Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Black screen w/blinking cursor after Trojans


  • Please log in to reply

#16
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,018 posts
Great. Lets scan:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.
  • 0

Advertisements


#17
Silveragain

Silveragain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I was mistaken; not all icons are there. My Computer options, etc. are missing. Start menu comes up empty except for All Programs option (which shows folders that mostly say they are empty). Search is available, which I used to try to find the combofix log, but it's not showing up. McAfee says the computer isn't protected - the firewall will not turn on. The antivirus is working, so I made sure that was off before I ran combofix.

I was certain that combofix said complete after it ran, but I didn't get a message that a log had been created. Tried to run it again and this time I did see it say complete, but again, no log.

Silver
  • 0

#18
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,018 posts
Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box paste this in


    netsvcs
    set /c
    %SYSTEMDRIVE%\*.*
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job
    %systemroot%\assembly\tmp\U\*.* /s

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of the OTL.txt file and attach the Extras.Txt, if any, in your next reply.

  • 0

#19
Silveragain

Silveragain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I had not been back to the ailing computer since my post earlier this afternoon until receiving your reply a few minutes ago. A combofix window was showing on the desktop, asking me to disable the antivirus so it could run (I had disabled it earlier for 30 minutes). I seems that combofix only ran partially earlier and eventually continued (30 minutes!?), so I decided to let it finish. I disabled the antivirus again and it finished running and did produce the log below.

I then went to open IE to come back to the post to give you an update, but IE will not open now. It says "illegal operation attempted on a registry key that has been marked for deletion. C:\programfiles(x86)\internet explorer\iexplore.exe."

I saved the combofix log to flash and returned to the good computer to send this post. I have not yet downloaded or run OTL on the ailing computer.


ComboFix 13-02-26.01 - West 02/28/2013 16:52:52.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8191.7036 [GMT -5:00]
Running from: c:\users\West\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Search Toolbar
c:\program files (x86)\Search Toolbar\icon.ico
c:\program files (x86)\Search Toolbar\SearchToolbar.dll
c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
c:\program files (x86)\Search Toolbar\SearchToolbarUpdater.exe
c:\users\Public\20060217162527468_SM730BA.exe
c:\users\West\3.0.1.8874 US PTR Installer
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Info.plist
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\MacOS\Installer
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\PkgInfo
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\Alert.icns
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\CD.icns
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\en_GB.lproj\Localizable.strings
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\English.lproj\Localizable.strings
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\Error.png
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\French.lproj\Localizable.strings
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\German.lproj\Localizable.strings
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\Icon.icns
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\InstallerMainWindow.nib\classes.nib
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\InstallerMainWindow.nib\info.nib
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\InstallerMainWindow.nib\keyedobjects.nib
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\Italian.lproj\Localizable.strings
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\Japanese.lproj\Localizable.strings
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\ko.lproj\Localizable.strings
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\listfile
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\Message.png
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\signature
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\Spanish.lproj\Localizable.strings
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\Warning.png
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\zh_CN.lproj\Localizable.strings
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.app\Contents\Resources\zh_TW.lproj\Localizable.strings
c:\users\West\3.0.1.8874 US PTR Installer\Blizzard Updater.exe
c:\users\West\3.0.1.8874 US PTR Installer\Installer Tome 2.mpq
c:\users\West\3.0.1.8874 US PTR Installer\Installer Tome.mpq
c:\users\West\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Repair.lnk
c:\users\West\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Repair
c:\users\West\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Repair\System Repair.lnk
c:\users\West\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Repair\Uninstall System Repair.lnk
c:\windows\SysWow64\URTTemp
c:\windows\SysWow64\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-01-28 to 2013-02-28 )))))))))))))))))))))))))))))))
.
.
2013-02-28 07:09 . 2013-02-28 08:06 -------- d-----w- c:\programdata\Recovery
2013-02-28 05:26 . 2013-02-28 05:26 -------- d-----w- C:\FRST
2013-02-21 15:41 . 2013-02-21 15:41 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2013-02-15 22:04 . 2013-02-15 22:04 208448 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
2013-02-14 08:01 . 2013-01-09 01:10 996352 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-14 08:01 . 2013-01-08 22:01 768000 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-02-13 09:43 . 2013-01-05 05:53 5553512 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-02-13 09:43 . 2013-01-05 05:00 3967848 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-02-13 09:43 . 2013-01-05 05:00 3913064 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-02-13 09:43 . 2013-01-04 03:26 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-02-13 09:42 . 2013-01-04 05:46 215040 ----a-w- c:\windows\system32\winsrv.dll
2013-02-13 09:42 . 2013-01-04 02:47 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-02-13 09:42 . 2013-01-04 04:51 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-02-13 09:42 . 2013-01-04 02:47 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-02-13 09:42 . 2013-01-04 02:47 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-02-13 09:42 . 2013-01-04 02:47 2048 ----a-w- c:\windows\SysWow64\user.exe
2013-02-13 09:42 . 2013-01-03 06:00 1913192 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-02-13 09:42 . 2013-01-03 06:00 288088 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2013-02-06 21:46 . 2013-02-21 15:51 -------- d-----w- c:\program files (x86)\Common Files\Steam
2013-02-06 21:46 . 2013-02-28 18:48 -------- d-----w- c:\program files (x86)\Steam
2013-02-06 21:27 . 2013-02-06 21:27 -------- d-----w- c:\program files (x86)\Bohemia Interactive
2013-02-06 00:30 . 2013-02-06 21:27 -------- d-----w- c:\users\West\AppData\Local\Play withSIX
2013-02-06 00:30 . 2013-02-06 00:30 -------- d-----w- c:\users\West\AppData\Roaming\Play withSIX
2013-02-06 00:30 . 2013-02-06 00:30 -------- d-----w- c:\users\West\AppData\Local\IsolatedStorage
2013-02-06 00:30 . 2013-02-06 21:27 -------- d-----w- C:\Desktop
2013-02-06 00:28 . 2013-02-06 21:10 -------- d-----w- c:\users\West\AppData\Local\Downloaded Installations
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-28 18:48 . 2012-06-14 01:06 691568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-21 15:36 . 2011-05-14 20:26 71024 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-14 08:04 . 2009-12-07 00:46 70004024 ----a-w- c:\windows\system32\MRT.exe
2013-02-02 06:53 . 2012-03-28 00:59 18055184 ----a-w- c:\windows\system32\nvd3dumx.dll
2013-02-02 06:53 . 2011-05-21 10:01 15053264 ----a-w- c:\windows\system32\nvwgf2umx.dll
2013-02-02 06:53 . 2012-03-28 00:59 1107440 ----a-w- c:\windows\system32\nvumdshimx.dll
2013-02-02 06:53 . 2011-05-21 10:01 2826040 ----a-w- c:\windows\system32\nvapi64.dll
2013-02-02 06:53 . 2012-10-11 02:23 1510176 ----a-w- c:\windows\system32\nvdispgenco64.dll
2013-02-02 06:53 . 2012-01-24 02:27 1814304 ----a-w- c:\windows\system32\nvdispco64.dll
2013-01-18 15:00 . 2010-07-09 21:27 6390048 ----a-w- c:\windows\system32\nvcpl.dll
2013-01-18 15:00 . 2010-07-09 21:27 3460896 ----a-w- c:\windows\system32\nvsvc64.dll
2013-01-18 15:00 . 2012-03-28 01:02 2953448 ----a-w- c:\windows\system32\nvcoproc.bin
2013-01-18 15:00 . 2011-08-06 22:28 2558240 ----a-w- c:\windows\system32\nvsvcr.dll
2013-01-18 15:00 . 2010-07-09 21:27 884512 ----a-w- c:\windows\system32\nvvsvc.exe
2013-01-18 15:00 . 2010-07-09 21:27 118560 ----a-w- c:\windows\system32\nvmctray.dll
2013-01-18 15:00 . 2009-09-27 23:22 63776 ----a-w- c:\windows\system32\nvshext.dll
2013-01-18 13:15 . 2013-01-18 13:15 550176 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2013-01-04 04:43 . 2013-02-13 09:42 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-12-26 14:55 . 2010-09-07 12:56 69672 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-12-26 14:52 . 2010-09-07 12:56 339776 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2012-12-26 14:51 . 2010-09-07 12:56 10288 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-12-26 14:51 . 2010-09-07 12:56 106112 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-12-26 14:50 . 2010-09-07 12:56 771096 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-12-26 14:49 . 2010-09-07 12:56 515528 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-12-26 14:49 . 2010-09-07 12:56 309400 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-12-26 14:48 . 2010-09-07 12:56 178840 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-12-16 17:11 . 2012-12-22 08:00 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-22 08:00 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-22 08:00 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-22 08:00 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-07 13:20 . 2013-01-09 21:36 441856 ----a-w- c:\windows\system32\Wpc.dll
2012-12-07 13:15 . 2013-01-09 21:36 2746368 ----a-w- c:\windows\system32\gameux.dll
2012-12-07 12:26 . 2013-01-09 21:36 308736 ----a-w- c:\windows\SysWow64\Wpc.dll
2012-12-07 12:20 . 2013-01-09 21:36 2576384 ----a-w- c:\windows\SysWow64\gameux.dll
2012-12-07 11:20 . 2013-01-09 21:36 30720 ----a-w- c:\windows\system32\usk.rs
2012-12-07 11:20 . 2013-01-09 21:36 43520 ----a-w- c:\windows\system32\csrr.rs
2012-12-07 11:20 . 2013-01-09 21:36 23552 ----a-w- c:\windows\system32\oflc.rs
2012-12-07 11:20 . 2013-01-09 21:36 45568 ----a-w- c:\windows\system32\oflc-nz.rs
2012-12-07 11:20 . 2013-01-09 21:36 44544 ----a-w- c:\windows\system32\pegibbfc.rs
2012-12-07 11:20 . 2013-01-09 21:36 20480 ----a-w- c:\windows\system32\pegi-fi.rs
2012-12-07 11:20 . 2013-01-09 21:36 20480 ----a-w- c:\windows\system32\pegi-pt.rs
2012-12-07 11:19 . 2013-01-09 21:36 20480 ----a-w- c:\windows\system32\pegi.rs
2012-12-07 11:19 . 2013-01-09 21:36 46592 ----a-w- c:\windows\system32\fpb.rs
2012-12-07 11:19 . 2013-01-09 21:36 40960 ----a-w- c:\windows\system32\cob-au.rs
2012-12-07 11:19 . 2013-01-09 21:36 15360 ----a-w- c:\windows\system32\djctq.rs
2012-12-07 11:19 . 2013-01-09 21:36 21504 ----a-w- c:\windows\system32\grb.rs
2012-12-07 11:19 . 2013-01-09 21:36 55296 ----a-w- c:\windows\system32\cero.rs
2012-12-07 11:19 . 2013-01-09 21:36 51712 ----a-w- c:\windows\system32\esrb.rs
2012-12-07 10:46 . 2013-01-09 21:36 43520 ----a-w- c:\windows\SysWow64\csrr.rs
2012-12-07 10:46 . 2013-01-09 21:36 30720 ----a-w- c:\windows\SysWow64\usk.rs
2012-12-07 10:46 . 2013-01-09 21:36 45568 ----a-w- c:\windows\SysWow64\oflc-nz.rs
2012-12-07 10:46 . 2013-01-09 21:36 44544 ----a-w- c:\windows\SysWow64\pegibbfc.rs
2012-12-07 10:46 . 2013-01-09 21:36 20480 ----a-w- c:\windows\SysWow64\pegi-pt.rs
2012-12-07 10:46 . 2013-01-09 21:36 23552 ----a-w- c:\windows\SysWow64\oflc.rs
2012-12-07 10:46 . 2013-01-09 21:36 20480 ----a-w- c:\windows\SysWow64\pegi-fi.rs
2012-12-07 10:46 . 2013-01-09 21:36 46592 ----a-w- c:\windows\SysWow64\fpb.rs
2012-12-07 10:46 . 2013-01-09 21:36 20480 ----a-w- c:\windows\SysWow64\pegi.rs
2012-12-07 10:46 . 2013-01-09 21:36 21504 ----a-w- c:\windows\SysWow64\grb.rs
2012-12-07 10:46 . 2013-01-09 21:36 40960 ----a-w- c:\windows\SysWow64\cob-au.rs
2012-12-07 10:46 . 2013-01-09 21:36 15360 ----a-w- c:\windows\SysWow64\djctq.rs
2012-12-07 10:46 . 2013-01-09 21:36 51712 ----a-w- c:\windows\SysWow64\esrb.rs
2012-12-07 10:46 . 2013-01-09 21:36 55296 ----a-w- c:\windows\SysWow64\cero.rs
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2013-02-15 1597864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-01-14 1534504]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-11-29 151952]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-07 160944]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-04-20 196440]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-25 138752]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-12-26 106112]
R3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28x.sys [2009-06-10 620544]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-14 1255736]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-12-26 339776]
S2 Device Handle Service;Device Handle Service;c:\windows\SysWOW64\AsHookDevice.exe [2009-08-20 196608]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~2\mcafee\SITEAD~1\mcsacore.exe [2012-12-04 103472]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-12-26 218320]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2012-12-26 182312]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-01-18 383264]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-12-26 69672]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-12-26 515528]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-21 413800]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-14 15:36]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-05-23 7833120]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-05-23 1833504]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 74.128.19.102 74.128.17.114 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{293e7470-fd3b-4d28-a20f-688ce8292340} - (no file)
BHO-{9D425283-D487-4337-BAB6-AB8354A81457} - c:\program files (x86)\Search Toolbar\SearchToolbar.dll
Toolbar-Locked - (no file)
Toolbar-{9D425283-D487-4337-BAB6-AB8354A81457} - c:\program files (x86)\Search Toolbar\SearchToolbar.dll
Toolbar-Locked - (no file)
WebBrowser-{293E7470-FD3B-4D28-A20F-688CE8292340} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\SysWOW64\rundll32.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2013-02-28 17:07:18 - machine was rebooted
ComboFix-quarantined-files.txt 2013-02-28 22:07
.
Pre-Run: 219,037,065,216 bytes free
Post-Run: 219,740,827,648 bytes free
.
- - End Of File - - DBC4B6837B15F83480674C4AC477A84D
  • 0

#20
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,018 posts

I then went to open IE to come back to the post to give you an update, but IE will not open now. It says "illegal operation attempted on a registry key that has been marked for deletion. C:\programfiles(x86)\internet explorer\iexplore.exe."


This should disappear after a restart.

Lets scan for remnants:

Run adwCleaner.

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete

Posted Image

Once done it will ask to reboot, allow this.

On reboot a log will be produced at C:\ADWCleaner[XX].txt please attach that.

Malwarebytes' Anti-Malware


Posted Image Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

ESET online scannner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET online scannner.
  • Select the option YES, I accept the Terms of Use then click on Start.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

  • All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

  • Now click on Start.
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

  • 0

#21
Silveragain

Silveragain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
You were correct, restarting fixed the IE problem, thanks.

Here is the AdwCleaner log:

# AdwCleaner v2.113 - Logfile created 02/28/2013 at 20:44:57
# Updated 23/02/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : West - WEST-PC
# Boot Mode : Normal
# Running from : C:\Users\West\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\West\AppData\Local\Conduit

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\conduitEngine
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D425283-D487-4337-BAB6-AB8354A81457}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9D425283-D487-4337-BAB6-AB8354A81457}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils
Key Deleted : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2428392
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{9D425283-D487-4337-BAB6-AB8354A81457}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16464

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [2943 octets] - [28/02/2013 20:42:44]
AdwCleaner[S1].txt - [2778 octets] - [28/02/2013 20:44:57]

########## EOF - C:\AdwCleaner[S1].txt - [2838 octets] ##########


MBAM log:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.01.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
West :: WEST-PC [administrator]

Protection: Enabled

2/28/2013 9:25:19 PM
mbam-log-2013-02-28 (21-25-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231681
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKCU\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Here is the ESET log:

[email protected] as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
  • 0

#22
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,018 posts
Security check

Download and run Security Check by screen317 and post its report.

How is it doing?
  • 0

#23
Silveragain

Silveragain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Seems to be doing very well, thanks to you.

The ESET run did find some problems, but I couldn't tell from the end text or the log what it did with them. Did it fix them or delete them as it ran?


Results of screen317's Security Check version 0.99.60
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
McAfee Anti-Virus and Anti-Spyware
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Java™ 6 Update 29
Java version out of Date!
Adobe Reader XI
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
  • 0

#24
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,018 posts

The ESET run did find some problems, but I couldn't tell from the end text or the log what it did with them. Did it fix them or delete them as it ran?


Sometimes it does. Do you have the latest report?

Remove the installed JAVA and get the latest version here.
  • 0

#25
Silveragain

Silveragain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
This is the only thing in the log from the ESET scan last evening:

[email protected] as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

I ran it again this morning and it only found one problem. I believe there were 5 yesterday. Here is the log from today's scan:

[email protected] as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=45879ab4202276479acb03e5e76888fe
# engine=13275
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-03-01 05:07:49
# local_time=2013-03-01 12:07:49 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5122 16777213 100 90 0 110832265 0 0
# compatibility_mode=5893 16776574 100 94 59509186 113701119 0 0
# scanned=262283
# found=1
# cleaned=0
# scan_time=6562
sh=80C0D01F9F8F5E6C2305C9E2C59544AE135E2213 ft=0 fh=0000000000000000 vn="BAT/BadJoke.H trojan" ac=I fn="C:\Users\West\Desktop\Vampy Docs\Fun Game.bat"

I ran a McAfee scan on the contents of that particular folder (Vampy Docs) and it didn't find anything. Opening the folder, I was easily able to see the fun game.bat, so I deleted it.


When removing the old java and installing the new version, McAfee popped up that it found a trojan and deleted it. Here is what it said it found:
Exploit-FDV!CVE2010-4476
in C:users\west\appdata\local low\sun\java\deployment\cache\6.0\42\1269ad2a-1b70b6d5
  • 0

Advertisements


#26
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,018 posts
I am glad you have that deleted.

Lets do some housekeeping:

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

The following will implement some cleanup procedures as well as reset System Restore points:


  • Press the Windows key + R. At the Run command type or copy and paste the following:

    Combofix /uninstall


Remove the C:\FRST folder

Manually remove any tool left.

Here are some suggestions.

  • Always keep your JAVA updated. Older versions will make your computer vulnerable.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

It has been my pleasure. Best wishes! Posted Image
  • 0

#27
Silveragain

Silveragain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hello JSntgRvr,

Thank you for generously offering your time and knowledge to help me out. The computer seems to be running great!

One last thing - I cannot delete the C:/FRST folder. I get error code 0x80070091: the directory is not empty. I was able to delete the folders within, except for the quarantine one. I get the same error code when I try to delete it. I checked and it is empty, including with show hidden files and folders turned on.

Silver
  • 0

#28
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,018 posts
Please download the OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\FRST

  • Return to OTM, right click in the "Paste instructions for items to be Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • 0

#29
Silveragain

Silveragain

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
It looks like OTM successfully moved the items.

========== FILES ==========
C:\FRST\Quarantine\$7d049a04e11b896b2a9dfd255201f599 folder moved successfully.
C:\FRST\Quarantine folder moved successfully.
C:\FRST folder moved successfully.

OTM by OldTimer - Version 3.1.21.0 log created on 03022013_132445


New update: my daughter was playing minecraft last evening and received a 1a BSOD. It hasn't happened again since, although the computer hasn't been used much since. Should I take that as indication something is still amiss? Here is the bluescreen log and the error log.

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 1a
BCP1: 0000000000041790
BCP2: FFFFFA80062C2F50
BCP3: 000000000000FFFF
BCP4: 0000000000000000
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\030113-20888-01.dmp
C:\Users\West\AppData\Local\Temp\WER-65582-0.sysdata.xml


#
# A fatal error has been detected by the Java Runtime Environment:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x0000000070a65472, pid=840, tid=2572
#
# JRE version: 7.0_15-b03
# Java VM: Java HotSpot™ 64-Bit Server VM (23.7-b01 mixed mode windows-amd64 compressed oops)
# Problematic frame:
# V [jvm.dll+0x25472]
#
# Failed to write core dump. Minidumps are not enabled by default on client versions of Windows
#
# If you would like to submit a bug report, please visit:
# http://bugreport.sun...eport/crash.jsp
#

--------------- T H R E A D ---------------

Current thread (0x0000000002098000): GCTaskThread [stack: 0x00000000061d0000,0x00000000062d0000] [id=2572]

siginfo: ExceptionCode=0xc0000005, reading address 0x00000000000000a8

Registers:
RAX=0x0000000000000000, RBX=0x00000007b28b4610, RCX=0x000000077d705a08, RDX=0x00000007b28b4610
RSP=0x00000000062cfa78, RBP=0x000000000213b5e0, RSI=0x00000007f481ea1c, RDI=0x00000007b28b4610
R8 =0x0000000000000000, R9 =0x000000077d705a08, R10=0x000000000000ea73, R11=0x00000007b28b4650
R12=0x00000007f481f010, R13=0x0000000000671c00, R14=0x00000007f2e58000, R15=0x0000000000d3429e
RIP=0x0000000070a65472, EFLAGS=0x0000000000010246

Top of Stack: (sp=0x00000000062cfa78)
0x00000000062cfa78: 0000000070aede6b 00000007b28b4650
0x00000000062cfa88: 000000000213b5e0 00000007f481ea18
0x00000000062cfa98: 0000000000000008 00000007b28b4610
0x00000000062cfaa8: 0000000070b3033a 00000000000001b0
0x00000000062cfab8: 0000000070b09b4b 000000077d7059c8
0x00000000062cfac8: 0000000070d98729 00000007f2e58000
0x00000000062cfad8: 0000000070bf5f32 0000000000000000
0x00000000062cfae8: 0000000002098340 0000000002098728
0x00000000062cfaf8: 00000007b28c55d0 00000000000001b0
0x00000000062cfb08: 0000000070d993ed 000000000213b5e0
0x00000000062cfb18: 000082bf0000e9f1 0000000002098350
0x00000000062cfb28: 00006fd2000001b0 000082bf0000e9f1
0x00000000062cfb38: 000051bb0000e799 00000007f2e58000
0x00000000062cfb48: 0000000000671a00 000000000dffb800
0x00000000062cfb58: 000000000037ba01 0000000002092401
0x00000000062cfb68: 0000000002098728 0000000002098350

Instructions: (pc=0x0000000070a65472)
0x0000000070a65452: e2 49 8d 0c 11 49 f7 d1 48 03 c1 49 c1 e9 03 48
0x0000000070a65462: c1 e8 03 41 23 c1 c3 48 8b 02 48 8b d1 49 8b c9
0x0000000070a65472: 48 ff a0 a8 00 00 00 cc cc cc cc cc cc cc 80 3d
0x0000000070a65482: 91 68 68 00 00 48 8b c1 74 1f 8b 51 08 8b 0d 83


Register to memory mapping:

RAX=0x0000000000000000 is an unknown value
RBX=
[error occurred during error reporting (printing register info), id 0xc0000005]

Stack: [0x00000000061d0000,0x00000000062d0000], sp=0x00000000062cfa78, free space=1022k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V [jvm.dll+0x25472]


--------------- P R O C E S S ---------------

Java Threads: ( => current thread )
0x000000000dff9800 JavaThread "File IO Thread" [_thread_blocked, id=3904, stack(0x000000001f0b0000,0x000000001f1b0000)]
0x000000000dffb800 JavaThread "Server thread" [_thread_blocked, id=4764, stack(0x0000000011280000,0x0000000011380000)]
0x000000000e000000 JavaThread "Snooper Timer" daemon [_thread_blocked, id=5484, stack(0x0000000012630000,0x0000000012730000)]
0x000000000e001000 JavaThread "Thread-54" [_thread_blocked, id=4900, stack(0x000000001f490000,0x000000001f590000)]
0x000000000dffa000 JavaThread "Thread-53" [_thread_blocked, id=3956, stack(0x0000000017610000,0x0000000017710000)]
0x000000000dff8800 JavaThread "Minecraft main thread" [_thread_blocked, id=4772, stack(0x00000000144d0000,0x00000000145d0000)]
0x000000000dffd000 JavaThread "Timer hack thread" daemon [_thread_blocked, id=4596, stack(0x0000000013390000,0x0000000013490000)]
0x000000000dffc800 JavaThread "Snooper Timer" daemon [_thread_blocked, id=4516, stack(0x0000000014280000,0x0000000014380000)]
0x000000000dffe000 JavaThread "Thread-49" [_thread_blocked, id=3792, stack(0x00000000143a0000,0x00000000144a0000)]
0x000000000dffe800 JavaThread "DestroyJavaVM" [_thread_blocked, id=2692, stack(0x0000000002150000,0x0000000002250000)]
0x000000000e015800 JavaThread "TimerQueue" daemon [_thread_blocked, id=5344, stack(0x0000000013b10000,0x0000000013c10000)]
0x000000000dd52000 JavaThread "D3D Screen Updater" daemon [_thread_blocked, id=4244, stack(0x0000000012790000,0x0000000012890000)]
0x000000000d9af800 JavaThread "Log Flush Thread" daemon [_thread_blocked, id=5432, stack(0x0000000010be0000,0x0000000010ce0000)]
0x000000000d94f800 JavaThread "AWT-EventQueue-0" [_thread_blocked, id=3140, stack(0x00000000103e0000,0x00000000104e0000)]
0x000000000d872800 JavaThread "AWT-Windows" daemon [_thread_blocked, id=676, stack(0x000000000e610000,0x000000000e710000)]
0x000000000daf7000 JavaThread "AWT-Shutdown" [_thread_blocked, id=4228, stack(0x000000000e320000,0x000000000e420000)]
0x000000000db04000 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=660, stack(0x000000000cf80000,0x000000000d080000)]
0x000000000b970800 JavaThread "Service Thread" daemon [_thread_blocked, id=4912, stack(0x000000000d200000,0x000000000d300000)]
0x000000000b96f800 JavaThread "C2 CompilerThread1" daemon [_thread_blocked, id=880, stack(0x000000000d0b0000,0x000000000d1b0000)]
0x000000000b96a800 JavaThread "C2 CompilerThread0" daemon [_thread_blocked, id=1488, stack(0x000000000cba0000,0x000000000cca0000)]
0x000000000b969800 JavaThread "Attach Listener" daemon [_thread_blocked, id=5624, stack(0x000000000ce60000,0x000000000cf60000)]
0x000000000b95e800 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=5512, stack(0x000000000cd20000,0x000000000ce20000)]
0x0000000002148000 JavaThread "Finalizer" daemon [_thread_blocked, id=4252, stack(0x000000000ca90000,0x000000000cb90000)]
0x0000000002141000 JavaThread "Reference Handler" daemon [_thread_blocked, id=4532, stack(0x000000000c690000,0x000000000c790000)]

Other Threads:
0x000000000b8e3000 VMThread [stack: 0x000000000c870000,0x000000000c970000] [id=5712]
0x000000000b983000 WatcherThread [stack: 0x000000000d340000,0x000000000d440000] [id=5016]

=>0x0000000002098000 (exited) GCTaskThread [stack: 0x00000000061d0000,0x00000000062d0000] [id=2572]

VM state:at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: ([mutex/lock_event])
[0x000000000037a9b0] Threads_lock - owner thread: 0x000000000b8e3000
[0x000000000037aeb0] Heap_lock - owner thread: 0x000000000dff8800

Heap
PSYoungGen total 448448K, used 215330K [0x00000007d5560000, 0x0000000800000000, 0x0000000800000000)
eden space 233088K, 0% used [0x00000007d5560000,0x00000007d5560000,0x00000007e3900000)
from space 215360K, 99% used [0x00000007f2db0000,0x00000007ffff8a98,0x0000000800000000)
to space 232960K, 0% used [0x00000007e3900000,0x00000007e3900000,0x00000007f1c80000)
ParOldGen total 1090496K, used 1090306K [0x0000000780000000, 0x00000007c28f0000, 0x00000007d5560000)
object space 1090496K, 99% used [0x0000000780000000,0x00000007c28c0bd0,0x00000007c28f0000)
PSPermGen total 63680K, used 51341K [0x000000077ae00000, 0x000000077ec30000, 0x0000000780000000)
object space 63680K, 80% used [0x000000077ae00000,0x000000077e0237c8,0x000000077ec30000)

Card table byte_map: [0x00000000053c0000,0x00000000057f0000] byte_map_base: 0x00000000017e9000

Polling page: 0x0000000000340000

Code Cache [0x00000000023c0000, 0x0000000003330000, 0x00000000053c0000)
total_blobs=5299 nmethods=4425 adapters=820 free_code_cache=33602Kb largest_free_block=34200768

Compilation events (10 events):
Event: 2903.603 Thread 0x000000000b96a800 nmethod 4932 0x0000000003302150 code [0x00000000033022a0, 0x00000000033023b8]
Event: 2903.603 Thread 0x000000000b96f800 nmethod 4931 0x00000000029dd190 code [0x00000000029dd2e0, 0x00000000029dd428]
Event: 2903.603 Thread 0x000000000b96f800 4933 java.nio.Bits::makeInt (29 bytes)
Event: 2903.603 Thread 0x000000000b96f800 nmethod 4933 0x0000000002d65f90 code [0x0000000002d660c0, 0x0000000002d66118]
Event: 2916.813 Thread 0x000000000b96f800 4934 akt::b (168 bytes)
Event: 2916.821 Thread 0x000000000b96f800 nmethod 4934 0x000000000323e410 code [0x000000000323e5e0, 0x000000000323ed00]
Event: 2916.836 Thread 0x000000000b96a800 4935 akt::b (168 bytes)
Event: 2916.843 Thread 0x000000000b96a800 nmethod 4935 0x000000000323d490 code [0x000000000323d620, 0x000000000323dbe8]
Event: 2918.559 Thread 0x000000000b96f800 4936 com.google.common.collect.AbstractMultimap::wrapList (33 bytes)
Event: 2918.562 Thread 0x000000000b96f800 nmethod 4936 0x00000000029dccd0 code [0x00000000029dce20, 0x00000000029dcf98]

GC Heap History (10 events):
Event: 2922.242 GC heap after
Heap after GC invocations=179 (full 12):
PSYoungGen total 604096K, used 57215K [0x00000007d5560000, 0x0000000800000000, 0x0000000800000000)
eden space 511808K, 0% used [0x00000007d5560000,0x00000007d5560000,0x00000007f4930000)
from space 92288K, 61% used [0x00000007f4930000,0x00000007f810fcf0,0x00000007fa350000)
to space 91648K, 0% used [0x00000007fa680000,0x00000007fa680000,0x0000000800000000)
ParOldGen total 579520K, used 512534K [0x0000000780000000, 0x00000007a35f0000, 0x00000007d5560000)
object space 579520K, 88% used [0x0000000780000000,0x000000079f4859e8,0x00000007a35f0000)
PSPermGen total 65856K, used 51342K [0x000000077ae00000, 0x000000077ee50000, 0x0000000780000000)
object space 65856K, 77% used [0x000000077ae00000,0x000000077e023a78,0x000000077ee50000)
}
Event: 2925.583 GC heap before
{Heap before GC invocations=180 (full 12):
PSYoungGen total 604096K, used 569023K [0x00000007d5560000, 0x0000000800000000, 0x0000000800000000)
eden space 511808K, 100% used [0x00000007d5560000,0x00000007f4930000,0x00000007f4930000)
from space 92288K, 61% used [0x00000007f4930000,0x00000007f810fcf0,0x00000007fa350000)
to space 91648K, 0% used [0x00000007fa680000,0x00000007fa680000,0x0000000800000000)
ParOldGen total 579520K, used 512534K [0x0000000780000000, 0x00000007a35f0000, 0x00000007d5560000)
object space 579520K, 88% used [0x0000000780000000,0x000000079f4859e8,0x00000007a35f0000)
PSPermGen total 65856K, used 51342K [0x000000077ae00000, 0x000000077ee50000, 0x0000000780000000)
object space 65856K, 77% used [0x000000077ae00000,0x000000077e023a78,0x000000077ee50000)
Event: 2926.243 GC heap after
Heap after GC invocations=180 (full 12):
PSYoungGen total 359936K, used 91629K [0x00000007d5560000, 0x0000000800000000, 0x0000000800000000)
eden space 268288K, 0% used [0x00000007d5560000,0x00000007d5560000,0x00000007e5b60000)
from space 91648K, 99% used [0x00000007fa680000,0x00000007ffffb7f8,0x0000000800000000)
to space 215360K, 0% used [0x00000007e5b60000,0x00000007e5b60000,0x00000007f2db0000)
ParOldGen total 828928K, used 828750K [0x0000000780000000, 0x00000007b2980000, 0x00000007d5560000)
object space 828928K, 99% used [0x0000000780000000,0x00000007b29539e8,0x00000007b2980000)
PSPermGen total 65856K, used 51342K [0x000000077ae00000, 0x000000077ee50000, 0x0000000780000000)
object space 65856K, 77% used [0x000000077ae00000,0x000000077e023a78,0x000000077ee50000)
}
Event: 2926.243 GC heap before
{Heap before GC invocations=181 (full 13):
PSYoungGen total 359936K, used 91629K [0x00000007d5560000, 0x0000000800000000, 0x0000000800000000)
eden space 268288K, 0% used [0x00000007d5560000,0x00000007d5560000,0x00000007e5b60000)
from space 91648K, 99% used [0x00000007fa680000,0x00000007ffffb7f8,0x0000000800000000)
to space 215360K, 0% used [0x00000007e5b60000,0x00000007e5b60000,0x00000007f2db0000)
ParOldGen total 828928K, used 828750K [0x0000000780000000, 0x00000007b2980000, 0x00000007d5560000)
object space 828928K, 99% used [0x0000000780000000,0x00000007b29539e8,0x00000007b2980000)
PSPermGen total 65856K, used 51342K [0x000000077ae00000, 0x000000077ee50000, 0x0000000780000000)
object space 65856K, 77% used [0x000000077ae00000,0x000000077e023a78,0x000000077ee50000)
Event: 2928.615 GC heap after
Heap after GC invocations=181 (full 13):
PSYoungGen total 359936K, used 0K [0x00000007d5560000, 0x0000000800000000, 0x0000000800000000)
eden space 268288K, 0% used [0x00000007d5560000,0x00000007d5560000,0x00000007e5b60000)
from space 91648K, 0% used [0x00000007fa680000,0x00000007fa680000,0x0000000800000000)
to space 215360K, 0% used [0x00000007e5b60000,0x00000007e5b60000,0x00000007f2db0000)
ParOldGen total 1055360K, used 824858K [0x0000000780000000, 0x00000007c06a0000, 0x00000007d5560000)
object space 1055360K, 78% used [0x0000000780000000,0x00000007b2586bd0,0x00000007c06a0000)
PSPermGen total 63680K, used 51341K [0x000000077ae00000, 0x000000077ec30000, 0x0000000780000000)
object space 63680K, 80% used [0x000000077ae00000,0x000000077e0237c8,0x000000077ec30000)
}
Event: 2930.820 GC heap before
{Heap before GC invocations=182 (full 13):
PSYoungGen total 359936K, used 268288K [0x00000007d5560000, 0x0000000800000000, 0x0000000800000000)
eden space 268288K, 100% used [0x00000007d5560000,0x00000007e5b60000,0x00000007e5b60000)
from space 91648K, 0% used [0x00000007fa680000,0x00000007fa680000,0x0000000800000000)
to space 215360K, 0% used [0x00000007e5b60000,0x00000007e5b60000,0x00000007f2db0000)
ParOldGen total 1055360K, used 824858K [0x0000000780000000, 0x00000007c06a0000, 0x00000007d5560000)
object space 1055360K, 78% used [0x0000000780000000,0x00000007b2586bd0,0x00000007c06a0000)
PSPermGen total 63680K, used 51341K [0x000000077ae00000, 0x000000077ec30000, 0x0000000780000000)
object space 63680K, 80% used [0x000000077ae00000,0x000000077e0237c8,0x000000077ec30000)
Event: 2931.144 GC heap after
Heap after GC invocations=182 (full 13):
PSYoungGen total 483648K, used 215351K [0x00000007d5560000, 0x0000000800000000, 0x0000000800000000)
eden space 268288K, 0% used [0x00000007d5560000,0x00000007d5560000,0x00000007e5b60000)
from space 215360K, 99% used [0x00000007e5b60000,0x00000007f2dadc70,0x00000007f2db0000)
to space 215360K, 0% used [0x00000007f2db0000,0x00000007f2db0000,0x0000000800000000)
ParOldGen total 1055360K, used 866178K [0x0000000780000000, 0x00000007c06a0000, 0x00000007d5560000)
object space 1055360K, 82% used [0x0000000780000000,0x00000007b4de0bd0,0x00000007c06a0000)
PSPermGen total 63680K, used 51341K [0x000000077ae00000, 0x000000077ec30000, 0x0000000780000000)
object space 63680K, 80% used [0x000000077ae00000,0x000000077e0237c8,0x000000077ec30000)
}
Event: 2933.844 GC heap before
{Heap before GC invocations=183 (full 13):
PSYoungGen total 483648K, used 483639K [0x00000007d5560000, 0x0000000800000000, 0x0000000800000000)
eden space 268288K, 100% used [0x00000007d5560000,0x00000007e5b60000,0x00000007e5b60000)
from space 215360K, 99% used [0x00000007e5b60000,0x00000007f2dadc70,0x00000007f2db0000)
to space 215360K, 0% used [0x00000007f2db0000,0x00000007f2db0000,0x0000000800000000)
ParOldGen total 1055360K, used 866178K [0x0000000780000000, 0x00000007c06a0000, 0x00000007d5560000)
object space 1055360K, 82% used [0x0000000780000000,0x00000007b4de0bd0,0x00000007c06a0000)
PSPermGen total 63680K, used 51341K [0x000000077ae00000, 0x000000077ec30000, 0x0000000780000000)
object space 63680K, 80% used [0x000000077ae00000,0x000000077e0237c8,0x000000077ec30000)
Event: 2934.495 GC heap after
Heap after GC invocations=183 (full 13):
PSYoungGen total 448448K, used 215330K [0x00000007d5560000, 0x0000000800000000, 0x0000000800000000)
eden space 233088K, 0% used [0x00000007d5560000,0x00000007d5560000,0x00000007e3900000)
from space 215360K, 99% used [0x00000007f2db0000,0x00000007ffff8a98,0x0000000800000000)
to space 232960K, 0% used [0x00000007e3900000,0x00000007e3900000,0x00000007f1c80000)
ParOldGen total 1090496K, used 1090306K [0x0000000780000000, 0x00000007c28f0000, 0x00000007d5560000)
object space 1090496K, 99% used [0x0000000780000000,0x00000007c28c0bd0,0x00000007c28f0000)
PSPermGen total 63680K, used 51341K [0x000000077ae00000, 0x000000077ec30000, 0x0000000780000000)
object space 63680K, 80% used [0x000000077ae00000,0x000000077e0237c8,0x000000077ec30000)
}
Event: 2934.495 GC heap before
{Heap before GC invocations=184 (full 14):
PSYoungGen total 448448K, used 215330K [0x00000007d5560000, 0x0000000800000000, 0x0000000800000000)
eden space 233088K, 0% used [0x00000007d5560000,0x00000007d5560000,0x00000007e3900000)
from space 215360K, 99% used [0x00000007f2db0000,0x00000007ffff8a98,0x0000000800000000)
to space 232960K, 0% used [0x00000007e3900000,0x00000007e3900000,0x00000007f1c80000)
ParOldGen total 1090496K, used 1090306K [0x0000000780000000, 0x00000007c28f0000, 0x00000007d5560000)
object space 1090496K, 99% used [0x0000000780000000,0x00000007c28c0bd0,0x00000007c28f0000)
PSPermGen total 63680K, used 51341K [0x000000077ae00000, 0x000000077ec30000, 0x0000000780000000)
object space 63680K, 80% used [0x000000077ae00000,0x000000077e0237c8,0x000000077ec30000)

Deoptimization events (10 events):
Event: 2895.497 Thread 0x000000000dff8800 Uncommon trap 42 fr.pc 0x00000000029cf0f0
Event: 2895.521 Thread 0x000000000dff8800 Uncommon trap 42 fr.pc 0x0000000002b5639c
Event: 2916.765 Thread 0x000000000dff8800 Uncommon trap -34 fr.pc 0x00000000029bb264
Event: 2916.765 Thread 0x000000000dff8800 Uncommon trap -34 fr.pc 0x00000000029bb264
Event: 2916.765 Thread 0x000000000dff8800 Uncommon trap -34 fr.pc 0x00000000029bb264
Event: 2916.765 Thread 0x000000000dff8800 Uncommon trap -34 fr.pc 0x00000000029bb264
Event: 2916.832 Thread 0x000000000dff8800 Uncommon trap -58 fr.pc 0x000000000323ebac
Event: 2916.832 Thread 0x000000000dff8800 Uncommon trap -58 fr.pc 0x000000000323ebac
Event: 2916.832 Thread 0x000000000dff8800 Uncommon trap -58 fr.pc 0x000000000323ebac
Event: 2916.832 Thread 0x000000000dff8800 Uncommon trap -58 fr.pc 0x000000000323ebac

Internal exceptions (10 events):
Event: 2933.641 Thread 0x000000000dffa000 Threw 0x00000007e48dd8e0 at C:\jdk7u2_64p\jdk7u15\hotspot\src\share\vm\prims\jvm.cpp:2888
Event: 2933.660 Thread 0x000000000dffa000 Threw 0x00000007e4d9b558 at C:\jdk7u2_64p\jdk7u15\hotspot\src\share\vm\prims\jvm.cpp:2888
Event: 2933.685 Thread 0x000000000dffa000 Threw 0x00000007e4d9b718 at C:\jdk7u2_64p\jdk7u15\hotspot\src\share\vm\prims\jvm.cpp:2888
Event: 2933.710 Thread 0x000000000dffa000 Threw 0x00000007e4d9b8d8 at C:\jdk7u2_64p\jdk7u15\hotspot\src\share\vm\prims\jvm.cpp:2888
Event: 2933.734 Thread 0x000000000dffa000 Threw 0x00000007e4d9ba98 at C:\jdk7u2_64p\jdk7u15\hotspot\src\share\vm\prims\jvm.cpp:2888
Event: 2933.752 Thread 0x000000000dffa000 Threw 0x00000007e4d9bc58 at C:\jdk7u2_64p\jdk7u15\hotspot\src\share\vm\prims\jvm.cpp:2888
Event: 2933.775 Thread 0x000000000dffa000 Threw 0x00000007e56d2930 at C:\jdk7u2_64p\jdk7u15\hotspot\src\share\vm\prims\jvm.cpp:2888
Event: 2933.797 Thread 0x000000000dffa000 Threw 0x00000007e56d2af0 at C:\jdk7u2_64p\jdk7u15\hotspot\src\share\vm\prims\jvm.cpp:2888
Event: 2933.818 Thread 0x000000000dffa000 Threw 0x00000007e56d2cb0 at C:\jdk7u2_64p\jdk7u15\hotspot\src\share\vm\prims\jvm.cpp:2888
Event: 2933.840 Thread 0x000000000dffa000 Threw 0x00000007e56d2e70 at C:\jdk7u2_64p\jdk7u15\hotspot\src\share\vm\prims\jvm.cpp:2888

Events (10 events):
Event: 2922.242 Executing VM operation: ParallelGCFailedAllocation done
Event: 2925.583 Executing VM operation: ParallelGCFailedAllocation
Event: 2928.615 Executing VM operation: ParallelGCFailedAllocation done
Event: 2929.375 Thread 0x000000000e005800 Thread added: 0x000000000e005800
Event: 2929.384 Executing VM operation: RevokeBias
Event: 2929.384 Executing VM operation: RevokeBias done
Event: 2929.384 Thread 0x000000000e005800 Thread exited: 0x000000000e005800
Event: 2930.819 Executing VM operation: ParallelGCFailedAllocation
Event: 2931.144 Executing VM operation: ParallelGCFailedAllocation done
Event: 2933.844 Executing VM operation: ParallelGCFailedAllocation


Dynamic libraries:
0x000000013fc50000 - 0x000000013fc83000 C:\Program Files\Java\jre7\bin\javaw.exe
0x0000000077360000 - 0x0000000077509000 C:\Windows\SYSTEM32\ntdll.dll
0x0000000076d80000 - 0x0000000076e9f000 C:\Windows\system32\kernel32.dll
0x000007fefd910000 - 0x000007fefd97b000 C:\Windows\system32\KERNELBASE.dll
0x000007feff580000 - 0x000007feff65b000 C:\Windows\system32\ADVAPI32.dll
0x000007feff210000 - 0x000007feff2af000 C:\Windows\system32\msvcrt.dll
0x000007feff2b0000 - 0x000007feff2cf000 C:\Windows\SYSTEM32\sechost.dll
0x000007fefded0000 - 0x000007fefdffd000 C:\Windows\system32\RPCRT4.dll
0x0000000076c80000 - 0x0000000076d7a000 C:\Windows\system32\USER32.dll
0x000007fefde50000 - 0x000007fefdeb7000 C:\Windows\system32\GDI32.dll
0x000007fefdec0000 - 0x000007fefdece000 C:\Windows\system32\LPK.dll
0x000007feff140000 - 0x000007feff209000 C:\Windows\system32\USP10.dll
0x000007fefbf10000 - 0x000007fefc104000 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll
0x000007fefe080000 - 0x000007fefe0f1000 C:\Windows\system32\SHLWAPI.dll
0x000007fefe1a0000 - 0x000007fefe1ce000 C:\Windows\system32\IMM32.DLL
0x000007fefefc0000 - 0x000007feff0c9000 C:\Windows\system32\MSCTF.dll
0x0000000074140000 - 0x0000000074211000 C:\Program Files\Java\jre7\bin\msvcr100.dll
0x0000000070a40000 - 0x000000007115f000 C:\Program Files\Java\jre7\bin\server\jvm.dll
0x000007fef3210000 - 0x000007fef3219000 C:\Windows\system32\WSOCK32.dll
0x000007feff0d0000 - 0x000007feff11d000 C:\Windows\system32\WS2_32.dll
0x000007feff660000 - 0x000007feff668000 C:\Windows\system32\NSI.dll
0x000007fefb5d0000 - 0x000007fefb60b000 C:\Windows\system32\WINMM.dll
0x0000000077520000 - 0x0000000077527000 C:\Windows\system32\PSAPI.DLL
0x00000000745a0000 - 0x00000000745af000 C:\Program Files\Java\jre7\bin\verify.dll
0x0000000074330000 - 0x0000000074358000 C:\Program Files\Java\jre7\bin\java.dll
0x0000000074500000 - 0x0000000074515000 C:\Program Files\Java\jre7\bin\zip.dll
0x0000000074530000 - 0x0000000074549000 C:\Program Files\Java\jre7\bin\net.dll
0x000007fefcff0000 - 0x000007fefd045000 C:\Windows\system32\mswsock.dll
0x000007fefcfe0000 - 0x000007fefcfe7000 C:\Windows\System32\wship6.dll
0x0000000074310000 - 0x0000000074321000 C:\Program Files\Java\jre7\bin\nio.dll
0x0000000073a90000 - 0x0000000073c23000 C:\Program Files\Java\jre7\bin\awt.dll
0x000007fefdd70000 - 0x000007fefde47000 C:\Windows\system32\OLEAUT32.dll
0x000007feff370000 - 0x000007feff573000 C:\Windows\system32\ole32.dll
0x000007fef7e00000 - 0x000007fef7e07000 c:\PROGRA~2\mcafee\SITEAD~1\x64\saHook.dll
0x000007fefd6f0000 - 0x000007fefd6ff000 C:\Windows\system32\CRYPTBASE.dll
0x000007fefba80000 - 0x000007fefba98000 C:\Windows\system32\DWMAPI.DLL
0x000007feec100000 - 0x000007feec2ff000 C:\Windows\system32\d3d9.dll
0x000007fefc8b0000 - 0x000007fefc8bc000 C:\Windows\system32\VERSION.dll
0x000007fefc620000 - 0x000007fefc627000 C:\Windows\system32\d3d8thk.dll
0x000007fee8820000 - 0x000007fee9957000 C:\Windows\system32\nvd3dumx.dll
0x000007fefc630000 - 0x000007fefc65c000 C:\Windows\system32\powrprof.dll
0x000007fefdb90000 - 0x000007fefdd67000 C:\Windows\system32\SETUPAPI.dll
0x000007fefd870000 - 0x000007fefd8a6000 C:\Windows\system32\CFGMGR32.dll
0x000007fefd8b0000 - 0x000007fefd8ca000 C:\Windows\system32\DEVOBJ.dll
0x0000000180000000 - 0x0000000180139000 C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPI64.dll
0x000007fefe1d0000 - 0x000007fefef58000 C:\Windows\system32\SHELL32.dll
0x00000000742d0000 - 0x0000000074304000 C:\Program Files\Java\jre7\bin\fontmanager.dll
0x0000000074280000 - 0x00000000742c1000 C:\Program Files\Java\jre7\bin\t2k.dll
0x000007fefd050000 - 0x000007fefd067000 C:\Windows\system32\CRYPTSP.dll
0x000007fefcd50000 - 0x000007fefcd97000 C:\Windows\system32\rsaenh.dll
0x000007fefcac0000 - 0x000007fefcade000 C:\Windows\system32\USERENV.dll
0x000007fefd7c0000 - 0x000007fefd7cf000 C:\Windows\system32\profapi.dll
0x000007fefb4e0000 - 0x000007fefb4f5000 C:\Windows\system32\NLAapi.dll
0x000007fefc5e0000 - 0x000007fefc5f5000 C:\Windows\system32\napinsp.dll
0x000007fefc5c0000 - 0x000007fefc5d9000 C:\Windows\system32\pnrpnsp.dll
0x000007fef9590000 - 0x000007fef95be000 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL
0x000007fefce70000 - 0x000007fefcecb000 C:\Windows\system32\DNSAPI.dll
0x000007fefc5b0000 - 0x000007fefc5bb000 C:\Windows\System32\winrnr.dll
0x00000000728c0000 - 0x00000000728e6000 C:\Program Files\Bonjour\mdnsNSP.dll
0x000007fefaf50000 - 0x000007fefaf77000 C:\Windows\system32\Iphlpapi.DLL
0x000007fefaf40000 - 0x000007fefaf4b000 C:\Windows\system32\WINNSI.DLL
0x000007fefc980000 - 0x000007fefc987000 C:\Windows\System32\wshtcpip.dll
0x000007fef9580000 - 0x000007fef9588000 C:\Windows\system32\rasadhlp.dll
0x000007fefae00000 - 0x000007fefae53000 C:\Windows\System32\fwpuclnt.dll
0x0000000074250000 - 0x0000000074280000 C:\Program Files\Java\jre7\bin\jpeg.dll
0x000007fefe100000 - 0x000007fefe199000 C:\Windows\system32\CLBCatQ.DLL
0x000007fefb910000 - 0x000007fefba3a000 C:\Windows\system32\WindowsCodecs.dll
0x000007fefd690000 - 0x000007fefd6e7000 C:\Windows\system32\apphelp.dll
0x000007fef6580000 - 0x000007fef65b5000 C:\Windows\system32\EhStorShell.dll
0x000007fefc400000 - 0x000007fefc52c000 C:\Windows\system32\PROPSYS.dll
0x000007fef6500000 - 0x000007fef6580000 C:\Windows\system32\ntshrui.dll
0x000007fefd560000 - 0x000007fefd583000 C:\Windows\system32\srvcli.dll
0x000007fef64f0000 - 0x000007fef64ff000 C:\Windows\system32\cscapi.dll
0x000007fefb410000 - 0x000007fefb41b000 C:\Windows\system32\slc.dll
0x0000000074110000 - 0x000000007413a000 C:\Program Files\Java\jre7\bin\dcpr.dll
0x00000000740e0000 - 0x0000000074104000 C:\Program Files\Java\jre7\bin\sunec.dll
0x0000000074590000 - 0x000000007459b000 C:\Program Files\Java\jre7\bin\sunmscapi.dll
0x000007fefd980000 - 0x000007fefdaea000 C:\Windows\system32\CRYPT32.dll
0x000007fefd860000 - 0x000007fefd86f000 C:\Windows\system32\MSASN1.dll
0x000007fef9ca0000 - 0x000007fef9d40000 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\comctl32.dll
0x000000000c7e0000 - 0x000000000c828000 C:\Users\West\AppData\Roaming\.technic\voltz\bin\natives\lwjgl64.dll
0x000007feebc60000 - 0x000007feebd7d000 C:\Windows\system32\OPENGL32.dll
0x000007fef57b0000 - 0x000007fef57dd000 C:\Windows\system32\GLU32.dll
0x000007feefc30000 - 0x000007feefd21000 C:\Windows\system32\DDRAW.dll
0x000007fefb260000 - 0x000007fefb268000 C:\Windows\system32\DCIMAN32.dll
0x0000000074240000 - 0x0000000074247000 C:\Program Files\Java\jre7\bin\jawt.dll
0x0000000067750000 - 0x0000000069134000 C:\Windows\system32\nvoglv64.DLL
0x000007fefd8d0000 - 0x000007fefd909000 C:\Windows\system32\WINTRUST.dll
0x000007fefb610000 - 0x000007fefb63d000 C:\Windows\system32\ntmarta.dll
0x000007fefef60000 - 0x000007fefefb2000 C:\Windows\system32\WLDAP32.dll
0x000007feebb30000 - 0x000007feebc52000 C:\Users\West\AppData\Roaming\.technic\voltz\bin\natives\OpenAL64.dll
0x000007fef6930000 - 0x000007fef69b8000 C:\Windows\system32\dsound.dll
0x000007fefc530000 - 0x000007fefc57b000 C:\Windows\System32\MMDevApi.dll
0x000007fefb420000 - 0x000007fefb45b000 C:\Windows\system32\wdmaud.drv
0x0000000074a70000 - 0x0000000074a76000 C:\Windows\system32\ksuser.dll
0x000007fefc600000 - 0x000007fefc609000 C:\Windows\system32\AVRT.dll
0x000007fefb340000 - 0x000007fefb38f000 C:\Windows\system32\AUDIOSES.DLL
0x000007fefb310000 - 0x000007fefb31a000 C:\Windows\system32\msacm32.drv
0x000007fefb2f0000 - 0x000007fefb308000 C:\Windows\system32\MSACM32.dll
0x000007fefb2e0000 - 0x000007fefb2e9000 C:\Windows\system32\midimap.dll
0x00000000740d0000 - 0x00000000740db000 C:\Program Files\Java\jre7\bin\management.dll
0x000007fefaca0000 - 0x000007fefacb1000 C:\Windows\system32\dhcpcsvc6.DLL
0x000007fefac80000 - 0x000007fefac98000 C:\Windows\system32\dhcpcsvc.DLL
0x000007feef970000 - 0x000007feefa95000 C:\Windows\system32\dbghelp.dll

VM Arguments:
java_command: org.spoutcraft.launcher.entrypoint.Start -Launcher C:\Users\West\Desktop\TechnicLauncher.exe
Launcher Type: SUN_STANDARD

Environment Variables:
CLASSPATH=.;C:\Program Files (x86)\Java\jre6\lib\ext\QTJava.zip
PATH=C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Program Files (x86)\Windows Live\Shared;C:\Program Files (x86)\QuickTime\QTSystem;C:\Program Files\Java\jre7\bin;C:\Program Files\Java\jre7\bin;C:\Program Files\Java\jre7\bin
USERNAME=West
OS=Windows_NT
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 23 Stepping 10, GenuineIntel



--------------- S Y S T E M ---------------

OS: Windows 7 , 64 bit Build 7601 Service Pack 1

CPU:total 4 (4 cores per cpu, 1 threads per core) family 6 model 23 stepping 10, cmov, cx8, fxsr, mmx, sse, sse2, sse3, ssse3, sse4.1, tsc

Memory: 4k page, physical 8387704k(3475360k free), swap 16773552k(11324756k free)

vm_info: Java HotSpot™ 64-Bit Server VM (23.7-b01) for windows-amd64 JRE (1.7.0_15-b03), built on Feb 15 2013 13:43:57 by "java_re" with unknown MS VC++:1600

time: Fri Mar 01 17:12:52 2013
elapsed time: 2935 seconds
  • 0

#30
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,018 posts
Run OTM once again. This time around click on the Cleanup button and follow the prompts. After a restart the application will be removed along with the quarantined items.

In regard to the JAVA error, seems that the Classpath was not modified during installation.

CLASSPATH=.;C:\Program Files (x86)\Java\jre6\lib\ext\QTJava.zip should point to the jre7 folder and not to the jre6, CLASSPATH=.;C:\Program Files\Java\jre7\lib\ext\QTJava.zip.

I would suggest that you uninstall JAVA once again and install the latest. Perhaps that would resolve the issue. If McAfee intervenes, disable it and start once again.

Keep me posted.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP