------
20:12:44.416 OS Version: Windows x64 6.1.7601 Service Pack 1
20:12:44.417 Number of processors: 4 586 0x100
20:12:44.418 ComputerName: BROOK-HP UserName: Brook
20:12:49.526 Initialize success
20:21:49.021 AVAST engine defs: 11122702
20:22:44.417 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000063
20:22:44.417 Disk 0 Vendor: ST964032 0002 Size: 610480MB BusType: 11
20:22:46.492 Disk 0 MBR read successfully
20:22:46.492 Disk 0 MBR scan
20:22:46.508 Disk 0 Windows 7 default MBR code
20:22:46.523 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
20:22:46.539 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 595243 MB offset 409600
20:22:46.586 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 14933 MB offset 1219467264
20:22:46.601 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 1250050048
20:22:46.617 Service scanning
20:22:47.693 Modules scanning
20:22:47.693 Disk 0 trace - called modules:
20:22:47.756 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
20:22:47.756 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80060be060]
20:22:47.771 3 CLASSPNP.SYS[fffff8800199c43f] -> nt!IofCallDriver -> [0xfffffa8005deeb10]
20:22:47.771 5 hpdskflt.sys[fffff88001943361] -> nt!IofCallDriver -> [0xfffffa8005c71040]
20:22:47.787 7 amd_xata.sys[fffff8800112e8f7] -> nt!IofCallDriver -> \Device\00000063[0xfffffa8005c75060]
20:22:52.560 AVAST engine scan C:\Windows
20:22:57.022 AVAST engine scan C:\Windows\system32
20:24:56.971 AVAST engine scan C:\Windows\system32\drivers
20:25:11.104 AVAST engine scan C:\Users\Brook
20:26:29.026 AVAST engine scan C:\ProgramData
20:26:59.634 Scan finished successfully
20:28:06.979 Disk 0 MBR has been saved successfully to "C:\Users\Brook\Desktop\MBR.dat"
20:28:06.994 The log file has been saved successfully to "C:\Users\Brook\Desktop\aswMBRlog2.txt"
C:\Qoobox\Quarantine\C\Users\Brook\AppData\Local\784b8e91\U\80000000.@.vir Win64/Sirefef.P trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Brook\AppData\Local\784b8e91\U\800000cb.@.vir Win64/Sirefef.M trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Brook\AppData\Local\784b8e91\U\800000cf.@.vir Win64/Sirefef.O trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.G trojan cleaned by deleting - quarantined
C:\Users\Brook\Downloads\asc-setup.exe a variant of Win32/Toolbar.Widgi application deleted - quarantined
Last edited by ken545; 2011-12-28 at 10:02.
-
Good Morning,
Just copy and paste any logs we ask for into this thread, it's easier for us to analyse.
You already had aswMBR on your desktop and you redownloaded it and it named it aswMBR(1).exe, that's why you got that error. The new log looks fine.
ESET, line number 8
8. Make sure that the option "Remove found threats" is Unchecked
We put this in purposely in case it removes something legit by mistake, but you squeaked by on this one.
All those files in Qoobox are just backups of what Combofix removed, we clean all that out as a final cleaning. Advanced System Care was removed and not needed.
Any problems ?
-
I don't seem to be experiencing those problems anymore, and everything works perfectly as far as I can tell.