Topic: Windows 7 (something) 2012 rogue


DonnaB
Windows 7 (something) 2012 rogue
« on: December 25, 2011, 07:45:12 AM »
Hi everybody! Merry Christmas! :)

My son's laptop is infected with one of the Windows 7 2012 rogues. He called me the day before yesterday after he had scanned with MBAM, which quarantined a couple of nasty entries. He said that it seemed to run OK, then all of a sudden he said it started all over again last night with the Windows 7 2012 rogue popping up and scanning again. This time he scanned with MBAM in Safe Mode, which quarantined more. He said he tried to run MSE but the service was not able to start, so he uninstalled it, thinking he could reinstall to get the service started again. Now he cannot get MSE to reinstall.

So of course he brought the laptop to mom. My first lecture was about the downloading with utorrent...of course!

I couldn't get RSIT to install, nor Security Check. The error I get when I try to install those programs is:

Internet connection was reset.

I did get DDS to install, though I can't get the laptop to function properly so I can post the log. I continually get disconnected in IE. I'm also having problems clicking on links to get to a forum to post for guidance.

I formatted my USB Flash drive to transfer the logs from my laptop (which I am using to type this post) to the forum, but I have another problem. The laptop was attacked a few weeks ago by a curious 18-month-old and the adapter was broken off at the port. Bryan (my son) took it back to Best Buy, where he purchased it last March, and they pried out the broken end of the old adapter and sold him a new universal adapter. Thing is, I think the port itself was damaged and may have been separated from the MoBo. The adapter does charge the laptop if it is turned off and the lid is closed, but does not charge the laptop when it is plugged in and turned on with the lid open. The adapter does seem loose when plugged into the port and will shut down, which it did as I was trying to post the DDS log and the MBAM logs that he got earlier. I told him to contact ASUS to see if the warranty was still good and if it would be covered...or not. Probably not, but it doesn't hurt to ask. Right?

Another thing I am worried about is that he said that his phone (can't remember what kind) has been acting funny and freezing on him. He does connect it to the computer and he did this morning just before he started getting those Win7 rogue popups again.

Could his phone be infected? I'm afraid to use my USB Flash drive to transfer the logs to post. I did install Panda USB Vaccine onto my computer. Will that keep me from getting infected if I use my USB to transfer the logs if I have to? The laptop is presently charging with the lid closed and by morning I should be able to post the logs from the infected laptop which works best in Safe Mode. 

Opinions please!

Thank you,

Donna

"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins

DonnaB
Re: Windows 7 (something) 2012 rogue
« Reply #1 on: December 25, 2011, 01:33:51 PM »
Finally! Laptop has charged. Took several attempts to get connected to this site. I'm posting the logs that I have while I have the chance. Presently in Safe Mode with Networking.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 8.0.7601.17514
Run by Bryan Calvert at 1:22:51 on 2011-12-25
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6069.5204 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Bryan Calvert\Desktop\OTL.exe
C:\Windows\notepad.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.facebook.com/
uSearch Bar = Preserve
mStart Page = hxxp://www.yahoo.com
uURLSearchHooks: YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn1\yt.dll
mURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn1\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
mRun: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
mRun: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
mRun: [VolPanel] "C:\Program Files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe" /r
mRun: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ACTIVC~1.LNK - C:\Program Files (x86)\ActivIdentity\ActivClient\acsagent.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: mswsock.dll
Trusted Zone: navy.mil
DPF: {2FD395CB-BD93-4BA9-AA4B-D725754E20D1} - hxxp://test.player.portalarium.com/installers/win32/PortalariumPlayer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer = 75.105.128.61
TCP: Interfaces\{4F4011DB-24D6-4379-B115-4C176D6A08E3} : DhcpNameServer = 75.105.128.61
TCP: Interfaces\{4F4011DB-24D6-4379-B115-4C176D6A08E3}\24259514E43414C465542545D20534F5E4564777F627B6 : DhcpNameServer = 192.168.2.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn1\yt.dll
BHO-X64:     0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64:     AcroIEHelperStub - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~2\Yahoo!\Companion\Installs\cpn1\yt.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
mRun-x64: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
mRun-x64: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe" /r
mRun-x64: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 ac.sharedstore;ActivIdentity Shared Store Service;C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-6-3 277032]
S2 AFBAgent;AFBAgent;"C:\Windows\system32\FBAgent.exe" --> C:\Windows\system32\FBAgent.exe [?]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S2 ASMMAP64;ASMMAP64;C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-7-2 15416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe [2010-6-7 408576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-4 136176]
S2 MotoHelper;MotoHelper Service;C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2011-8-10 227184]
S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-9-14 508264]
S2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]
S2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-9-24 2314240]
S2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe [2010-6-7 911872]
S3 bpenum;bpenum;C:\Windows\system32\DRIVERS\bpenum.sys --> C:\Windows\system32\DRIVERS\bpenum.sys [?]
S3 bpmp;Intel(R) Centrino(R) WiMAX 6050 Series;C:\Windows\system32\DRIVERS\bpmp.sys --> C:\Windows\system32\DRIVERS\bpmp.sys [?]
S3 bpusb;bpusb;C:\Windows\system32\Drivers\bpusb.sys --> C:\Windows\system32\Drivers\bpusb.sys [?]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-9-24 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-9-24 79360]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2008-12-8 533344]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-4 136176]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2011-2-28 19544]
S3 pnetmdm;PdaNet Modem;C:\Windows\system32\DRIVERS\pnetmdm64.sys --> C:\Windows\system32\DRIVERS\pnetmdm64.sys [?]
S3 S3XXx64;SCR3xx USB SmartCardReader64;C:\Windows\system32\DRIVERS\S3XXx64.sys --> C:\Windows\system32\DRIVERS\S3XXx64.sys [?]
S3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
S3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
S3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
S3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-9-14 219496]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSG664.sys --> C:\Windows\system32\DRIVERS\SiSG664.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-8-6 118672]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-12-25 00:35:26   29184   ----a-w-   C:\Windows\SysWow64\1VxJv.com
2011-12-15 07:34:57   2048   ----a-w-   C:\Windows\SysWow64\tzres.dll
2011-12-15 07:34:57   2048   ----a-w-   C:\Windows\System32\tzres.dll
2011-12-06 18:12:57   --------   d-----w-   C:\Users\Bryan Calvert\AppData\Roaming\uTorrent
2011-12-01 03:14:20   --------   d-----w-   C:\_OTL
2011-11-30 08:59:13   --------   d-----we   C:\Windows\system64
.
==================== Find3M  ====================
.
2011-12-19 07:25:54   45056   ----a-w-   C:\Windows\System32\acovcnt.exe
2011-12-18 17:21:45   414368   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-24 04:52:09   3145216   ----a-w-   C:\Windows\System32\win32k.sys
2011-11-05 05:41:43   1188864   ----a-w-   C:\Windows\System32\wininet.dll
2011-11-05 04:35:00   981504   ----a-w-   C:\Windows\SysWow64\wininet.dll
2011-11-05 03:32:47   1638912   ----a-w-   C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51   1638912   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2011-10-26 05:21:20   43520   ----a-w-   C:\Windows\System32\csrsrv.dll
2011-10-15 06:31:56   723456   ----a-w-   C:\Windows\System32\EncDec.dll
2011-10-15 05:38:59   534528   ----a-w-   C:\Windows\SysWow64\EncDec.dll
2011-09-29 16:29:28   1923952   ----a-w-   C:\Windows\System32\drivers\tcpip.sys
.
============= FINISH:  1:23:51.83 ===============


1st MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8293

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

12/23/2011 7:13:31 PM
mbam-log-2011-12-23 (19-13-31).txt

Scan type: Quick scan
Objects scanned: 170300
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Bryan Calvert\AppData\Local\esl.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)



2nd MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122405

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.7601.17514

12/24/2011 7:03:51 PM
mbam-log-2011-12-24 (19-03-51).txt

Scan type: Quick scan
Objects scanned: 173420
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\.exe\(default) (PUM.HijackExefiles) -> Bad: (DE) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Bryan Calvert\AppData\Local\esl.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\bryan calvert\local settings\aho.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\bryan calvert\local settings\esl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\bryan calvert\local settings\application data\aho.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\bryan calvert\local settings\application data\esl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Corrine (Administrator)
Re: Windows 7 (something) 2012 rogue
« Reply #2 on: December 25, 2011, 02:22:04 PM »
Hi, DonnaB.

Merry Christmas!  (When you talk to our common friend, please send my best wishes along to him as well.)

I have bad news about your son's laptop.  It looks like it is infected with ZeroAccess.  Please note the following:
  • One or more of the identified infections is a backdoor trojan and password stealer.
  • This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
  • If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
  • It would also be wise to contact those same financial institutions to apprise them of your situation.

I would strongly recommend format and reinstallation of this machine. For more information, you may wish to read one of these excellent articles:

Please let me know if you wish to continue to clean this machine or if you wish to format.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
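As an added illustration (not code from this thread or from DDS, ComboFix or MBAM), here is a small Python triage script that walks log lines in the formats posted above and flags the indicators the ZeroAccess diagnosis rests on: the csrss SubSystems value loading the console server from consrv instead of winsrv, the C:\Windows\system64 directory, the random-looking .com dropped in SysWow64, the .exe-association and StartMenuInternet hijacks reported by MBAM, and UAC and the Action Center icon being switched off. The sample lines are constructed from the logs in this thread; the Finding type, the regexes and the rule set are mine, and the "clean Windows 7" SubSystems value is stated from general knowledge, not from this page.

```python
"""Triage DDS / ComboFix / MBAM log lines for the rogue-AV and ZeroAccess
indicators seen in this thread.  Rules are illustrative, not vendor signatures."""
import re
from dataclasses import dataclass

# Constructed sample: lines lifted from the DDS, MBAM and ComboFix logs posted
# above, plus two benign lines (tzres.dll, a temp dir) that must not be flagged.
SAMPLE_LOG = r"""
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
2011-12-25 00:35:26   29184   ----a-w-   C:\Windows\SysWow64\1VxJv.com
2011-12-15 07:34:57   2048   ----a-w-   C:\Windows\System32\tzres.dll
2011-11-30 08:59:13   --------   d-----we   C:\Windows\system64
2011-12-26 00:50 . 2011-12-26 00:50   --------   d-----w-   c:\users\Default\AppData\Local\temp
HKEY_CLASSES_ROOT\.exe\(default) (PUM.HijackExefiles) -> Bad: (DE) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Bryan Calvert\AppData\Local\esl.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.
c:\windows\system32\consrv.dll
"""


@dataclass
class Finding:
    severity: str    # "high" or "medium"
    indicator: str   # what the line means to a responder
    line: str        # the offending log line


# DDS "Created Last 30" and ComboFix "Files Created" rows: timestamp(s), size, attributes, path.
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d(?::\d\d)?"         # DDS (with seconds) or ComboFix timestamp
    r"(?: \. \d{4}-\d\d-\d\d \d\d:\d\d)?"           # ComboFix appends a second timestamp
    r"\s+\S+\s+[-a-z]{8}\s+(.+?)\s*$")              # size, attribute flags, path
POLICY_RE = re.compile(r"^[um]Policies-(\w+): (\w+) = (\d+)")
SUBSYS_RE = re.compile(r"^SubSystems: Windows = (.+)$")
MBAM_RE = re.compile(r"^(HKEY_\S+) \(((?:Hijack|PUM)\.\w+)\)(?: -> Bad: \((.*?)\) Good:)?")


def check_subsystems(value):
    """Return the module csrss would load the console server from if it is not
    winsrv.  On a clean Windows 7 the entry is winsrv:ConServerDllInitialization,2;
    the consrv variant in this thread is the consrv.dll that ComboFix later deleted."""
    for entry in value.split():
        module, _, init = entry.partition(":")
        if init.startswith("ConServerDllInitialization") and module.lower() != "winsrv":
            return module
    return None


def check_created(path):
    """Heuristics for newly created paths; returns (severity, indicator) or None."""
    p = path.lower()
    if p.startswith("c:\\windows\\system64"):
        return "high", "c:\\windows\\system64 created (no such directory on a clean install)"
    if re.fullmatch(r"c:\\windows\\syswow64\\[^\\]+\.com", p):
        return "medium", "short-named .com executable dropped in SysWow64"
    return None


def triage(text):
    """Walk log lines and collect a Finding for each indicator above."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUBSYS_RE.match(line):
            if bad := check_subsystems(m.group(1)):
                findings.append(Finding("high", f"csrss console server loaded from '{bad}' instead of winsrv", line))
        elif m := POLICY_RE.match(line):
            scope, name, val = m.groups()
            if (scope, name, val) == ("system", "EnableLUA", "0"):
                findings.append(Finding("high", "UAC disabled (EnableLUA=0)", line))
            elif (scope, name, val) == ("explorer", "HideSCAHealth", "1"):
                findings.append(Finding("medium", "Action Center security icon hidden (HideSCAHealth=1)", line))
        elif m := CREATED_RE.match(line):
            if hit := check_created(m.group(1)):
                findings.append(Finding(hit[0], hit[1], line))
        elif m := MBAM_RE.match(line):
            key, detection, bad = m.groups()
            exe = re.search(r'"([^"]+\.exe)"', bad or "")   # binary the hijacked command ran through
            via = f" via {exe.group(1)}" if exe else ""
            findings.append(Finding("high", f"{detection} on {key}{via}", line))
        elif line.lower().endswith("\\system32\\consrv.dll"):
            findings.append(Finding("high", "consrv.dll present in system32 (not part of Windows 7)", line))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.indicator}\n         {f.line}")
```

Run it against a full DDS or ComboFix log to get the same eight findings listed in severity order; the two benign sample lines produce nothing.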

DonnaB
Re: Windows 7 (something) 2012 rogue
« Reply #3 on: December 25, 2011, 02:54:33 PM »
Hi Corrine,

I will send your wishes along to my dearly beloved.

As for the diagnosis .............. :thud: OMG! I tried to warn him about the dangers of downloading from the internet.

At this time a format and reinstallation may be out of the question. He does have some very important Military info in his documents folder and I'm afraid to plug my USB Flash drive into his laptop to retrieve it. What do you know about the Panda USB Vaccine? Would I be safe inserting my Flash drive into his laptop to retrieve all the personal files?

There is no recovery partition, though just after Thanksgiving I did create the recovery disks for him. The computer was acting funny then. Would the Recovery disks be bad if they were created from a sick machine?

I'd like to continue to clean his laptop if you'd be willing to guide me. I'll contact him to let him know about the diagnosis/backdoor trojan so he can get to a clean computer and change his passwords as soon as possible and see where he would like to go from there.

Hm....would ZeroAccess cause the issues with the adapter port problem too?

Please take your time.  I'm in no hurry to clean this machine. Family is much more important on this glorious day.

Thanks Corrine,

Donna

Corrine (Administrator)
Re: Windows 7 (something) 2012 rogue
« Reply #4 on: December 25, 2011, 07:45:19 PM »
Hi, Donna.

We know that no A/V is perfect but it will certainly help.  If you are up-to-date with Microsoft Security Updates and have autorun disabled on your machine, between that and Panda, you should be fine. 

You'll need to transfer ComboFix to your son's laptop.  Even if you have a recent copy, delete it and download the latest version, please.

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.

DonnaB
Re: Windows 7 (something) 2012 rogue
« Reply #5 on: December 25, 2011, 11:25:45 PM »
Corrine,

I have a question. In the DDS log above I found the following entries:

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

MSE is not on this computer. He did uninstall it.  A search on the laptop for MSE finds nothing though I did find a folder in C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Choice Guard and found that they are related to MSE as shown in this thread.

Can I assume that MSE is not enabled? Should I delete that folder?

Just made sure my laptop is up to date with MS Updates. Verified that Use AutoPlay for all Media and Devices is unchecked in Control Panel.

I'll post the ComboFix log as soon as I can. Thank you for your help.  :hug:

DonnaB
Re: Windows 7 (something) 2012 rogue
« Reply #6 on: December 26, 2011, 12:10:36 AM »
Hi Corrine,

Was able to install and run ComboFix with the infected laptop. Upon clicking on the desktop icon it did warn me that MSE needed to be deactivated even though it does not show up in Control Panel > Program Files. I went ahead and deleted the folder in C:\Program Files (x86) and rebooted. Then ran ComboFix. It does show in the log below that MSE was Enabled. I have no idea why???

Here's the log:

ComboFix 11-12-25.01 - Bryan Calvert 12/25/2011  18:45:15.1.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6069.4632 [GMT -6:00]
Running from: c:\users\Bryan Calvert\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Bryan Calvert\AppData\Roaming\app
c:\users\Bryan Calvert\AppData\Roaming\app\Jerakine_lang.dat
c:\users\Bryan Calvert\AppData\Roaming\app\Jerakine_lang_vesrion.dat
c:\windows\system32\consrv.dll
c:\windows\System64
c:\windows\SysWow64\system
.
.
(((((((((((((((((((((((((   Files Created from 2011-11-26 to 2011-12-26  )))))))))))))))))))))))))))))))
.
.
2011-12-26 00:50 . 2011-12-26 00:50   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-12-25 00:35 . 2011-12-25 00:35   29184   ----a-w-   c:\windows\SysWow64\1VxJv.com
2011-12-18 17:21 . 2011-12-18 17:21   --------   d-----w-   c:\windows\system32\Macromed
2011-12-15 07:34 . 2011-11-05 05:32   2048   ----a-w-   c:\windows\system32\tzres.dll
2011-12-15 07:34 . 2011-11-05 04:26   2048   ----a-w-   c:\windows\SysWow64\tzres.dll
2011-12-06 18:12 . 2011-12-11 19:42   --------   d-----w-   c:\users\Bryan Calvert\AppData\Roaming\uTorrent
2011-12-01 03:14 . 2011-12-01 03:14   --------   d-----w-   C:\_OTL
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-26 00:51 . 2011-09-07 18:00   45056   ----a-w-   c:\windows\system32\acovcnt.exe
2011-12-18 17:21 . 2011-07-10 04:29   414368   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-11 23:08 . 2011-11-11 23:08   388096   ----a-r-   c:\users\Bryan Calvert\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-29 16:29 . 2011-11-09 18:50   1923952   ----a-w-   c:\windows\system32\drivers\tcpip.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~2\Yahoo!\Companion\Installs\cpn1\yt.dll" [2011-10-06 2015544]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-12-17 98304]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2010-06-25 6806144]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-05-03 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"VolPanel"="c:\program files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe" [2008-12-29 237693]
"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2010-04-26 1597440]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2009-6-3 164904]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-6-24 9216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 136176]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-09-24 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-09-24 79360]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 136176]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys

R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys

R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 19544]
R3 S3XXx64;SCR3xx USB SmartCardReader64;c:\windows\system32\DRIVERS\S3XXx64.sys

R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys

R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-08-06 118672]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys

S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 277032]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe

S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-03 15416]
S2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\Intel\WiMAX\Bin\DMAgent.exe [2010-06-07 408576]
S2 MotoHelper;MotoHelper Service;c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2011-08-10 227184]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys

S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-10-01 2314240]
S2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\Intel\WiMAX\Bin\AppSrv.exe [2010-06-07 911872]
S3 bpenum;bpenum;c:\windows\system32\DRIVERS\bpenum.sys

S3 bpmp;Intel(R) Centrino(R) WiMAX 6050 Series;c:\windows\system32\DRIVERS\bpmp.sys

S3 bpusb;bpusb;c:\windows\system32\Drivers\bpusb.sys

S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys

S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys

S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys

.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-25 c:\windows\Tasks\At1.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At11.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At13.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At15.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At17.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At19.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At21.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At23.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At25.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At27.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At29.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At3.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At31.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At33.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At35.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-26 c:\windows\Tasks\At37.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At39.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At41.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At43.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At45.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At47.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At5.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At7.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At9.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-18 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1811056662-50345387-146203039-1000Core.job
- c:\users\Bryan Calvert\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-29 02:56]
.
2011-12-24 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1811056662-50345387-146203039-1000UA.job
- c:\users\Bryan Calvert\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-29 02:56]
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 01:05]
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 01:05]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2010-05-03 324096]
"IntelWirelessWiMAX"="c:\program files\Intel\WiMAX\Bin\WiMAXCU.exe" [2010-06-08 1441792]
"RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2009-07-14 45568]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 196648]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 483880]
"combofix"="c:\combofix\CF11265.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.facebook.com/
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\system32\blank.htm
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: navy.mil
TCP: DhcpNameServer = 75.105.128.61
DPF: {2FD395CB-BD93-4BA9-AA4B-D725754E20D1} - hxxp://test.player.portalarium.com/installers/win32/PortalariumPlayer.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-Setwallpaper - c:\programdata\SetWallpaper.cmd
HKLM-Run-(Default) - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
c:\program files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\ASUS\ControlDeck\ControlDeck.exe
.
**************************************************************************
.
Completion time: 2011-12-25  18:56:25 - machine was rebooted
ComboFix-quarantined-files.txt  2011-12-26 00:56
.
Pre-Run: 459,263,574,016 bytes free
Post-Run: 458,971,398,144 bytes free
.
- - End Of File - - CDE5E9F1E883CC87CD48085C0D0494B5
"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Windows 7 (something) 2012 rogue
« Reply #7 on: December 26, 2011, 12:48:26 AM »
Hi, Donna.

Sometimes the Security Center needs a jump start to show the correct entries. We'll take care of that with ComboFix.

I meant to comment about your son's phone earlier. Most of the information in my article on Tablet Security Tips also applies to Android smart phones. (I was asked to limit the article to Android devices.) If his phone is a Windows Phone, I would recommend ESET: http://www.eset.com/us/home/products/mobile-security/

Can the laptop access the Internet now?

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
SecCenter::
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

RegLock::

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In addition, please go here to run an on-line scan from ESET.
  • Note: It is easiest if you use Internet Explorer for this scan. (If you use an alternate browser, it will be necessary to download the ESET Smart Installer.)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline DonnaB

  • Sr. Member
  • ****
  • Posts: 254
Re: Windows 7 (something) 2012 rogue
« Reply #8 on: December 26, 2011, 02:23:31 AM »
Followed instructions for Custom CFScript. Was able to access internet connection before and after. Clicked on desktop link to this thread, and right-clicked on link, chose Open in New Tab, to access ESET Online scanner and lost connection. Clicked on open tab to post ComboFix log created from fix and lost connection. Inserted Flash Drive to retrieve ComboFix log and transfer to clean laptop to post below.

Also was warned about the AV being enabled again after fix before ComboFix ran scan that created log below. Internet will not connect now. IE is the only browser installed. I see Bryan must have uninstalled Firefox that I installed a month ago. :angry:

ComboFix 11-12-25.01 - Bryan Calvert 12/25/2011  20:49:54.2.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6069.4634 [GMT -6:00]
Running from: c:\users\Bryan Calvert\Desktop\ComboFix.exe
Command switches used :: c:\users\Bryan Calvert\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2011-11-26 to 2011-12-26  )))))))))))))))))))))))))))))))
.
.
2011-12-26 02:53 . 2011-12-26 02:53   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-12-25 00:35 . 2011-12-25 00:35   29184   ----a-w-   c:\windows\SysWow64\1VxJv.com
2011-12-18 17:21 . 2011-12-18 17:21   --------   d-----w-   c:\windows\system32\Macromed
2011-12-15 07:34 . 2011-11-05 05:32   2048   ----a-w-   c:\windows\system32\tzres.dll
2011-12-15 07:34 . 2011-11-05 04:26   2048   ----a-w-   c:\windows\SysWow64\tzres.dll
2011-12-06 18:12 . 2011-12-11 19:42   --------   d-----w-   c:\users\Bryan Calvert\AppData\Roaming\uTorrent
2011-12-01 03:14 . 2011-12-01 03:14   --------   d-----w-   C:\_OTL
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-26 00:51 . 2011-09-07 18:00   45056   ----a-w-   c:\windows\system32\acovcnt.exe
2011-12-18 17:21 . 2011-07-10 04:29   414368   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-11 23:08 . 2011-11-11 23:08   388096   ----a-r-   c:\users\Bryan Calvert\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-29 16:29 . 2011-11-09 18:50   1923952   ----a-w-   c:\windows\system32\drivers\tcpip.sys
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-12-26_00.51.50   )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2011-12-26 00:51   49152              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-12-26 02:37   49152              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-24 09:06 . 2011-12-26 02:39   54536              c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-12-26 02:39   38354              c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-12-26 00:05   38354              c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-12 05:51 . 2011-12-26 02:39   14450              c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1811056662-50345387-146203039-1000_UserData.bin
- 2010-09-24 08:45 . 2011-12-26 00:51   16384              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-24 08:45 . 2011-12-26 02:37   16384              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-24 08:45 . 2011-12-26 02:37   32768              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-24 08:45 . 2011-12-26 00:51   32768              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-26 00:51   16384              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-12-26 02:37   16384              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-03-04 03:44 . 2011-12-26 00:05   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-03-04 03:44 . 2011-12-26 02:39   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-03-04 03:44 . 2011-12-26 02:39   32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-03-04 03:44 . 2011-12-26 00:05   32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-03-04 03:44 . 2011-12-26 00:05   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-04 03:44 . 2011-12-26 02:39   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-02-12 05:55 . 2011-12-26 00:03   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-12 05:55 . 2011-12-26 02:40   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-12 05:55 . 2011-12-26 02:40   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-02-12 05:55 . 2011-12-26 00:03   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-12-26 00:51 . 2011-12-26 00:51   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-26 02:37 . 2011-12-26 02:37   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-26 00:51 . 2011-12-26 00:51   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-12-26 02:37 . 2011-12-26 02:37   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2011-12-26 02:37   196608              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-26 00:51   196608              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-26 00:51   212992              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-12-26 02:37   212992              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 05:01 . 2011-12-26 00:50   228720              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-12-26 01:13   228720              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~2\Yahoo!\Companion\Installs\cpn1\yt.dll" [2011-10-06 2015544]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-12-17 98304]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2010-06-25 6806144]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-05-03 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"VolPanel"="c:\program files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe" [2008-12-29 237693]
"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2010-04-26 1597440]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2009-6-3 164904]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-6-24 9216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 136176]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-09-24 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-09-24 79360]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 136176]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys

R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys

R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 19544]
R3 S3XXx64;SCR3xx USB SmartCardReader64;c:\windows\system32\DRIVERS\S3XXx64.sys

R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys

R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-08-06 118672]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys

S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 277032]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe

S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-03 15416]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\Intel\WiMAX\Bin\DMAgent.exe [2010-06-07 408576]
S2 MotoHelper;MotoHelper Service;c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2011-08-10 227184]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys

S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-10-01 2314240]
S2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\Intel\WiMAX\Bin\AppSrv.exe [2010-06-07 911872]
S3 bpenum;bpenum;c:\windows\system32\DRIVERS\bpenum.sys

S3 bpmp;Intel(R) Centrino(R) WiMAX 6050 Series;c:\windows\system32\DRIVERS\bpmp.sys

S3 bpusb;bpusb;c:\windows\system32\Drivers\bpusb.sys

S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys

S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys

S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys

.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-25 c:\windows\Tasks\At1.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At11.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At13.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At15.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At17.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At19.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At21.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At23.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At25.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At27.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At29.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At3.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At31.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At33.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At35.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-26 c:\windows\Tasks\At37.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At39.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-26 c:\windows\Tasks\At41.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At43.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At45.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At47.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At5.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At7.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At9.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-18 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1811056662-50345387-146203039-1000Core.job
- c:\users\Bryan Calvert\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-29 02:56]
.
2011-12-26 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1811056662-50345387-146203039-1000UA.job
- c:\users\Bryan Calvert\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-29 02:56]
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 01:05]
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 01:05]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2010-05-03 324096]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"IntelWirelessWiMAX"="c:\program files\Intel\WiMAX\Bin\WiMAXCU.exe" [2010-06-08 1441792]
"RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2009-07-14 45568]
"Setwallpaper"="c:\programdata\SetWallpaper.cmd" [BU]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 196648]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 483880]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.facebook.com/
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\system32\blank.htm
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: navy.mil
TCP: DhcpNameServer = 75.105.128.61
DPF: {2FD395CB-BD93-4BA9-AA4B-D725754E20D1} - hxxp://test.player.portalarium.com/installers/win32/PortalariumPlayer.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
.
.
.
Completion time: 2011-12-25  20:55:47
ComboFix-quarantined-files.txt  2011-12-26 02:55
ComboFix2.txt  2011-12-26 00:56
.
Pre-Run: 459,316,277,248 bytes free
Post-Run: 459,262,885,888 bytes free
.
- - End Of File - - E5FD3FC32C0A519394939E53B9D41BB9




"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins

Offline DonnaB

  • Sr. Member
  • ****
  • Posts: 254
Re: Windows 7 (something) 2012 rogue
« Reply #9 on: December 26, 2011, 03:48:45 AM »
Hi Corrine,

I believe the internet connection issue may be due to my Wildblue Satellite connection. I clicked on Diagnose connection problem and found I had an IP conflict. After power cycling the router I did get back online with both laptops. Though having trouble sporadically with connection timing out.

I'll try tomorrow to see if I can get to the ESET Online scanner.

Donna
"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins

Offline DonnaB

  • Sr. Member
  • ****
  • Posts: 254
Re: Windows 7 (something) 2012 rogue
« Reply #10 on: December 26, 2011, 01:23:56 PM »
testing ability to post with infected laptop.....
"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins

Offline zep516

  • Full Member
  • ***
  • Posts: 126
Re: Windows 7 (something) 2012 rogue
« Reply #11 on: December 26, 2011, 02:38:46 PM »
You go girls!!!!!!!! :)

Quote
Merry Christmas!  (When you talk to our common friend, please send my best wishes along to him as well.)
Corrine you have no idea what that meant to me, your concern, compassion for other people is truly a gift. You're the best ever! God bless you...

Joe
You're only as safe as your last update.

Offline DonnaB

  • Sr. Member
  • ****
  • Posts: 254
Re: Windows 7 (something) 2012 rogue
« Reply #12 on: December 26, 2011, 02:51:42 PM »
Good Morning Corrine,

Sorry for the post above. Checking to see what my abilities/limits were and how the laptop was functioning. I'm typing this from my laptop. Internet connection is fine now.
Here's an update:

The laptop will connect to the internet and I can access this thread. When I click on the link for ESET, thinker orb continually spins and the connection either times out or if I do connect cannot click on download button. When I type ESET Online scanner in search engine I can get to the list of links and access the site. When I click on Run ESET Online Scanner button, place a check in Yes, I accept the Terms of Use I cannot click on the Start button. When I refresh the page I get the Diagnose Connection Problems page. Thinker orb continually spins. Pages are loading very slowly. Sometimes I can pull up a page, sometimes I can't.

If needed, I do have the 4 recovery disks that I made on 12-2-2011 but I am not sure they are not corrupted. On 11-30-2011, he ran MBAM that removed 4 Registry Values that were infected and one infected file. I have those logs saved if you need to see them. On 12-2-2011, after another MBAM scan came up clean I then created the disks for him. I have that log too!

If I knew that those disks were safe to use I would just transfer his pics and Military docs to my Flash Drive and use them.

I'll await your next response.

Donna :)

PS: Thank you for the info about ESET for the phone. I'll make sure he gets that info.
"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Windows 7 (something) 2012 rogue
« Reply #13 on: December 26, 2011, 05:23:11 PM »
Quote
You go girls!!!!!!!! :)

Quote
Merry Christmas!  (When you talk to our common friend, please send my best wishes along to him as well.)
Corrine you have no idea what that meant to me, your concern, compassion for other people is truly a gift. You're the best ever! God bless you...

Joe


Thank you, Joe.  :rose:

You certainly paint a pretty picture!  ;)

Ok, Donna, I don't know why I missed scripting this yesterday, but let's see what this does.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
Code:
AtJob::

File::
c:\windows\system32\1VxJv.com
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
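Reading the log the way the reply above responds to it, as an added Python triage helper that is not ComboFix's or the forum's code: it pulls the Scheduled Tasks section out of a ComboFix log, clusters At<N>.job entries (the ones at.exe creates) by the file they launch, flags the layout seen in this thread (many jobs all pointing at one freshly created, oddly named file under system32), and renders the same AtJob::/File:: directives. SAMPLE_LOG is constructed from a few of this thread's own log lines; the looks_random heuristic is my own assumption, and the SysWow64 check reflects that on 64-bit Windows a 32-bit tool sees system32 redirected to SysWOW64 (which is why the Files Created section lists the same name there).

```python
"""Triage of the 'Scheduled Tasks' section of a ComboFix log (added example)."""
import re

# Constructed excerpt: a few of this thread's own log lines (three of the
# 24 At<N>.job entries plus the two legitimate Google updater tasks).
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder
.
2011-12-25 c:\windows\Tasks\At1.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-25 c:\windows\Tasks\At11.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-26 c:\windows\Tasks\At37.job
- c:\windows\system32\1VxJv.com [2011-12-25 00:35]
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 01:05]
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 01:05]
.
.
--------- x86-64 -----------
"""

# "<date> <path>.job" followed by "- <target> [<target date/time>]"
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S.*\.job)$", re.I)
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]$")
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.I)   # jobs created with at.exe


def parse_scheduled_tasks(log_text):
    """Return a list of {job, target, target_stamp} dicts from the section."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    tasks, in_section, i = [], False, 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
        elif in_section and (line.startswith("---------") or line.startswith("(((")):
            break  # start of the next ComboFix section
        elif in_section:
            m = TASK_RE.match(line)
            t = TARGET_RE.match(lines[i + 1]) if m and i + 1 < len(lines) else None
            if m and t:
                tasks.append({"job": m.group("job"), "target": t.group("target"),
                              "target_stamp": t.group("stamp")})
                i += 1  # consume the target line too
        i += 1
    return tasks


def looks_random(stem):
    """Heuristic (assumption): short stem mixing digits with upper and lower case, like 1VxJv."""
    return (len(stem) <= 8 and any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem) and any(c.islower() for c in stem))


def triage(log_text, min_jobs=3):
    """Cluster At<N>.job entries by target; describe clusters of at least min_jobs jobs."""
    clusters = {}
    for t in parse_scheduled_tasks(log_text):
        if AT_JOB_RE.search(t["job"]):
            c = clusters.setdefault(t["target"].lower(),
                                    {"target": t["target"], "target_stamp": t["target_stamp"], "jobs": []})
            c["jobs"].append(t["job"])
    findings = []
    for c in clusters.values():
        if len(c["jobs"]) < min_jobs:
            continue
        low = c["target"].lower()
        stem = c["target"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        findings.append({
            "target": c["target"],
            "target_stamp": c["target_stamp"],   # creation time of the launched file
            "jobs": sorted(c["jobs"]),
            "random_name": looks_random(stem),
            # system32 for a 64-bit view, SysWOW64 for what a 32-bit tool sees
            "in_system_dir": "\\windows\\system32\\" in low or "\\windows\\syswow64\\" in low,
        })
    return findings


def build_cfscript(findings):
    """Render the two directives used in the reply above: AtJob:: then File::."""
    targets = [f["target"] for f in findings if f["random_name"] and f["in_system_dir"]]
    return "AtJob::\n\nFile::\n" + "\n".join(targets) + "\n" if targets else ""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(len(f["jobs"]), "at.exe jobs ->", f["target"], "created", f["target_stamp"])
    print(build_cfscript(triage(SAMPLE_LOG)), end="")
```

On the full log above, the same code groups all 24 At*.job entries under the single 1VxJv.com target.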

Offline DonnaB

  • Sr. Member
  • ****
  • Posts: 254
Re: Windows 7 (something) 2012 rogue
« Reply #14 on: December 26, 2011, 07:31:28 PM »
Tried to access ESET Online scanner link above and received Internet Explorer cannot display webpage again! I had no trouble accessing the thread to post this from the desktop link.

Below is the ComboFix log requested:

ComboFix 11-12-25.01 - Bryan Calvert 12/26/2011  13:37:42.3.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6069.4746 [GMT -6:00]
Running from: c:\users\Bryan Calvert\Desktop\ComboFix.exe
Command switches used :: c:\users\Bryan Calvert\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\1VxJv.com"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Tasks\At1.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At9.job
.
.
(((((((((((((((((((((((((   Files Created from 2011-11-26 to 2011-12-26  )))))))))))))))))))))))))))))))
.
.
2011-12-26 19:49 . 2011-12-26 19:49   --------   d-----w-   c:\users\Default\AppData\Local\temp
2011-12-25 00:35 . 2011-12-25 00:35   29184   ----a-w-   c:\windows\SysWow64\1VxJv.com
2011-12-18 17:21 . 2011-12-18 17:21   --------   d-----w-   c:\windows\system32\Macromed
2011-12-15 07:34 . 2011-11-05 05:32   2048   ----a-w-   c:\windows\system32\tzres.dll
2011-12-15 07:34 . 2011-11-05 04:26   2048   ----a-w-   c:\windows\SysWow64\tzres.dll
2011-12-06 18:12 . 2011-12-11 19:42   --------   d-----w-   c:\users\Bryan Calvert\AppData\Roaming\uTorrent
2011-12-01 03:14 . 2011-12-01 03:14   --------   d-----w-   C:\_OTL
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-26 19:30 . 2011-09-07 18:00   45056   ----a-w-   c:\windows\system32\acovcnt.exe
2011-12-18 17:21 . 2011-07-10 04:29   414368   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-11 23:08 . 2011-11-11 23:08   388096   ----a-r-   c:\users\Bryan Calvert\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-29 16:29 . 2011-11-09 18:50   1923952   ----a-w-   c:\windows\system32\drivers\tcpip.sys
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-12-26_00.51.50   )))))))))))))))))))))))))))))))))))))))))
.
- 2011-12-26 00:50 . 2011-12-26 00:50   12167              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2011-12-26 16:28 . 2011-12-26 16:28   12167              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2009-07-14 04:54 . 2011-12-26 19:30   49152              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-12-26 00:51   49152              c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-24 09:06 . 2011-12-26 19:32   54552              c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-12-26 19:32   38354              c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-12-26 00:05   38354              c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-12 05:51 . 2011-12-26 19:32   14450              c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1811056662-50345387-146203039-1000_UserData.bin
+ 2010-09-24 08:45 . 2011-12-26 19:30   16384              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-09-24 08:45 . 2011-12-26 00:51   16384              c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-24 08:45 . 2011-12-26 19:30   32768              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-24 08:45 . 2011-12-26 00:51   32768              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-12-26 19:30   16384              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-26 00:51   16384              c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-03-04 03:44 . 2011-12-26 00:05   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-03-04 03:44 . 2011-12-26 19:32   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2011-12-26 12:47   91888              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2011-03-04 03:44 . 2011-12-26 19:32   32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-03-04 03:44 . 2011-12-26 00:05   32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-03-04 03:44 . 2011-12-26 19:32   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-03-04 03:44 . 2011-12-26 00:05   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-02-12 05:55 . 2011-12-26 00:03   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-12 05:55 . 2011-12-26 19:35   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-12 05:55 . 2011-12-26 00:03   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-12 05:55 . 2011-12-26 19:35   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-12-26 19:30 . 2011-12-26 19:30   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-26 00:51 . 2011-12-26 00:51   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-12-26 00:51 . 2011-12-26 00:51   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-12-26 19:30 . 2011-12-26 19:30   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2011-12-26 19:30   196608              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-26 00:51   196608              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-12-26 00:51   212992              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-12-26 19:30   212992              c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 02:36 . 2011-12-25 06:24   660982              c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-12-26 03:05   660982              c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-12-26 03:05   121620              c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-12-25 06:24   121620              c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-12-26 00:50   228720              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-12-26 16:28   228720              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2010-09-24 11:32 . 2011-12-26 00:50   1017536              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2010-09-24 11:32 . 2011-12-26 16:28   1017536              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~2\Yahoo!\Companion\Installs\cpn1\yt.dll" [2011-10-06 2015544]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-12-17 98304]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2010-06-25 6806144]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-05-03 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"VolPanel"="c:\program files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe" [2008-12-29 237693]
"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2010-04-26 1597440]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2009-6-3 164904]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-6-24 9216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 136176]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-09-24 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-09-24 79360]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 136176]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys

R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys

R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 19544]
R3 S3XXx64;SCR3xx USB SmartCardReader64;c:\windows\system32\DRIVERS\S3XXx64.sys

R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys

R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-08-06 118672]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys

S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 277032]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe

S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-03 15416]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\Intel\WiMAX\Bin\DMAgent.exe [2010-06-07 408576]
S2 MotoHelper;MotoHelper Service;c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2011-08-10 227184]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys

S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-10-01 2314240]
S2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\Intel\WiMAX\Bin\AppSrv.exe [2010-06-07 911872]
S3 bpenum;bpenum;c:\windows\system32\DRIVERS\bpenum.sys

S3 bpmp;Intel(R) Centrino(R) WiMAX 6050 Series;c:\windows\system32\DRIVERS\bpmp.sys

S3 bpusb;bpusb;c:\windows\system32\Drivers\bpusb.sys

S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys

S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys

S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys

.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-26 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1811056662-50345387-146203039-1000Core.job
- c:\users\Bryan Calvert\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-29 02:56]
.
2011-12-26 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1811056662-50345387-146203039-1000UA.job
- c:\users\Bryan Calvert\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-29 02:56]
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 01:05]
.
2011-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-05 01:05]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2010-05-03 324096]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"IntelWirelessWiMAX"="c:\program files\Intel\WiMAX\Bin\WiMAXCU.exe" [2010-06-08 1441792]
"RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2009-07-14 45568]
"Setwallpaper"="c:\programdata\SetWallpaper.cmd" [BU]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 196648]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 483880]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.facebook.com/
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\system32\blank.htm
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: navy.mil
DPF: {2FD395CB-BD93-4BA9-AA4B-D725754E20D1} - hxxp://test.player.portalarium.com/installers/win32/PortalariumPlayer.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
.
.
.
Completion time: 2011-12-26  14:06:03
ComboFix-quarantined-files.txt  2011-12-26 20:05
ComboFix2.txt  2011-12-26 02:55
ComboFix3.txt  2011-12-26 00:56
.
Pre-Run: 458,476,740,608 bytes free
Post-Run: 458,433,101,824 bytes free
.
- - End Of File - - F147107438F397A9DF307504B818EA8F
"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins