malware from link in facebook chat

Post by nemoaquis » August 24th, 2011, 8:29 am

Thank you in advance for your time and help.
Clicked a link in Facebook chat that directed to a site that looked like YouTube. Could not play the video; it instructed me to download an Adobe Flash update. Both sites appeared genuine at first glance. The YouTube page had comments from FB friends using FB profile pics.

The update file was unable to open once downloaded and caused the computer to shut down. It now always opens in safe mode; safe mode with networking works for net access. Two friends were also fooled into doing this on their computers. Ran Malwarebytes, HitmanPro and Spybot Search & Destroy. Malware was found on all computers; on one the removal appears to have been successful and it is running normally. The other two still repeatedly start in safe mode; on one computer Malwarebytes seemed to be removed without user intervention. All virus signature databases appear to be up to date.

The files C:\windows\ufa\ufa.exe and CoinMine may be involved.

Ran ComboFix and DDS; attached files below.

Any help greatly received.
.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.7600.16385
Run by USER at 19:47:00 on 2011-08-24
Microsoft Windows 7 Starter 6.1.7600.0.1252.60.1033.18.1014.509 [GMT 8:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www1.ap.dell.com/content/default ... l=en&s=gen
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GR469A~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [UIExec] "c:\program files\celcom broadband\UIExec.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6302ED27-4FAB-4BE3-8D74-4EA4ED78F58B} : NameServer = 192.168.1.254
TCP: Interfaces\{97A450A1-ADB3-4CA9-A4F2-7CC51089FF2C} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{97A450A1-ADB3-4CA9-A4F2-7CC51089FF2C}\255736B6371636B696E6E6 : DhcpNameServer = 165.21.100.88 165.21.83.88
TCP: Interfaces\{97A450A1-ADB3-4CA9-A4F2-7CC51089FF2C}\26A6162636 : DhcpNameServer = 192.168.123.254 0.0.0.0
TCP: Interfaces\{97A450A1-ADB3-4CA9-A4F2-7CC51089FF2C}\458656022416C636F6E697 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{97A450A1-ADB3-4CA9-A4F2-7CC51089FF2C}\75962756C6563737B4C4 : DhcpNameServer = 10.0.2.1
TCP: Interfaces\{97A450A1-ADB3-4CA9-A4F2-7CC51089FF2C}\8496070796564456241627 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{97A450A1-ADB3-4CA9-A4F2-7CC51089FF2C}\D457C64796D6564696160237F6C6574796F6E6 : DhcpNameServer = 192.168.2.1 203.142.82.222 202.169.33.222 203.142.84.222
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GRA32A~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GR469A~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\xnuqimeg.default\
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
.
============= SERVICES / DRIVERS ===============
.
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-6-27 13680]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-11-18 167936]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2009-11-18 81920]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-5 135664]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-8-24 1153368]
S2 UI Assistant Service;UI Assistant Service;c:\program files\celcom broadband\AssistantServices.exe [2011-6-5 255800]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-11-18 143840]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-5 135664]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-6-5 9216]
S3 qcusbser;Mobile Connector USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbser.sys [2010-8-15 103552]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-11-18 167424]
.
=============== Created Last 30 ================
.
2011-08-24 11:22:14 -------- d-sh--w- C:\$RECYCLE.BIN
2011-08-24 11:22:08 -------- d-----w- c:\users\user\appdata\local\temp
2011-08-24 11:06:59 98816 ----a-w- c:\windows\sed.exe
2011-08-24 11:06:59 518144 ----a-w- c:\windows\SWREG.exe
2011-08-24 11:06:59 256000 ----a-w- c:\windows\PEV.exe
2011-08-24 11:06:59 208896 ----a-w- c:\windows\MBR.exe
2011-08-24 10:15:24 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-24 10:15:19 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 09:06:30 -------- d-----w- c:\programdata\Hitman Pro
2011-08-24 07:14:39 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-08-24 07:14:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-23 14:37:48 -------- d-----w- c:\users\user\appdata\roaming\Malwarebytes
2011-08-23 14:37:41 -------- d-----w- c:\programdata\Malwarebytes
2011-08-23 14:37:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-23 13:53:31 -------- d-----w- c:\windows\ufa
2011-08-19 07:37:33 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c65742de-3bb6-4f17-98df-86f31c451e04}\mpengine.dll
2011-08-11 01:32:57 -------- d-----w- c:\users\user\appdata\roaming\opencpn
2011-08-11 01:32:09 -------- d-----w- c:\program files\OpenCPN
2011-08-11 01:19:02 860672 ----a-w- c:\program files\internet explorer\iedvtool.dll
2011-08-11 01:19:01 981504 ----a-w- c:\windows\system32\wininet.dll
2011-08-11 01:19:00 673040 ----a-w- c:\program files\internet explorer\iexplore.exe
2011-08-11 01:18:58 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-11 01:18:57 386048 ----a-w- c:\windows\system32\html.iec
2011-08-11 01:18:57 163328 ----a-w- c:\program files\internet explorer\ieproxy.dll
2011-08-11 01:18:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-08-11 01:18:08 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-11 01:18:06 3902336 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-11 01:16:47 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-11 01:15:47 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-08-11 01:06:20 94208 ----a-w- c:\program files\common files\system\ole db\msdaosp.dll
2011-08-11 01:06:20 86016 ----a-w- c:\windows\system32\odbccu32.dll
2011-08-11 01:06:20 81920 ----a-w- c:\windows\system32\odbccr32.dll
2011-08-11 01:06:20 319488 ----a-w- c:\windows\system32\odbcjt32.dll
2011-08-11 01:06:20 163840 ----a-w- c:\windows\system32\odbctrac.dll
2011-08-11 01:06:20 122880 ----a-w- c:\windows\system32\odbccp32.dll
2011-08-07 11:31:34 -------- d-----w- c:\program files\Totaltide
2011-08-07 11:31:33 -------- d-----w- c:\program files\common files\Chersoft
.
==================== Find3M ====================
.
2011-07-16 04:37:32 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 04:34:28 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:31:12 271360 ----a-w- c:\windows\system32\conhost.exe
2011-07-16 02:21:47 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21:47 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21:47 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21:47 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-06-11 02:37:19 2332672 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 19:48:14.58 ===============
.
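The script below is an added example, not code from the thread or from the MalwareRemoval.com helpers. It shows the first pass a helper makes over a log like the DDS output above (and the ComboFix "Files Created" layout posted later in the thread, which uses two timestamps per line): it flags security products reported as disabled, UAC policy values below their Windows 7 defaults, new items created directly under c:\windows that are not known tool drops, and any created path whose name matches the indicators the poster named (ufa, CoinMine). The sample input is a handful of lines copied from the log above; the allowlist of tool artefacts and the UAC defaults are my own assumptions, not something the page states.

```python
"""Added triage helper for DDS / ComboFix logs (not code from the thread).

Assumptions, not stated on the page: the KNOWN_TOOL_* allowlist (ComboFix's
sed/SWREG/PEV/MBR helpers, the Malwarebytes drivers, the scanners the poster
ran) and the Windows 7 UAC defaults in UAC_DEFAULTS are mine.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log in the thread, plus one line
# in ComboFix's "Files Created" layout for the same directory.
SAMPLE_LOG = r"""
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
=============== Created Last 30 ================
2011-08-24 11:06:59 98816 ----a-w- c:\windows\sed.exe
2011-08-24 11:06:59 208896 ----a-w- c:\windows\MBR.exe
2011-08-24 10:15:19 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 09:06:30 -------- d-----w- c:\programdata\Hitman Pro
2011-08-23 13:53:31 -------- d-----w- c:\windows\ufa
2011-08-11 01:19:01 981504 ----a-w- c:\windows\system32\wininet.dll
2011-08-23 13:53 . 2011-08-23 14:09 -------- d-----w- c:\windows\ufa
"""

# Names the poster reported (ufa.exe, CoinMine), matched as whole words.
REPORTED_INDICATORS = re.compile(r"\b(ufa|coinmine)\b", re.IGNORECASE)

# Assumed allowlist of artefacts left behind by the tools already run here.
KNOWN_TOOL_PATHS = {r"c:\windows\sed.exe", r"c:\windows\swreg.exe",
                    r"c:\windows\pev.exe", r"c:\windows\mbr.exe"}
KNOWN_TOOL_FRAGMENTS = ("malwarebytes", "hitman pro",
                        "spybot - search & destroy", r"\drivers\mbam")

# Windows 7 defaults for the UAC values DDS prints under mPolicies-system;
# a value below the default weakens elevation prompting.
UAC_DEFAULTS = {"ConsentPromptBehaviorAdmin": 5, "ConsentPromptBehaviorUser": 3,
                "EnableUIADesktopToggle": 0, "PromptOnSecureDesktop": 1}

SECURITY_PRODUCT = re.compile(r"^(AV|SP|FW): (.+?) \*(\w+)/(\w+)\* \{[0-9A-Fa-f-]+\}$")
POLICY = re.compile(r"^mPolicies-system: (\w+) = (\d+) \(0x[0-9A-Fa-f]+\)$")
# One pattern for both layouts: DDS "ts size attrs path" and
# ComboFix "created-ts . modified-ts size attrs path".
CREATED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r" (?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$")
# An item sitting directly in c:\windows (no deeper subfolder).
WINDOWS_ROOT_ITEM = re.compile(r"c:\\windows\\[^\\]+")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def is_known_tool_artifact(path: str) -> bool:
    p = path.lower()
    return p in KNOWN_TOOL_PATHS or any(frag in p for frag in KNOWN_TOOL_FRAGMENTS)


def triage(log_text: str) -> list[Finding]:
    """Return the points a helper would raise first when reading this log."""
    findings: list[Finding] = []
    seen_paths: set[str] = set()   # the same entry may appear in both DDS and ComboFix
    for line in log_text.splitlines():
        line = line.strip()
        if m := SECURITY_PRODUCT.match(line):
            kind, name, state, _defs = m.groups()
            if state.lower() != "enabled":
                findings.append(Finding("security-product", f"{kind} {name} is {state}"))
        elif m := POLICY.match(line):
            key, value = m.group(1), int(m.group(2))
            if key in UAC_DEFAULTS and value < UAC_DEFAULTS[key]:
                findings.append(Finding("uac-policy", f"{key}={value} (default {UAC_DEFAULTS[key]})"))
        elif m := CREATED.match(line):
            path = m.group("path")
            key = path.lower()
            if key in seen_paths or is_known_tool_artifact(path):
                continue
            seen_paths.add(key)
            name = key.rsplit("\\", 1)[-1]
            if REPORTED_INDICATORS.search(name):
                findings.append(Finding("reported-indicator", f"{m.group('ts')} {path}"))
            elif WINDOWS_ROOT_ITEM.fullmatch(key):
                # Updates land in system32 and friends; a new item straight in
                # c:\windows that no known tool dropped deserves a look.
                findings.append(Finding("new-in-windows-root", f"{m.group('ts')} {path}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.rule}] {finding.detail}")
```

Everything this prints is a lead, not a verdict: the allowlist has to be adjusted for whatever tools were actually run on the machine, and a helper will still want the Attach.txt and the full ComboFix log, as deltalima asks for below, before deciding on a fix.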

Re: malware from link in facebook chat

Post by deltalima » August 29th, 2011, 10:52 am

Checking your log - back soon.

Re: malware from link in facebook chat

Post by deltalima » August 29th, 2011, 11:04 am

Hi nemoaquis,

Welcome to the forum.

Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to take your computer to a repair shop.

Please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please do not run any scans or make any changes to the system unless I ask you to.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please Note:
The programs I ask you to run need to be run in Administrator Mode by right-clicking the program file and selecting: Run as Administrator.
Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program.
When prompted, please select: Allow. Reference: User Account Control (UAC) and Running as Administrator

You posted the DDS.txt file twice, please post the Attach.txt file.

Please also post the log file from when you ran Combofix.

You have described the symptoms of 3 computers, please describe exactly the current symptoms of only the one computer that you are posting logs for.

Re: malware from link in facebook chat

Post by nemoaquis » August 30th, 2011, 5:04 am

Thank you very much for your time.
I have searched for the extras.txt and DDS.txt; they no longer appear to be on my system. Which program do I download to produce them? I did not run the programs as administrator, including for the ComboFix text below.
Should I start all this from the beginning? I hope to be back online in 3 hours.

The symptoms for this computer are as above. It will only restart in safe mode no matter which option is selected after pressing F8; safe mode with networking is possible. The computer had avast running, but the owner of the computer thinks the trial period had expired. I know the address of the site the virus was downloaded from if that will help. Windows Security Center cannot be turned on. The Windows Malicious Software Removal Tool for August found no problems.

Thanks again, will be back online in about 3 hours

ComboFix 11-08-24.02 - USER 24/08/2011 19:09:12.1.2 - x86 NETWORK
Microsoft Windows 7 Starter 6.1.7600.0.1252.60.1033.18.1014.567 [GMT 8:00]
Running from: c:\users\USER\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\USER\AppData\Roaming\DataSafeDotNet.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))
.
.
2011-08-24 11:17 . 2011-08-24 11:18 -------- d-----w- c:\users\USER\AppData\Local\temp
2011-08-24 11:17 . 2011-08-24 11:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-24 10:15 . 2011-07-06 11:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-24 10:15 . 2011-07-06 11:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-24 09:06 . 2011-08-24 09:06 -------- d-----w- c:\programdata\Hitman Pro
2011-08-24 07:14 . 2011-08-24 09:05 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-08-24 07:14 . 2011-08-24 08:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-23 14:37 . 2011-08-23 14:37 -------- d-----w- c:\users\USER\AppData\Roaming\Malwarebytes
2011-08-23 14:37 . 2011-08-23 14:37 -------- d-----w- c:\programdata\Malwarebytes
2011-08-23 14:37 . 2011-08-24 10:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-23 13:53 . 2011-08-23 14:09 -------- d-----w- c:\windows\ufa
2011-08-19 07:37 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C65742DE-3BB6-4F17-98DF-86F31C451E04}\mpengine.dll
2011-08-11 01:32 . 2011-08-11 02:32 -------- d-----w- c:\users\USER\AppData\Roaming\opencpn
2011-08-11 01:32 . 2011-08-11 02:18 -------- d-----w- c:\program files\OpenCPN
2011-08-11 01:19 . 2011-06-21 05:34 860672 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2011-08-11 01:19 . 2011-06-21 05:36 981504 ----a-w- c:\windows\system32\wininet.dll
2011-08-11 01:19 . 2011-06-21 05:37 673040 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2011-08-11 01:18 . 2011-06-21 05:35 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-11 01:18 . 2011-06-21 05:34 163328 ----a-w- c:\program files\Internet Explorer\ieproxy.dll
2011-08-11 01:18 . 2011-06-21 04:26 386048 ----a-w- c:\windows\system32\html.iec
2011-08-11 01:18 . 2011-07-22 04:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-08-11 01:18 . 2011-06-23 04:38 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-11 01:18 . 2011-06-23 04:38 3902336 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-11 01:16 . 2011-07-09 02:26 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-11 01:15 . 2011-06-21 05:39 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-08-11 01:06 . 2011-06-15 09:04 86016 ----a-w- c:\windows\system32\odbccu32.dll
2011-08-11 01:06 . 2011-06-15 09:04 81920 ----a-w- c:\windows\system32\odbccr32.dll
2011-08-11 01:06 . 2011-06-15 09:04 319488 ----a-w- c:\windows\system32\odbcjt32.dll
2011-08-11 01:06 . 2011-06-15 09:04 163840 ----a-w- c:\windows\system32\odbctrac.dll
2011-08-11 01:06 . 2011-06-15 09:04 122880 ----a-w- c:\windows\system32\odbccp32.dll
2011-08-11 01:06 . 2011-06-15 09:04 94208 ----a-w- c:\program files\Common Files\System\Ole DB\msdaosp.dll
2011-08-07 11:31 . 2011-08-07 11:31 -------- d-----w- c:\program files\Totaltide
2011-08-07 11:31 . 2011-08-07 11:31 -------- d-----w- c:\program files\Common Files\Chersoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-19 11:22 . 2011-07-19 11:22 0 ---ha-w- c:\users\USER\AppData\Local\BITF009.tmp
2011-06-11 02:37 . 2011-07-14 00:46 2332672 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-18 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"UIExec"="c:\program files\Celcom Broadband\UIExec.exe" [2010-07-23 138552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-11-18 08:24 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-31 81920]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 135664]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 UI Assistant Service;UI Assistant Service;c:\program files\Celcom Broadband\AssistantServices.exe [2010-07-23 255800]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-03-12 143840]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 135664]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [x]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-06-03 9216]
R3 qcusbser;Mobile Connector USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbser.sys [2009-08-27 103552]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-24 167424]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 13680]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 10:05]
.
2011-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 10:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www1.ap.dell.com/content/default ... l=en&s=gen
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6302ED27-4FAB-4BE3-8D74-4EA4ED78F58B}: NameServer = 192.168.1.254
FF - ProfilePath - c:\users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\xnuqimeg.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-08-24 19:22:04
ComboFix-quarantined-files.txt 2011-08-24 11:22
.
Pre-Run: 168,327,045,120 bytes free
Post-Run: 168,046,669,824 bytes free
.
- - End Of File - - 6EDCA7A60528B581703147FA2D774C1E
nemoaquis
Active Member
 
Posts: 10
Joined: August 24th, 2011, 7:34 am
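The ComboFix log above lists each new file as created time, modified time, size (dashes for a directory), an attribute string and the path. As an added example for this thread, not a ComboFix or MalwareRemoval.com tool, the Python script below parses that "Files Created" format and flags entries created inside the incident window that deserve a closer look. The flagging rules (a new top-level directory under c:\windows, an executable dropped under AppData\Roaming, Temp or ProgramData, a hidden file) are this example's own heuristics, the window dates are assumed from the timestamps in the thread, and the sample lines are copied from the log posted above.

```python
"""Triage the 'Files Created' section of a ComboFix log.

Added example for this thread; it is not a ComboFix or MalwareRemoval.com tool.
Each log line has the shape
    <created> . <modified> <size|--------> <attrs> <path>
e.g. '2011-08-23 13:53 . 2011-08-23 14:09 -------- d-----w- c:\\windows\\ufa'.
The flagging rules below are this example's own heuristics.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd")
# Locations a standard user can write to; an executable dropped here during
# the incident window deserves a look (legitimate installers use them too).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\programdata\\")


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None when ComboFix prints '--------' (a directory)
    attrs: str            # ComboFix attribute string, e.g. 'd-----w-' or '---ha-w-'
    path: str             # lower-cased for matching

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one 'Files Created' line; return None for headers, dots and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(
        created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
        modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
        size=size,
        attrs=m["attrs"],
        path=m["path"].lower(),
    )


def triage(entry: Entry, start: datetime, end: datetime) -> List[str]:
    """Return the reasons an entry created inside [start, end] deserves review."""
    if not (start <= entry.created <= end):
        return []
    reasons = []
    p = entry.path
    if entry.is_dir and re.fullmatch(r"c:\\windows\\[^\\]+", p):
        reasons.append("new top-level directory under c:\\windows")
    if not entry.is_dir and p.endswith(EXEC_EXT) and any(d in p for d in USER_WRITABLE):
        reasons.append("executable written to a user-writable location")
    if entry.is_hidden and not entry.is_dir:
        reasons.append("hidden file")
    return reasons


def triage_log(text: str, start: datetime, end: datetime) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons, in log order."""
    flagged: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = triage(entry, start, end)
        if reasons:
            flagged[entry.path] = reasons
    return flagged


# Sample lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2011-08-24 11:17 . 2011-08-24 11:18 -------- d-----w- c:\users\USER\AppData\Local\temp
2011-08-24 10:15 . 2011-07-06 11:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-24 09:06 . 2011-08-24 09:06 -------- d-----w- c:\programdata\Hitman Pro
2011-08-23 14:37 . 2011-08-23 14:37 -------- d-----w- c:\users\USER\AppData\Roaming\Malwarebytes
2011-08-23 13:53 . 2011-08-23 14:09 -------- d-----w- c:\windows\ufa
2011-08-11 01:19 . 2011-06-21 05:36 981504 ----a-w- c:\windows\system32\wininet.dll
"""
# Incident window (assumed from the thread): the link was clicked the day
# before the log was taken, and the log itself is dated 2011-08-24.
WINDOW_START = datetime(2011, 8, 23, 0, 0)
WINDOW_END = datetime(2011, 8, 24, 23, 59)

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG, WINDOW_START, WINDOW_END).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run against the sample lines, only c:\windows\ufa is reported, which is the directory the poster already suspected; the Windows Update files under system32 and the scanner installs fall outside the rules. The window is the important knob: without it, every patch and every tool installed during cleanup would be flagged too.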

Re: malware from link in facebook chat

Unread postby deltalima » August 30th, 2011, 5:43 am

The computer had avast running but the owner of the computer thinks the trial period had expired.


Is this not your computer?

Attach.txt and DDS.txt are created by DDS. Please run DDS again and post Attach.txt.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: malware from link in facebook chat

Unread postby nemoaquis » August 30th, 2011, 8:32 am

This computer belongs to my friend who has been kind enough to let me use it for emails and facebook. This makes the fact that I got it infected all the worse. Fortunately they have been understanding.

extras.txt below
Thank you

OTL Extras logfile created on: 8/29/2011 6:27:34 PM - Run 1
OTL by OldTimer - Version 3.2.26.6 Folder = C:\Users\USER\Desktop
Starter Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Malaysia | Language: ENM | Date Format: d/M/yyyy

1014.43 Mb Total Physical Memory | 643.78 Mb Available Physical Memory | 63.46% Memory free
1.99 Gb Paging File | 1.61 Gb Available in Paging File | 81.12% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 218.20 Gb Total Space | 156.06 Gb Free Space | 71.52% Space Free | Partition Type: NTFS

Computer Name: USER-PC | User Name: USER | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2825751487-3836164688-3930067475-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{053E51D3-885D-425C-9586-EA5183C4C688}" = Function Keys
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{13766F76-6C8C-4E57-A9F3-3212D1C6E0D1}" = Dell DataSafe Online
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java(TM) 6 Update 14
"{3138EAD3-700B-4A10-B617-B3F8096EE30D}" = Dell Edoc Viewer
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{51C7AD07-C3F6-4635-8E8A-231306D810FE}" = Cisco LEAP Module
"{543A4F31-9590-416A-A621-42CEB4C6A694}" = Battery Meter
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}" = Cisco EAP-FAST Module
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90578106-70AF-4198-B9DE-1924FA83B03A}" = CapsLKNotify
"{93D34EE3-99B3-4DB1-8B0A-0A657466F90D}" = Celcom Broadband
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{E2A79F64-ECF0-4CEF-80A8-B29EDDD48A1E}" = TotalTide V1.0.11.0
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{E6CB6126-D120-4FB5-9D1B-E2E19003E66C}" = WSED
"{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}" = Cisco PEAP Module
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FEF06E73-A519-4510-8CF3-B66041B91D8A}" = EMSC
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Dell Webcam Central" = Dell Webcam Central
"Dell Wireless WLAN Card Utility" = Dell Wireless WLAN Card Utility
"DivX Setup.divx.com" = DivX Setup
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ESET Online Scanner" = ESET Online Scanner v3
"GoToAssist" = GoToAssist 8.0.0.514
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"InstallShield_{543A4F31-9590-416A-A621-42CEB4C6A694}" = Battery Meter
"InstallShield_{90578106-70AF-4198-B9DE-1924FA83B03A}" = CapsLKNotify
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"McAfee Security Scan" = McAfee Security Scan Plus
"Mobile Partner" = Mobile Partner
"Mozilla Firefox (3.6.20)" = Mozilla Firefox (3.6.20)
"OpenCPN_is1" = OpenCPN version 1.3.4
"Picasa 3" = Picasa 3
"RealPlayer 6.0" = RealPlayer
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.1.9
"Winamp" = Winamp

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/29/2011 5:04:00 AM | Computer Name = USER-PC | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 8/29/2011 5:04:00 AM | Computer Name = USER-PC | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 8/29/2011 5:04:00 AM | Computer Name = USER-PC | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 8/29/2011 5:04:00 AM | Computer Name = USER-PC | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 8/29/2011 5:04:00 AM | Computer Name = USER-PC | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 8/29/2011 5:04:00 AM | Computer Name = USER-PC | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 8/29/2011 5:04:00 AM | Computer Name = USER-PC | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 8/29/2011 5:04:00 AM | Computer Name = USER-PC | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 8/29/2011 5:04:00 AM | Computer Name = USER-PC | Source = Outlook | ID = 35
Description = Failed to determine if the store is in the crawl scope (error=0x8007043c).

Error - 8/29/2011 6:29:16 AM | Computer Name = USER-PC | Source = System Restore | ID = 8193
Description =

[ Broadcom Wireless LAN Events ]
Error - 12/9/2010 3:03:46 AM | Computer Name = USER-PC | Source = WLAN-Tray | ID = 0
Description = 15:03:46, Thu, Dec 09, 10 Error - Unable to gain access to user store


Error - 2/11/2011 4:43:23 AM | Computer Name = USER-PC | Source = WLAN-Tray | ID = 0
Description = 16:43:22, Fri, Feb 11, 11 Error - Unable to gain access to user store


[ OSession Events ]
Error - 7/27/2011 8:44:37 PM | Computer Name = USER-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 52581
seconds with 60 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 8/29/2011 5:22:41 AM | Computer Name = USER-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 8/29/2011 5:22:41 AM | Computer Name = USER-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 8/29/2011 5:22:41 AM | Computer Name = USER-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 8/29/2011 5:22:46 AM | Computer Name = USER-PC | Source = Service Control Manager | ID = 7001
Description = The HomeGroup Provider service depends on the Function Discovery Provider
Host service which failed to start because of the following error: %%1068

Error - 8/29/2011 5:22:46 AM | Computer Name = USER-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 8/29/2011 5:22:46 AM | Computer Name = USER-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 8/29/2011 5:22:46 AM | Computer Name = USER-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 8/29/2011 5:22:46 AM | Computer Name = USER-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 8/29/2011 5:22:46 AM | Computer Name = USER-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 8/29/2011 5:22:46 AM | Computer Name = USER-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068


< End of report >
nemoaquis
Active Member
 
Posts: 10
Joined: August 24th, 2011, 7:34 am

Re: malware from link in facebook chat

Unread postby deltalima » August 30th, 2011, 10:09 am

Hi nemoaquis,

  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: malware from link in facebook chat

Unread postby nemoaquis » August 30th, 2011, 10:30 am

As requested, thanks.

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: N/A, hr = 0x8007043c
Windows Product Key: *****-*****-MGJ3H-FT7VD-FG72J
Windows Product Key Hash: MajJQMO7x6C/zF514M1WFV804Hs=
Windows Product ID: 00342-OEM-8992707-00082
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7600.2.00010300.0.0.011
ID: {BED597E1-8CE7-4F3F-9B77-90027A752852}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Starter
Architecture: 0x00000000
Build lab: 7600.win7_gdr.110622-1503
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\npwatweb.dll[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watweb.dll[Hr = 0x80070003]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{BED597E1-8CE7-4F3F-9B77-90027A752852}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010300.0.0.011</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-FG72J</PKey><PID>00342-OEM-8992707-00082</PID><PIDType>2</PIDType><SID>S-1-5-21-2825751487-3836164688-3930067475</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron 1011</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A06</Version><SMBIOSVersion major="2" minor="5"/><Date>20090729000000.000000+000</Date></BIOS><HWID>CBB80600018400E4</HWID><UserLCID>4409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Malay Peninsula Standard Time(GMT+08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>CL09 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>64BC76978749586</Val><Hash>GW6PzcEVEDTVKeO5Ym5UUm41dBk=</Hash><Pid>89388-707-0441865-65257</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x8007043C' to display the error text.
Error: 0x8007043C

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: N/A
HealthStatus: 0x0000000000000000
Event Time Stamp: N/A
ActiveX: Not Registered - 0x80040154
Admin Service: Not Registered - 0x80040154
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: LAAAAAAAAgABAAIAAAAAAAAAAgABAAEAnJ/Yy+pO2HRIJ9b4iH/yF9Rechk=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC INTEL CALISTGA
FACP INTEL CALISTGA
HPET INTEL CALISTGA
BOOT PTLTD $SBFTBL$
MCFG INTEL CALISTGA
TCPA PTLTD CALISTGA
TMOR PTLTD
APIC INTEL CALISTGA
SLIC DELL CL09
SSDT SataRe SataPri
SSDT SataRe SataPri
SSDT SataRe SataPri
nemoaquis
Active Member
 
Posts: 10
Joined: August 24th, 2011, 7:34 am

Re: malware from link in facebook chat

Unread postby deltalima » August 30th, 2011, 12:41 pm

Hi nemoaquis,

Before we continue, please obtain permission from the owner, as removing malware is a potentially hazardous undertaking.

Remove P2P Programs

  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent


  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl Then click enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Also please uninstall Spybot - Search & Destroy.

MBRBackup
Download MBRBackup to your Desktop.
http://www.misec.net/products/MBRBackup.exe
Double-click MBRBackup.exe to launch the program. If prompted by your computer, allow it to run.
Click SaveMBR (top left corner) and save the backup file to your Desktop.
Exit the program.
It will have a name similar to MBR_2010-10-06.bin where the numbers correspond to the date the backup was made.


Analyze file(s).
Please visit Virustotal.

Click on browse > navigate to the MBR_2010-xx-xx.bin backup file > Click Open:

  • Press Send File - this will submit the file for testing.
  • Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
Example of web address: [image]
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
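The step above takes a raw copy of the first sector with MBRBackup and hands it to VirusTotal. As an added example for this thread, not MBRBackup, VirusTotal or forum code, the Python script below reads such a .bin and does the checks a responder would want before (or instead of) uploading: it verifies the 512-byte layout and 0x55AA signature, decodes the four partition entries, flags structural oddities (more than one bootable entry, invalid status bytes, overlapping entries), and prints the SHA-256 of the whole file, which is the hash VirusTotal keys its report on, plus a separate hash of the 446 bytes of bootstrap code for comparison with a clean machine running the same Windows build. The sample sector is constructed in the script; the Windows 7 style layout it uses (100 MB System Reserved partition followed by the system partition) is an assumption, not taken from the poster's disk.

```python
"""Sanity-check an MBRBackup .bin before uploading it to VirusTotal.

Added example for this thread; it is not MBRBackup, VirusTotal or forum code.
The MBR layout it parses is the standard one: 446 bytes of bootstrap code,
four 16-byte partition entries at offset 446, and the 0x55AA signature at 510.
The sample sector is constructed here, not taken from the poster's machine.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
PT_OFFSET = 446
SIG_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xAA"


@dataclass
class Partition:
    index: int
    status: int       # 0x80 = bootable, 0x00 = inactive; anything else is invalid
    type_id: int      # 0x07 = NTFS/exFAT, 0x00 = unused entry
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80


def parse_partitions(sector: bytes) -> List[Partition]:
    """Decode the four partition-table entries, skipping unused ones.
    Layout per entry: status, 3-byte CHS start, type, 3-byte CHS end,
    32-bit LBA start, 32-bit sector count (little-endian)."""
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id == 0:
            continue
        parts.append(Partition(i, status, type_id, lba_start, sectors))
    return parts


def check_mbr(sector: bytes) -> List[str]:
    """Structural findings that should make you look harder at the boot code."""
    if len(sector) != SECTOR:
        return [f"unexpected length {len(sector)}, expected {SECTOR}"]
    if sector[SIG_OFFSET:] != BOOT_SIGNATURE:
        return ["missing 0x55AA boot signature"]
    findings = []
    parts = parse_partitions(sector)
    if not parts:
        findings.append("empty partition table")
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"partition {p.index} has invalid status byte {p.status:#04x}")
    if sum(p.bootable for p in parts) > 1:
        findings.append("more than one partition marked bootable")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_start + a.sectors:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def boot_code_sha256(sector: bytes) -> str:
    """Hash of the bootstrap code only. Compare it with the same hash taken on a
    clean machine with the same Windows build; the partition table legitimately
    differs per disk, so the whole-file hash cannot be compared that way."""
    return hashlib.sha256(sector[:PT_OFFSET]).hexdigest()


def file_sha256(data: bytes) -> str:
    """Hash of the whole file; this is the value VirusTotal reports."""
    return hashlib.sha256(data).hexdigest()


def build_sample_mbr() -> bytes:
    """Constructed sample: NOP filler as boot code and an assumed Windows 7 style
    layout (100 MB System Reserved partition, then the system partition)."""
    boot_code = b"\x90" * PT_OFFSET
    entries = [
        (0x80, 0x07, 2048, 204800),       # System Reserved, bootable
        (0x00, 0x07, 206848, 457459712),  # system partition
        (0x00, 0x00, 0, 0),
        (0x00, 0x00, 0, 0),
    ]
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    print("file sha256     :", file_sha256(data))
    print("boot code sha256:", boot_code_sha256(data))
    for p in parse_partitions(data):
        print(f"  entry {p.index}: type {p.type_id:#04x} start {p.lba_start} "
              f"sectors {p.sectors}" + (" [bootable]" if p.bootable else ""))
    print("findings:", check_mbr(data) or "none")
```

Usage: `python mbrcheck.py MBR_2011-08-31.bin`. A clean table with no findings does not clear the sector; bootkits of the period mostly left the partition table alone and replaced only the bootstrap code, which is why the boot-code hash comparison against a known-good machine matters more than the structural checks.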

Re: malware from link in facebook chat

Unread postby nemoaquis » August 31st, 2011, 7:30 am

I misread your instruction "In the open text entry box please copy/paste appwiz.cpl Then click enter." (I will be more careful in reading future instructions). I accessed Add/Remove through the Control Panel. There appears to be no Run on the Windows 7 Start menu; opening appwiz.cpl directly or typing it into the Command Prompt under Accessories both took me to Add/Remove Programs.

Software uninstalled. µTorrent removed OK, no other P2P software. Spybot returned the error message "Service SBSD Security Centre Service failed to uninstall with error: Not found" and some parts could not be uninstalled but can be removed manually; in the Program Files Spybot folder this left advcheck.dll and SDWinSec.exe. Moved to the Recycle Bin.

http://www.virustotal.com/file-scan/rep ... 1314789125

Grateful thanks for your time and help.
nemoaquis
Active Member
Posts: 10
Joined: August 24th, 2011, 7:34 am

Re: malware from link in facebook chat

Unread postby deltalima » August 31st, 2011, 8:00 am

Hi nemoaquis,

TDSSKiller

  • Please Download TDSSKiller.zip and save it on your desktop.
  • Extract (unzip) its contents to your Desktop.
  • Double-click the TDSSKiller Folder on your desktop.
  • Right-click on TDSSKiller.exe and click Copy then Paste it directly on to your Desktop.
  • Important!: Run this fix once and once only.
  • Right click the TDSSKiller icon on your desktop and select: Run as Administrator.
  • A box will appear saying System scan completed.
  • If any Malicious objects are found click Cure > Continue > Reboot now.
  • A log file should be created on your C: drive named something like TDSSKiller.2.4.0.0 24.07.2010.
  • To find the log click Start > Computer > C:.
  • Please post the contents of that log in your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: malware from link in facebook chat

Unread postby nemoaquis » August 31st, 2011, 8:29 am

2011/08/31 20:25:30.0229 0948 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/08/31 20:25:31.0386 0948 ================================================================================
2011/08/31 20:25:31.0386 0948 SystemInfo:
2011/08/31 20:25:31.0387 0948
2011/08/31 20:25:31.0387 0948 OS Version: 6.1.7600 ServicePack: 0.0
2011/08/31 20:25:31.0387 0948 Product type: Workstation
2011/08/31 20:25:31.0387 0948 ComputerName: USER-PC
2011/08/31 20:25:31.0391 0948 UserName: USER
2011/08/31 20:25:31.0391 0948 Windows directory: C:\Windows
2011/08/31 20:25:31.0391 0948 System windows directory: C:\Windows
2011/08/31 20:25:31.0391 0948 Processor architecture: Intel x86
2011/08/31 20:25:31.0391 0948 Number of processors: 2
2011/08/31 20:25:31.0392 0948 Page size: 0x1000
2011/08/31 20:25:31.0392 0948 Boot type: Safe boot with network
2011/08/31 20:25:31.0392 0948 ================================================================================
2011/08/31 20:25:32.0843 0948 Initialize success
2011/08/31 20:25:42.0989 1900 ================================================================================
2011/08/31 20:25:42.0990 1900 Scan started
2011/08/31 20:25:42.0990 1900 Mode: Manual;
2011/08/31 20:25:42.0990 1900 ================================================================================
2011/08/31 20:25:43.0732 1900 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\Windows\system32\DRIVERS\1394ohci.sys
2011/08/31 20:25:43.0964 1900 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
2011/08/31 20:25:44.0180 1900 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\Windows\system32\DRIVERS\acpipmi.sys
2011/08/31 20:25:44.0384 1900 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
2011/08/31 20:25:44.0565 1900 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
2011/08/31 20:25:44.0712 1900 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
2011/08/31 20:25:44.0957 1900 AFD (0db7a48388d54d154ebec120461a0fcd) C:\Windows\system32\drivers\afd.sys
2011/08/31 20:25:45.0041 1900 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\DRIVERS\agp440.sys
2011/08/31 20:25:45.0144 1900 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
2011/08/31 20:25:45.0360 1900 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\DRIVERS\aliide.sys
2011/08/31 20:25:45.0416 1900 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\DRIVERS\amdagp.sys
2011/08/31 20:25:45.0471 1900 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\DRIVERS\amdide.sys
2011/08/31 20:25:45.0561 1900 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
2011/08/31 20:25:45.0723 1900 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
2011/08/31 20:25:45.0854 1900 amdsata (2101a86c25c154f8314b24ef49d7fbc2) C:\Windows\system32\DRIVERS\amdsata.sys
2011/08/31 20:25:46.0043 1900 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
2011/08/31 20:25:46.0104 1900 amdxata (b81c2b5616f6420a9941ea093a92b150) C:\Windows\system32\DRIVERS\amdxata.sys
2011/08/31 20:25:46.0263 1900 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys
2011/08/31 20:25:46.0525 1900 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
2011/08/31 20:25:46.0587 1900 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
2011/08/31 20:25:46.0775 1900 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/08/31 20:25:46.0845 1900 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
2011/08/31 20:25:47.0065 1900 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
2011/08/31 20:25:47.0258 1900 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/08/31 20:25:47.0359 1900 BCM42RLY (eb4434444e2721d721a8ac8d5d2ad26b) C:\Windows\system32\drivers\BCM42RLY.sys
2011/08/31 20:25:47.0551 1900 BCM43XX (919832d1a7d067119cd5ee29ba76327a) C:\Windows\system32\DRIVERS\bcmwl6.sys
2011/08/31 20:25:47.0781 1900 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
2011/08/31 20:25:47.0890 1900 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
2011/08/31 20:25:48.0095 1900 bowser (9a5c671b7fbae4865149bb11f59b91b2) C:\Windows\system32\DRIVERS\bowser.sys
2011/08/31 20:25:48.0171 1900 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2011/08/31 20:25:48.0226 1900 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2011/08/31 20:25:48.0328 1900 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
2011/08/31 20:25:48.0400 1900 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
2011/08/31 20:25:48.0455 1900 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
2011/08/31 20:25:48.0508 1900 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
2011/08/31 20:25:48.0644 1900 BthEnum (2865a5c8e98c70c605f417908cebb3a4) C:\Windows\system32\drivers\BthEnum.sys
2011/08/31 20:25:48.0725 1900 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
2011/08/31 20:25:48.0836 1900 BthPan (ad1872e5829e8a2c3b5b4b641c3eab0e) C:\Windows\system32\DRIVERS\bthpan.sys
2011/08/31 20:25:48.0913 1900 BTHPORT (88059ff1ded4472acd17eebabd393069) C:\Windows\System32\Drivers\BTHport.sys
2011/08/31 20:25:49.0023 1900 BTHUSB (80e6384beec03b8bd45edea29802d657) C:\Windows\System32\Drivers\BTHUSB.sys
2011/08/31 20:25:49.0097 1900 btwavdt (d282c14a69357d0e1bafaecc2ca98c3a) C:\Windows\system32\DRIVERS\btwavdt.sys
2011/08/31 20:25:49.0165 1900 btwrchid (02eb4d2b05967df2d32f29c84ab1fb17) C:\Windows\system32\DRIVERS\btwrchid.sys
2011/08/31 20:25:49.0487 1900 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
2011/08/31 20:25:49.0670 1900 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys
2011/08/31 20:25:49.0878 1900 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
2011/08/31 20:25:49.0955 1900 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
2011/08/31 20:25:50.0116 1900 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/08/31 20:25:50.0263 1900 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys
2011/08/31 20:25:50.0361 1900 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
2011/08/31 20:25:50.0546 1900 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
2011/08/31 20:25:50.0612 1900 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
2011/08/31 20:25:50.0697 1900 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
2011/08/31 20:25:50.0893 1900 CtClsFlt (b27d15c551a6678137c6b751b160756d) C:\Windows\system32\DRIVERS\CtClsFlt.sys
2011/08/31 20:25:51.0065 1900 DfsC (83d1ecea8faae75604c0fa49ac7ad996) C:\Windows\system32\Drivers\dfsc.sys
2011/08/31 20:25:51.0138 1900 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
2011/08/31 20:25:51.0252 1900 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
2011/08/31 20:25:51.0485 1900 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
2011/08/31 20:25:51.0593 1900 DXGKrnl (8b6c3464d7fac176500061dbfff42ad4) C:\Windows\System32\drivers\dxgkrnl.sys
2011/08/31 20:25:51.0878 1900 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
2011/08/31 20:25:52.0153 1900 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
2011/08/31 20:25:52.0334 1900 EMSC (cf460f454a0473e6c7ad846b94d8382a) C:\Windows\system32\DRIVERS\EMSC.SYS
2011/08/31 20:25:52.0404 1900 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\DRIVERS\errdev.sys
2011/08/31 20:25:52.0695 1900 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
2011/08/31 20:25:52.0750 1900 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
2011/08/31 20:25:52.0851 1900 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
2011/08/31 20:25:52.0946 1900 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
2011/08/31 20:25:53.0002 1900 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
2011/08/31 20:25:53.0073 1900 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/08/31 20:25:53.0160 1900 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
2011/08/31 20:25:53.0338 1900 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
2011/08/31 20:25:53.0393 1900 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
2011/08/31 20:25:53.0460 1900 fvevol (5592f5dba26282d24d2b080eb438a4d7) C:\Windows\system32\DRIVERS\fvevol.sys
2011/08/31 20:25:53.0564 1900 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
2011/08/31 20:25:53.0724 1900 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/08/31 20:25:53.0970 1900 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
2011/08/31 20:25:54.0059 1900 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/08/31 20:25:54.0129 1900 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/08/31 20:25:54.0197 1900 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
2011/08/31 20:25:54.0254 1900 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
2011/08/31 20:25:54.0491 1900 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys
2011/08/31 20:25:54.0637 1900 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys
2011/08/31 20:25:54.0767 1900 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys
2011/08/31 20:25:54.0980 1900 hwdatacard (63b3eff36272787619c1e773ed581693) C:\Windows\system32\DRIVERS\ewusbmdm.sys
2011/08/31 20:25:55.0053 1900 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys
2011/08/31 20:25:55.0469 1900 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/08/31 20:25:55.0650 1900 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\Windows\system32\DRIVERS\iaStorV.sys
2011/08/31 20:25:55.0893 1900 igfx (9467514ea189475a6e7fdc5d7bde9d3f) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/08/31 20:25:56.0167 1900 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
2011/08/31 20:25:56.0347 1900 IntcAzAudAddService (15d839bb1bd1bde95aae98b10ad88d8c) C:\Windows\system32\drivers\RTKVHDA.sys
2011/08/31 20:25:56.0492 1900 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys
2011/08/31 20:25:56.0620 1900 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
2011/08/31 20:25:56.0802 1900 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/08/31 20:25:56.0916 1900 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys
2011/08/31 20:25:57.0031 1900 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
2011/08/31 20:25:57.0156 1900 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
2011/08/31 20:25:57.0220 1900 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys
2011/08/31 20:25:57.0289 1900 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/08/31 20:25:57.0393 1900 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/08/31 20:25:57.0574 1900 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/08/31 20:25:57.0660 1900 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys
2011/08/31 20:25:57.0737 1900 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\Windows\system32\Drivers\ksecpkg.sys
2011/08/31 20:25:57.0929 1900 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/08/31 20:25:58.0130 1900 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
2011/08/31 20:25:58.0217 1900 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
2011/08/31 20:25:58.0288 1900 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2011/08/31 20:25:58.0378 1900 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2011/08/31 20:25:58.0596 1900 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
2011/08/31 20:25:58.0803 1900 massfilter (8d9c68fa8b7fbe0e225bde0bbcd8ce9b) C:\Windows\system32\drivers\massfilter.sys
2011/08/31 20:25:58.0923 1900 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
2011/08/31 20:25:58.0992 1900 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
2011/08/31 20:25:59.0171 1900 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
2011/08/31 20:25:59.0262 1900 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
2011/08/31 20:25:59.0445 1900 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
2011/08/31 20:25:59.0623 1900 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
2011/08/31 20:25:59.0728 1900 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys
2011/08/31 20:25:59.0838 1900 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys
2011/08/31 20:25:59.0923 1900 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
2011/08/31 20:26:00.0027 1900 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys
2011/08/31 20:26:00.0139 1900 mrxsmb (ca7570e42522e24324a12161db14ec02) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/08/31 20:26:00.0230 1900 mrxsmb10 (f965c3ab2b2ae5c378f4562486e35051) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/08/31 20:26:00.0309 1900 mrxsmb20 (25c38264a3c72594dd21d355d70d7a5d) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/08/31 20:26:00.0385 1900 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\Windows\system32\DRIVERS\msahci.sys
2011/08/31 20:26:00.0445 1900 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys
2011/08/31 20:26:00.0554 1900 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
2011/08/31 20:26:00.0615 1900 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
2011/08/31 20:26:00.0681 1900 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys
2011/08/31 20:26:00.0807 1900 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
2011/08/31 20:26:00.0966 1900 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/08/31 20:26:01.0035 1900 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
2011/08/31 20:26:01.0100 1900 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
2011/08/31 20:26:01.0174 1900 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/08/31 20:26:01.0308 1900 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
2011/08/31 20:26:01.0375 1900 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
2011/08/31 20:26:01.0542 1900 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
2011/08/31 20:26:01.0726 1900 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
2011/08/31 20:26:01.0894 1900 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\Windows\system32\drivers\ndis.sys
2011/08/31 20:26:02.0059 1900 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
2011/08/31 20:26:02.0141 1900 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/08/31 20:26:02.0296 1900 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/08/31 20:26:02.0364 1900 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/08/31 20:26:02.0421 1900 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys
2011/08/31 20:26:02.0522 1900 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
2011/08/31 20:26:02.0591 1900 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys
2011/08/31 20:26:02.0832 1900 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
2011/08/31 20:26:02.0934 1900 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
2011/08/31 20:26:03.0000 1900 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
2011/08/31 20:26:03.0103 1900 Ntfs (3795dcd21f740ee799fb7223234215af) C:\Windows\system32\drivers\Ntfs.sys
2011/08/31 20:26:03.0191 1900 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
2011/08/31 20:26:03.0325 1900 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\Windows\system32\DRIVERS\nvraid.sys
2011/08/31 20:26:03.0385 1900 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\Windows\system32\DRIVERS\nvstor.sys
2011/08/31 20:26:03.0451 1900 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\DRIVERS\nv_agp.sys
2011/08/31 20:26:03.0586 1900 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/08/31 20:26:03.0760 1900 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
2011/08/31 20:26:03.0821 1900 partmgr (ff4218952b51de44fe910953a3e686b9) C:\Windows\system32\drivers\partmgr.sys
2011/08/31 20:26:03.0890 1900 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
2011/08/31 20:26:03.0989 1900 pci (c858cb77c577780ecc456a892e7e7d0f) C:\Windows\system32\DRIVERS\pci.sys
2011/08/31 20:26:04.0080 1900 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\DRIVERS\pciide.sys
2011/08/31 20:26:04.0214 1900 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/08/31 20:26:04.0272 1900 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
2011/08/31 20:26:04.0351 1900 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
2011/08/31 20:26:04.0727 1900 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
2011/08/31 20:26:04.0808 1900 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
2011/08/31 20:26:05.0012 1900 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
2011/08/31 20:26:05.0115 1900 qcusbser (9ccf89372c5a04e97cd89b58ae697796) C:\Windows\system32\DRIVERS\qcusbser.sys
2011/08/31 20:26:05.0223 1900 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
2011/08/31 20:26:05.0329 1900 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
2011/08/31 20:26:05.0498 1900 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
2011/08/31 20:26:05.0558 1900 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
2011/08/31 20:26:05.0663 1900 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
2011/08/31 20:26:05.0770 1900 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/08/31 20:26:05.0944 1900 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/08/31 20:26:06.0043 1900 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
2011/08/31 20:26:06.0139 1900 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\Windows\system32\DRIVERS\rdbss.sys
2011/08/31 20:26:06.0225 1900 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
2011/08/31 20:26:06.0285 1900 RDPCDD (1e016846895b15a99f9a176a05029075) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/08/31 20:26:06.0430 1900 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
2011/08/31 20:26:06.0511 1900 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
2011/08/31 20:26:06.0594 1900 RDPWD (801371ba9782282892d00aadb08ee367) C:\Windows\system32\drivers\RDPWD.sys
2011/08/31 20:26:06.0708 1900 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\Windows\system32\drivers\rdyboost.sys
2011/08/31 20:26:06.0931 1900 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\Windows\system32\DRIVERS\rfcomm.sys
2011/08/31 20:26:07.0149 1900 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
2011/08/31 20:26:07.0276 1900 RSUSBSTOR (96f8dd546677aa5102150acc140377b3) C:\Windows\system32\Drivers\RtsUStor.sys
2011/08/31 20:26:07.0452 1900 RTL8167 (26a9d6227d12b9d9da5a81bb9b55d810) C:\Windows\system32\DRIVERS\Rt86win7.sys
2011/08/31 20:26:07.0593 1900 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/08/31 20:26:07.0690 1900 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/08/31 20:26:07.0856 1900 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\Windows\system32\DRIVERS\sbp2port.sys
2011/08/31 20:26:07.0953 1900 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\Windows\system32\DRIVERS\scfilter.sys
2011/08/31 20:26:08.0064 1900 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/08/31 20:26:08.0208 1900 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
2011/08/31 20:26:08.0376 1900 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
2011/08/31 20:26:08.0436 1900 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
2011/08/31 20:26:08.0587 1900 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\DRIVERS\sffdisk.sys
2011/08/31 20:26:08.0646 1900 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\DRIVERS\sffp_mmc.sys
2011/08/31 20:26:08.0715 1900 sffp_sd (4f1e5b0fe7c8050668dbfade8999aefb) C:\Windows\system32\DRIVERS\sffp_sd.sys
2011/08/31 20:26:08.0775 1900 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
2011/08/31 20:26:08.0902 1900 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\DRIVERS\sisagp.sys
2011/08/31 20:26:09.0039 1900 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2011/08/31 20:26:09.0107 1900 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
2011/08/31 20:26:09.0217 1900 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
2011/08/31 20:26:09.0326 1900 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
2011/08/31 20:26:09.0581 1900 srv (c4a027b8c0bd3fc0699f41fa5e9e0c87) C:\Windows\system32\DRIVERS\srv.sys
2011/08/31 20:26:09.0646 1900 srv2 (414bb592cad8a79649d01f9d94318fb3) C:\Windows\system32\DRIVERS\srv2.sys
2011/08/31 20:26:09.0737 1900 srvnet (ff207d67700aa18242aaf985d3e7d8f4) C:\Windows\system32\DRIVERS\srvnet.sys
2011/08/31 20:26:09.0870 1900 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
2011/08/31 20:26:09.0947 1900 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\DRIVERS\swenum.sys
2011/08/31 20:26:10.0073 1900 SynTP (b5d9bca58c9f50a6683ddbf5945c8f5e) C:\Windows\system32\DRIVERS\SynTP.sys
2011/08/31 20:26:10.0356 1900 Tcpip (c2daaeb48f3a47c410b041a0d2382ee1) C:\Windows\system32\drivers\tcpip.sys
2011/08/31 20:26:10.0488 1900 TCPIP6 (c2daaeb48f3a47c410b041a0d2382ee1) C:\Windows\system32\DRIVERS\tcpip.sys
2011/08/31 20:26:10.0656 1900 tcpipreg (e64444523add154f86567c469bc0b17f) C:\Windows\system32\drivers\tcpipreg.sys
2011/08/31 20:26:10.0732 1900 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\Windows\system32\drivers\tdpipe.sys
2011/08/31 20:26:10.0795 1900 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\Windows\system32\drivers\tdtcp.sys
2011/08/31 20:26:10.0862 1900 tdx (cb39e896a2a83702d1737bfd402b3542) C:\Windows\system32\DRIVERS\tdx.sys
2011/08/31 20:26:10.0919 1900 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\Windows\system32\DRIVERS\termdd.sys
2011/08/31 20:26:11.0104 1900 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/08/31 20:26:11.0281 1900 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\Windows\system32\DRIVERS\tunnel.sys
2011/08/31 20:26:11.0339 1900 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
2011/08/31 20:26:11.0415 1900 udfs (09cc3e16f8e5ee7168e01cf8fcbe061a) C:\Windows\system32\DRIVERS\udfs.sys
2011/08/31 20:26:11.0684 1900 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\DRIVERS\uliagpkx.sys
2011/08/31 20:26:11.0767 1900 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\Windows\system32\DRIVERS\umbus.sys
2011/08/31 20:26:11.0834 1900 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
2011/08/31 20:26:11.0953 1900 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\Windows\system32\Drivers\usbaapl.sys
2011/08/31 20:26:12.0010 1900 usbccgp (8455c4ed038efd09e99327f9d2d48ffa) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/08/31 20:26:12.0084 1900 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\DRIVERS\usbcir.sys
2011/08/31 20:26:12.0147 1900 usbehci (1c333bfd60f2fed2c7ad5daf533cb742) C:\Windows\system32\DRIVERS\usbehci.sys
2011/08/31 20:26:12.0241 1900 usbhub (ee6ef93ccfa94fae8c6ab298273d8ae2) C:\Windows\system32\DRIVERS\usbhub.sys
2011/08/31 20:26:12.0315 1900 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\DRIVERS\usbohci.sys
2011/08/31 20:26:12.0395 1900 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
2011/08/31 20:26:12.0475 1900 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys
2011/08/31 20:26:12.0565 1900 USBSTOR (d8889d56e0d27e57ed4591837fe71d27) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/08/31 20:26:12.0631 1900 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/08/31 20:26:12.0724 1900 usbvideo (f642a7e4bf78cfa359cca0a3557c28d7) C:\Windows\system32\Drivers\usbvideo.sys
2011/08/31 20:26:12.0913 1900 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\DRIVERS\vdrvroot.sys
2011/08/31 20:26:13.0010 1900 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/08/31 20:26:13.0103 1900 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
2011/08/31 20:26:13.0175 1900 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\Windows\system32\DRIVERS\vhdmp.sys
2011/08/31 20:26:13.0233 1900 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\DRIVERS\viaagp.sys
2011/08/31 20:26:13.0295 1900 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
2011/08/31 20:26:13.0347 1900 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\DRIVERS\viaide.sys
2011/08/31 20:26:13.0430 1900 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\Windows\system32\DRIVERS\volmgr.sys
2011/08/31 20:26:13.0535 1900 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
2011/08/31 20:26:13.0621 1900 volsnap (58df9d2481a56edde167e51b334d44fd) C:\Windows\system32\DRIVERS\volsnap.sys
2011/08/31 20:26:13.0722 1900 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
2011/08/31 20:26:13.0797 1900 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys
2011/08/31 20:26:13.0887 1900 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys
2011/08/31 20:26:14.0073 1900 vwifimp (a3f04cbea6c2a10e6cb01f8b47611882) C:\Windows\system32\DRIVERS\vwifimp.sys
2011/08/31 20:26:14.0162 1900 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
2011/08/31 20:26:14.0222 1900 WANARP (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/31 20:26:14.0267 1900 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/31 20:26:14.0403 1900 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
2011/08/31 20:26:14.0490 1900 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
2011/08/31 20:26:14.0697 1900 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
2011/08/31 20:26:14.0755 1900 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
2011/08/31 20:26:15.0064 1900 WinUsb (30fc6e5448d0cbaaa95280eeef7fedae) C:\Windows\system32\DRIVERS\WinUsb.sys
2011/08/31 20:26:15.0173 1900 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/08/31 20:26:15.0329 1900 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/08/31 20:26:15.0467 1900 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys
2011/08/31 20:26:15.0603 1900 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/08/31 20:26:15.0869 1900 ZTEusbmdm6k (3862318f85be7a91957ada5e814ed58c) C:\Windows\system32\DRIVERS\ZTEusbmdm6k.sys
2011/08/31 20:26:16.0078 1900 ZTEusbnmea (3862318f85be7a91957ada5e814ed58c) C:\Windows\system32\DRIVERS\ZTEusbnmea.sys
2011/08/31 20:26:16.0300 1900 ZTEusbser6k (3862318f85be7a91957ada5e814ed58c) C:\Windows\system32\DRIVERS\ZTEusbser6k.sys
2011/08/31 20:26:16.0446 1900 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
2011/08/31 20:26:16.0497 1900 Boot (0x1200) (4fe9eab627e56f69e84eece0334eb959) \Device\Harddisk0\DR0\Partition0
2011/08/31 20:26:16.0557 1900 Boot (0x1200) (410041d4b7f75bc3d84a2a7a660622eb) \Device\Harddisk0\DR0\Partition1
2011/08/31 20:26:16.0582 1900 ================================================================================
2011/08/31 20:26:16.0582 1900 Scan finished
2011/08/31 20:26:16.0582 1900 ================================================================================
2011/08/31 20:26:16.0639 1872 Detected object count: 0
2011/08/31 20:26:16.0639 1872 Actual detected object count: 0
2011/08/31 20:27:37.0282 1704 Deinitialize success
nemoaquis
Active Member
Posts: 10
Joined: August 24th, 2011, 7:34 am

Re: malware from link in facebook chat

Unread postby deltalima » August 31st, 2011, 8:42 am

Hi nemoaquis,

MBRCheck

Please download MBRCheck.exe to your desktop.
  • Double-click on MBRCheck.exe to run it.
  • It will show a black screen with some information.
  • If an unknown bootcode is found, you will have further options available to you; at this time press N, then press Enter twice.
  • If nothing unusual is found, just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file in your next reply.


Please download GMER Rootkit Scanner from here.
  • Right-click the .exe file and select: Run as Administrator. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO.
  • Run GMER again and click on the Rootkit tab.
  • Look at the right-hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and that no other actions, such as a scheduled antivirus scan, will occur while this scan completes. Also, do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it, right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information into your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: malware from link in facebook chat

Unread postby nemoaquis » August 31st, 2011, 9:25 am

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Starter Edition
Windows Information: (build 7600), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Inspiron 1011
Logical Drives Mask: 0x00000004

Kernel Drivers (total 153):

Processes (total 29):
0 System Idle Process
4 System
236 C:\Windows\System32\smss.exe
320 csrss.exe
356 csrss.exe
364 C:\Windows\System32\wininit.exe
392 C:\Windows\System32\winlogon.exe
456 C:\Windows\System32\services.exe
464 C:\Windows\System32\lsass.exe
472 C:\Windows\System32\lsm.exe
564 C:\Windows\System32\svchost.exe
640 C:\Windows\System32\svchost.exe
732 C:\Windows\System32\svchost.exe
764 C:\Windows\System32\svchost.exe
816 C:\Windows\System32\svchost.exe
860 C:\Windows\System32\svchost.exe
888 C:\Windows\System32\svchost.exe
1004 C:\Windows\System32\svchost.exe
1116 C:\Program Files\SUPERAntiSpyware\SASCore.exe
1264 C:\Windows\System32\svchost.exe
1420 C:\Windows\explorer.exe
1476 C:\Windows\System32\ctfmon.exe
624 C:\Windows\System32\svchost.exe
1456 C:\Windows\explorer.exe
1148 C:\Windows\explorer.exe
924 C:\Windows\explorer.exe
348 C:\Users\USER\Desktop\MBRCheck.exe
720 C:\Windows\System32\conhost.exe
1060 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`ac000000 (NTFS)

PhysicalDrive0 Model Number: ST9250315AS, Rev: 0003DEM1

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!

The program stopped working
Problem signature:
Problem Event Name: APPCRASH
Application Name: o8f64ifh.exe
Application Version: 1.0.15.15641
Application Timestamp: 4e21f2b1
Fault Module Name: o8f64ifh.exe
Fault Module Version: 1.0.15.15641
Fault Module Timestamp: 4e21f2b1
Exception Code: c0000005
Exception Offset: 0000c676
OS Version: 6.1.7600.2.0.0.768.11
Locale ID: 17417
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid= ... cid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt
nemoaquis
Active Member
Posts: 10
Joined: August 24th, 2011, 7:34 am

Re: malware from link in facebook chat

Unread postby deltalima » August 31st, 2011, 9:49 am

Hi nemoaquis,

After a thorough check, there is no evidence of active malware on the computer.

It is quite likely that the initial infection corrupted vital system files, and that is why the system will not boot into normal mode.

Realistically, the only option is to reinstall Windows from the Recovery partition.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK