I can't access all sites but McAfee!

August 11, 2012 at 01:14:33
Specs: Windows 7
Hi,

I hope this is the right place to post this question as I have seen similar posts here.

My laptop has two accounts. One of the accounts has this issue of not being able to access any McAfee-related sites at all, and I can't run any scan either. I always use Firefox, but for some reason even this appears to have broken down, with Explorer working less stably. Please help, I have no knowledge about malware and spyware issues. I only scan my laptop regularly using McAfee, assuming that it should take care of everything; apparently when I use the other account and do the scan it comes out with no detection, which I can't understand.

Please help...

Thanks
Chennai



#1
August 11, 2012 at 02:16:44
Try checking your firewall settings and see if it's banning anything to do with this. If that doesn't work, someone may have changed Parental Controls in McAfee.


#2
August 11, 2012 at 03:45:43
My firewall settings are controlled by McAfee; unfortunately I can't access the McAfee panel on this account now! So I can neither check what is banned nor what parental controls are currently in place...

And when I try opening McAfee services, I get a "scan unavailable" message and that my PC isn't connected to the internet, although my laptop is connected to the internet.



#3
August 11, 2012 at 05:11:06
Please find below my system specs,

Manufacturer: Hewlett-Packard
Model: HP Pavilion dv6 Notebook PC
OS: Windows 7
CPU/Ram: 2.399 GHz / 3893 MB
Video Card: Intel(R) HD Graphics ATI Mobility Radeon HD 5470
Sound Card: ATI High Definition Audio Device IDT High Definition Audio CODEC



#4
August 11, 2012 at 05:21:19
Run ESET & post the log please.

General clean up and Prep (Do prior to any AV scans)
http://www.computing.net/howtos/sho...
http://forums.majorgeeks.com/showth...
http://www.eset.eu/online-scanner
http://www.eset.com/us/online-scanner
How can I view the log file from ESET Online Scanner?
http://www.eset.eu/eset-online-scan...



#5
August 12, 2012 at 01:24:14
I couldn't connect with the links above to run ESET! Are there any other alternatives?


#6
August 12, 2012 at 01:40:11
"I couldn't connect with the links above to run ESET! are there any other alternatives?"

Go to a good computer and download it, put it on a thumb drive, and run it in Safe Mode with Networking.

More help in this very good step by step guide.

http://www.selectrealsecurity.com/m...

Get back, if you get stuck.



#7
August 12, 2012 at 08:18:55
John,

Thanks for the help. Please find below the report after the scan. There were 4 affected files which were cleaned; does it mean everything should be normal now?
Please advise...

C:\Users\JEYA\0.87850229209306.exe a variant of Win32/Kryptik.AJKL trojan cleaned by deleting - quarantined
C:\Users\JEYA\AppData\Local\ejfwjqbr\mpwjtqkf.exe a variant of Win32/Kryptik.AJKL trojan cleaned by deleting - quarantined
C:\Users\JEYA\AppData\Local\Temp\eurhvsjo.exe a variant of Win32/Kryptik.AJKL trojan cleaned by deleting - quarantined
C:\Users\JEYA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mpwjtqkf.exe a variant of Win32/Kryptik.AJKL trojan cleaned by deleting - quarantined



#8
August 12, 2012 at 14:27:07
"does it mean everything should be normal now?"
Doubt it; it takes multiple tools to get it clean.

Did you run TDSSKiller from the guide?

Post the log please.



#9
August 12, 2012 at 22:43:57
The TDSS scan resulted in no threats. I couldn't post the entire report as it was too large for this forum. Kindly let me know what I should do next.

Thanks


06:36:47.0666 7416 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
06:36:48.0929 7416
06:37:32.0632 7872 ============================================================
06:37:32.0632 7872 Scan finished
06:37:32.0632 7872 ============================================================
06:37:32.0642 6192 Detected object count: 0
06:37:32.0642 6192 Actual detected object count: 0



#10
August 12, 2012 at 23:37:59
"Kindly let me know what should I do next"

Refer the guide for Proxy.



#11
August 12, 2012 at 23:43:20
Are you referring to Farbar's MiniToolBox scan?


#12
August 12, 2012 at 23:54:02
I had to go & have a look, yes that's it.


#13
August 12, 2012 at 23:59:32
The log as below,

MiniToolBox by Farbar Version: 23-07-2012
Ran by JEYA (administrator) on 13-08-2012 at 07:58:18
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


**** End of log ****


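Two things in the MiniToolBox log above are worth understanding rather than just re-running. The hosts file (%SystemRoot%\System32\drivers\etc\hosts) is machine-wide, so a hijack there would have hit both accounts on the laptop; the Internet Explorer proxy values that "Reset IE Proxy Settings" clears live under HKEY_CURRENT_USER, so a proxy planted in one profile leaves the other profile's browsing untouched, which fits the symptoms reported in this thread. The following Python is an added example, not part of the thread or of MiniToolBox: it checks both places offline against constructed inputs. The vendor-domain list is an assumption to extend for your own environment.

```python
"""Triage of the two hijack points a block-AV trojan uses to keep a victim
off vendor sites: the hosts file and the browser proxy settings.
Added example; every sample input below is constructed, not taken from
the thread's machine."""
import re
from ipaddress import ip_address

# Illustrative list (assumption): domains a victim needs to reach for help.
SECURITY_DOMAINS = (
    "mcafee.com", "eset.com", "eset.eu", "malwarebytes.org",
    "bleepingcomputer.com", "microsoft.com", "windowsupdate.com",
)


def hosts_hijacks(hosts_text):
    """Return (hostname, ip) for every hosts-file line that pins a security
    vendor's domain to an address.  A clean Windows hosts file contains no
    such entries, so any hit is a hijack whether it points at 127.0.0.1,
    0.0.0.0 or a remote fake-vendor site."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ip_address(parts[0])
        except ValueError:
            continue                                  # not a hosts entry
        for host in parts[1:]:
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((h, str(ip)))
    return hits


def ie_proxy_findings(values):
    """values: the per-user HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\
    Internet Settings values as a dict (what "Reset IE Proxy Settings" clears).
    WinINET-based programs, not only IE, follow these settings."""
    out = []
    if values.get("ProxyEnable") == 1 and values.get("ProxyServer"):
        out.append("IE manual proxy: " + values["ProxyServer"])
    if values.get("AutoConfigURL"):
        out.append("IE PAC script: " + values["AutoConfigURL"])
    return out


_PREF = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(\d+))\);')


def firefox_proxy_findings(prefs_js):
    """Parse Firefox prefs.js.  network.proxy.type 1 = manual, 2 = PAC;
    0 = direct, 4 = auto-detect, 5 = system are not hijacks by themselves."""
    prefs = {}
    for m in _PREF.finditer(prefs_js):
        prefs[m.group(1)] = m.group(2) if m.group(2) is not None else int(m.group(3))
    out = []
    ptype = prefs.get("network.proxy.type")
    if ptype == 1:
        out.append("Firefox manual proxy: %s:%s" % (
            prefs.get("network.proxy.http"), prefs.get("network.proxy.http_port")))
    elif ptype == 2:
        out.append("Firefox PAC script: %s" % prefs.get("network.proxy.autoconfig_url"))
    return out


# Constructed samples in the Windows 7 layout; the vendor lines and the
# localhost proxy are what a block-AV infection typically leaves behind.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.mcafee.com us.mcafee.com
127.0.0.1 www.eset.com
0.0.0.0   downloads.malwarebytes.org
"""
SAMPLE_IE = {"ProxyEnable": 1, "ProxyServer": "http=127.0.0.1:8118", "AutoConfigURL": ""}
SAMPLE_PREFS = """user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8118);
"""

if __name__ == "__main__":
    for hit in hosts_hijacks(SAMPLE_HOSTS):
        print("hosts hijack: %s -> %s" % hit)
    for f in ie_proxy_findings(SAMPLE_IE) + firefox_proxy_findings(SAMPLE_PREFS):
        print(f)
```

On a live machine you would feed `hosts_hijacks` the real hosts file and `ie_proxy_findings` the values read from the affected user's HKCU hive (each account has its own), which is why the clean account in this thread never saw the problem.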

#14
August 13, 2012 at 00:05:22
"And when I try opening McAfee services, I get a scan unavailable message anfd that my PC isn't connected to internet although my laptop is connected to the internet"

You haven't told us if it fixed your problem.



#15
August 13, 2012 at 12:29:54
John,

Yes, that appears fixed and everything works fine with regard to McAfee, apart from the fact that I don't understand why McAfee wasn't able to trap these trojans and fix them for me in the first place. I can also access the McAfee website and Microsoft website without issue now.

So does this mean my laptop is free from viruses now?

Thanks



#16
August 13, 2012 at 12:57:06
"apart from the fact that I don't understand why in the first place McAfee wasn't able to trap these trojans and fix it for me?"

Malware Prevention
http://www.malwarevault.com/index.html
"There is no magic involved. The majority of malware is installed by the user themselves"



#17
August 13, 2012 at 12:58:37
"So does this mean my laptop is free from virus now?"
Maybe.

Run ComboFix
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.techsupportforum.com/sec...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
When finished, clear away any of the files and folders that were created by ComboFix.
Start > Run, Copy and Paste > ComboFix /uninstall and click OK.
Qoobox is a folder created by Combofix to quarantine any infected files.



#18
August 13, 2012 at 14:41:08
John,

Please find below the report from combofix scanning,

ComboFix 12-08-13.01 - JEYA 13/08/2012 22:09:51.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3894.2514 [GMT 1:00]
Running from: c:\users\JEYA\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\JEYA\AppData\Local\alhggfnp.log
c:\users\JEYA\AppData\Local\cebdsers.log
c:\users\JEYA\AppData\Local\evrqympf.log
c:\users\JEYA\AppData\Local\gsqsxnnf.log
c:\users\JEYA\AppData\Local\nsjfmpcc.log
c:\users\JEYA\AppData\Local\ojnsimjy.log
c:\users\JEYA\AppData\Local\pjdigtmp.log
c:\users\JEYA\AppData\Local\sceaoivt.log
c:\users\JEYA\AppData\Local\yyofclhy.log
c:\users\JEYA\Documents\~WRL0001.tmp
c:\users\JEYA\FacebookVideoCallSetup_v1.2.203.0.exe
c:\users\JEYA\GoToAssistDownloadHelper.exe
c:\users\JEYA\SPUDownloadManager_1111a.exe
c:\users\JEYA\videos\setup_Lidl-Photos.exe
c:\windows\SysWow64\muzapp.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-13 to 2012-08-13 )))))))))))))))))))))))))))))))
.
.
2012-08-13 21:22 . 2012-08-13 21:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-13 21:22 . 2012-08-13 21:22 -------- d-----w- c:\users\Anu\AppData\Local\temp
2012-08-12 15:33 . 2012-08-12 16:08 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-12 15:33 . 2012-08-12 16:08 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-12 12:44 . 2012-08-12 12:44 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-08-12 12:44 . 2012-08-12 12:44 -------- d-----r- c:\program files (x86)\Skype
2012-08-12 12:21 . 2012-08-12 12:21 -------- d-----w- c:\program files (x86)\ESET
2012-08-12 12:20 . 2012-08-12 12:20 -------- d-----w- c:\users\Anu\AppData\Roaming\Sony Corporation
2012-08-11 07:15 . 2012-08-11 07:15 -------- d-----w- c:\users\Anu\AppData\Roaming\McAFee TechCheck
2012-08-11 07:13 . 2012-08-11 07:19 -------- d-----w- c:\users\Anu\AppData\Roaming\TechCheck
2012-08-11 07:11 . 2012-08-11 07:11 -------- d-----w- c:\users\Anu\AppData\Roaming\McAfee
2012-08-10 06:28 . 2012-08-10 06:28 -------- d-----w- c:\users\Anu\AppData\Local\Macromedia
2012-08-10 06:25 . 2012-08-10 06:25 -------- d-----w- c:\users\Anu\AppData\Roaming\ICAClient
2012-08-10 06:25 . 2012-08-10 21:52 -------- d-----w- c:\users\Anu\AppData\Local\Citrix
2012-08-08 20:00 . 2012-08-10 06:16 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-08-08 05:40 . 2012-08-08 05:40 -------- d-----w- c:\windows\Sun
2012-08-04 08:52 . 2012-08-12 14:32 -------- d-----w- c:\users\JEYA\AppData\Local\ejfwjqbr
2012-07-17 23:05 . 2012-07-17 23:05 -------- d-----w- c:\users\JEYA\AppData\Roaming\Samsung
2012-07-17 20:36 . 2012-07-17 20:36 -------- d-----w- c:\program files (x86)\MarkAny
2012-07-17 20:36 . 2012-06-26 15:02 821824 ----a-w- c:\windows\SysWow64\dgderapi.dll
2012-07-17 20:36 . 2012-07-17 20:38 -------- d-----w- c:\program files (x86)\Samsung
2012-07-17 20:36 . 2012-07-17 20:38 -------- d-----w- c:\programdata\Samsung
2012-07-17 20:28 . 2012-07-17 20:28 -------- d-----w- c:\users\JEYA\AppData\Local\Downloaded Installations
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 18:03 . 2011-05-08 15:42 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-26 15:02 . 2012-06-26 15:02 90112 ----a-w- c:\windows\MAMCityDownload.ocx
2012-06-26 15:02 . 2012-06-26 15:02 330240 ----a-w- c:\windows\MASetupCaller.dll
2012-06-26 15:02 . 2012-06-26 15:02 30568 ----a-w- c:\windows\MusiccityDownload.exe
2012-06-26 15:02 . 2012-06-26 15:02 974848 ----a-w- c:\windows\SysWow64\cis-2.4.dll
2012-06-26 15:02 . 2012-06-26 15:02 81920 ----a-w- c:\windows\SysWow64\issacapi_bs-2.3.dll
2012-06-26 15:02 . 2012-06-26 15:02 65536 ----a-w- c:\windows\SysWow64\issacapi_pe-2.3.dll
2012-06-26 15:02 . 2012-06-26 15:02 57344 ----a-w- c:\windows\SysWow64\MTXSYNCICON.dll
2012-06-26 15:02 . 2012-06-26 15:02 57344 ----a-w- c:\windows\SysWow64\MK_Lyric.dll
2012-06-26 15:02 . 2012-06-26 15:02 57344 ----a-w- c:\windows\SysWow64\issacapi_se-2.3.dll
2012-06-26 15:02 . 2012-06-26 15:02 569344 ----a-w- c:\windows\SysWow64\muzdecode.ax
2012-06-26 15:02 . 2012-06-26 15:02 491520 ----a-w- c:\windows\SysWow64\muzapp.dll
2012-06-26 15:02 . 2012-06-26 15:02 49152 ----a-w- c:\windows\SysWow64\MaJGUILib.dll
2012-06-26 15:02 . 2012-06-26 15:02 45320 ----a-w- c:\windows\SysWow64\MAMACExtract.dll
2012-06-26 15:02 . 2012-06-26 15:02 45056 ----a-w- c:\windows\SysWow64\MaXMLProto.dll
2012-06-26 15:02 . 2012-06-26 15:02 45056 ----a-w- c:\windows\SysWow64\MACXMLProto.dll
2012-06-26 15:02 . 2012-06-26 15:02 40960 ----a-w- c:\windows\SysWow64\MTTELECHIP.dll
2012-06-26 15:02 . 2012-06-26 15:02 352256 ----a-w- c:\windows\SysWow64\MSLUR71.dll
2012-06-26 15:02 . 2012-06-26 15:02 258048 ----a-w- c:\windows\SysWow64\muzoggsp.ax
2012-06-26 15:02 . 2012-06-26 15:02 245760 ----a-w- c:\windows\SysWow64\MSCLib.dll
2012-06-26 15:02 . 2012-06-26 15:02 24576 ----a-w- c:\windows\SysWow64\MASetupCleaner.exe
2012-06-26 15:02 . 2012-06-26 15:02 200704 ----a-w- c:\windows\SysWow64\muzwmts.dll
2012-06-26 15:02 . 2012-06-26 15:02 155648 ----a-w- c:\windows\SysWow64\MSFLib.dll
2012-06-26 15:02 . 2012-06-26 15:02 143360 ----a-w- c:\windows\SysWow64\3DAudio.ax
2012-06-26 15:02 . 2012-06-26 15:02 135168 ----a-w- c:\windows\SysWow64\muzaf1.dll
2012-06-26 15:02 . 2012-06-26 15:02 131072 ----a-w- c:\windows\SysWow64\muzmpgsp.ax
2012-06-26 15:02 . 2012-06-26 15:02 122880 ----a-w- c:\windows\SysWow64\muzeffect.ax
2012-06-26 15:02 . 2012-06-26 15:02 118784 ----a-w- c:\windows\SysWow64\MaDRM.dll
2012-06-26 15:02 . 2012-06-26 15:02 110592 ----a-w- c:\windows\SysWow64\muzmp4sp.ax
2012-06-25 15:04 . 2012-06-25 15:04 1394248 ----a-w- c:\windows\SysWow64\msxml4.dll
2012-06-12 03:02 . 2012-07-12 18:09 3147264 ----a-w- c:\windows\system32\win32k.sys
2012-06-09 05:30 . 2012-07-11 05:32 14165504 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 05:50 . 2012-07-11 05:32 1880064 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:50 . 2012-07-11 05:32 2003968 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:09 . 2012-07-11 05:32 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:09 . 2012-07-11 05:32 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-02 22:19 . 2012-06-22 05:56 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 05:56 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 05:56 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 05:56 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 05:56 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 05:56 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 05:56 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 14:19 . 2012-06-22 05:55 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 14:15 . 2012-06-22 05:55 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 05:38 . 2012-07-11 05:32 95088 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:38 . 2012-07-11 05:32 152432 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:37 . 2012-07-11 05:32 459216 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:27 . 2012-07-11 05:32 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:27 . 2012-07-11 05:32 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:48 . 2012-07-11 05:32 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:48 . 2012-07-11 05:32 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:47 . 2012-07-11 05:32 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:42 . 2012-07-11 05:32 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2012-05-25 16:13 . 2011-07-08 22:27 162224 ----a-w- c:\windows\system32\mfevtps.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1712184]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-06-16 2736128]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2012-07-02 975288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-06-22 98304]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Easybits Recovery"="c:\program files (x86)\EasyBits For Kids\ezRecover.exe" [2010-06-02 61112]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2011-06-14 587320]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2011-08-24 651832]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-21 1675160]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2012-07-02 3524536]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-07-05 3048136]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-12 250056]
R3 btmaudio;Motorola Bluetooth Audio Service;c:\windows\system32\drivers\btmaud.sys [2010-05-20 42496]
R3 BTMCOM;Bluetooth Serial Port;c:\windows\system32\Drivers\btmcom.sys [2010-04-09 52736]
R3 Droppix Service;Droppix Service;c:\program files (x86)\Common Files\Droppix\DxService.exe [2008-02-01 151552]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-02-22 100912]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-14 113120]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-01-11 232992]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-05 346144]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-08 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-02-22 289664]
S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys [2011-06-22 64272]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2012-02-22 75936]
S1 MOBK835Filter;MOBK835Filter;c:\windows\system32\DRIVERS\MOBK835.sys [2010-10-14 66040]
S1 RapportCerberus_32029;RapportCerberus_32029;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\32029\RapportCerberus64_32029.sys [2011-10-18 396816]
S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2011-06-22 52496]
S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2011-06-22 61200]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-05-09 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-06-22 203264]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files\Motorola\Bluetooth\obexsrv.exe [2010-05-20 677128]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 ezSharedSvc;Easybits Services for Windows;c:\windows\System32\ezSharedSvcHost.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-05-21 103992]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2009-07-08 30520]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-06-14 26680]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-05-25 210616]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-05-25 162224]
S2 MOBK835backup;McAfee Online Backup Service;c:\program files (x86)\McAfee Online Backup\MOBK835backup.exe [2010-10-14 208696]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2011-08-24 430136]
S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-06-22 870200]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-05-01 2533400]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-06-22 6856704]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-06-22 264192]
S3 Bluetooth Device Manager;Bluetooth Device Manager;c:\program files\Motorola\Bluetooth\devmgrsrv.exe [2010-06-29 4181256]
S3 Bluetooth Media Service;Bluetooth Media Service;c:\program files\Motorola\Bluetooth\audiosrv.exe [2010-05-20 1096968]
S3 BTMNET;Motorola Bluetooth Network Adapter Service;c:\windows\system32\DRIVERS\btmnet.sys [2010-06-18 28672]
S3 BTMUSB;Motorola Bluetooth Radio Service;c:\windows\system32\Drivers\btmusb.sys [2010-06-29 3232768]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-02-22 65264]
S3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [2010-06-25 32880]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-09-16 1028096]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-05-01 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
S3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys [2010-06-22 10342240]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-02-22 487296]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [2011-04-21 1360960]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 58301823
*Deregistered* - 58301823
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-06-16 20:38 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-12 16:08]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3547650862-3911483610-2434007877-1000Core.job
- c:\users\JEYA\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-19 13:40]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3547650862-3911483610-2434007877-1000UA.job
- c:\users\JEYA\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-19 13:40]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3547650862-3911483610-2434007877-1003Core.job
- c:\users\Anu\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-16 14:24]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3547650862-3911483610-2434007877-1003UA.job
- c:\users\Anu\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-16 14:24]
.
2012-08-13 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\programdata\HP Photo Creations\MessageCheck.exe [2011-11-09 23:13]
.
2012-08-10 c:\windows\Tasks\HPCeeScheduleForAnu.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-13 22:15]
.
2012-08-10 c:\windows\Tasks\HPCeeScheduleForJEYA-HP$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-13 22:15]
.
2012-08-13 c:\windows\Tasks\HPCeeScheduleForJEYA.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-13 22:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK835]
@="{ae1faa88-1709-feae-29f0-71c9b2c38636}"
[HKEY_CLASSES_ROOT\CLSID\{ae1faa88-1709-feae-29f0-71c9b2c38636}]
2010-10-14 01:39 4719416 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBK835shell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK8352]
@="{5529903d-678c-3d35-4289-fefe62bafadc}"
[HKEY_CLASSES_ROOT\CLSID\{5529903d-678c-3d35-4289-fefe62bafadc}]
2010-10-14 01:39 4719416 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBK835shell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK8353]
@="{666c8f4a-83e6-bf31-5b56-822b5a4ce88b}"
[HKEY_CLASSES_ROOT\CLSID\{666c8f4a-83e6-bf31-5b56-822b5a4ce88b}]
2010-10-14 01:39 4719416 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBK835shell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-22 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-22 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-22 414744]
"BTMTrayAgent"="c:\program files\Motorola\Bluetooth\btmshell.dll" [2010-06-10 24783624]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-20 611896]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-05-09 487424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: {{bd707fe6-39f6-4bda-9265-86a76719bdc5} - c:\program files\Motorola\Bluetooth\btmiesend.htm
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
DPF: {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} - hxxps://vpncrw.cggveritas.com/+CSCOL+/csvrloader32.cab
FF - ProfilePath - c:\users\JEYA\AppData\Roaming\Mozilla\Firefox\Profiles\5r8v5nj0.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-avupdate - c:\users\JEYA\AppData\Roaming\mahmud.exe
Wow6432Node-HKCU-Run-KiesAirMessage - c:\program files (x86)\Samsung\Kies\KiesAirMessage.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Citrix Web Client - c:\windows\system32\ctxsetup.exe
AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-13 22:33:28
ComboFix-quarantined-files.txt 2012-08-13 21:33
.
Pre-Run: 396,347,641,856 bytes free
Post-Run: 397,054,242,816 bytes free
.
- - End Of File - - 293862664EA8996894564AECB147919A



#19
August 13, 2012 at 14:48:52
Looking good, chennai.

Uninstall Combofix & for a final check, Run > MBAM.

How to uninstall combofix
http://www.bleepingcomputer.com/com...

Malwarebytes' Anti-Malware ( MBAM ) Use Quick scan.
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.malwarebytes.org/mbam.php
http://www.spywareinfoforum.com/ind...
http://www.bleepingcomputer.com/vir...
If your MBAM log indicates "No action taken", that's usually a result of NOT clicking the Remove Selected button after the scan.
Quick Scan versus Full Scan
http://forums.malwarebytes.org/inde...



#20
August 13, 2012 at 22:55:51
John,

Just when everything looked normal, I guess I have got myself into trouble again!
Last night I sensed similar issues to the above, so I repeated the ESET scan again in safe mode and found out there were RAMNIT viruses; about 109 files were infected and cleaned. Please find the report below. Can I continue the same steps again as above?
C:\HP\Bin\animatedlogo.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\HP\Bin\HPLocale.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\HP\Bin\hpqnt.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\HP\Bin\HPQSI.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\HP\Bin\Locale.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\HP\Bin\Sleep.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\HP\HPQWare\BingBar\x86\WizInstaller.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\HP\HPQWare\Skype\x86\WizInstaller.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\HP\HPQWare\WT_OemOrigin\x86\WizInstaller.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\AESTACap.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\AESTARen.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\AESTCom.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\AESTECap.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\AESTSrv.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\HPToneCtrls32.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\idtmini1.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\IDTPIMA.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\slcshp32.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\slh36032.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\sltshd32.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\sluapo32.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\staco.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\stapi32.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\stapo.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\stcplx.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\stlang.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\Vista\suhlp.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\WinXP\AESTCom.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\WinXP\AESTFltr.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\WinXP\staco.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\WinXP\stlang.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Audio\WDM\WinXP\suhlp.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Chipset\CSVer.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\MEI\MEWMIProv\MeProv.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\MEI\MEWMIProv\StatusStrings.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\MEI\MEWMIProv\xerces-c_2_7.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\MEI\NAC_PP\IntelAMTPP.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\MEI\UNS\xerces-c_2_7.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Network\WIN7\32\RTNUninst32.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\mfc80u.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\msvcp80.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\msvcr80.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Bin\ATILog.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Bin\ATIManifestDLMExt.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Bin\CompressionDLMExt.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Bin\ControlCenterActions.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Bin\DLMCom.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Bin\EncryptionDLMExt.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Bin\InstallManager.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Bin\InstallManagerApp.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Bin\LanguageMgr.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Bin\mfc80u.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Bin\msvcp80.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Bin\msvcr80.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Bin\PackageManager.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Bin\xerces-c_2_6.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\Drivers\Video\Packages\Drivers\Display\W7_INF\B101662\coinst.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\LSSS\LsDriveDetect\LSDriveDetect.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\LSSS\LsDriveDetect\msvcm80.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\LSSS\LsDriveDetect\msvcp80.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\LSSS\LsDriveDetect\msvcr80.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSDVD\src\HPDUtil.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSDVD\src\PatchDxRender.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSDVD\src\VerCheck.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSDVD\WizInstaller\x86\WizInstaller.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSMenu\WizInstaller\x86\WizInstaller.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSMovieTV\WizInstaller\x86\WizInstaller.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSMusic\src\VerCheck.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSMusic\WizInstaller\x86\WizInstaller.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSPhoto\src\vcredist_x86.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSPhoto\WizInstaller\x86\WizInstaller.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSVideo\HPMSTSDVDMenu\src\VerCheck.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSVideo\HPMSTSMovieTheme\src\VerCheck.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSVideo\WizInstaller\x86\WizInstaller.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSWebcam\src\vcredist_x86.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\MSWebcam\WizInstaller\x86\WizInstaller.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\AESTACap.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\AESTARen.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\AESTCom.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\AESTECap.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\AESTSrv.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\HPToneCtrls32.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\idtmini1.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\IDTPIMA.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\slcshp32.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\slh36032.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\sltshd32.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\sluapo32.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\stapi32.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\stapo.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\stcplx.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\stlang.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\Vista\suhlp.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\WinXP\AESTCom.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\WinXP\AESTFltr.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\WinXP\staco.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\WinXP\stlang.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp50642\WDM\WinXP\suhlp.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp55299\AtpTimerInfo.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp55299\FlsHook.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp55299\FlsHookDll.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp55299\InsydeFlash.exe a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp55299\iscflash.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\SwSetup\sp55299\xerces-c_2_7.dll a variant of Win32/Ramnit.T virus deleted - quarantined
C:\Users\JEYA\AppData\Local\ejfwjqbr\mpwjtqkf.exe a variant of Win32/Injector.VCH trojan cleaned by deleting - quarantined
C:\Users\JEYA\AppData\Local\Temp\1jfuweif.exe a variant of Win32/Injector.VCH trojan cleaned by deleting - quarantined
C:\Users\JEYA\AppData\Local\Temp\eurhvsjo.exe a variant of Win32/Injector.VCH trojan cleaned by deleting - quarantined
C:\Users\JEYA\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\53331393-199fe270 Java/Exploit.Agent.NAO trojan deleted - quarantined
C:\Users\JEYA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mpwjtqkf.exe a variant of Win32/Injector.VCH trojan cleaned by deleting - quarantined



#21
August 14, 2012 at 00:50:55
"Can I continue the same steps again as above?"
Sure.


#22
August 14, 2012 at 01:14:34
John,

Please find below my version 2 ComboFix log; this was run after all the previous steps were completed.

ComboFix 12-08-13.01 - JEYA 14/08/2012 8:33.2.4 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3894.3157 [GMT 1:00]
Running from: c:\users\JEYA\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\JEYA\AppData\Local\alhggfnp.log
c:\users\JEYA\AppData\Local\cebdsers.log
c:\users\JEYA\AppData\Local\gsqsxnnf.log
c:\users\JEYA\AppData\Local\nsjfmpcc.log
c:\users\JEYA\AppData\Local\ojnsimjy.log
c:\users\JEYA\AppData\Local\pjdigtmp.log
c:\users\JEYA\AppData\Local\sceaoivt.log
.
.
((((((((((((((((((((((((( Files Created from 2012-07-14 to 2012-08-14 )))))))))))))))))))))))))))))))
.
.
2012-08-14 08:06 . 2012-08-14 08:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-14 08:06 . 2012-08-14 08:06 -------- d-----w- c:\users\Anu\AppData\Local\temp
2012-08-14 08:06 . 2012-08-14 08:06 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-08-14 07:22 . 2012-08-14 07:22 27256 ----a-w- c:\windows\system32\drivers\FixTDSS.sys
2012-08-14 07:22 . 2012-08-14 07:22 -------- d-----w- c:\users\JEYA\AppData\Roaming\FixTDSS
2012-08-13 22:40 . 2012-08-13 22:40 -------- d--h--w- c:\windows\AxInstSV
2012-08-13 22:37 . 2012-08-13 22:43 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-13 22:37 . 2012-08-13 22:43 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-13 21:53 . 2012-08-13 21:59 -------- d-----w- c:\program files (x86)\Google
2012-08-12 12:44 . 2012-08-12 12:44 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-08-12 12:44 . 2012-08-12 12:44 -------- d-----r- c:\program files (x86)\Skype
2012-08-12 12:21 . 2012-08-12 12:21 -------- d-----w- c:\program files (x86)\ESET
2012-08-12 12:20 . 2012-08-12 12:20 -------- d-----w- c:\users\Anu\AppData\Roaming\Sony Corporation
2012-08-11 07:15 . 2012-08-11 07:15 -------- d-----w- c:\users\Anu\AppData\Roaming\McAFee TechCheck
2012-08-11 07:13 . 2012-08-11 07:19 -------- d-----w- c:\users\Anu\AppData\Roaming\TechCheck
2012-08-11 07:11 . 2012-08-11 07:11 -------- d-----w- c:\users\Anu\AppData\Roaming\McAfee
2012-08-10 06:28 . 2012-08-10 06:28 -------- d-----w- c:\users\Anu\AppData\Local\Macromedia
2012-08-10 06:25 . 2012-08-10 06:25 -------- d-----w- c:\users\Anu\AppData\Roaming\ICAClient
2012-08-10 06:25 . 2012-08-10 21:52 -------- d-----w- c:\users\Anu\AppData\Local\Citrix
2012-08-08 20:00 . 2012-08-10 06:16 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-08-08 05:40 . 2012-08-08 05:40 -------- d-----w- c:\windows\Sun
2012-08-04 08:52 . 2012-08-13 23:36 -------- d-----w- c:\users\JEYA\AppData\Local\ejfwjqbr
2012-07-17 23:05 . 2012-07-17 23:05 -------- d-----w- c:\users\JEYA\AppData\Roaming\Samsung
2012-07-17 20:36 . 2012-07-17 20:36 -------- d-----w- c:\program files (x86)\MarkAny
2012-07-17 20:36 . 2012-06-26 15:02 821824 ----a-w- c:\windows\SysWow64\dgderapi.dll
2012-07-17 20:36 . 2012-07-17 20:38 -------- d-----w- c:\program files (x86)\Samsung
2012-07-17 20:36 . 2012-07-17 20:38 -------- d-----w- c:\programdata\Samsung
2012-07-17 20:28 . 2012-07-17 20:28 -------- d-----w- c:\users\JEYA\AppData\Local\Downloaded Installations
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 18:03 . 2011-05-08 15:42 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-26 15:02 . 2012-06-26 15:02 90112 ----a-w- c:\windows\MAMCityDownload.ocx
2012-06-26 15:02 . 2012-06-26 15:02 330240 ----a-w- c:\windows\MASetupCaller.dll
2012-06-26 15:02 . 2012-06-26 15:02 30568 ----a-w- c:\windows\MusiccityDownload.exe
2012-06-26 15:02 . 2012-06-26 15:02 974848 ----a-w- c:\windows\SysWow64\cis-2.4.dll
2012-06-26 15:02 . 2012-06-26 15:02 81920 ----a-w- c:\windows\SysWow64\issacapi_bs-2.3.dll
2012-06-26 15:02 . 2012-06-26 15:02 65536 ----a-w- c:\windows\SysWow64\issacapi_pe-2.3.dll
2012-06-26 15:02 . 2012-06-26 15:02 57344 ----a-w- c:\windows\SysWow64\MTXSYNCICON.dll
2012-06-26 15:02 . 2012-06-26 15:02 57344 ----a-w- c:\windows\SysWow64\MK_Lyric.dll
2012-06-26 15:02 . 2012-06-26 15:02 57344 ----a-w- c:\windows\SysWow64\issacapi_se-2.3.dll
2012-06-26 15:02 . 2012-06-26 15:02 569344 ----a-w- c:\windows\SysWow64\muzdecode.ax
2012-06-26 15:02 . 2012-06-26 15:02 491520 ----a-w- c:\windows\SysWow64\muzapp.dll
2012-06-26 15:02 . 2012-06-26 15:02 49152 ----a-w- c:\windows\SysWow64\MaJGUILib.dll
2012-06-26 15:02 . 2012-06-26 15:02 45320 ----a-w- c:\windows\SysWow64\MAMACExtract.dll
2012-06-26 15:02 . 2012-06-26 15:02 45056 ----a-w- c:\windows\SysWow64\MaXMLProto.dll
2012-06-26 15:02 . 2012-06-26 15:02 45056 ----a-w- c:\windows\SysWow64\MACXMLProto.dll
2012-06-26 15:02 . 2012-06-26 15:02 40960 ----a-w- c:\windows\SysWow64\MTTELECHIP.dll
2012-06-26 15:02 . 2012-06-26 15:02 352256 ----a-w- c:\windows\SysWow64\MSLUR71.dll
2012-06-26 15:02 . 2012-06-26 15:02 258048 ----a-w- c:\windows\SysWow64\muzoggsp.ax
2012-06-26 15:02 . 2012-06-26 15:02 245760 ----a-w- c:\windows\SysWow64\MSCLib.dll
2012-06-26 15:02 . 2012-06-26 15:02 24576 ----a-w- c:\windows\SysWow64\MASetupCleaner.exe
2012-06-26 15:02 . 2012-06-26 15:02 200704 ----a-w- c:\windows\SysWow64\muzwmts.dll
2012-06-26 15:02 . 2012-06-26 15:02 155648 ----a-w- c:\windows\SysWow64\MSFLib.dll
2012-06-26 15:02 . 2012-06-26 15:02 143360 ----a-w- c:\windows\SysWow64\3DAudio.ax
2012-06-26 15:02 . 2012-06-26 15:02 135168 ----a-w- c:\windows\SysWow64\muzaf1.dll
2012-06-26 15:02 . 2012-06-26 15:02 131072 ----a-w- c:\windows\SysWow64\muzmpgsp.ax
2012-06-26 15:02 . 2012-06-26 15:02 122880 ----a-w- c:\windows\SysWow64\muzeffect.ax
2012-06-26 15:02 . 2012-06-26 15:02 118784 ----a-w- c:\windows\SysWow64\MaDRM.dll
2012-06-26 15:02 . 2012-06-26 15:02 110592 ----a-w- c:\windows\SysWow64\muzmp4sp.ax
2012-06-25 15:04 . 2012-06-25 15:04 1394248 ----a-w- c:\windows\SysWow64\msxml4.dll
2012-06-12 03:02 . 2012-07-12 18:09 3147264 ----a-w- c:\windows\system32\win32k.sys
2012-06-09 05:30 . 2012-07-11 05:32 14165504 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 05:50 . 2012-07-11 05:32 1880064 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:50 . 2012-07-11 05:32 2003968 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:09 . 2012-07-11 05:32 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:09 . 2012-07-11 05:32 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-02 22:19 . 2012-06-22 05:56 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 05:56 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 05:56 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 05:56 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 05:56 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-22 05:56 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 05:56 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 14:19 . 2012-06-22 05:55 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 14:15 . 2012-06-22 05:55 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 05:38 . 2012-07-11 05:32 95088 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:38 . 2012-07-11 05:32 152432 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:37 . 2012-07-11 05:32 459216 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:27 . 2012-07-11 05:32 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:27 . 2012-07-11 05:32 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:48 . 2012-07-11 05:32 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:48 . 2012-07-11 05:32 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:47 . 2012-07-11 05:32 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:42 . 2012-07-11 05:32 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2012-05-25 16:13 . 2011-07-08 22:27 162224 ----a-w- c:\windows\system32\mfevtps.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1712184]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-06-16 2736128]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2012-07-02 975288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-06-22 98304]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Easybits Recovery"="c:\program files (x86)\EasyBits For Kids\ezRecover.exe" [2010-06-02 61112]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2011-06-14 587320]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2011-08-24 651832]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-21 1675160]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2012-07-02 3524536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"FixTDSS"="start" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys [2011-06-22 64272]
R1 MOBK835Filter;MOBK835Filter;c:\windows\system32\DRIVERS\MOBK835.sys [2010-10-14 66040]
R1 RapportCerberus_32029;RapportCerberus_32029;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\32029\RapportCerberus64_32029.sys [2011-10-18 396816]
R1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2011-06-22 52496]
R1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2011-06-22 61200]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-05-09 89600]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-06-22 203264]
R2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files\Motorola\Bluetooth\obexsrv.exe [2010-05-20 677128]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
R2 ezSharedSvc;Easybits Services for Windows;c:\windows\System32\ezSharedSvcHost.exe [x]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-05-21 103992]
R2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2009-07-08 30520]
R2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-06-14 26680]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R2 MOBK835backup;McAfee Online Backup Service;c:\program files (x86)\McAfee Online Backup\MOBK835backup.exe [2010-10-14 208696]
R2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2011-08-24 430136]
R2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-06-22 870200]
R2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-07-05 3048136]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-05-01 2533400]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-13 250056]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-06-22 6856704]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-06-22 264192]
R3 Bluetooth Device Manager;Bluetooth Device Manager;c:\program files\Motorola\Bluetooth\devmgrsrv.exe [2010-06-29 4181256]
R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files\Motorola\Bluetooth\audiosrv.exe [2010-05-20 1096968]
R3 btmaudio;Motorola Bluetooth Audio Service;c:\windows\system32\drivers\btmaud.sys [2010-05-20 42496]
R3 BTMCOM;Bluetooth Serial Port;c:\windows\system32\Drivers\btmcom.sys [2010-04-09 52736]
R3 BTMNET;Motorola Bluetooth Network Adapter Service;c:\windows\system32\DRIVERS\btmnet.sys [2010-06-18 28672]
R3 BTMUSB;Motorola Bluetooth Radio Service;c:\windows\system32\Drivers\btmusb.sys [2010-06-29 3232768]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-02-22 65264]
R3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [2010-06-25 32880]
R3 Droppix Service;Droppix Service;c:\program files (x86)\Common Files\Droppix\DxService.exe [2008-02-01 151552]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-09-16 1028096]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
R3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys [2010-06-22 10342240]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-06-17 237008]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-02-22 100912]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-14 113120]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-01-11 232992]
R3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
R3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
R3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
R3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-05-08 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
S0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [2012-08-14 27256]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-02-22 289664]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2012-02-22 75936]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-05-25 210616]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-05-25 162224]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-05-01 56344]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-02-22 487296]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [2011-04-21 1360960]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-05 346144]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 03477883
*NewlyCreated* - FIXTDSS
*Deregistered* - 03477883
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-06-16 20:38 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-13 22:43]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3547650862-3911483610-2434007877-1000Core.job
- c:\users\JEYA\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-19 13:40]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3547650862-3911483610-2434007877-1000UA.job
- c:\users\JEYA\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-19 13:40]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3547650862-3911483610-2434007877-1003Core.job
- c:\users\Anu\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-16 14:24]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3547650862-3911483610-2434007877-1003UA.job
- c:\users\Anu\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-16 14:24]
.
2012-08-13 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\programdata\HP Photo Creations\MessageCheck.exe [2011-11-09 23:13]
.
2012-08-10 c:\windows\Tasks\HPCeeScheduleForAnu.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-13 22:15]
.
2012-08-10 c:\windows\Tasks\HPCeeScheduleForJEYA-HP$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-13 22:15]
.
2012-08-13 c:\windows\Tasks\HPCeeScheduleForJEYA.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-13 22:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK835]
@="{ae1faa88-1709-feae-29f0-71c9b2c38636}"
[HKEY_CLASSES_ROOT\CLSID\{ae1faa88-1709-feae-29f0-71c9b2c38636}]
2010-10-14 01:39 4719416 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBK835shell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK8352]
@="{5529903d-678c-3d35-4289-fefe62bafadc}"
[HKEY_CLASSES_ROOT\CLSID\{5529903d-678c-3d35-4289-fefe62bafadc}]
2010-10-14 01:39 4719416 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBK835shell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK8353]
@="{666c8f4a-83e6-bf31-5b56-822b5a4ce88b}"
[HKEY_CLASSES_ROOT\CLSID\{666c8f4a-83e6-bf31-5b56-822b5a4ce88b}]
2010-10-14 01:39 4719416 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBK835shell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-22 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-22 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-22 414744]
"BTMTrayAgent"="c:\program files\Motorola\Bluetooth\btmshell.dll" [2010-06-10 24783624]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-20 611896]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-05-09 487424]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: {{bd707fe6-39f6-4bda-9265-86a76719bdc5} - c:\program files\Motorola\Bluetooth\btmiesend.htm
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
DPF: {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} - hxxps://vpncrw.cggveritas.com/+CSCOL+/csvrloader32.cab
FF - ProfilePath - c:\users\JEYA\AppData\Roaming\Mozilla\Firefox\Profiles\5r8v5nj0.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Citrix Web Client - c:\windows\system32\ctxsetup.exe
AddRemove-EasyBits Magic Desktop - c:\windows\system32\ezMDUninstall.exe
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-14 09:09:09
ComboFix-quarantined-files.txt 2012-08-14 08:09
ComboFix2.txt 2012-08-13 21:33
.
Pre-Run: 405,603,995,648 bytes free
Post-Run: 405,299,933,184 bytes free
.
- - End Of File - - CFC5E0F4C4269D16FE7C93326B860740


#23
August 14, 2012 at 01:41:19
chennai, make sure you run everything already mentioned on this page & in the guide.

I suspect the virus has made a hidden partition. Use this.

Download GetPartitions from the link below. You must right click on the link and choose Save as... Save it as GetPartitions.bat on your desktop.
http://www.osvemu.com/getpartitions...
Double click it to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator").
It will produce C:\DiskReport.txt log, please post results from that log here. This will show if the infection has created a hidden partition.


#24
August 14, 2012 at 08:43:44
John, please find below the report,

Microsoft DiskPart version 6.1.7600
Copyright (C) 1999-2008 Microsoft Corporation.
On computer: JEYA-HP

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 E DVD-ROM 0 B No Media
Volume 1 SYSTEM NTFS Partition 199 MB Healthy System
Volume 2 C NTFS Partition 445 GB Healthy Boot
Volume 3 D RECOVERY NTFS Partition 20 GB Healthy
Volume 4 F HP_TOOLS FAT32 Partition 103 MB Healthy


#25
August 14, 2012 at 14:47:29
Hi chennai, if you suspect any of those partitions were not made by you or are not genuine, try this.

As usual, anything can happen when dealing with infections.

Trojan.Zeroaccess Removal Tool
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.symantec.com/business/se...
This application will allow users to detect and remove any traces left by Trojan.Zeroaccess infections.
If you are removing an infection from a network, first make sure that all the shares are disabled or set to Read Only.
The Removal Tool does the following:
· Terminates the associated processes
· Deletes the associated files
· Removes hidden partition unconditionally if detection occurs. Windows XP / Vista / 7.


#26
August 14, 2012 at 23:02:54
John,

Under My Computer, I can see all partitions except 'Volume 1 SYSTEM NTFS Partition 199 MB Healthy System'. Is it not that all the available partitions should be visible in Windows Explorer?
How can I be sure that this is genuine? I don't want to remove something that is required for the proper functioning of the system.

When you say disabling shares, do you mean the partitions?

Thanks
C


#27
August 15, 2012 at 00:19:37
"When you say disabling shares, are you meaning the partitions?"
I'm not saying anything about shares, that is on the web page I gave you.

I have just googled all your questions.

disabling shares windows 7
http://is.gd/0BCQVO

"Removes hidden partition unconditionally if detection occurs"
Now, I'm assuming it removes only infected partitions.

"Is it not that all the available partitions should be visible in Windows Explorer?"
The hidden partition is not visible under My Computer as no letter is assigned to it.

My install of W7 hasn't got any other partitions, because I chose not to.

100 MB - 200 MB partitions can be done during the install.

hidden partitions windows 7
http://is.gd/HnJ2ti
http://en.kioskea.net/faq/3917-wind...


#28
August 16, 2012 at 13:12:10
John,

The scan using Symantec's removal tool came up with a 'no infections found' result. I think things have returned to normal now, but I have decided to follow the tips on the avoid malware/spyware page that you showed above from now on.

Thanks for your help, effort and time, much appreciated.

C


#29
August 16, 2012 at 18:55:07
chennai, it is not that long ago that the Ramnit virus, regardless of the version, was considered irremovable. Maybe things have changed, but usually the system was compromised so much that all your docs, exes & many more became infected. Any online banking or sensitive work was hacked & the recommended fix was to stop online banking etc. or reinstall the operating system. ALL partitions must be deleted & the drive formatted to NTFS. Then change ALL passwords for banking etc.

Have you googled your version?

I have other ways of finding hidden partitions, if you decide to go down that path.


#30
August 17, 2012 at 13:59:39
John,

Please can you let me know the other ways to trace the hidden partitions? I'm just a little worried about Ramnit and want to make sure nothing is compromised before I commence my online banking.

Thanks
C


#31
August 17, 2012 at 18:57:22
"little worried about Ramnit"
chennai, getting infected is telling you your defences are not good enough. Any USB storage devices (thumb drives etc.) you have need to be cleaned.

Before we proceed, do this please.

Download Security Check by screen317 from one of the following links and save it to your desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Save it to your Desktop.
* Double click SecurityCheck.exe. If you run Windows Vista or 7, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; please post the contents of that document.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.


#32
August 18, 2012 at 04:26:41
John, please find below the contents of checkup.txt,

Results of screen317's Security Check version 0.99.46
Windows 7 x64 (UAC is disabled!)
Out of date service pack!! (http://windows.microsoft.com/en-US/windows7/install-windows-7-service-pack-1)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
McAfee Anti-Virus and Anti-Spyware
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Java(TM) 6 Update 30
Java version out of Date!
Adobe Reader X (10.1.4)
Mozilla Firefox (14.0.1)
````````Process Check: objlist.exe by Laurent````````
Symantec Norton Online Backup NOBuAgent.exe
McAfee Online Backup MOBK835backup.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````


#33
August 18, 2012 at 16:03:42
Thanks chennai, to get better security you need to update the Service Pack & your Java. Also with Java, check the size of the cache.
Reduce your Java Cache
http://www.steveshank.com/Newslette...
Dumping Java cache improves browser performance
http://windowssecrets.com/2009/11/1...

I use MSE AntiVirus.

Microsoft Security Essentials ( MSE )
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.techsupportalert.com/9be...
http://www.techsupportalert.com/bes...
http://lifehacker.com/5401453/stop-...
http://lifehacker.com/5433229/micro...
http://www.techradar.com/reviews/pc...
http://www.cnet.com.au/microsoft-se...
http://windows.microsoft.com/en-US/...
System requirements
http://www.microsoft.com/en-us/secu...
Can Microsoft Security Essentials (MSE) protect me for online banking and shopping?
http://answers.microsoft.com/en-us/...
If you choose to use Security Essentials, please follow the steps in this thread first, especially the part about removing all existing realtime antimalware:
http://social.answers.microsoft.com...


#34
August 18, 2012 at 16:05:08
When I googled re hidden partitions, I got this way to check, using GETxPUD.
Googling GETxPUD.exe you will get many more hits; they will probably differ from this way.

I found that by renaming the mbr.bin to mbr.txt (do it on a spare copy) I was able to read it with EditPad Lite. I got the mbr.bin from a site that had asked for it; clearly it said bad, confirmed by the infection expert.
EditPad Lite
http://www.softpedia.com/get/Office...
http://www.softpedia.com/progScreen...
http://www.editpadpro.com/editpadli...

To check if hidden partition is infected.

Try this please. You will need a USB drive.
Download GETxPUD.exe to the desktop of your clean computer
http://noahdfear.net/downloads/GETx...
Run GETxPUD.exe
A new folder will appear on the desktop.
Open the GETxPUD folder and click on the get&burn.bat
The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
Click on Start and follow the prompts to burn the image to a CD.
Remove the USB & CD and insert them in the sick computer
Boot the Sick computer with the CD you just burned
The computer must be set to boot from the CD
Gently tap F12 and choose to boot from the CD
Follow the prompts
A Welcome to xPUD screen will appear
Press File
Expand mnt
sda1,2...usually corresponds to your HDD
sdb1 is likely your USB
Click on the folder that represents your USB drive (sdb1 ?)
Press Tool at the top
Choose Open Terminal
Type the following and press enter:
dd if=/dev/sda of=mbr.bin bs=512 count=1
Press Enter
After it has finished a file will be located on your USB drive named mbr.bin
Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.
This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.
If infected.
Please insert the USB back in the good computer and download.
http://noahdfear.net/downloads/tdl_...
Back on the sick computer:
Boot into xPUD with the CD then click the File tab.
Press File
Expand mnt
Click on the folder under mnt that represents your USB drive (sdb1 ?)
You should see the tdl_fix.sh file in the main window.
Select Tool from the Menu
Choose Open Terminal
Type bash tdl_fix.sh then press Enter.
Read the warning then type y and press Enter to continue.
Type sda then press Enter when prompted.
You will be shown a list of partitions to choose marking active.
Type 2 then press Enter.
If you are presented with a warning about no bootloader files, type n then press Enter to choose another.
When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
The script will complete and prompt you to reboot the computer.
Close the Terminal window and restart back into Windows.
Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is running now, and what problems are left.


#35
August 18, 2012 at 16:34:43
Here is another to try.

Please download and run ListParts by Farbar (for 32-bit system):
http://download.bleepingcomputer.co...
Please download and run ListParts64 by Farbar (for 64-bit system):
http://download.bleepingcomputer.co...
Click on the Scan button.
The scan results will open in Notepad.
Post those results in your next reply.


#36
August 19, 2012 at 06:56:55
John,

I have done the Java cache clean up and also realised that my laptop didn't have the SP1 for WIN7. Managed to get that done as well.

With regards to the hidden partitions, honestly speaking what you have suggested appears to be quite a comprehensive approach, and I'm wondering whether it is worth checking my laptop to this extent. If the laptop had been infected, would it not have shown by some means with the updates and checks that we have done so far? Excuse me if I make no sense, I'm pretty much a layman in these areas, but I just wondered.

If you think it is best to get this done, I don't mind doing it but I only have one laptop, is it ok if I use the other account in the same laptop to do the procedure you have shown?

About MSE, I have subscribed to McAfee, which only expires next year. Can I continue with this until it runs out?


#37
August 19, 2012 at 13:32:05
"I have done the Java cache clean up and also realised that my laptop didn't have the SP1 for WIN7. Managed to get that done as well"
That's a good start chennai.

"if the laptop had been infected would it not have showed"
Probably, because I cannot see what is going on, all I'm doing is trying to visualize, so I'm just putting ideas to you in response to your asking. There are trillions of problems out there, the baddies are always ahead of the goodies, so as I have mentioned, GOOGLING is how to check on messages you get & don't understand.

"Please download and run ListParts64 by Farbar"
That is quite a simple report to do.
"Can I continue with this until this runs out?"
Sure, as long as you are happy. If you do change, make sure you follow the uninstall procedure I gave you.


#38
August 21, 2012 at 15:43:14
John,
Please find below the listparts report,

ListParts by Farbar Version: 10-08-2012
Ran by JEYA (administrator) on 21-08-2012 at 23:41:17
Windows 7 (X64)
Running From: C:\Users\JEYA\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 35%
Total physical RAM: 3893.86 MB
Available physical RAM: 2495.19 MB
Total Pagefile: 7785.91 MB
Available Pagefile: 5577.54 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:445.4 GB) (Free:372.44 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (RECOVERY) (Fixed) (Total:20.06 GB) (Free:2.92 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.08 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 445 GB 200 MB
Partition 3 Primary 20 GB 445 GB
Partition 4 Primary 103 MB 465 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 SYSTEM NTFS Partition 199 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 445 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D RECOVERY NTFS Partition 20 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 103 MB Healthy

======================================================================================================

****** End Of Log ******


#39
August 21, 2012 at 16:09:52
chennai, looks good, as you can see, it reports no hidden partitions.

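Editor's note, added to this page and not part of the thread: the dd command in #34 writes a single 512-byte sector (mbr.bin), and the ListParts report in #38 is essentially a decoded view of the same data, which is why it can show the Type, Hidden and Active columns that diskpart's volume list in #24 cannot. A volume that a bootkit carves out of unpartitioned space or marks with a "hidden" type ID need not get a drive letter, so it is the raw partition table, not My Computer, that settles the question. The script below is example code written for this page (it is not GETxPUD, ListParts or anything John posted) and does the decoding by hand: it checks the 0x55AA signature, lists the four primary slots, flags hidden type IDs, a wrong number of active entries, overlaps and sizeable unallocated gaps, and hashes the 446 bytes of boot code so a dump can be compared with one from a known-clean machine rather than read by eye in a text editor. Both sample MBRs are constructed here; the clean one mirrors the layout in #38, the gap threshold is an assumption for the example.

```python
"""Audit a raw MBR sector such as the mbr.bin written by
   dd if=/dev/sda of=mbr.bin bs=512 count=1
Checks the 0x55AA signature, decodes the four primary-partition slots and flags
what a responder hunting a bootkit volume looks for: a slot with a "hidden"
type ID, a wrong number of active (boot) entries, overlapping entries and large
unallocated space between or after the partitions.  Example code written for
this page, not from the thread; both sample MBRs below are constructed."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
# Type IDs that mark a volume hidden (FAT/NTFS types with the 0x10 bit set, 0x27 hidden NTFS/WinRE).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}
# Assumption for this example: gaps above 16 MiB deserve a look; 1 MiB alignment gaps are normal.
SLACK_THRESHOLD = 16 * 2048  # in sectors


@dataclass
class Entry:
    index: int      # 1..4, the slot number diskpart and ListParts report
    active: bool    # 0x80 boot flag set
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors  # first sector after the partition


def parse_mbr(mbr: bytes) -> list:
    """Decode the partition table; raise ValueError if this is not a plausible MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype != 0x00:  # 0x00 is an unused slot
            entries.append(Entry(i + 1, status == 0x80, ptype, lba, count))
    return entries


def boot_code_sha256(mbr: bytes) -> str:
    """Hash of the 446 bytes of boot code, to compare with a dump from a known-clean install of the same OS."""
    return hashlib.sha256(mbr[:446]).hexdigest()


def audit(entries: list, disk_sectors: int) -> list:
    """Return human-readable findings; an empty list means the table itself shows nothing odd."""
    findings = []
    actives = [e for e in entries if e.active]
    if len(actives) != 1:
        findings.append(f"{len(actives)} active partitions (expected exactly 1)")
    for e in entries:
        if e.type_id in HIDDEN_TYPES:
            findings.append(f"partition {e.index}: hidden type 0x{e.type_id:02X}")
        if e.lba_end > disk_sectors:
            findings.append(f"partition {e.index}: extends past the end of the disk")
    ordered = sorted(entries, key=lambda e: e.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        gap = b.lba_start - a.lba_end
        if gap < 0:
            findings.append(f"partitions {a.index} and {b.index} overlap")
        elif gap > SLACK_THRESHOLD:
            findings.append(f"{gap * SECTOR // 2**20} MiB unallocated between partitions {a.index} and {b.index}")
    if ordered:
        tail = disk_sectors - ordered[-1].lba_end
        if tail > SLACK_THRESHOLD:
            findings.append(f"{tail * SECTOR // 2**20} MiB unallocated after partition {ordered[-1].index}")
    return findings


def build_mbr(slots: list) -> bytes:
    """Construct a test MBR from (status, type, lba_start, sectors) tuples; boot code left zeroed."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, lba, count) in enumerate(slots):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


# Constructed to mirror the thread's layout: 199 MB SYSTEM (active), 445 GiB C:, 20 GiB RECOVERY, 103 MB HP_TOOLS.
DISK_SECTORS = 975_798_272
CLEAN = build_mbr([
    (0x80, 0x07, 2_048, 407_552),
    (0x00, 0x07, 409_600, 933_232_640),
    (0x00, 0x07, 933_642_240, 41_943_040),
    (0x00, 0x0C, 975_585_280, 210_944),
])
# Constructed "bad" case: slot 4 now points at a small hidden NTFS volume at the end of the disk
# and carries the boot flag, leaving the former HP_TOOLS space unallocated.
BOOTKIT = build_mbr([
    (0x00, 0x07, 2_048, 407_552),
    (0x00, 0x07, 409_600, 933_232_640),
    (0x00, 0x07, 933_642_240, 41_943_040),
    (0x80, 0x17, 975_790_080, 8_192),
])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN), ("bootkit", BOOTKIT)):
        print(name, "boot code sha256:", boot_code_sha256(mbr)[:16], "...")
        for e in parse_mbr(mbr):
            print(f"  #{e.index} type=0x{e.type_id:02X} active={e.active} start={e.lba_start} sectors={e.sectors}")
        for finding in audit(parse_mbr(mbr), DISK_SECTORS):
            print("  !!", finding)
```

To use it on a real dump, read mbr.bin with open(path, "rb").read() and pass the disk's total sector count (from diskpart's "Disk 0 ... 465 GB" or ListParts). A clean table is necessary but not sufficient: TDL4/ZeroAccess-class infections also replace the boot code itself, so the SHA-256 of those 446 bytes still has to match a known-clean copy.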
#40
August 21, 2012 at 23:26:56
Thanks John for the all the advice, time and help.

One last question, are the above procedures always valid for any infection? Just to be sure, so that in the unlikely event it happens again I can follow the steps. Do these executables get updated often?

Cheers
Chennai


#41
August 21, 2012 at 23:57:16
"One last question, are the above procedures always valid for any infection"
Maybe, I google the ( a lot of experts say, I will have to research ) problem & read the successful info. Anything that diverts you to paying or using a credit card, avoid.

This guide, as long as he can keep putting time into it & keep it updated, is still one of the best.
http://www.selectrealsecurity.com/m...

"Do these executables get updated often?"
Some do, some don't need to be.


#42
August 25, 2012 at 03:34:10
John,

All of a sudden, my laptop couldn't connect to the internet; it complains with the following message,

'windows can't communicate with primary dns server'

I just realised that I didn't uninstall the programs that I had installed for the checks I made to get rid of the virus, like ComboFix etc... could this have caused this by any chance?

I spoke to the ISP, and after all their checks they seemed to think that something isn't right with the laptop. I tried flushing the DNS, setting the IPv4 and v6 protocols to obtain IP and DNS settings automatically, and toggling the McAfee antivirus and firewall, without result. Nothing seems to have helped so far.

Regards
C


#43
August 25, 2012 at 05:02:53
"uninstall the programs that I had installed for the checks I made to get rid of the virus, like ComboFix etc"
ComboFix is the only one I gave you instructions to uninstall.

Have you done it yet?


#44
August 25, 2012 at 05:05:31
"'windows can't communicate with primary dns server'"
Is that the EXACT message?

Did you click on > Fix Internet on the TOP of the Guide?


#45
August 25, 2012 at 07:46:04
John, I have just uninstalled ComboFix as recommended.
'Fix Internet on top of the guide': please can you tell me which guide you are referring to here?

#46
August 25, 2012 at 07:59:25
I think I found the guide you are referring to; it is the one on the step by step guide page. When I run the network diagnostics, the message I get is as below,

'Your computer appears to be correctly configured, but the device or resource (DNS server) is not responding'


#47
August 25, 2012 at 10:54:22
John,

I have attempted the three suggestions in the 'fix internet' section of the guide and it has not helped. Please find below the scan results of the FSS

Farbar Service Scanner Version: 06-08-2012
Ran by JEYA (administrator) on 25-08-2012 at 18:46:42
Running from "C:\Users\JEYA\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is offline
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error: Yahoo IP is offline
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****


#48
August 25, 2012 at 10:55:22
John,

I would also like to add that my laptop connects to the internet fine when in safe mode with networking.


#49
August 25, 2012 at 16:06:22
"I would also like to add that my laptop connects to the internet fine when in safe mode with networking."

That is a very big clue chennai, uninstall mcafee & test, if Ok, install MSE.

Use this to uninstall, this makes sure you get it all.

Revo Uninstaller
http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.revouninstaller.com/
Open Revo, double click on McAfee, click > Yes & then you get your options, with Advanced down the bottom.
If you have partially uninstalled your program, you get a message from Revo, that it can't find the uninstaller, hit Cancel & let Revo continue on, to search for the remnants.
If you get a reboot message, ignore it & do it after Revo has finished.
I use Advanced Mode. Screenshots of how to use.
http://i.imgur.com/Rkkna.gif
http://i.imgur.com/VonCA.gif
http://i.imgur.com/fGmmb.gif
http://i.imgur.com/pdhbV.gif
http://i.imgur.com/fIgy0.gif
http://i.imgur.com/tDH9Z.gif
http://i.imgur.com/DbfgN.gif
http://i.imgur.com/tDafK.gif
http://i.imgur.com/Bz5j9.gif
http://i.imgur.com/X5S5I.gif


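Editor's note, added to this page and not part of the thread: the FSS block in #47 says more than the Windows diagnostic's "DNS server is not responding", because FSS probes a fixed IP address as well as a hostname for each site. Both IP probes failed too, so name resolution is not the bottleneck; something below DNS is dropping traffic. That is what makes the observation in #48 decisive: safe mode with networking does not load third-party filter drivers, and the ComboFix log above lists McAfee's NDIS light filter (mfenlfk) and firewall services, which is the reasoning behind "uninstall mcafee & test" in #49. The script below is example code written for this page (not FSS, not anything John posted) that encodes that triage: it parses the Connection Status lines, classifies the failure as DNS-only, network-blocked or OK, and compares a normal-boot log with a safe-mode log. The three logs are constructed to the shape of the FSS output in #47; the wording of a successful probe line ("Google IP is accessible.") is assumed from FSS's usual output.

```python
"""Classify the 'Connection Status' block of a Farbar Service Scanner (FSS) log.
FSS probes a fixed IP address and the matching hostname for two sites; comparing
the pair separates a resolver problem from a blocked network stack, and comparing
normal boot with safe mode with networking (which loads no third-party filter or
firewall drivers) says whether the security suite's own drivers are the suspect.
Example code written for this page, not from FSS or the thread; the three logs
below are constructed, with the success-line format assumed from FSS output."""
import re

FAIL = re.compile(r"^Attempt to access (\S+?) (IP )?returned error: (.+)$")
OK = re.compile(r"^(\S+?) (IP )?is accessible\.$")


def parse_connection_status(log: str) -> dict:
    """Map (site, 'ip' | 'name') -> None on success, or the error text FSS printed."""
    results = {}
    for line in log.splitlines():
        line = line.strip()
        m = FAIL.match(line)
        if m:
            site, is_ip, err = m.group(1), m.group(2), m.group(3)
        else:
            m = OK.match(line)
            if not m:
                continue  # headers, "LAN connected." and other lines carry no probe result
            site, is_ip, err = m.group(1), m.group(2), None
        site = site.lower().split(".")[0]  # "Google.com" and "Google IP" both key on "google"
        if site == "localhost":
            continue  # loopback says nothing about the wire
        results[(site, "ip" if is_ip else "name")] = err
    return results


def classify(results: dict) -> str:
    ip = [v for (_, kind), v in results.items() if kind == "ip"]
    names = [v for (_, kind), v in results.items() if kind == "name"]
    if not ip or not names:
        return "incomplete"
    if any(v is not None for v in ip):
        return "network-blocked"  # fixed IPs fail: the fault is below DNS
    if any(v is not None for v in names):
        return "dns-only"         # IPs reach, names do not: resolver, DNS server, hosts file
    return "ok"


EXPLANATION = {
    "ok": "all probes succeeded",
    "dns-only": "reachable by IP but not by name: check resolver settings, DNS servers, hosts file",
    "network-blocked": "not even fixed IPs are reachable, so 'DNS server not responding' is a symptom: "
                       "check firewall, third-party filter drivers, proxy settings, routing",
    "incomplete": "log lacks an IP or a name probe",
}


def compare_boot_modes(normal_log: str, safe_mode_log: str) -> str:
    """A stack that works in safe mode with networking but not in normal boot points at a
    third-party filter or firewall driver, since safe mode does not load them."""
    normal = classify(parse_connection_status(normal_log))
    safe = classify(parse_connection_status(safe_mode_log))
    if normal == "ok":
        return "no-fault"
    if safe == "ok":
        return "third-party-filter-suspected"
    return "fault-persists-in-safe-mode"


# Constructed: shaped like the FSS block in #47 (fixed IPs offline, names fail as well).
NORMAL_MODE_LOG = """\
Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is offline
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error: Yahoo IP is offline
Attempt to access Yahoo.com returned error: Other errors
"""
# Constructed: the same machine in safe mode with networking.
SAFE_MODE_LOG = """\
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
"""
# Constructed: a genuine resolver failure, for contrast.
DNS_ONLY_LOG = """\
Localhost is accessible.
LAN connected.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors
"""

if __name__ == "__main__":
    for label, log in (("normal boot", NORMAL_MODE_LOG), ("safe mode", SAFE_MODE_LOG), ("dns-only", DNS_ONLY_LOG)):
        verdict = classify(parse_connection_status(log))
        print(f"{label:12s} {verdict:16s} {EXPLANATION[verdict]}")
    print("comparison:", compare_boot_modes(NORMAL_MODE_LOG, SAFE_MODE_LOG))
```

Run it against the two FSS logs you actually have (paste the Connection Status block of each into the two string constants). The point of the comparison is to avoid the trap #42 fell into: flushing DNS and toggling settings cannot help when the fixed-IP probes fail, and the decisive test is the one that removes the filter drivers from the path.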
#50
August 27, 2012 at 10:47:17
John, just before I ran the Revo uninstaller, I wanted to ensure whatever I had for McAfee was properly updated. So I did an update check @ McAfee.com and the results showed a few issues with my product, and when I chose the option to fix them, after a reboot the internet returned to normal.

I guess your point about "That is a very big clue chennai, uninstall mcafee & test, if Ok, install MSE." struck me. As I had paid for the McAfee subscription I'm a bit reluctant to uninstall it, although I understand that McAfee is not great, I'd like to make use of it for the remaining period of the subscription.

