Generic DX Removal


kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK. 14-Feb-2012, 03:27 AM, post #16:
Okey Dokey...
Mikecurran7 (thread starter), Member. 14-Feb-2012, 01:26 PM, post #17:
ComboFix 12-02-13.01 - mcurran 14/02/2012 17:02:52.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.353.1033.18.3536.2763 [GMT 0:00]
Running from: d:\users\mcurran\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Windows
c:\programdata\windows\dumd.dat
c:\programdata\Windows\xdor.dat
C:\sooi832.bin
c:\windows\$NtUninstallKB6481$
c:\windows\$NtUninstallKB6481$\400035465\@
c:\windows\$NtUninstallKB6481$\400035465\cfg.ini
c:\windows\$NtUninstallKB6481$\400035465\Desktop.ini
c:\windows\$NtUninstallKB6481$\400035465\L\xadqgnnk
c:\windows\$NtUninstallKB6481$\400035465\U\00000001.@
c:\windows\$NtUninstallKB6481$\400035465\U\00000002.@
c:\windows\$NtUninstallKB6481$\400035465\U\00000004.@
c:\windows\$NtUninstallKB6481$\400035465\U\80000000.@
c:\windows\$NtUninstallKB6481$\400035465\U\80000004.@
c:\windows\$NtUninstallKB6481$\400035465\U\80000032.@
c:\windows\$NtUninstallKB6481$\400035465\version
c:\windows\$NtUninstallKB6481$\721151185
c:\windows\system32\GroupPolicy\Machine\Registry.pol
c:\windows\system32\SET113A.tmp
c:\windows\system32\SET1C82.tmp
c:\windows\system32\SET4936.tmp
c:\windows\system32\SET4E72.tmp
c:\windows\system32\SET5B87.tmp
c:\windows\system32\SET6384.tmp
c:\windows\system32\SET63FE.tmp
c:\windows\system32\SET676A.tmp
c:\windows\system32\SET724F.tmp
c:\windows\system32\SET9CF3.tmp
c:\windows\system32\SETA8FE.tmp
c:\windows\system32\SETB051.tmp
c:\windows\system32\SETBF1C.tmp
c:\windows\system32\SETC047.tmp
c:\windows\system32\SETDB5E.tmp
c:\windows\system32\SETDCAB.tmp
c:\windows\system32\SETEB03.tmp
c:\windows\system32\SETF48D.tmp
c:\windows\system32\SETF49F.tmp
c:\windows\system32\SETF5A3.tmp
C:\zr8161F.tmp
C:\zr8164F.tmp
C:\zr817C4.tmp
C:\zr817E3.tmp
C:\zr82857.tmp
C:\zr82933.tmp
C:\zr83227.tmp
C:\zr83256.tmp
C:\zr83285.tmp
C:\zr8470E.tmp
C:\zr8475D.tmp
C:\zr8478A.tmp
C:\zr84837.tmp
C:\zr84B42.tmp
C:\zr84B72.tmp
C:\zr8558E.tmp
C:\zr855CE.tmp
C:\zr858F8.tmp
C:\zr858F9.tmp
C:\zr85957.tmp
C:\zr85958.tmp
C:\zr860F4.tmp
C:\zr86161.tmp
C:\zr86172.tmp
C:\zr861AF.tmp
C:\zr8623C.tmp
C:\zr8627B.tmp
C:\zr8670C.tmp
C:\zr8677A.tmp
C:\zr875DA.tmp
C:\zr8760A.tmp
C:\zr87983.tmp
C:\zr879D2.tmp
C:\zr879FF.tmp
C:\zr87A2F.tmp
C:\zr884A9.tmp
C:\zr88546.tmp
C:\zr88565.tmp
C:\zr885C3.tmp
C:\zr8869.tmp
C:\zr8899.tmp
C:\zr8A0FF.tmp
C:\zr8A13F.tmp
C:\zr8A14D.tmp
C:\zr8A17D.tmp
C:\zr8A4F5.tmp
C:\zr8A564.tmp
C:\zr8A61E.tmp
C:\zr8A63D.tmp
C:\zr8A66D.tmp
C:\zr8A66E.tmp
C:\zr8A717.tmp
C:\zr8A757.tmp
C:\zr8BA3A.tmp
C:\zr8BA98.tmp
C:\zr8BB91.tmp
C:\zr8BBD0.tmp
C:\zr8C909.tmp
C:\zr8C937.tmp
C:\zr8C967.tmp
C:\zr8C986.tmp
C:\zr8CAEC.tmp
C:\zr8CB4B.tmp
C:\zr8CCFF.tmp
C:\zr8CDBB.tmp
C:\zr8D642.tmp
C:\zr8D681.tmp
C:\zr8E62.tmp
C:\zr8E91.tmp
C:\zr8EF2E.tmp
C:\zr8EF6E.tmp
C:\zr8F122.tmp
C:\zr8F180.tmp
C:\zr8F4D9.tmp
C:\zr8F519.tmp
C:\zr8FE5B.tmp
C:\zr8FE8A.tmp
d:\users\mcurran\AppData\Local\alsgjbho.log
d:\users\mcurran\AppData\Local\assembly\tmp
d:\users\mcurran\AppData\Local\detxupqs.log
d:\users\mcurran\AppData\Local\hnwemmio.log
d:\users\mcurran\AppData\Local\jgqbylmr.log
d:\users\mcurran\AppData\Local\nugqbump.log
d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe
d:\users\mcurran\AppData\Local\vodnltex.log
.
.
((((((((((((((((((((((((( Files Created from 2012-01-14 to 2012-02-14 )))))))))))))))))))))))))))))))
.
.
2012-02-13 18:10 . 2012-02-13 18:10 -------- d-----w- d:\users\mcurran\AppData\Roaming\Malwarebytes
2012-02-13 18:10 . 2012-02-13 18:10 -------- d-----w- c:\programdata\Malwarebytes
2012-02-13 18:10 . 2012-02-13 18:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-13 18:10 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-06 23:19 . 2012-02-06 23:19 388096 ----a-r- d:\users\mcurran\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-06 22:55 . 2012-02-06 22:55 -------- d-----w- c:\program files\Trend Micro
2012-02-05 18:20 . 2012-02-05 18:21 -------- d-----w- d:\users\mcurran\AppData\Roaming\uTorrent
2012-01-31 21:55 . 2012-01-31 21:55 -------- d-----w- C:\Poker
2012-01-31 21:35 . 2012-01-31 21:35 -------- d-----w- d:\users\mcurran\AppData\Local\Apple Computer
2012-01-31 21:18 . 2012-02-13 22:21 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-31 20:43 . 2012-01-31 20:43 -------- d--h--w- c:\programdata\Common Files
2012-01-31 20:41 . 2012-01-31 21:45 -------- d-----w- c:\programdata\MFAData
2012-01-31 20:10 . 2012-02-14 17:20 -------- d-----w- d:\users\mcurran\AppData\Local\oqevhuil
2012-01-31 20:09 . 2012-02-14 17:20 -------- d-----w- C:\QUARANTINE
2012-01-25 23:26 . 2012-01-25 23:26 -------- d-----w- c:\program files\VideoLAN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 21:19 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-22 12:40 . 2011-11-22 12:40 663512 ----a-w- C:\wpayback.zip
2011-11-21 10:47 . 2011-12-22 10:14 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{06876E24-E19B-4571-AF74-57E6488AA0B7}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-08-13 15:39 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-08-13 15:39 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DymoQuickPrint"="c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2010-01-27 1885944]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2010-08-17 95616]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-22 124224]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-28 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-28 151064]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-07-26 495708]
"ASMReg"="c:\program files\eSMART\Register.exe" [2011-07-29 65536]
"DLSService"="c:\program files\DYMO\DYMO Label Software\DLSService.exe" [2010-01-27 55808]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
d:\users\mcurran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Picture This.lnk - d:\users\mcurran\AppData\Roaming\Microsoft\Installer\{1FC6CB91-C46E-4878-A086-13DD6CCF79EE}\Icon1FC6CB913.exe [2011-6-30 12288]
ttvirurc.exe [2012-1-31 98260]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2010-8-13 132456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe"
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1352148485-155271270-1313727497-2865\Scripts\Logon\0\0]
"Script"=\\gti.int\SysVol\gti.int\scripts\sig.bat
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-07-26 42672]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-07-26 214696]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-07-26 232960]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-22 66536]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-07-26 6114816]
R3 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2010-07-26 59904]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-18 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2010-07-26 81920]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2009-05-15 1803512]
S2 eSMARTUM;eSMART Usage Monitoring;c:\program files\eSMART\eSMARTUM.exe [2012-01-09 50176]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2010-10-22 22816]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-22 69192]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2010-07-26 33832]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-09-28 221912]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-07-26 126976]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2010-07-14 6814720]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://portal/Pages/default.aspx
uInternet Settings,ProxyOverride = *.local;vaultserver1.gti.int;evgt01;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
HKCU-Run-TtvIrurc - d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(520)
c:\windows\system32\wvauth.DLL
c:\program files\Wave Systems Corp\Common\CryptoManager.dll
c:\windows\system32\tcg15.dll
c:\windows\system32\Tsp1.dll
c:\windows\system32\wclient14.dll
.
- - - - - - - > 'Explorer.exe'(5840)
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\IDT\WDM\STacSV.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\eSMART\ASMAgent.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\conhost.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\conhost.exe
c:\program files\DellTPad\HidFind.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\GTPicThis\GTPicThis.EXE
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2012-02-14 17:26:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-14 17:26
.
Pre-Run: 42,283,319,296 bytes free
Post-Run: 42,227,798,016 bytes free
.
- - End Of File - - 79548FAE55B610629B72DA476A35F54A
kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK. 14-Feb-2012, 03:51 PM, post #18:
Hiya Mike,

Continue as follows:

Step 1

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

Code:
KillAll::
ClearJavaCache::
Folder::
d:\users\mcurran\AppData\Local\oqevhuil
DirLook::
C:\Poker
C:\QUARANTINE
C:\TDSSKiller_Quarantine
DDS::
uInternet Settings,ProxyOverride = *.local;vaultserver1.gti.int;evgt01;<local>
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Save this as CFScript.txt, and as Type: All Files (*.*), in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
You can refer to this animation by neomage if needed.
Frequently asked questions are available Here. Please read them before running the scan.

Also be aware this scan can take several hours to complete depending on the size of your system.

The ESET log can be found here: "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

Post those two logs, and also give an update on current issues.

Kevin
Mikecurran7 (thread starter), Member. 14-Feb-2012, 06:04 PM, post #19:
ComboFix 12-02-13.01 - mcurran 14/02/2012 20:13:56.2.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.353.1033.18.3536.2641 [GMT 0:00]
Running from: d:\users\mcurran\Desktop\ComboFix.exe
Command switches used :: d:\users\mcurran\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\users\mcurran\AppData\Local\oqevhuil
d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe
d:\users\mcurran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttvirurc.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-01-14 to 2012-02-14 )))))))))))))))))))))))))))))))
.
.
2012-02-14 20:23 . 2012-02-14 20:23 -------- d-----w- d:\users\Default\AppData\Local\temp
2012-02-14 20:23 . 2012-02-14 20:23 -------- d-----w- d:\users\Administrator\AppData\Local\temp
2012-02-14 19:24 . 2012-02-14 20:24 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{06876E24-E19B-4571-AF74-57E6488AA0B7}\offreg.dll
2012-02-13 18:10 . 2012-02-13 18:10 -------- d-----w- d:\users\mcurran\AppData\Roaming\Malwarebytes
2012-02-13 18:10 . 2012-02-13 18:10 -------- d-----w- c:\programdata\Malwarebytes
2012-02-06 22:55 . 2012-02-06 22:55 -------- d-----w- c:\program files\Trend Micro
2012-02-05 18:20 . 2012-02-05 18:21 -------- d-----w- d:\users\mcurran\AppData\Roaming\uTorrent
2012-01-31 21:55 . 2012-01-31 21:55 -------- d-----w- C:\Poker
2012-01-31 21:35 . 2012-01-31 21:35 -------- d-----w- d:\users\mcurran\AppData\Local\Apple Computer
2012-01-31 21:18 . 2012-02-13 22:21 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-31 20:43 . 2012-01-31 20:43 -------- d--h--w- c:\programdata\Common Files
2012-01-31 20:41 . 2012-01-31 21:45 -------- d-----w- c:\programdata\MFAData
2012-01-31 20:09 . 2012-02-14 20:13 -------- d-----w- C:\QUARANTINE
2012-01-25 23:26 . 2012-01-25 23:26 -------- d-----w- c:\program files\VideoLAN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 21:19 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-22 12:40 . 2011-11-22 12:40 663512 ----a-w- C:\wpayback.zip
2011-11-21 10:47 . 2011-12-22 10:14 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{06876E24-E19B-4571-AF74-57E6488AA0B7}\mpengine.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\Poker ----
.
.
---- Directory of C:\QUARANTINE ----
.
2012-02-14 20:13 . 2012-02-14 20:13 3072 ----a-w- c:\quarantine\7dc2e14d39380.bup
2012-02-14 19:25 . 2012-02-14 20:01 18944 ----a-w- c:\quarantine\7dc2e13191932b0.bup
2012-02-14 18:08 . 2012-02-14 18:32 18944 ----a-w- c:\quarantine\7dc2e128351940.bup
2012-02-14 17:20 . 2012-02-14 18:05 18944 ----a-w- c:\quarantine\7dc2e11142834a0.bup
2012-02-14 17:02 . 2012-02-14 17:02 3072 ----a-w- c:\quarantine\7dc2e112343de0.bup
2012-02-14 17:01 . 2012-02-14 17:01 32768 ----a-w- c:\quarantine\7dc2e111252b0.bup
2012-02-14 16:42 . 2012-02-14 17:00 18944 ----a-w- c:\quarantine\7dc2e102a11c20.bup
2012-02-13 22:23 . 2012-02-14 00:59 18944 ----a-w- c:\quarantine\7dc2d161742600.bup
2012-02-13 19:56 . 2012-02-13 22:21 114688 ----a-w- c:\quarantine\7dc2d133863d30.bup
2012-02-13 19:03 . 2012-02-13 22:21 192512 ----a-w- c:\quarantine\7dc2d1331f50.bup
2012-02-13 18:27 . 2012-02-13 22:21 18944 ----a-w- c:\quarantine\7dc2d121b1f2580.bup
2012-02-13 18:18 . 2012-02-13 18:25 24576 ----a-w- c:\quarantine\7dc2d121226970.bup
2012-02-12 22:55 . 2012-02-13 18:25 18944 ----a-w- c:\quarantine\7dc2c163728880.bup
2012-02-12 17:53 . 2012-02-12 20:00 18944 ----a-w- c:\quarantine\7dc2c11352f320.bup
2012-02-12 13:15 . 2012-02-12 14:52 18944 ----a-w- c:\quarantine\7dc2cdf2c36f0.bup
2012-02-11 21:22 . 2012-02-11 21:26 18944 ----a-w- c:\quarantine\7dc2b1516a26b0.bup
2012-02-11 20:46 . 2012-02-11 21:06 18944 ----a-w- c:\quarantine\7dc2b142e42790.bup
2012-02-11 13:40 . 2012-02-11 16:10 18944 ----a-w- c:\quarantine\7dc2bd28372ad0.bup
2012-02-08 22:08 . 2012-02-08 22:08 17920 ----a-w- c:\quarantine\7dc281683b1d0.bup
2012-02-07 22:29 . 2012-02-07 22:29 17920 ----a-w- c:\quarantine\7dc27161d61dc0.bup
2012-02-06 22:46 . 2012-02-06 22:46 17920 ----a-w- c:\quarantine\7dc26162e2a3a0.bup
2012-02-06 22:00 . 2012-02-06 22:00 17920 ----a-w- c:\quarantine\7dc26160714b0.bup
2012-02-06 21:54 . 2012-02-06 21:58 114688 ----a-w- c:\quarantine\7dc26153616320.bup
2012-02-06 18:28 . 2012-02-06 18:28 17920 ----a-w- c:\quarantine\7dc26121c62a60.bup
2012-02-05 23:32 . 2012-02-05 23:32 17920 ----a-w- c:\quarantine\7dc2517202f26e0.bup
2012-02-05 17:22 . 2012-02-05 18:29 24576 ----a-w- c:\quarantine\7dc251116c2880.bup
2012-02-05 17:21 . 2012-02-05 17:21 17920 ----a-w- c:\quarantine\7dc251115201920.bup
2012-02-05 16:12 . 2012-02-05 16:12 3584 ----a-w- c:\quarantine\7dc2510c1815e0.bup
2012-02-05 16:12 . 2012-02-05 16:12 24576 ----a-w- c:\quarantine\7dc2510c17950.bup
2012-02-01 22:16 . 2012-02-01 22:16 17920 ----a-w- c:\quarantine\7dc21161031920.bup
2012-01-31 21:21 . 2012-01-31 21:21 17920 ----a-w- c:\quarantine\7dc11f15152adb0.bup
2012-01-31 20:21 . 2012-01-31 20:28 369152 ----a-w- c:\quarantine\7dc11f1415a13e0.bup
2012-01-31 20:15 . 2012-01-31 20:15 8192 ----a-w- c:\quarantine\7dc11f14f2b2720.bup
2012-01-31 20:15 . 2012-01-31 20:15 8192 ----a-w- c:\quarantine\7dc11f14f25b70.bup
2012-01-31 20:15 . 2012-01-31 20:15 8192 ----a-w- c:\quarantine\7dc11f14f18db0.bup
2012-01-31 20:15 . 2012-01-31 20:15 8192 ----a-w- c:\quarantine\7dc11f14f1222d0.bup
2012-01-31 20:15 . 2012-01-31 20:15 8192 ----a-w- c:\quarantine\7dc11f14f121520.bup
2012-01-31 20:15 . 2012-01-31 20:15 8192 ----a-w- c:\quarantine\7dc11f14f71450.bup
2012-01-31 20:15 . 2012-01-31 20:15 8192 ----a-w- c:\quarantine\7dc11f14f76a0.bup
2012-01-31 20:14 . 2012-01-31 20:14 8192 ----a-w- c:\quarantine\7dc11f14e3a3100.bup
2012-01-31 20:14 . 2012-01-31 20:14 8192 ----a-w- c:\quarantine\7dc11f14e3034a0.bup
2012-01-31 20:14 . 2012-01-31 20:14 8192 ----a-w- c:\quarantine\7dc11f14e20cf0.bup
2012-01-31 20:14 . 2012-01-31 20:14 8192 ----a-w- c:\quarantine\7dc11f14e1628e0.bup
2012-01-31 20:14 . 2012-01-31 20:14 8192 ----a-w- c:\quarantine\7dc11f14ed1360.bup
2012-01-31 20:14 . 2012-01-31 20:14 8192 ----a-w- c:\quarantine\7dc11f14e43ac0.bup
2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14d392480.bup
2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14d371ca0.bup
2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14d302a80.bup
2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14d291200.bup
2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14d221720.bup
2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14d1b2f40.bup
2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14dc32b0.bup
2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14d7fc0.bup
2012-01-31 20:12 . 2012-01-31 20:12 8192 ----a-w- c:\quarantine\7dc11f14c3315d0.bup
2012-01-31 20:12 . 2012-01-31 20:12 8192 ----a-w- c:\quarantine\7dc11f14c71b50.bup
2012-01-31 20:12 . 2012-01-31 20:12 8192 ----a-w- c:\quarantine\7dc11f14c02d60.bup
2012-01-31 20:11 . 2012-01-31 20:11 8192 ----a-w- c:\quarantine\7dc11f14b312320.bup
2012-01-31 20:11 . 2012-01-31 20:11 8192 ----a-w- c:\quarantine\7dc11f14b291330.bup
2012-01-31 20:11 . 2012-01-31 20:11 8192 ----a-w- c:\quarantine\7dc11f14b191e0.bup
2012-01-31 20:11 . 2012-01-31 20:11 8192 ----a-w- c:\quarantine\7dc11f14b123c80.bup
2012-01-31 20:11 . 2012-01-31 20:11 8192 ----a-w- c:\quarantine\7dc11f14b7ee0.bup
2012-01-31 20:10 . 2012-01-31 20:10 17920 ----a-w- c:\quarantine\7dc11f14a2a3070.bup
2012-01-31 20:09 . 2012-01-31 20:09 8192 ----a-w- c:\quarantine\7dc11f1491b2790.bup
.
---- Directory of C:\TDSSKiller_Quarantine ----
.
2012-02-13 22:21 . 2012-02-13 22:21 260 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0001\svc0000\object.ini
2012-02-13 22:21 . 2012-02-13 22:21 54016 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0001\svc0000\tsk0000.dta
2012-02-13 22:21 . 2012-02-13 22:21 232 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0001\svc0000\tsk0000.ini
2012-02-13 22:21 . 2012-02-13 22:21 112 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0001\object.ini
2012-02-13 22:21 . 2012-02-13 22:21 234 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0000\svc0000\tsk0000.ini
2012-02-13 22:21 . 2012-02-13 22:21 306 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0000\svc0000\object.ini
2012-02-13 22:21 . 2012-02-13 22:21 6757 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0000\svc0000\tsk0000.dta
2012-02-13 22:21 . 2012-02-13 22:21 112 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0000\object.ini
2012-01-31 21:18 . 2012-01-31 21:18 234 ----a-w- c:\tdsskiller_quarantine\31.01.2012_21.17.16\rtkt0000\svc0000\tsk0001.ini
2012-01-31 21:18 . 2012-01-31 21:18 187904 ----a-w- c:\tdsskiller_quarantine\31.01.2012_21.17.16\rtkt0000\svc0000\tsk0001.dta
2012-01-31 21:18 . 2012-01-31 21:18 234 ----a-w- c:\tdsskiller_quarantine\31.01.2012_21.17.16\rtkt0000\svc0000\tsk0000.ini
2012-01-31 21:18 . 2012-01-31 21:18 336 ----a-w- c:\tdsskiller_quarantine\31.01.2012_21.17.16\rtkt0000\svc0000\object.ini
2012-01-31 21:18 . 2012-01-31 21:18 102 ----a-w- c:\tdsskiller_quarantine\31.01.2012_21.17.16\rtkt0000\object.ini
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-08-13 15:39 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-08-13 15:39 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DymoQuickPrint"="c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2010-01-27 1885944]
"TtvIrurc"="d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2010-08-17 95616]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-22 124224]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-28 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-28 151064]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-07-26 495708]
"ASMReg"="c:\program files\eSMART\Register.exe" [2011-07-29 65536]
"DLSService"="c:\program files\DYMO\DYMO Label Software\DLSService.exe" [2010-01-27 55808]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
.
d:\users\mcurran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Picture This.lnk - d:\users\mcurran\AppData\Roaming\Microsoft\Installer\{1FC6CB91-C46E-4878-A086-13DD6CCF79EE}\Icon1FC6CB913.exe [2011-6-30 12288]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2010-8-13 132456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1352148485-155271270-1313727497-2865\Scripts\Logon\0\0]
"Script"=\\gti.int\SysVol\gti.int\scripts\sig.bat
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 eSMARTUM;eSMART Usage Monitoring;c:\program files\eSMART\eSMARTUM.exe [2012-01-09 50176]
R3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-07-26 42672]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-07-26 214696]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-07-26 232960]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-22 66536]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-07-26 6114816]
R3 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2010-07-26 59904]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-18 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2010-07-26 81920]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2009-05-15 1803512]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2010-10-22 22816]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-22 69192]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2010-07-26 33832]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-09-28 221912]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-07-26 126976]
S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2010-07-14 6814720]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://portal/Pages/default.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(536)
c:\windows\system32\wvauth.DLL
c:\program files\Wave Systems Corp\Common\CryptoManager.dll
c:\windows\system32\tcg15.dll
c:\windows\system32\Tsp1.dll
c:\windows\system32\wclient14.dll
.
- - - - - - - > 'Explorer.exe'(3268)
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\IDT\WDM\STacSV.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\eSMART\ASMAgent.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\conhost.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\GTPicThis\GTPicThis.EXE
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-02-14 20:53:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-14 20:53
ComboFix2.txt 2012-02-14 17:26
.
Pre-Run: 42,299,760,640 bytes free
Post-Run: 42,191,392,768 bytes free
.
- - End Of File - - 032EFE69AA1002E6731EC367F3473EE9

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8PU495RY\help[1].htm JS/Kryptik.GV trojan
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHCX1G0A\belissimowe_org_in[2].htm HTML/Iframe.B.Gen virus
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHCX1G0A\bysex_wen_su[1].txt HTML/Iframe.B.Gen virus
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P9QDEY9I\forum[1].htm JS/Kryptik.GV trojan

McAfee still says there is something spotted every time I turn the computer on.
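The UAC and LSA lines in the log above deserve a look before the detections do. The following is an added example, not code from the thread, from ComboFix or from McAfee: a Python triage that reads those two registry blocks out of a ComboFix-style log and flags UAC values that differ from the stock Windows 7 defaults, plus any LSA authentication package beyond msv1_0. The sample text is a constructed excerpt copying the two blocks above. The defaults assume a machine that is not configured by Group Policy; on a domain-joined box such as this one (it runs a logon script from \\gti.int) the same values may be intentional and should be checked against policy. EnableLUA=0 together with ConsentPromptBehaviorAdmin=0 means everything the logged-on administrator runs already has a full token, so nothing the malware did needed a prompt. The extra package wvauth is only flagged for review: the same log shows wvauth.DLL loaded in lsass.exe next to Wave Systems' CryptoManager.dll, and the script makes no judgement about whether it belongs there.

```python
"""Triage the UAC and LSA lines of a ComboFix-style log.

Added example: not code from the thread, from ComboFix or from McAfee.
SAMPLE_LOG is a constructed excerpt reproducing the two registry blocks
shown in the log above.
"""
import re

SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
"""

# Stock Windows 7 values (assumption: a box not managed by Group Policy).
UAC_DEFAULTS = {
    "EnableLUA": 1,                   # 0 turns UAC off: admin processes start with a full token
    "ConsentPromptBehaviorAdmin": 5,  # 0 elevates without any prompt
    "PromptOnSecureDesktop": 1,       # 0 shows the prompt on the normal desktop, where it can be automated
}
STOCK_AUTH_PACKAGES = {"msv1_0"}      # only package present by default; anything else loads into lsass.exe

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>-?\d+)')
AUTHPKG_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(?P<pkgs>.+)$")


def parse_blocks(text):
    """Map each '[HKEY_...]' header (lower-cased) to the non-empty lines under it."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            blocks[current] = []
        elif current is not None and line.strip() not in ("", "."):
            blocks[current].append(line)
    return blocks


def triage(text):
    """Return (severity, message) findings for non-default UAC values and extra LSA packages."""
    findings = []
    for key, lines in parse_blocks(text).items():
        if key.endswith("\\policies\\system"):
            for line in lines:
                m = VALUE_RE.match(line)
                if m and m.group("name") in UAC_DEFAULTS:
                    name, val = m.group("name"), int(m.group("val"))
                    if val != UAC_DEFAULTS[name]:
                        findings.append(("high", f"{name}={val} (default {UAC_DEFAULTS[name]})"))
        elif key.endswith("\\control\\lsa"):
            for line in lines:
                m = AUTHPKG_RE.match(line)
                if m:
                    for pkg in sorted(set(m.group("pkgs").split()) - STOCK_AUTH_PACKAGES):
                        findings.append(("review", f"non-default LSA authentication package: {pkg}"))
    return findings


if __name__ == "__main__":
    # Paste a full ComboFix log in place of SAMPLE_LOG; unrelated sections are ignored.
    for severity, msg in triage(SAMPLE_LOG):
        print(f"[{severity}] {msg}")
```

Run against the excerpt it reports three "high" UAC findings and one "review" finding for wvauth. The key-path matching uses the tail of the path only, so the same function works on logs that print HKLM with either casing.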

kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK: 15-Feb-2012, 03:07 AM #20
Please download OTM by OldTimer.

Alternative Mirror 1
Alternative Mirror 2

Save it to your desktop.
Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator. Be aware that all processes will be stopped during the run; the Desktop will also disappear, and will be put back on completion.
  • Copy the text from the code box below to the clipboard by highlighting all of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "TtvIrurc"=-
    :Services
    :Files
    ipconfig /flushdns /c
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting all of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.


Let me see that log. What is McAfee alerting to? Can you give a screenshot or write down what it states? Is it Artemis?

Kevin

Mikecurran7 (thread starter): 15-Feb-2012, 01:50 PM #21
All processes killed
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru not found.
========== SERVICES/DRIVERS ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
D:\USERS\mcurran\Desktop\cmd.bat deleted successfully.
D:\USERS\mcurran\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: mcurran
->Temp folder emptied: 188549 bytes
->Temporary Internet Files folder emptied: 95821670 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 3850 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 50999 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 92.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 02152012_173809



That saved to D:

The message that McAfee keeps popping up is:
Detection Type - Trojan

Mikecurran7 (thread starter): 15-Feb-2012, 01:52 PM #22
Detected as - Generic dx!zvv
Number of objects - 6
DAT Version - 6619.0000
Engine Version - 5400.1158

kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK: 15-Feb-2012, 02:16 PM #23
Download aswMBR from Here
If it asks to update during the process please allow this to happen.
  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan.
    Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.
  • Once the scan finishes click Save log to save the log to your Desktop.
  • Copy and paste the contents of aswMBR.txt back here for review.
  • You will also notice another file created on the desktop named MBR.dat. Right-click that file and select Send To and then Compressed (zipped) file. Attach that zipped file to your next reply as well.

Kevin

Mikecurran7 (thread starter): 15-Feb-2012, 06:19 PM #24
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-15 21:45:26
-----------------------------
21:45:26.740 OS Version: Windows 6.1.7600
21:45:26.740 Number of processors: 2 586 0x1706
21:45:26.740 ComputerName: 4QLKZ3J UserName: mcurran
21:46:02.231 Initialize success
21:46:17.387 AVAST engine defs: 12021501
21:46:55.514 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:46:55.514 Disk 0 Vendor: ST912082 3.AD Size: 114473MB BusType: 3
21:46:55.529 Disk 0 MBR read successfully
21:46:55.529 Disk 0 MBR scan
21:46:55.561 Disk 0 Windows 7 default MBR code
21:46:55.561 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 61440 MB offset 2048
21:46:55.607 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 52720 MB offset 125831168
21:46:55.654 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 300 MB offset 233801728
21:46:55.717 Disk 0 scanning sectors +234416128
21:46:55.826 Disk 0 scanning C:\Windows\system32\drivers
21:47:25.091 Service scanning
21:47:27.307 Modules scanning
21:47:41.503 Disk 0 trace - called modules:
21:47:41.549 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
21:47:41.549 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x884f1880]
21:47:41.565 3 CLASSPNP.SYS[8379b59e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x865eb028]
21:47:42.142 AVAST engine scan C:\Windows
21:47:57.337 AVAST engine scan C:\Windows\system32
21:55:52.198 AVAST engine scan C:\Windows\system32\drivers
21:56:22.935 AVAST engine scan D:\USERS\mcurran
22:02:24.955 AVAST engine scan C:\ProgramData
22:04:21.909 Scan finished successfully
22:08:25.405 Disk 0 MBR has been saved successfully to "D:\USERS\mcurran\Desktop\MBR.dat"
22:08:25.421 The log file has been saved successfully to "D:\USERS\mcurran\Desktop\aswMBR.txt"
[Attachment (zipped MBR.dat) blocked by the forum; not viewable here.]
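The MBR.dat file aswMBR saved above is the raw first sector of Disk 0: 446 bytes of boot code, four 16-byte partition entries starting at byte offset 446, and the 0x55AA signature at byte 510. The following Python decoder is an added example, not code from the thread, from aswMBR or from AVAST. Its MBR is constructed here: zeroed boot code plus a partition table filled in from the three partitions in the aswMBR log, so the decoded start LBAs and sizes can be checked line by line against the log. The layout checks (partitions contiguous, inside the disk, exactly one active) and the count of sectors after the last partition (the region the "scanning sectors +234416128" line refers to, and the usual hiding place for bootkit code and config) are what a reviewer looks at before agreeing a table is clean. The disk size comes from the "Size: 114473MB" line, which aswMBR reports in whole MiB, so the tail count is approximate; the boot code is hashed so it can be compared with a known-good image, which is effectively what aswMBR's "Windows 7 default MBR code" verdict does.

```python
"""Decode a raw 512-byte MBR (the layout of aswMBR's MBR.dat).

Added example: not code from the thread, from aswMBR or from AVAST.
CONSTRUCTED_MBR is built here from the partitions in the aswMBR log
(zeroed boot code, partition table as reported) so the decoder's output
can be compared with what the tool printed.
"""
import hashlib
import struct

SECTOR = 512
MIB_SECTORS = 1024 * 1024 // SECTOR   # 2048 sectors per MiB
ENTRY_FMT = "<B3sB3sII"               # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446                    # boot code occupies bytes 0..445


def build_entry(active, ptype, lba_start, sectors):
    """Pack one 16-byte partition entry; CHS fields are left zero (only LBA matters here)."""
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


# Constructed from the log: type 0x07 (NTFS), start LBA, size in MiB; partition 3 carries the 0x80 active flag.
CONSTRUCTED_MBR = (
    bytes(TABLE_OFFSET)
    + build_entry(False, 0x07, 2048, 61440 * MIB_SECTORS)
    + build_entry(False, 0x07, 125831168, 52720 * MIB_SECTORS)
    + build_entry(True, 0x07, 233801728, 300 * MIB_SECTORS)
    + bytes(16)                       # empty fourth slot
    + b"\x55\xaa"
)
DISK_MIB = 114473                     # "Size: 114473MB" in the log (whole MiB, so approximate)
DISK_SECTORS = DISK_MIB * MIB_SECTORS


def parse_mbr(blob):
    """Return the non-empty partition entries as dicts; raise ValueError on a malformed sector."""
    if len(blob) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if blob[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = blob[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, raw)
        if ptype == 0:
            continue                  # unused slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i + 1}: invalid status byte {status:#04x}")
        entries.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                        "lba": lba, "sectors": count, "mib": count // MIB_SECTORS})
    return entries


def check_layout(entries, disk_sectors):
    """Checks to make before calling a table clean: no overlap, inside the disk, exactly one active partition."""
    problems = []
    ordered = sorted(entries, key=lambda e: e["lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba"] + a["sectors"] > b["lba"]:
            problems.append(f"partition {a['index']} overlaps partition {b['index']}")
    for e in ordered:
        if e["lba"] + e["sectors"] > disk_sectors:
            problems.append(f"partition {e['index']} extends past the end of the disk")
    if sum(e["active"] for e in entries) != 1:
        problems.append("expected exactly one active (bootable) partition")
    return problems


def unallocated_tail(entries, disk_sectors):
    """Sectors after the last partition: the '+<lba>' region aswMBR scans, where bootkits stash code."""
    return disk_sectors - max(e["lba"] + e["sectors"] for e in entries)


def bootcode_digest(blob):
    """SHA-256 of the 446 boot-code bytes, for comparison against a known-good MBR image."""
    return hashlib.sha256(blob[:TABLE_OFFSET]).hexdigest()


if __name__ == "__main__":
    # For a real capture: blob = open("MBR.dat", "rb").read()
    parts = parse_mbr(CONSTRUCTED_MBR)
    for p in parts:
        flag = "80 (A)" if p["active"] else "00"
        print(f"Partition {p['index']} {flag} {p['type']:02X} {p['mib']} MB offset {p['lba']}")
    print("layout problems:", check_layout(parts, DISK_SECTORS) or "none")
    print("unallocated tail sectors:", unallocated_tail(parts, DISK_SECTORS))
    print("boot code sha256:", bootcode_digest(CONSTRUCTED_MBR))
```

The three decoded entries reproduce the log exactly: 61440 MB at offset 2048, 52720 MB at 125831168 and the 300 MB active partition at 233801728, each starting where the previous one ends, with roughly 24576 sectors (12 MiB) left after the last one. A real MBR.dat from a bootkit-infected disk typically fails one of these checks or yields a boot-code hash that does not match the stock loader.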

kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK: 15-Feb-2012, 06:36 PM #25
That log is clean, are you still seeing the alert from McAfee?

Mikecurran7 (thread starter): 15-Feb-2012, 06:47 PM #26
I think it's gone. Haven't got a warning in a while.

Thanks very much.

kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK: 15-Feb-2012, 06:55 PM #27
Run the following:

Remove Combofix now that we're done with it
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")

  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
The above procedure will delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\_OTMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

Next,
  • Download OTC by OldTimer and save it to your desktop. Alternative mirror
  • Double click icon to start the program.
    If you are using Vista or Windows 7, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself. Any tools/logs remaining on the Desktop can be deleted.

Next,

Remove ESET online scanner:
  • Click Start, type Uninstall a Program into the Search programs and files box, and then press ENTER.
  • Click to select ESET Online Scanner from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks. Uninstall ESET Online Scanner; only reboot if prompted.

Next,

You will have several programs installed; these may be outdated and vulnerable to exploits as well. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

Let me know if those steps complete OK, also give update on any remaining issues or concerns...

Kevin

Mikecurran7 (thread starter): 15-Feb-2012, 07:15 PM #28
Tried to do a ComboFix uninstall; it said it couldn't find it.

Got a message from McAfee again. See ZIP attached.
[Attachment (zipped McAfee alert) blocked by the forum; not viewable here.]

kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK: 16-Feb-2012, 03:52 AM #29
Hiya Mike,

Did you continue with the other two steps? The alert is nothing to worry about. Run the following; when you reboot on completion, let me know if McAfee alerts again...

Download TFC to your desktop, from either of the following links
Link 1
Link 2
  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select "Run as Administrator".
  • If prompted, click "Yes" to reboot.
TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may reboot your system; if not, reboot it yourself to complete the cleaning process <---- Very Important

Keep TFC; it is an excellent utility to keep your system optimized. It empties all user temp folders, Java cache, etc. Always remember to reboot after a run, even if not prompted.

Kevin

Tags: generic, spyeyes, trojan