
Generic DX Removal

Discussion in 'Virus & Other Malware Removal' started by Mikecurran7, Feb 6, 2012.

  1. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,158
    Okey Dokey...
     
  2. Mikecurran7

    Mikecurran7 Thread Starter

    Joined:
    Feb 6, 2012
    Messages:
    21
    ComboFix 12-02-13.01 - mcurran 14/02/2012 17:02:52.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.353.1033.18.3536.2763 [GMT 0:00]
    Running from: d:\users\mcurran\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Windows
    c:\programdata\windows\dumd.dat
    c:\programdata\Windows\xdor.dat
    C:\sooi832.bin
    c:\windows\$NtUninstallKB6481$
    c:\windows\$NtUninstallKB6481$\400035465\@
    c:\windows\$NtUninstallKB6481$\400035465\cfg.ini
    c:\windows\$NtUninstallKB6481$\400035465\Desktop.ini
    c:\windows\$NtUninstallKB6481$\400035465\L\xadqgnnk
    c:\windows\$NtUninstallKB6481$\400035465\U\00000001.@
    c:\windows\$NtUninstallKB6481$\400035465\U\00000002.@
    c:\windows\$NtUninstallKB6481$\400035465\U\00000004.@
    c:\windows\$NtUninstallKB6481$\400035465\U\80000000.@
    c:\windows\$NtUninstallKB6481$\400035465\U\80000004.@
    c:\windows\$NtUninstallKB6481$\400035465\U\80000032.@
    c:\windows\$NtUninstallKB6481$\400035465\version
    c:\windows\$NtUninstallKB6481$\721151185
    c:\windows\system32\GroupPolicy\Machine\Registry.pol
    c:\windows\system32\SET113A.tmp
    c:\windows\system32\SET1C82.tmp
    c:\windows\system32\SET4936.tmp
    c:\windows\system32\SET4E72.tmp
    c:\windows\system32\SET5B87.tmp
    c:\windows\system32\SET6384.tmp
    c:\windows\system32\SET63FE.tmp
    c:\windows\system32\SET676A.tmp
    c:\windows\system32\SET724F.tmp
    c:\windows\system32\SET9CF3.tmp
    c:\windows\system32\SETA8FE.tmp
    c:\windows\system32\SETB051.tmp
    c:\windows\system32\SETBF1C.tmp
    c:\windows\system32\SETC047.tmp
    c:\windows\system32\SETDB5E.tmp
    c:\windows\system32\SETDCAB.tmp
    c:\windows\system32\SETEB03.tmp
    c:\windows\system32\SETF48D.tmp
    c:\windows\system32\SETF49F.tmp
    c:\windows\system32\SETF5A3.tmp
    C:\zr8161F.tmp
    C:\zr8164F.tmp
    C:\zr817C4.tmp
    C:\zr817E3.tmp
    C:\zr82857.tmp
    C:\zr82933.tmp
    C:\zr83227.tmp
    C:\zr83256.tmp
    C:\zr83285.tmp
    C:\zr8470E.tmp
    C:\zr8475D.tmp
    C:\zr8478A.tmp
    C:\zr84837.tmp
    C:\zr84B42.tmp
    C:\zr84B72.tmp
    C:\zr8558E.tmp
    C:\zr855CE.tmp
    C:\zr858F8.tmp
    C:\zr858F9.tmp
    C:\zr85957.tmp
    C:\zr85958.tmp
    C:\zr860F4.tmp
    C:\zr86161.tmp
    C:\zr86172.tmp
    C:\zr861AF.tmp
    C:\zr8623C.tmp
    C:\zr8627B.tmp
    C:\zr8670C.tmp
    C:\zr8677A.tmp
    C:\zr875DA.tmp
    C:\zr8760A.tmp
    C:\zr87983.tmp
    C:\zr879D2.tmp
    C:\zr879FF.tmp
    C:\zr87A2F.tmp
    C:\zr884A9.tmp
    C:\zr88546.tmp
    C:\zr88565.tmp
    C:\zr885C3.tmp
    C:\zr8869.tmp
    C:\zr8899.tmp
    C:\zr8A0FF.tmp
    C:\zr8A13F.tmp
    C:\zr8A14D.tmp
    C:\zr8A17D.tmp
    C:\zr8A4F5.tmp
    C:\zr8A564.tmp
    C:\zr8A61E.tmp
    C:\zr8A63D.tmp
    C:\zr8A66D.tmp
    C:\zr8A66E.tmp
    C:\zr8A717.tmp
    C:\zr8A757.tmp
    C:\zr8BA3A.tmp
    C:\zr8BA98.tmp
    C:\zr8BB91.tmp
    C:\zr8BBD0.tmp
    C:\zr8C909.tmp
    C:\zr8C937.tmp
    C:\zr8C967.tmp
    C:\zr8C986.tmp
    C:\zr8CAEC.tmp
    C:\zr8CB4B.tmp
    C:\zr8CCFF.tmp
    C:\zr8CDBB.tmp
    C:\zr8D642.tmp
    C:\zr8D681.tmp
    C:\zr8E62.tmp
    C:\zr8E91.tmp
    C:\zr8EF2E.tmp
    C:\zr8EF6E.tmp
    C:\zr8F122.tmp
    C:\zr8F180.tmp
    C:\zr8F4D9.tmp
    C:\zr8F519.tmp
    C:\zr8FE5B.tmp
    C:\zr8FE8A.tmp
    d:\users\mcurran\AppData\Local\alsgjbho.log
    d:\users\mcurran\AppData\Local\assembly\tmp
    d:\users\mcurran\AppData\Local\detxupqs.log
    d:\users\mcurran\AppData\Local\hnwemmio.log
    d:\users\mcurran\AppData\Local\jgqbylmr.log
    d:\users\mcurran\AppData\Local\nugqbump.log
    d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe
    d:\users\mcurran\AppData\Local\vodnltex.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-14 to 2012-02-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-13 18:10 . 2012-02-13 18:10 -------- d-----w- d:\users\mcurran\AppData\Roaming\Malwarebytes
    2012-02-13 18:10 . 2012-02-13 18:10 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-13 18:10 . 2012-02-13 18:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-13 18:10 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-06 23:19 . 2012-02-06 23:19 388096 ----a-r- d:\users\mcurran\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2012-02-06 22:55 . 2012-02-06 22:55 -------- d-----w- c:\program files\Trend Micro
    2012-02-05 18:20 . 2012-02-05 18:21 -------- d-----w- d:\users\mcurran\AppData\Roaming\uTorrent
    2012-01-31 21:55 . 2012-01-31 21:55 -------- d-----w- C:\Poker
    2012-01-31 21:35 . 2012-01-31 21:35 -------- d-----w- d:\users\mcurran\AppData\Local\Apple Computer
    2012-01-31 21:18 . 2012-02-13 22:21 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-01-31 20:43 . 2012-01-31 20:43 -------- d--h--w- c:\programdata\Common Files
    2012-01-31 20:41 . 2012-01-31 21:45 -------- d-----w- c:\programdata\MFAData
    2012-01-31 20:10 . 2012-02-14 17:20 -------- d-----w- d:\users\mcurran\AppData\Local\oqevhuil
    2012-01-31 20:09 . 2012-02-14 17:20 -------- d-----w- C:\QUARANTINE
    2012-01-25 23:26 . 2012-01-25 23:26 -------- d-----w- c:\program files\VideoLAN
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-31 21:19 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
    2011-11-22 12:40 . 2011-11-22 12:40 663512 ----a-w- C:\wpayback.zip
    2011-11-21 10:47 . 2011-12-22 10:14 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{06876E24-E19B-4571-AF74-57E6488AA0B7}\mpengine.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2010-08-13 15:39 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2010-08-13 15:39 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DymoQuickPrint"="c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2010-01-27 1885944]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
    "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2010-08-17 95616]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-22 124224]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-28 174104]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-28 151064]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-07-26 495708]
    "ASMReg"="c:\program files\eSMART\Register.exe" [2011-07-29 65536]
    "DLSService"="c:\program files\DYMO\DYMO Label Software\DLSService.exe" [2010-01-27 55808]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    .
    d:\users\mcurran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Picture This.lnk - d:\users\mcurran\AppData\Roaming\Microsoft\Installer\{1FC6CB91-C46E-4878-A086-13DD6CCF79EE}\Icon1FC6CB913.exe [2011-6-30 12288]
    ttvirurc.exe [2012-1-31 98260]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2010-8-13 132456]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe"
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1352148485-155271270-1313727497-2865\Scripts\Logon\0\0]
    "Script"=\\gti.int\SysVol\gti.int\scripts\sig.bat
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-07-26 42672]
    R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-07-26 214696]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-07-26 232960]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-22 66536]
    R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-07-26 6114816]
    R3 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2010-07-26 59904]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-18 1343400]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2010-07-26 81920]
    S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2009-05-15 1803512]
    S2 eSMARTUM;eSMART Usage Monitoring;c:\program files\eSMART\eSMARTUM.exe [2012-01-09 50176]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
    S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2010-10-22 22816]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-22 69192]
    S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2010-07-26 33832]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-09-28 221912]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-07-26 126976]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
    S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2010-07-14 6814720]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://portal/Pages/default.aspx
    uInternet Settings,ProxyOverride = *.local;vaultserver1.gti.int;evgt01;<local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
    HKCU-Run-TtvIrurc - d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(520)
    c:\windows\system32\wvauth.DLL
    c:\program files\Wave Systems Corp\Common\CryptoManager.dll
    c:\windows\system32\tcg15.dll
    c:\windows\system32\Tsp1.dll
    c:\windows\system32\wclient14.dll
    .
    - - - - - - - > 'Explorer.exe'(5840)
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
    c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
    c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\IDT\WDM\STacSV.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\conhost.exe
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\eSMART\ASMAgent.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
    c:\windows\system32\conhost.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\program files\DellTPad\ApMsgFwd.exe
    c:\program files\DellTPad\Apntex.exe
    c:\windows\system32\conhost.exe
    c:\program files\DellTPad\HidFind.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\GTPicThis\GTPicThis.EXE
    c:\program files\McAfee\Common Framework\McTray.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Common Files\Java\Java Update\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2012-02-14 17:26:15 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-14 17:26
    .
    Pre-Run: 42,283,319,296 bytes free
    Post-Run: 42,227,798,016 bytes free
    .
    - - End Of File - - 79548FAE55B610629B72DA476A35F54A
     
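The Reg Loading Points section of the log above is where the helper spots the hijacked Userinit value, the HKCU Run entry and the Startup-folder copy of ttvirurc.exe, plus UAC switched off via EnableLUA. The script below is an added example, not part of this thread and not a ComboFix or Tech Support Guy tool; it runs those same checks over a constructed slice of the log so a reader can see how the entries are picked out mechanically.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example (not from the thread or from ComboFix).  Flags the persistence
patterns seen in the log above: a Userinit value with an extra executable
appended, Run or Startup entries launching from AppData\\Local, a bare .exe
dropped in the Startup folder, and UAC disabled through EnableLUA.
"""
import re

# Constructed sample: a slice shaped like the log's Reg Loading Points section.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DymoQuickPrint"="c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2010-01-27 1885944]
"TtvIrurc"="d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe" [BU]
.
d:\users\mcurran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Picture This.lnk - d:\users\mcurran\AppData\Roaming\Microsoft\Installer\{1FC6CB91-C46E-4878-A086-13DD6CCF79EE}\Icon1FC6CB913.exe [2011-6-30 12288]
ttvirurc.exe [2012-1-31 98260]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "Name"=value ...


def _value(raw):
    """Strip ComboFix decoration: quoted path, or the first token of '0 (0x0)'."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw.split(" ")[0]


def triage(log_text):
    """Return a list of (finding, location, value) tuples for suspicious entries."""
    findings = []
    section = None  # current registry key or Startup folder path, lower-cased
    for line in log_text.splitlines():
        line = line.strip()
        if line == ".":            # ComboFix section separator
            section = None
            continue
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            section = key.group(1).lower()
            continue
        if line.lower().endswith("\\startup\\"):
            section = line.lower()  # a Startup folder listing follows
            continue
        if section is None:
            continue
        if section.endswith("\\startup\\"):
            # 'name.lnk - target [date size]' or a bare file 'name.exe [date size]'
            entry = line.split(" [")[0]
            target = entry.split(" - ", 1)[1] if " - " in entry else entry
            if target.lower().endswith(".exe") and "\\" not in target:
                findings.append(("exe_in_startup_folder", section, target))
            elif "\\appdata\\local\\" in target.lower():
                findings.append(("run_from_appdata_local", section, target))
            continue
        val = VALUE_RE.match(line)
        if not val:
            continue
        name, value = val.group(1), _value(val.group(2))
        if section.endswith("\\winlogon") and name.lower() == "userinit":
            # Anything after userinit.exe in the comma list runs at every logon.
            parts = [p.strip() for p in value.split(",") if p.strip()]
            for extra in parts[1:]:
                findings.append(("userinit_extra_executable", name, extra))
        elif section.endswith("\\currentversion\\run") and "\\appdata\\local\\" in value.lower():
            findings.append(("run_from_appdata_local", name, value))
        elif section.endswith("\\policies\\system") and name.lower() == "enablelua" and value == "0":
            findings.append(("uac_disabled", name, value))
    return findings


if __name__ == "__main__":
    for finding, where, what in triage(SAMPLE_LOG):
        print(f"{finding:28s} {where} -> {what}")
```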
  3. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,158
    Hiya Mike,

    Continue as follows;

    Step 1

    1. Close any open browsers.

    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    
    KillAll::
    ClearJavaCache::
    Folder::
    d:\users\mcurran\AppData\Local\oqevhuil
    DirLook::
    C:\Poker
    C:\QUARANTINE
    C:\TDSSKiller_Quarantine
    DDS::
    uInternet Settings,ProxyOverride = *.local;vaultserver1.gti.int;evgt01;<local>
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    
    Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe


    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Step 2

    Run ESET Online Scan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the [​IMG] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [​IMG] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [​IMG] icon on your desktop.
    • Check [​IMG]
    • Click the [​IMG] button.
    • Accept any security warnings from your browser.
    • Check [​IMG]
    • Leave the tick out of remove found threats
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [​IMG]
    • Push [​IMG], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the [​IMG] button.
    • Push [​IMG]
    You can refer to this animation by neomage if needed.
    Frequently asked questions are available Here. Please read them before running the scan.

    Also be aware this scan can take several hours to complete depending on the size of your system.

    ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

    Post those two logs, and also give an update on current issues.

    Kevin
     
  4. Mikecurran7

    Mikecurran7 Thread Starter

    Joined:
    Feb 6, 2012
    Messages:
    21
    ComboFix 12-02-13.01 - mcurran 14/02/2012 20:13:56.2.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.353.1033.18.3536.2641 [GMT 0:00]
    Running from: d:\users\mcurran\Desktop\ComboFix.exe
    Command switches used :: d:\users\mcurran\Desktop\CFScript.txt
    AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    d:\users\mcurran\AppData\Local\oqevhuil
    d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe
    d:\users\mcurran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttvirurc.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-14 to 2012-02-14 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-14 20:23 . 2012-02-14 20:23 -------- d-----w- d:\users\Default\AppData\Local\temp
    2012-02-14 20:23 . 2012-02-14 20:23 -------- d-----w- d:\users\Administrator\AppData\Local\temp
    2012-02-14 19:24 . 2012-02-14 20:24 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{06876E24-E19B-4571-AF74-57E6488AA0B7}\offreg.dll
    2012-02-13 18:10 . 2012-02-13 18:10 -------- d-----w- d:\users\mcurran\AppData\Roaming\Malwarebytes
    2012-02-13 18:10 . 2012-02-13 18:10 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-06 22:55 . 2012-02-06 22:55 -------- d-----w- c:\program files\Trend Micro
    2012-02-05 18:20 . 2012-02-05 18:21 -------- d-----w- d:\users\mcurran\AppData\Roaming\uTorrent
    2012-01-31 21:55 . 2012-01-31 21:55 -------- d-----w- C:\Poker
    2012-01-31 21:35 . 2012-01-31 21:35 -------- d-----w- d:\users\mcurran\AppData\Local\Apple Computer
    2012-01-31 21:18 . 2012-02-13 22:21 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-01-31 20:43 . 2012-01-31 20:43 -------- d--h--w- c:\programdata\Common Files
    2012-01-31 20:41 . 2012-01-31 21:45 -------- d-----w- c:\programdata\MFAData
    2012-01-31 20:09 . 2012-02-14 20:13 -------- d-----w- C:\QUARANTINE
    2012-01-25 23:26 . 2012-01-25 23:26 -------- d-----w- c:\program files\VideoLAN
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-31 21:19 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
    2011-11-22 12:40 . 2011-11-22 12:40 663512 ----a-w- C:\wpayback.zip
    2011-11-21 10:47 . 2011-12-22 10:14 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{06876E24-E19B-4571-AF74-57E6488AA0B7}\mpengine.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of C:\Poker ----
    .
    .
    ---- Directory of C:\QUARANTINE ----
    .
    2012-02-14 20:13 . 2012-02-14 20:13 3072 ----a-w- c:\quarantine\7dc2e14d39380.bup
    2012-02-14 19:25 . 2012-02-14 20:01 18944 ----a-w- c:\quarantine\7dc2e13191932b0.bup
    2012-02-14 18:08 . 2012-02-14 18:32 18944 ----a-w- c:\quarantine\7dc2e128351940.bup
    2012-02-14 17:20 . 2012-02-14 18:05 18944 ----a-w- c:\quarantine\7dc2e11142834a0.bup
    2012-02-14 17:02 . 2012-02-14 17:02 3072 ----a-w- c:\quarantine\7dc2e112343de0.bup
    2012-02-14 17:01 . 2012-02-14 17:01 32768 ----a-w- c:\quarantine\7dc2e111252b0.bup
    2012-02-14 16:42 . 2012-02-14 17:00 18944 ----a-w- c:\quarantine\7dc2e102a11c20.bup
    2012-02-13 22:23 . 2012-02-14 00:59 18944 ----a-w- c:\quarantine\7dc2d161742600.bup
    2012-02-13 19:56 . 2012-02-13 22:21 114688 ----a-w- c:\quarantine\7dc2d133863d30.bup
    2012-02-13 19:03 . 2012-02-13 22:21 192512 ----a-w- c:\quarantine\7dc2d1331f50.bup
    2012-02-13 18:27 . 2012-02-13 22:21 18944 ----a-w- c:\quarantine\7dc2d121b1f2580.bup
    2012-02-13 18:18 . 2012-02-13 18:25 24576 ----a-w- c:\quarantine\7dc2d121226970.bup
    2012-02-12 22:55 . 2012-02-13 18:25 18944 ----a-w- c:\quarantine\7dc2c163728880.bup
    2012-02-12 17:53 . 2012-02-12 20:00 18944 ----a-w- c:\quarantine\7dc2c11352f320.bup
    2012-02-12 13:15 . 2012-02-12 14:52 18944 ----a-w- c:\quarantine\7dc2cdf2c36f0.bup
    2012-02-11 21:22 . 2012-02-11 21:26 18944 ----a-w- c:\quarantine\7dc2b1516a26b0.bup
    2012-02-11 20:46 . 2012-02-11 21:06 18944 ----a-w- c:\quarantine\7dc2b142e42790.bup
    2012-02-11 13:40 . 2012-02-11 16:10 18944 ----a-w- c:\quarantine\7dc2bd28372ad0.bup
    2012-02-08 22:08 . 2012-02-08 22:08 17920 ----a-w- c:\quarantine\7dc281683b1d0.bup
    2012-02-07 22:29 . 2012-02-07 22:29 17920 ----a-w- c:\quarantine\7dc27161d61dc0.bup
    2012-02-06 22:46 . 2012-02-06 22:46 17920 ----a-w- c:\quarantine\7dc26162e2a3a0.bup
    2012-02-06 22:00 . 2012-02-06 22:00 17920 ----a-w- c:\quarantine\7dc26160714b0.bup
    2012-02-06 21:54 . 2012-02-06 21:58 114688 ----a-w- c:\quarantine\7dc26153616320.bup
    2012-02-06 18:28 . 2012-02-06 18:28 17920 ----a-w- c:\quarantine\7dc26121c62a60.bup
    2012-02-05 23:32 . 2012-02-05 23:32 17920 ----a-w- c:\quarantine\7dc2517202f26e0.bup
    2012-02-05 17:22 . 2012-02-05 18:29 24576 ----a-w- c:\quarantine\7dc251116c2880.bup
    2012-02-05 17:21 . 2012-02-05 17:21 17920 ----a-w- c:\quarantine\7dc251115201920.bup
    2012-02-05 16:12 . 2012-02-05 16:12 3584 ----a-w- c:\quarantine\7dc2510c1815e0.bup
    2012-02-05 16:12 . 2012-02-05 16:12 24576 ----a-w- c:\quarantine\7dc2510c17950.bup
    2012-02-01 22:16 . 2012-02-01 22:16 17920 ----a-w- c:\quarantine\7dc21161031920.bup
    2012-01-31 21:21 . 2012-01-31 21:21 17920 ----a-w- c:\quarantine\7dc11f15152adb0.bup
    2012-01-31 20:21 . 2012-01-31 20:28 369152 ----a-w- c:\quarantine\7dc11f1415a13e0.bup
    2012-01-31 20:15 . 2012-01-31 20:15 8192 ----a-w- c:\quarantine\7dc11f14f2b2720.bup
    2012-01-31 20:15 . 2012-01-31 20:15 8192 ----a-w- c:\quarantine\7dc11f14f25b70.bup
    2012-01-31 20:15 . 2012-01-31 20:15 8192 ----a-w- c:\quarantine\7dc11f14f18db0.bup
    2012-01-31 20:15 . 2012-01-31 20:15 8192 ----a-w- c:\quarantine\7dc11f14f1222d0.bup
    2012-01-31 20:15 . 2012-01-31 20:15 8192 ----a-w- c:\quarantine\7dc11f14f121520.bup
    2012-01-31 20:15 . 2012-01-31 20:15 8192 ----a-w- c:\quarantine\7dc11f14f71450.bup
    2012-01-31 20:15 . 2012-01-31 20:15 8192 ----a-w- c:\quarantine\7dc11f14f76a0.bup
    2012-01-31 20:14 . 2012-01-31 20:14 8192 ----a-w- c:\quarantine\7dc11f14e3a3100.bup
    2012-01-31 20:14 . 2012-01-31 20:14 8192 ----a-w- c:\quarantine\7dc11f14e3034a0.bup
    2012-01-31 20:14 . 2012-01-31 20:14 8192 ----a-w- c:\quarantine\7dc11f14e20cf0.bup
    2012-01-31 20:14 . 2012-01-31 20:14 8192 ----a-w- c:\quarantine\7dc11f14e1628e0.bup
    2012-01-31 20:14 . 2012-01-31 20:14 8192 ----a-w- c:\quarantine\7dc11f14ed1360.bup
    2012-01-31 20:14 . 2012-01-31 20:14 8192 ----a-w- c:\quarantine\7dc11f14e43ac0.bup
    2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14d392480.bup
    2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14d371ca0.bup
    2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14d302a80.bup
    2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14d291200.bup
    2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14d221720.bup
    2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14d1b2f40.bup
    2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14dc32b0.bup
    2012-01-31 20:13 . 2012-01-31 20:13 8192 ----a-w- c:\quarantine\7dc11f14d7fc0.bup
    2012-01-31 20:12 . 2012-01-31 20:12 8192 ----a-w- c:\quarantine\7dc11f14c3315d0.bup
    2012-01-31 20:12 . 2012-01-31 20:12 8192 ----a-w- c:\quarantine\7dc11f14c71b50.bup
    2012-01-31 20:12 . 2012-01-31 20:12 8192 ----a-w- c:\quarantine\7dc11f14c02d60.bup
    2012-01-31 20:11 . 2012-01-31 20:11 8192 ----a-w- c:\quarantine\7dc11f14b312320.bup
    2012-01-31 20:11 . 2012-01-31 20:11 8192 ----a-w- c:\quarantine\7dc11f14b291330.bup
    2012-01-31 20:11 . 2012-01-31 20:11 8192 ----a-w- c:\quarantine\7dc11f14b191e0.bup
    2012-01-31 20:11 . 2012-01-31 20:11 8192 ----a-w- c:\quarantine\7dc11f14b123c80.bup
    2012-01-31 20:11 . 2012-01-31 20:11 8192 ----a-w- c:\quarantine\7dc11f14b7ee0.bup
    2012-01-31 20:10 . 2012-01-31 20:10 17920 ----a-w- c:\quarantine\7dc11f14a2a3070.bup
    2012-01-31 20:09 . 2012-01-31 20:09 8192 ----a-w- c:\quarantine\7dc11f1491b2790.bup
    .
    ---- Directory of C:\TDSSKiller_Quarantine ----
    .
    2012-02-13 22:21 . 2012-02-13 22:21 260 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0001\svc0000\object.ini
    2012-02-13 22:21 . 2012-02-13 22:21 54016 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0001\svc0000\tsk0000.dta
    2012-02-13 22:21 . 2012-02-13 22:21 232 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0001\svc0000\tsk0000.ini
    2012-02-13 22:21 . 2012-02-13 22:21 112 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0001\object.ini
    2012-02-13 22:21 . 2012-02-13 22:21 234 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0000\svc0000\tsk0000.ini
    2012-02-13 22:21 . 2012-02-13 22:21 306 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0000\svc0000\object.ini
    2012-02-13 22:21 . 2012-02-13 22:21 6757 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0000\svc0000\tsk0000.dta
    2012-02-13 22:21 . 2012-02-13 22:21 112 ----a-w- c:\tdsskiller_quarantine\13.02.2012_22.12.46\susp0000\object.ini
    2012-01-31 21:18 . 2012-01-31 21:18 234 ----a-w- c:\tdsskiller_quarantine\31.01.2012_21.17.16\rtkt0000\svc0000\tsk0001.ini
    2012-01-31 21:18 . 2012-01-31 21:18 187904 ----a-w- c:\tdsskiller_quarantine\31.01.2012_21.17.16\rtkt0000\svc0000\tsk0001.dta
    2012-01-31 21:18 . 2012-01-31 21:18 234 ----a-w- c:\tdsskiller_quarantine\31.01.2012_21.17.16\rtkt0000\svc0000\tsk0000.ini
    2012-01-31 21:18 . 2012-01-31 21:18 336 ----a-w- c:\tdsskiller_quarantine\31.01.2012_21.17.16\rtkt0000\svc0000\object.ini
    2012-01-31 21:18 . 2012-01-31 21:18 102 ----a-w- c:\tdsskiller_quarantine\31.01.2012_21.17.16\rtkt0000\object.ini
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
    @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
    [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
    2010-08-13 15:39 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
    @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
    [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
    2010-08-13 15:39 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DymoQuickPrint"="c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2010-01-27 1885944]
    "TtvIrurc"="d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe" [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
    "EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2010-08-17 95616]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-22 124224]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-28 174104]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-28 151064]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-07-26 495708]
    "ASMReg"="c:\program files\eSMART\Register.exe" [2011-07-29 65536]
    "DLSService"="c:\program files\DYMO\DYMO Label Software\DLSService.exe" [2010-01-27 55808]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    .
    d:\users\mcurran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Picture This.lnk - d:\users\mcurran\AppData\Roaming\Microsoft\Installer\{1FC6CB91-C46E-4878-A086-13DD6CCF79EE}\Icon1FC6CB913.exe [2011-6-30 12288]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2010-8-13 132456]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1352148485-155271270-1313727497-2865\Scripts\Logon\0\0]
    "Script"=\\gti.int\SysVol\gti.int\scripts\sig.bat
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 eSMARTUM;eSMART Usage Monitoring;c:\program files\eSMART\eSMARTUM.exe [2012-01-09 50176]
    R3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-07-26 42672]
    R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 45736]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-07-26 214696]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-07-26 232960]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-22 66536]
    R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-07-26 6114816]
    R3 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2010-07-26 59904]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-18 1343400]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2010-07-26 81920]
    S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2009-05-15 1803512]
    S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2010-10-22 22816]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-22 69192]
    S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2010-07-26 33832]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-09-28 221912]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-07-26 126976]
    S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2010-07-14 6814720]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://portal/Pages/default.aspx
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(536)
    c:\windows\system32\wvauth.DLL
    c:\program files\Wave Systems Corp\Common\CryptoManager.dll
    c:\windows\system32\tcg15.dll
    c:\windows\system32\Tsp1.dll
    c:\windows\system32\wclient14.dll
    .
    - - - - - - - > 'Explorer.exe'(3268)
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\IDT\WDM\STacSV.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\conhost.exe
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\eSMART\ASMAgent.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
    c:\windows\system32\conhost.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\program files\DellTPad\ApMsgFwd.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\GTPicThis\GTPicThis.EXE
    c:\program files\DellTPad\HidFind.exe
    c:\program files\DellTPad\Apntex.exe
    c:\windows\system32\conhost.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2012-02-14 20:53:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-02-14 20:53
    ComboFix2.txt 2012-02-14 17:26
    .
    Pre-Run: 42,299,760,640 bytes free
    Post-Run: 42,191,392,768 bytes free
    .
    - - End Of File - - 032EFE69AA1002E6731EC367F3473EE9





    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8PU495RY\help[1].htm JS/Kryptik.GV trojan
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHCX1G0A\belissimowe_org_in[2].htm HTML/Iframe.B.Gen virus
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHCX1G0A\bysex_wen_su[1].txt HTML/Iframe.B.Gen virus
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P9QDEY9I\forum[1].htm JS/Kryptik.GV trojan




    McAfee still says there is something spotted every time I turn the computer on
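    The Run-key listing in the ComboFix log above is what the helper reads by eye to spot the odd entry. As an added example (not from the thread, and not ComboFix's own code), here is a small Python checker that parses lines in that format and flags entries whose executable sits under a user-writable AppData path or carries no date/size stamp, which is exactly how the TtvIrurc entry stands out; the sample log is constructed from the thread's own lines, and the `[BU]` marker is treated simply as the absence of a stamp.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two Run-key sections as they appear in the thread's
# ComboFix log (entry format: "Name"="path" [yyyy-mm-dd size] or [BU]).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DymoQuickPrint"="c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2010-01-27 1885944]
"TtvIrurc"="d:\users\mcurran\AppData\Local\oqevhuil\ttvirurc.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-28 141848]
"""

HEADER_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<stamp>[^\]]*)\]$')
STAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")  # e.g. "2010-01-27 1885944"
# Anything under a profile's AppData tree is writable without admin rights,
# which is why droppers favour it for persistence.
USER_WRITABLE_RE = re.compile(r"[\\/]appdata[\\/](local|roaming)[\\/]", re.IGNORECASE)


@dataclass
class RunEntry:
    hive_key: str
    name: str
    path: str
    stamp: str
    reasons: list = field(default_factory=list)


def parse_run_entries(log_text: str) -> list:
    """Return a RunEntry for every "Name"="path" [stamp] line under a Run-key header."""
    entries, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:  # a new [HKEY_...] section starts here
            current_key = header.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if entry and current_key and current_key.lower().endswith("\\run"):
            entries.append(RunEntry(current_key, entry["name"], entry["path"], entry["stamp"]))
    return entries


def flag_suspicious(entries: list) -> list:
    """Return the entries a reviewer should look at, with their reasons filled in."""
    flagged = []
    for e in entries:
        reasons = []
        if USER_WRITABLE_RE.search(e.path):
            reasons.append("executable under a user-writable AppData path")
        if not STAMP_RE.match(e.stamp):
            reasons.append(f"no date/size stamp (got '[{e.stamp}]')")
        e.reasons = reasons
        if reasons:
            flagged.append(e)
    return flagged
```

    Running `flag_suspicious(parse_run_entries(SAMPLE_LOG))` returns only the TtvIrurc entry, with both reasons attached; the other three autoruns in the sample carry a stamp and live under Program Files or System32.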
     
  5. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,158
    Please download OTM by OldTimer.

    Alternative Mirror 1
    Alternative Mirror 2

    Save it to your desktop.
    Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator. Be aware all processes will be stopped during the run, also the Desktop will disappear; this will be put back on completion....
    • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :reg
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      "TtvIrurc"=-
      :Services
      :Files
      ipconfig /flushdns /c
      :Commands
      [EmptyTemp]
       
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red MoveIt! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.


    Let me see that log. What is McAfee alerting to? Can you give a screen shot or write down what it states. Is it Artemis?

    Kevin
     
  6. Mikecurran7

    Mikecurran7 Thread Starter

    Joined:
    Feb 6, 2012
    Messages:
    21
    All processes killed
    ========== REGISTRY ==========
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru not found.
    ========== SERVICES/DRIVERS ==========
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    D:\USERS\mcurran\Desktop\cmd.bat deleted successfully.
    D:\USERS\mcurran\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 294871 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 456 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 294871 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 456 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: mcurran
    ->Temp folder emptied: 188549 bytes
    ->Temporary Internet Files folder emptied: 95821670 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 3850 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 50999 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 92.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 02152012_173809



    That saved to D:

    The Message that McAfee keeps popping up is
    Detection Type - Trojan
     
  7. Mikecurran7

    Mikecurran7 Thread Starter

    Joined:
    Feb 6, 2012
    Messages:
    21
    Detected as - Generic dx!zvv
    Number of objects 6
    DAT Version 6619.0000
    Engine Version 5400.1158
     
  8. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,158
    Download aswMBR from Here
    If it asks to update during the process please allow this to happen.

    • Save aswMBR.exe to your Desktop
    • Double click aswMBR.exe to run it
    • Click the Scan button to start the scan as illustrated below


      Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives
    • Once the scan finishes click Save log to save the log to your Desktop.

    • Copy and paste the contents of aswMBR.txt back here for review
    • You will also notice another file created on the desktop named MBR.dat. Right-click that file and select Send To and then Compressed (zipped) file. Attach that zipped file to your next reply as well.

    Kevin
     
  9. Mikecurran7

    Mikecurran7 Thread Starter

    Joined:
    Feb 6, 2012
    Messages:
    21
    aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-15 21:45:26
    -----------------------------
    21:45:26.740 OS Version: Windows 6.1.7600
    21:45:26.740 Number of processors: 2 586 0x1706
    21:45:26.740 ComputerName: 4QLKZ3J UserName: mcurran
    21:46:02.231 Initialize success
    21:46:17.387 AVAST engine defs: 12021501
    21:46:55.514 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    21:46:55.514 Disk 0 Vendor: ST912082 3.AD Size: 114473MB BusType: 3
    21:46:55.529 Disk 0 MBR read successfully
    21:46:55.529 Disk 0 MBR scan
    21:46:55.561 Disk 0 Windows 7 default MBR code
    21:46:55.561 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 61440 MB offset 2048
    21:46:55.607 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 52720 MB offset 125831168
    21:46:55.654 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 300 MB offset 233801728
    21:46:55.717 Disk 0 scanning sectors +234416128
    21:46:55.826 Disk 0 scanning C:\Windows\system32\drivers
    21:47:25.091 Service scanning
    21:47:27.307 Modules scanning
    21:47:41.503 Disk 0 trace - called modules:
    21:47:41.549 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
    21:47:41.549 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x884f1880]
    21:47:41.565 3 CLASSPNP.SYS[8379b59e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x865eb028]
    21:47:42.142 AVAST engine scan C:\Windows
    21:47:57.337 AVAST engine scan C:\Windows\system32
    21:55:52.198 AVAST engine scan C:\Windows\system32\drivers
    21:56:22.935 AVAST engine scan D:\USERS\mcurran
    22:02:24.955 AVAST engine scan C:\ProgramData
    22:04:21.909 Scan finished successfully
    22:08:25.405 Disk 0 MBR has been saved successfully to "D:\USERS\mcurran\Desktop\MBR.dat"
    22:08:25.421 The log file has been saved successfully to "D:\USERS\mcurran\Desktop\aswMBR.txt"
     

    Attached Files: MBR.zip (597 bytes)
  10. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,158
    That log is clean, are you still seeing the alert from McAfee?
     
  11. Mikecurran7

    Mikecurran7 Thread Starter

    Joined:
    Feb 6, 2012
    Messages:
    21
    I think it's gone. Haven't got a warning in a while.

    Thanks very much.
     
  12. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,158
    Run the following:

    Remove Combofix now that we're done with it
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    • Please follow the prompts to uninstall Combofix.
    • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
    The above procedure will delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.
    It is very important that you get a successful uninstall because of the extra functions done at the same time. Let me know if this does not happen.

    Next,

    • Download OTC by OldTimer and save it to your desktop. Alternative mirror
    • Double click the OTC icon to start the program.
      If you are using Vista or Windows 7, please right-click and choose run as administrator
    • Then click the big CleanUp! button.
    • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
    • Restart your computer when prompted.
    • This will remove tools we have used and itself. Any tools/logs remaining on the Desktop can be deleted.

    Next,

    Remove ESET online scanner:

    • Click Start, type Uninstall a Program into the Search programs and files box, and then press ENTER.
    • Click to select ESET Online Scanner from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks. Uninstall ESET Online Scanner, only re-boot if prompted.

    Next,

    You will have several programs installed; these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....
    ...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

    Let me know if those steps complete OK, also give update on any remaining issues or concerns...

    Kevin
     
  13. Mikecurran7

    Mikecurran7 Thread Starter

    Joined:
    Feb 6, 2012
    Messages:
    21
    Tried to do a Combofix Uninstall - it said it couldn't find it.

    Got a message from McAfee again. See ZIP attached.
     

  14. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,158
    Hiya Mike,

    Did you continue with the other two steps? The alert is nothing to worry about. Run the following; when you re-boot on completion, let me know if McAfee alerts again...

    Download TFC to your desktop, from either of the following links
    Link 1
    Link 2
    • Save any open work. TFC will close all open application windows.
    • Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select "Run as Administrator"
    • If prompted, click "Yes" to reboot.
    TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system; if not, re-boot it yourself to complete the cleaning process <---- Very Important

    Keep TFC; it is an excellent utility to keep your system optimized, it empties all user temp folders, Java cache etc. Always remember to re-boot after a run, even if not prompted.

    Kevin
     
Short URL to this thread: https://techguy.org/1039862