Medfos.B - tenaciously nasty and hard to remove [Solved]


  • This topic is locked

#16
gnach

    Member

  • Topic Starter
  • 13 posts
Gringo- Happy New Year to you and thank you for great help. This has been an eye opening experience.

There are no problems to report, everything seems to be operating smoothly.
When I ran REVO it was unable to create a restore point. I'm only curious, other programs have indicated success.
Does it pay to delete old RPs?
  • 0


#17
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

Does it pay to delete old RPs? - Depends on when and why - for example when we are done here it will pay to delete all the old ones to make sure you do not get reinfected

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to. You can click on the icon of any of these programs (or start it from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):


      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\RunOnce: [GBTUpd] C:\Program Files\GIGABYTE\UpdManager\PreRun.exe
      O4 - HKCU\..\Run: [Greenshot] "C:\Program Files\Greenshot_scrn-capt\Greenshot.exe"
      O4 - Global Startup: Online plug-in.lnk = ?
      O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - on Vista and Win 7, right click on the IE shortcut and run as admin

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add/on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
    • put a checkmark in "Uninstall application on close"
    • close program
    • report to me that nothing was found

  • If threats were found
    • click on "list of threats found"
    • click on "export to text file" and save it as ESET SCAN and save to the desktop
    • Click on back
    • put a checkmark in "Uninstall application on close"
    • click on finish
    • close program
    • copy and paste the report here

Gringo
  • 0

#18
gnach

    Member

  • Topic Starter
  • 13 posts
ESET SCAN-
F:\Users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\63gci3kg.Suzy\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi JS/Redirector.NCL trojan
F:\Users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\hwtau7xz.default\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi JS/Redirector.NCL trojan
F:\Users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\pbsu3b8j.Jow\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi JS/Redirector.NCL trojan
F:\Users\Gary\Desktop\! AV\stray dll files from log\wiprol.dll a variant of Win32/Medfos.HK trojan
I:\Boot-filz\!mt2009_utils.iso Win32/MPass application

!!shite!!
The redirector is in each of the 3 Firefox profiles. I did uncheck the Remove found threat. I just looked in that folder and did not find those files. I then went to ESET folder in Program Files and in the Quarantine folder I only see the files there were from a search I did on 1/29. What's up? I mean why don't I find them. aaarrgh!
The 4th file is one of the .dlls that was called for in a registry scan earlier. I moved it to the current folder. I just ran MSE and MBAM on that folder and neither one ID'd the threat.
The fifth is an old boot utilities disk. The actual file is not specified.

-edit-
Just ran ESET again, only on the Win7 drive. NO threats found.

Edited by gnach, 02 January 2013 - 11:22 AM.

  • 0

#19
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache:: 

File::
F:\Users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\63gci3kg.Suzy\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi
F:\Users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\hwtau7xz.default\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi
F:\Users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\pbsu3b8j.Jow\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi
F:\Users\Gary\Desktop\! AV\stray dll files from log\wiprol.dll
I:\Boot-filz\!mt2009_utils.iso

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

  • 0

#20
gnach

    Member

  • Topic Starter
  • 13 posts
ComboFix 13-01-02.02 - Gary 01/02/2013 18:17:21.4.4 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3486.1993 [GMT -8:00]
Running from: f:\users\Gary\Desktop\! AV\ComboFix.exe
Command switches used :: f:\users\Gary\Desktop\! AV\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\63gci3kg.Suzy\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi"
"f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\hwtau7xz.default\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi"
"f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\pbsu3b8j.Jow\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi"
"f:\users\Gary\Desktop\! AV\stray dll files from log\wiprol.dll"
"i:\boot-filz\!mt2009_utils.iso"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\63gci3kg.Suzy\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi
f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\hwtau7xz.default\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi
f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\pbsu3b8j.Jow\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi
i:\boot-filz\!mt2009_utils.iso
.
.
((((((((((((((((((((((((( Files Created from 2012-12-03 to 2013-01-03 )))))))))))))))))))))))))))))))
.
.
2013-01-03 02:23 . 2013-01-03 02:23 -------- dc----w- f:\users\Gary\AppData\Local\temp
2013-01-03 02:23 . 2013-01-03 02:23 -------- dc----w- f:\users\Default\AppData\Local\temp
2013-01-03 02:23 . 2013-01-03 02:23 -------- dc----w- f:\users\Admin\AppData\Local\temp
2013-01-03 02:06 . 2013-01-03 02:06 29904 ----a-w- f:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3F885C6-1B70-491C-A167-3BC52290645F}\MpKsl8373946f.sys
2013-01-02 18:59 . 2012-11-08 18:00 6812136 ----a-w- f:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3F885C6-1B70-491C-A167-3BC52290645F}\mpengine.dll
2013-01-02 17:16 . 2012-11-08 18:00 6812136 ----a-w- f:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-01 19:41 . 2013-01-01 19:41 -------- dc----w- f:\program files\CCleaner
2013-01-01 19:16 . 2013-01-01 19:16 -------- dc----w- f:\programdata\PDF Architect
2013-01-01 19:05 . 2013-01-01 19:05 -------- dc----w- f:\program files\Common Files\Java
2013-01-01 19:04 . 2013-01-01 19:04 93640 -c--a-w- f:\windows\system32\WindowsAccessBridge.dll
2013-01-01 19:01 . 2013-01-01 19:01 -------- dc----w- f:\users\Gary\AppData\Local\VS Revo Group
2013-01-01 19:00 . 2009-12-30 19:21 27192 -c--a-w- f:\windows\system32\drivers\revoflt.sys
2013-01-01 19:00 . 2013-01-01 19:00 -------- dc----w- f:\program files\VS Revo Group
2012-12-29 19:13 . 2012-12-29 19:13 -------- dc----w- F:\_OTM
2012-12-29 05:35 . 2012-12-29 05:35 -------- dc----w- f:\program files\ESET
2012-12-29 05:35 . 2012-12-29 05:35 181808 -c--a-w- f:\windows\RegBootClean.exe
2012-12-29 05:24 . 2012-12-29 05:24 -------- dc----w- f:\users\Gary\AppData\Roaming\Malwarebytes
2012-12-29 05:24 . 2012-12-29 05:24 -------- dc----w- f:\programdata\Malwarebytes
2012-12-29 05:24 . 2012-12-29 05:24 -------- dc----w- f:\program files\Malwarebytes' Anti-Malware
2012-12-29 05:24 . 2012-12-15 00:49 21104 -c--a-w- f:\windows\system32\drivers\mbam.sys
2012-12-29 02:01 . 2012-12-29 02:01 309320 -c--a-w- f:\windows\system32\drivers\TrufosAlt.sys
2012-12-29 01:07 . 2012-12-29 01:07 -------- dc----w- f:\users\Admin\AppData\Roaming\Thunderbird
2012-12-29 01:07 . 2012-12-29 01:07 -------- dc----w- f:\users\Admin\AppData\Local\Thunderbird
2012-12-29 01:05 . 2012-12-29 01:05 -------- dc----w- f:\users\Admin\AppData\Local\Macromedia
2012-12-29 00:29 . 2012-12-29 00:29 -------- dc----w- f:\users\Admin\AppData\Roaming\f-secure
2012-12-29 00:29 . 2012-12-29 00:29 -------- dc----w- f:\programdata\F-Secure
2012-12-29 00:01 . 2012-12-29 00:01 -------- dc----w- f:\users\Admin\AppData\Local\Mozilla
2012-12-28 22:23 . 2012-12-28 22:23 -------- dc----w- f:\windows\Windows Defender Offline
2012-12-28 22:06 . 2012-12-29 01:58 -------- dc----w- f:\programdata\6C476B460D86CEC000006C46FF02D284
2012-12-24 03:17 . 2012-12-24 03:41 -------- dc----w- f:\users\Gary\AppData\Roaming\Mp3tag
2012-12-24 03:17 . 2012-12-24 03:17 -------- dc----w- f:\program files\Mp3tag
2012-12-21 11:00 . 2012-12-21 11:00 34304 ----a-w- f:\windows\system32\atmlib.dll
2012-12-21 11:00 . 2012-12-21 11:00 295424 ----a-w- f:\windows\system32\atmfd.dll
2012-12-20 20:31 . 2013-01-01 19:17 -------- dc----w- f:\users\Gary\AppData\Roaming\PDF Architect
2012-12-12 04:56 . 2012-12-12 11:02 2048 ----a-w- f:\windows\system32\tzres.dll
2012-12-11 06:01 . 2005-04-25 21:01 458752 -c--a-w- f:\windows\system32\NCTAudioRecord2.dll
2012-12-11 06:01 . 2005-04-25 21:01 458752 -c--a-w- f:\windows\system32\NCTAudioPlayer2.dll
2012-12-11 06:01 . 2007-10-25 02:57 1986560 -c--a-w- f:\windows\system32\NCTAudioFile2.dll
2012-12-11 06:01 . 2007-10-25 02:57 835584 -c--a-w- f:\windows\system32\NCTAudioCDGrabber2.dll
2012-12-11 06:01 . 2005-05-18 19:52 1212416 -c--a-w- f:\windows\system32\NCTAudioInformation2.dll
2012-12-11 06:01 . 2005-02-24 19:51 348160 -c--a-w- f:\windows\system32\NCTWMAFile2.dll
2012-12-11 06:01 . 2003-08-07 23:01 237568 -c--a-w- f:\windows\system32\lame_enc.dll
2012-12-11 06:01 . 2012-12-11 06:01 -------- dc----w- f:\program files\Audio Convert Merge Free
2012-12-11 04:44 . 2012-12-11 04:44 -------- dc----w- f:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-11 04:44 . 2012-12-11 04:44 -------- dc----w- f:\program files\iTunes
2012-12-11 04:44 . 2012-12-11 04:44 -------- dc----w- f:\program files\iPod
2012-12-10 04:22 . 2012-12-10 04:22 -------- dc----w- f:\users\Gary\AppData\Roaming\APP_NAME_NON_STRING
2012-12-10 04:22 . 2012-10-29 02:32 88576 -c--a-w- f:\windows\system32\pdfcmon.dll
2012-12-10 04:22 . 2012-05-05 18:54 23552 -c--a-w- f:\windows\system32\MSMPIDE.DLL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-01 19:04 . 2012-06-13 19:16 859072 -c--a-w- f:\windows\system32\npdeployJava1.dll
2013-01-01 19:04 . 2011-05-19 00:49 779704 -c--a-w- f:\windows\system32\deployJava1.dll
2012-12-12 01:31 . 2012-04-04 21:29 697272 -c--a-w- f:\windows\system32\FlashPlayerApp.exe
2012-12-12 01:31 . 2011-05-18 02:05 73656 -c--a-w- f:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-29 18:27 . 2012-11-29 18:28 740840 ------w- f:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5A153396-565E-4525-8F33-85AD40CB38C9}\gapaengine.dll
2012-11-28 05:56 . 2012-11-27 22:02 561664 ----a-w- f:\windows\apppatch\AcLayers.dll
2012-11-14 08:29 . 2012-11-14 08:00 52224 ----a-w- f:\windows\system32\nlaapi.dll
2012-11-14 08:29 . 2012-11-14 08:00 499712 ----a-w- f:\windows\system32\iphlpsvc.dll
2012-11-14 08:29 . 2012-11-14 08:00 35328 ----a-w- f:\windows\system32\drivers\tcpipreg.sys
2012-11-14 08:29 . 2012-11-14 08:00 242176 ----a-w- f:\windows\system32\nlasvc.dll
2012-11-14 08:29 . 2012-11-14 08:00 175104 ----a-w- f:\windows\system32\netcorehc.dll
2012-11-14 08:29 . 2012-11-14 08:00 156672 ----a-w- f:\windows\system32\ncsi.dll
2012-11-14 08:29 . 2012-11-14 08:00 1293680 ----a-w- f:\windows\system32\drivers\tcpip.sys
2012-11-14 08:29 . 2012-11-14 08:00 18944 ----a-w- f:\windows\system32\netevent.dll
2012-11-14 08:29 . 2012-11-14 08:29 73216 ----a-w- f:\windows\system32\WUDFSvc.dll
2012-11-14 08:29 . 2012-11-14 08:29 66560 ----a-w- f:\windows\system32\drivers\WUDFPf.sys
2012-11-14 08:29 . 2012-11-14 08:29 172032 ----a-w- f:\windows\system32\WUDFPlatform.dll
2012-11-14 08:29 . 2012-11-14 08:29 155136 ----a-w- f:\windows\system32\drivers\WUDFRd.sys
2012-11-14 08:29 . 2012-11-14 08:29 613888 ----a-w- f:\windows\system32\WUDFx.dll
2012-11-14 08:29 . 2012-11-14 08:29 38912 ----a-w- f:\windows\system32\WUDFCoinstaller.dll
2012-11-14 08:29 . 2012-11-14 08:29 196608 ----a-w- f:\windows\system32\WUDFHost.exe
2012-11-14 08:29 . 2012-11-14 08:00 78336 ----a-w- f:\windows\system32\synceng.dll
2012-11-14 08:28 . 2012-11-14 08:00 44032 ----a-w- f:\windows\system32\dhcpcsvc6.dll
2012-11-14 08:28 . 2012-11-14 08:00 193536 ----a-w- f:\windows\system32\dhcpcore6.dll
2012-11-14 01:18 . 2012-11-14 01:18 9728 ----a-w- f:\windows\system32\Wdfres.dll
2012-11-14 01:18 . 2012-11-14 01:18 526952 ----a-w- f:\windows\system32\drivers\Wdf01000.sys
2012-11-14 01:18 . 2012-11-14 01:18 47720 ----a-w- f:\windows\system32\drivers\WdfLdr.sys
2012-11-14 01:18 . 2012-11-14 01:18 2560 ----a-w- f:\windows\system32\drivers\en-US\wdf01000.sys.mui
2012-11-02 23:37 . 2012-11-02 23:37 862664 -c--a-w- f:\windows\system32\msvcr110.dll
2012-11-02 23:37 . 2012-11-02 23:37 534480 -c--a-w- f:\windows\system32\msvcp110.dll
2012-11-02 23:37 . 2012-11-02 23:37 44184 -c--a-w- f:\windows\system32\drivers\point32.sys
2012-11-02 23:37 . 2012-11-02 23:37 251864 -c--a-w- f:\windows\system32\vccorlib110.dll
2012-11-02 05:52 . 2012-11-02 05:52 64664 -c--a-w- f:\windows\system32\drivers\dc3d.sys
2012-11-02 05:52 . 2012-11-02 05:52 1629040 -c--a-w- f:\windows\system32\WdfCoInstaller01011.dll
2012-10-25 11:12 . 2012-10-25 11:12 94208 -c--a-w- f:\windows\system32\QuickTimeVR.qtx
2012-10-25 11:12 . 2012-10-25 11:12 69632 -c--a-w- f:\windows\system32\QuickTime.qts
2012-10-14 05:25 . 2012-10-14 05:25 86528 ----a-w- f:\windows\system32\iesysprep.dll
2012-10-14 05:25 . 2012-10-14 05:25 76800 ----a-w- f:\windows\system32\SetIEInstalledDate.exe
2012-10-14 05:25 . 2012-10-14 05:25 74752 ----a-w- f:\windows\system32\RegisterIEPKEYs.exe
2012-10-14 05:25 . 2012-10-14 05:25 48640 ----a-w- f:\windows\system32\mshtmler.dll
2012-10-14 05:25 . 2012-10-14 05:25 161792 ----a-w- f:\windows\system32\msls31.dll
2012-10-14 05:25 . 2012-10-14 05:25 110592 ----a-w- f:\windows\system32\IEAdvpack.dll
2012-10-14 05:25 . 2012-10-14 05:25 74752 ----a-w- f:\windows\system32\iesetup.dll
2012-10-14 05:25 . 2012-10-14 05:25 63488 ----a-w- f:\windows\system32\tdc.ocx
2012-10-14 05:25 . 2012-10-14 05:25 367104 ----a-w- f:\windows\system32\html.iec
2012-10-14 05:25 . 2012-10-14 05:25 35840 ----a-w- f:\windows\system32\imgutil.dll
2012-10-14 05:25 . 2012-10-14 05:25 23552 ----a-w- f:\windows\system32\licmgr10.dll
2012-10-14 05:25 . 2012-10-14 05:25 152064 ----a-w- f:\windows\system32\wextract.exe
2012-10-14 05:25 . 2012-10-14 05:25 150528 ----a-w- f:\windows\system32\iexpress.exe
2012-10-14 05:25 . 2012-10-14 05:25 11776 ----a-w- f:\windows\system32\mshta.exe
2012-10-14 05:25 . 2012-10-14 05:25 101888 ----a-w- f:\windows\system32\admparse.dll
2012-10-11 10:03 . 2012-10-10 14:33 172544 ----a-w- f:\windows\system32\wintrust.dll
2012-10-11 10:02 . 2012-10-10 14:33 140288 ----a-w- f:\windows\system32\cryptsvc.dll
2012-10-11 10:02 . 2012-10-10 14:33 1159680 ----a-w- f:\windows\system32\crypt32.dll
2012-10-11 10:02 . 2012-10-10 14:33 103936 ----a-w- f:\windows\system32\cryptnet.dll
2012-10-11 10:02 . 2012-10-10 14:33 1211760 ----a-w- f:\windows\system32\drivers\ntfs.sys
2012-10-11 10:00 . 2012-10-10 14:33 542208 ----a-w- f:\windows\system32\kerberos.dll
2012-10-11 10:00 . 2012-10-10 14:33 3968880 ----a-w- f:\windows\system32\ntkrnlpa.exe
2012-10-11 10:00 . 2012-10-10 14:33 3914096 ----a-w- f:\windows\system32\ntoskrnl.exe
2012-03-28 10:04 . 2012-03-28 10:04 124864 -c--a-w- f:\program files\mozilla firefox\plugins\CCMSDK.dll
2012-03-28 10:47 . 2012-03-28 10:47 13760 -c--a-w- f:\program files\mozilla firefox\plugins\cgpcfg.dll
2012-03-28 10:06 . 2012-03-28 10:06 71104 -c--a-w- f:\program files\mozilla firefox\plugins\CgpCore.dll
2012-03-28 10:05 . 2012-03-28 10:05 92096 -c--a-w- f:\program files\mozilla firefox\plugins\confmgr.dll
2012-03-28 10:05 . 2012-03-28 10:05 22976 -c--a-w- f:\program files\mozilla firefox\plugins\ctxlogging.dll
2012-03-28 10:03 . 2012-03-28 10:03 255936 -c--a-w- f:\program files\mozilla firefox\plugins\ctxmui.dll
2012-03-28 10:05 . 2012-03-28 10:05 32192 -c--a-w- f:\program files\mozilla firefox\plugins\icafile.dll
2012-03-28 10:05 . 2012-03-28 10:05 40896 -c--a-w- f:\program files\mozilla firefox\plugins\icalogon.dll
2012-03-19 17:21 . 2012-03-19 17:21 903096 -c--a-w- f:\program files\mozilla firefox\plugins\sslsdk_b.dll
2012-03-28 10:06 . 2012-03-28 10:06 24512 -c--a-w- f:\program files\mozilla firefox\plugins\TcpPServ.dll
2012-12-06 01:55 . 2012-12-06 01:55 262112 -c--a-w- f:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Greenshot"="f:\program files\Greenshot_scrn-capt\Greenshot.exe" [2010-07-12 548864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="f:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-07-07 10754664]
"MSC"="f:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]
"nmctxth"="f:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="f:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"HotKeysCmds"="f:\windows\system32\hkcmd.exe" [2012-03-30 180504]
"Persistence"="f:\windows\system32\igfxpers.exe" [2012-03-30 187672]
"HDAudDeck"="f:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2012-05-11 3920496]
"USB3MON"="f:\program files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-03-27 291608]
"IntelliType Pro"="f:\program files\Microsoft Mouse and Keyboard Center\itype.exe" [2012-11-02 1093232]
"IntelliPoint"="f:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2012-11-02 1668720]
"ConnectionCenter"="f:\program files\Citrix\ICA Client\concentr.exe" [2012-03-28 309184]
"SunJavaUpdateSched"="f:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
f:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - f:\program files\Secunia\PSI\psi_tray.exe [2012-7-25 572000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\F:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GammaTray.lnk]
path=f:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GammaTray.lnk
backup=f:\windows\pss\GammaTray.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\F:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=f:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=f:\windows\pss\Google Calendar Sync.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\F:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=f:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=f:\windows\pss\Secunia PSI Tray.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\F:^Users^Gary^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.4.1.lnk]
path=f:\users\Gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
backup=f:\windows\pss\OpenOffice.org 3.4.1.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-11-28 22:13 59280 -c--a-w- f:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CmTray]
2011-12-28 20:08 94208 -c--a-w- f:\program files\Content Manager\launchCM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HipServ Agent]
2011-04-16 06:00 2618736 -c--a-w- f:\program files\NETGEAR\Stora Desktop Applications\HipServAgent\HipServAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-11-29 08:49 151952 -c--a-w- f:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper.exe]
2012-11-29 08:49 151952 -c--a-w- f:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2010-08-16 20:45 2736128 -c--a-w- f:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MagicTuneLauncher]
2011-01-04 17:31 51712 -c--a-w- f:\program files\MagicTune Premium\MagicTuneLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSOSYNC.EXE]
2012-01-21 04:03 719672 -c--a-w- f:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-03-21 20:19 69632 -c--a-w- f:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QTTask.exe]
2012-10-25 11:12 421888 -c--a-w- f:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 11:12 421888 -c--a-w- f:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-09-30 07:14 155648 -c--a-r- f:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
R2 mrtRate;mrtRate; [x]
R3 AppleChargerSrv;AppleChargerSrv;f:\windows\system32\AppleChargerSrv.exe [x]
R3 becldr3Service;BCL EasyConverter SDK 3 Loader;f:\program files\BCL Technologies\easyConverter SDK 3\Common\becldr.exe [x]
R3 BrSerIb;Brother MFC Serial Interface Driver(WDM);f:\windows\system32\DRIVERS\BrSerIb.sys [x]
R3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);f:\windows\system32\DRIVERS\BrUsbSIb.sys [x]
R3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [x]
R3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [x]
R3 NisDrv;Microsoft Network Inspection System;f:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;f:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 pwdrvio;pwdrvio;f:\windows\system32\pwdrvio.sys [x]
R3 pwdspio;pwdspio;f:\windows\system32\pwdspio.sys [x]
R3 Revoflt;Revoflt;f:\windows\system32\DRIVERS\revoflt.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;f:\windows\system32\DRIVERS\Rt86win7.sys [x]
R3 SamsungMonitorFirmware;SamsungMonitorFirmware;f:\windows\system32\drivers\MFWCtwl.sys [x]
R3 TsUsbFlt;TsUsbFlt;f:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;f:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;f:\windows\system32\DRIVERS\iusb3hcs.sys [x]
S1 AppleCharger;AppleCharger;f:\windows\system32\DRIVERS\AppleCharger.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;f:\windows\system32\DRIVERS\ctxusbm.sys [x]
S1 MpKsl8373946f;MpKsl8373946f;f:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3F885C6-1B70-491C-A167-3BC52290645F}\MpKsl8373946f.sys [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;f:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;f:\program files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 nlsX86cc;Nalpeiron Licensing Service;f:\windows\system32\nlssrv32.exe [x]
S2 Secunia PSI Agent;Secunia PSI Agent;f:\program files\Secunia\PSI\PSIA.exe [x]
S2 Secunia Update Agent;Secunia Update Agent;f:\program files\Secunia\PSI\sua.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;f:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;f:\windows\system32\viakaraokesrv.exe [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);f:\windows\system32\DRIVERS\dc3d.sys [x]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;f:\windows\system32\Drivers\EtronHub3.sys [x]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;f:\windows\system32\Drivers\EtronXHCI.sys [x]
S3 IntcDAud;Intel® Display Audio;f:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;f:\windows\system32\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;f:\windows\system32\DRIVERS\iusb3xhc.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;f:\windows\system32\DRIVERS\L1C62x86.sys [x]
S3 MEI;Intel® Management Engine Interface ;f:\windows\system32\DRIVERS\HECI.sys [x]
S3 PSI;PSI;f:\windows\system32\DRIVERS\psi_mf.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;f:\windows\system32\drivers\viahduaa.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL8373946F
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-08-16 20:43 451872 -c--a-w- f:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-03 f:\windows\Tasks\Adobe Flash Player Updater.job
- f:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 01:31]
.
2013-01-02 f:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- f:\program files\Google\Update\GoogleUpdate.exe [2011-06-15 16:41]
.
2013-01-03 f:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- f:\program files\Google\Update\GoogleUpdate.exe [2011-06-15 16:41]
.
2013-01-02 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4266632814-318362380-4285844594-1001Core.job
- f:\users\Gary\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-16 01:52]
.
2013-01-03 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4266632814-318362380-4285844594-1001UA.job
- f:\users\Gary\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-16 01:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxps://athenanet.athenahealth.com/static_20120620_smerrillnach/iemenu.cab
FF - ProfilePath - f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\hwtau7xz.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - ExtSQL: 2012-12-30 23:45; {fef13a18-44af-4511-9a30-840cf7b42cdf}; f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\hwtau7xz.default\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-02 18:24:52
ComboFix-quarantined-files.txt 2013-01-03 02:24
ComboFix2.txt 2013-01-01 01:05
ComboFix3.txt 2012-12-31 20:33
ComboFix4.txt 2012-12-31 18:43
.
Pre-Run: 68,252,565,504 bytes free
Post-Run: 67,908,448,256 bytes free
.
- - End Of File - - D638FDE9F6A61A7F34C20921788D1B0F
  • 0
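
A way to cross-check the ComboFix log above, as an added example that is not part of the original thread: the Python below compares the paths requested in the FILE :: block against the "Other Deletions" section and lists any other log section that still mentions a requested path. The function names and the trimmed log excerpt are assumptions made for this example.

```python
import re

# Excerpt of the ComboFix log posted above: sections trimmed, paths unchanged.
SAMPLE_LOG = r'''
ComboFix 13-01-02.02 - Gary 01/02/2013 18:17:21.4.4 - x86
.
FILE ::
"f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\63gci3kg.Suzy\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi"
"f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\hwtau7xz.default\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi"
"f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\pbsu3b8j.Jow\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi"
"f:\users\Gary\Desktop\! AV\stray dll files from log\wiprol.dll"
"i:\boot-filz\!mt2009_utils.iso"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\63gci3kg.Suzy\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi
f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\hwtau7xz.default\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi
f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\pbsu3b8j.Jow\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi
i:\boot-filz\!mt2009_utils.iso
.
((((((((((((((((((((((((( Files Created from 2012-12-03 to 2013-01-03 )))))))))))))))))))))))))))))))
.
2013-01-03 02:23 . 2013-01-03 02:23 -------- dc----w- f:\users\Gary\AppData\Local\temp
.
------- Supplementary Scan -------
.
FF - ProfilePath - f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\hwtau7xz.default\
FF - ExtSQL: 2012-12-30 23:45; {fef13a18-44af-4511-9a30-840cf7b42cdf}; f:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\hwtau7xz.default\extensions\{fef13a18-44af-4511-9a30-840cf7b42cdf}.xpi
.
Completion time: 2013-01-02 18:24:52
'''

# Section titles look like "FILE ::", "((( Other Deletions )))" or
# "------- Supplementary Scan -------".
HEADER = re.compile(r'^(?:\(+\s*(.+?)\s*\)+|-{3,}\s*(.+?)\s*-{3,}|(FILE)\s*::)$')


def split_sections(log_text):
    """Group log lines by section title; '.' separator lines are dropped."""
    sections = {"preamble": []}
    current = "preamble"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        match = HEADER.match(line)
        if match:
            current = next(g for g in match.groups() if g)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def norm(path):
    """Windows paths are case-insensitive and FILE :: entries are quoted."""
    return path.strip().strip('"').lower()


def verify_removal(log_text):
    """Compare requested removals with reported deletions and leftovers."""
    sections = split_sections(log_text)
    requested = [norm(p) for p in sections.get("FILE", [])]
    reported = {norm(p) for p in sections.get("Other Deletions", [])}
    residual = []
    for name, lines in sections.items():
        if name in ("FILE", "Other Deletions"):
            continue
        for line in lines:
            lowered = line.lower()
            # Record every other place in the log that still names the path.
            residual.extend((name, p, line) for p in requested if p in lowered)
    return {
        "requested": requested,
        "deleted": [p for p in requested if p in reported],
        "not_deleted": [p for p in requested if p not in reported],
        "residual": residual,
    }


if __name__ == "__main__":
    report = verify_removal(SAMPLE_LOG)
    print("requested:", len(report["requested"]))
    print("reported deleted:", len(report["deleted"]))
    for path in report["not_deleted"]:
        print("not in Other Deletions:", path)
    for section, path, line in report["residual"]:
        print("still mentioned in [%s]: %s" % (section, line))
```

On the excerpt it reports wiprol.dll as requested but absent from "Other Deletions", and one remaining mention of the hwtau7xz.default .xpi path under Supplementary Scan.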

#21
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.

:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful and if used incorrectly or at the wrong time can make the computer an expensive paperweight.
They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and use often in helping to keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download and works a lot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls

CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

Malwarebytes' Anti-Malware - The gold standard today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use?" I have at this time 4 computers in my home and I have this setup on all 4 of them.

  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)

    Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
  • 0

#22
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





