ntoskrnl.exe blue screen after ransomware removal

May 12, 2013 at 16:38:41
Specs: Windows 7, AMD Athlon II X2 270 3.4 GHz
I am getting an ntoskrnl.exe BSOD when using the computer, usually while browsing the internet, but it has also crashed when left running a Malwarebytes scan.

The computer is running Windows 7 Ultimate 64-bit Service Pack 1.

A minidump has been created with Driver Verifier enabled: http://www.filedropper.com/051313-1...

Blue screens started after running HitmanPro.Kickstart to successfully remove ransomware/police malware.

Windows Update has all latest updates installed except for Internet Explorer 10. Initially this service did not work after running HitmanPro.Kickstart. I fixed it but do not recall how. Running Internet Explorer 9.

Windows Memory Diagnostic has not detected any issues.

Malwarebytes quick scan does not detect any issues. Have not been able to complete a full scan.

Thanks


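The minidump mentioned above is the one artefact that can actually name the crashing driver, since "ntoskrnl.exe" on the blue screen only says the faulting frame was inside the kernel. As an added example (not part of the original post or of any tool the thread uses), the following PowerShell script runs the command-line debugger over every minidump on the machine and extracts the bugcheck code and the module `!analyze -v` blames. It assumes Debugging Tools for Windows is installed (the `$CdbPath` default is an assumption; adjust it to wherever cdb.exe is on the box) and that the Microsoft public symbol server is reachable:

```powershell
# Added example, not from the thread: batch-triage the minidumps a
# Driver Verifier-enabled crash leaves under C:\Windows\Minidump and pull
# out the fields that name the bugcheck and the module the debugger blames.
# Assumptions (not stated on the page): Debugging Tools for Windows is
# installed and cdb.exe is at $CdbPath; the box can reach the Microsoft
# public symbol server. Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    [string]$MinidumpDir = "$env:SystemRoot\Minidump",
    [string]$CdbPath     = "${env:ProgramFiles(x86)}\Windows Kits\8.0\Debuggers\x64\cdb.exe",
    [string]$SymbolCache = 'C:\Symbols'
)

function Get-MinidumpTriage {
    param([string]$DumpFile, [string]$Cdb, [string]$SymCache)

    $symPath = "srv*$SymCache*https://msdl.microsoft.com/download/symbols"
    # !analyze -v does the work; the trailing 'q' makes cdb exit instead of
    # waiting at its prompt, so the loop below never hangs.
    $raw = & $Cdb -z $DumpFile -y $symPath -c '!analyze -v; q' 2>&1 | Out-String

    # A "ntoskrnl.exe" blue screen only says the faulting frame was in the
    # kernel. The module to chase is the one in IMAGE_NAME / "Probably
    # caused by"; with Driver Verifier on, a third-party .sys tends to be
    # named there instead of the kernel.
    $fields = 'BUGCHECK_STR', 'DEFAULT_BUCKET_ID', 'PROCESS_NAME',
              'IMAGE_NAME', 'MODULE_NAME', 'FAILURE_BUCKET_ID'
    $result = New-Object PSObject -Property @{ Dump = (Split-Path $DumpFile -Leaf) }
    foreach ($f in $fields) {
        $m = [regex]::Match($raw, "(?m)^$f\s*:\s*(.+)`$")
        $result | Add-Member NoteProperty $f $(if ($m.Success) { $m.Groups[1].Value.Trim() } else { '<not found>' })
    }
    $m = [regex]::Match($raw, '(?m)^Probably caused by\s*:\s*(.+)$')
    $result | Add-Member NoteProperty ProbablyCausedBy $(if ($m.Success) { $m.Groups[1].Value.Trim() } else { '<not found>' })
    return $result
}

if (-not (Test-Path $CdbPath)) {
    throw "cdb.exe not found at '$CdbPath'. Install Debugging Tools for Windows or pass -CdbPath."
}
$dumps = Get-ChildItem -Path $MinidumpDir -Filter *.dmp -ErrorAction SilentlyContinue
if (-not $dumps) { Write-Warning "No .dmp files under $MinidumpDir"; return }

$dumps | Sort-Object LastWriteTime | ForEach-Object {
    Get-MinidumpTriage -DumpFile $_.FullName -Cdb $CdbPath -SymCache $SymbolCache
} | Format-List Dump, BUGCHECK_STR, IMAGE_NAME, MODULE_NAME, PROCESS_NAME, ProbablyCausedBy, FAILURE_BUCKET_ID
```

Two caveats a practitioner would add. First, Driver Verifier stays armed across reboots and will keep bugchecking the machine on the next violation; once the dumps have been collected, `verifier /reset` from an elevated prompt turns it off. Second, if `IMAGE_NAME` keeps coming back as `ntoskrnl.exe` or `ntkrnlmp.exe` even under Verifier, look at the symbolised stack in the full `!analyze -v` output rather than at the summary fields: memory-resident malware or a corrupted system binary can show up that way, which is why the thread's helpers move on to rootkit scanners and `sfc /scannow`.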

#1
May 12, 2013 at 17:03:43
"HitmanPro.Kickstart"
Do a search for the log, then Copy & Paste the contents in your next reply please.


#2
May 12, 2013 at 18:19:17
After posting the Hitman log, let's do some more checks to make sure you are clean (which I doubt).

I have downloaded your .dmp file & will report on that later.

1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
An introduction to what this program does.
http://www.bleepingcomputer.com/for...
For those of you who no longer have the %Temp%\Smtmp folder, you will not be able to use Unhide to restore your Start Menu items. With this in mind, I have created some scripts to restore the default Start Menu for specific versions of Windows that I have access to. You can view the available versions below. I will be adding more as time goes on.
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run; it does take some time, so be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt. Let me know if it doesn't produce a log please.

2: Reboot

3: Run TDSSKiller & post the contents of the log.
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://support.kaspersky.com/faq/?q...
http://support.kaspersky.com/viruse...


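The Unhide step above is a blunt instrument by design: it strips the hidden attribute from every file on every drive, so anything the user hid on purpose (and some things Windows hides for good reason) comes back visible too. As an added example, and not Unhide.exe or anything else from the original post, here is a PowerShell equivalent for the file-attribute half of the job that a practitioner might prefer on a machine that is not a total loss. It is scoped to one tree, skips items carrying the System attribute (desktop.ini, ntuser.dat*, the "Application Data" junction), skips whole folders named in `-SkipNames` (AppData by default, an assumption about what the user did not hide themselves), refuses to touch reparse points, honours `-WhatIf`, and logs every path it changes so the operation can be reversed. The `Restore-HiddenItems` name and the log location are this example's own; it assumes Windows 7 with PowerShell 2.0 or later:

```powershell
# Added example, not from the thread and not Unhide.exe itself: clear the
# Hidden attribute the way Unhide does, but scoped to one tree, skipping
# items Windows marks System (desktop.ini, ntuser.dat*, the "Application
# Data" junction), skipping whole folders named in -SkipNames (AppData by
# default), and logging every change so it can be reversed. Honours -WhatIf.
# Assumption: Windows 7 with PowerShell 2.0 or later, run as the affected
# user or as an administrator. The registry fixes Unhide also performs
# are not part of this script.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root        = $env:USERPROFILE,
    [string]$LogFile     = (Join-Path $env:USERPROFILE 'Desktop\Unhide-safe.txt'),
    [string[]]$SkipNames = @('AppData')
)

function Restore-HiddenItems {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path, [string]$Log, [string[]]$Skip)

    $HIDDEN   = [int][IO.FileAttributes]::Hidden
    $SYSTEM   = [int][IO.FileAttributes]::System
    $REPARSE  = [int][IO.FileAttributes]::ReparsePoint
    $fullRoot = (Resolve-Path -Path $Path).ProviderPath.TrimEnd('\')
    $changed  = 0

    # -Force is required, otherwise Get-ChildItem hides exactly the items we want.
    # Keep an item only if it is hidden, not System, not a junction/symlink, and
    # none of its path segments below the root is an excluded folder name.
    $candidates = Get-ChildItem -Path $fullRoot -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $a   = [int]$_.Attributes
            $rel = $_.FullName.Substring($fullRoot.Length).Split('\')
            $excluded = $rel | Where-Object { $Skip -contains $_ }
            (($a -band $HIDDEN) -ne 0) -and (($a -band $SYSTEM) -eq 0) -and (($a -band $REPARSE) -eq 0) -and (-not $excluded)
        }

    foreach ($item in $candidates) {
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden attribute')) {
            $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $HIDDEN))
            Add-Content -Path $Log -Value ("{0}`t{1}" -f (Get-Date -Format s), $item.FullName)
            $changed++
        }
    }
    return $changed
}

$n = Restore-HiddenItems -Path $Root -Log $LogFile -Skip $SkipNames
"Cleared the Hidden attribute on $n item(s) under $Root. Log: $LogFile"
```

Run it once with `-WhatIf` to see the list before committing, and widen `-Root` (for example to `C:\`) only after reviewing that list, because at that scope the System-attribute filter is the only thing standing between the script and Unhide's whole-drive behaviour. The Unhide log posted further down shows the second half of what the tool does (the FakeHDD registry policies and the `Start_Track*` values); that registry work is deliberately not duplicated here.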

#3
May 12, 2013 at 19:29:44
I suggest you try sfc /scannow, possibly in off-line mode.

How To Ask Questions The Smart Way



#4
May 12, 2013 at 22:30:41
Thanks for the fast responses.

I cannot find a HitmanPro.Kickstart log. I ran this program off a USB and have since deleted the program from the USB.

Malwarebytes completed a full scan and did not find anything.

I am not sure if this is part of the issue in the OP, but I have also noted that another computer (computer B) in the office was using a printer connected to this computer (computer A) via the HomeGroup. Computer B can no longer print. Computer A can still print. Settings have not been changed on computer B as far as I know.

Here is the unhide log:
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 05/13/2013 05:14:59 PM
Windows Version: Windows 7

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 239243 files processed.

Processing the E:\ drive
Finished processing the E:\ drive. 64 files processed.

Processing the Z:\ drive
Finished processing the Z:\ drive. 191 files processed.

The C:\Users\user\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
* NoActiveDesktopChanges policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_TrackDocs was set to 0! It was set back to 1!
* Start_TrackProgs was set to 0! It was set back to 1!

Program finished at: 05/13/2013 05:27:56 PM
Execution time: 0 hours(s), 12 minute(s), and 57 seconds(s)

-

Will run TDSSKiller next.



#5
May 12, 2013 at 22:42:49
TDSSKiller log http://www.filedropper.com/tdsskill...

TDSSKiller rebooted the computer, then I ran it again:
http://www.filedropper.com/tdsskill...



#6
May 12, 2013 at 22:43:40
"Will run TDSSKiller next"
Ok, I suspect we will still have more work to do.




#7
May 12, 2013 at 22:55:20
4: Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://www.sur-la-toile.com/RogueKi...
http://www.sur-la-toile.com/RogueKi...
Download & SAVE to your Desktop.
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start.
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller.


#8
May 13, 2013 at 02:27:14
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : user [Admin rights]
Mode : Remove -- Date : 05/13/2013 21:23:32
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKX-00U6AA0 ATA Device +++++
--- User ---
[MBR] 6febdb7d5ffece9a75ee67804c5926d9
[BSP] fb08a32f357f3896d5d3068b1a88a6a4 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_05132013_02d2123.txt >>
RKreport[1]_S_05132013_02d2113.txt ; RKreport[2]_D_05132013_02d2123.txt




#9
May 13, 2013 at 02:59:33
"I am not sure if this is part of the issue"
I can only focus on the infected comp, sorry. Trying to visualize anything past that makes it too complicated.

As we dismantle the infection bit by bit, that may allow the repeat use of programs, which may in turn pick up more.
Removal of infected parts of the system may cause other parts to stop working, such as your Internet connection or services. These we then have to repair later.

If any program won't run ( due to the infection ) let me know.

Copy and Paste the contents of the log/logs after running each program.

5: Run ComboFix & post the contents of the log please. ComboFix's log should be located at C:\COMBOFIX.TXT.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...

A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
"There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual"
Run Defogger
http://majorgeeks.com/Defogger_d708...
This program can enable and disable CD emulation, often required in removing difficult malware. Some CD Emulation programs use a hidden driver that may be seen as a rootkit or that will interfere with the proper operation of the anti-rootkit scanner.
If you think it's frozen look at computer clock.
If it's running Combofix is still working.

Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE:
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.

If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...

We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open windows, including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.



#10
May 13, 2013 at 11:04:32
ComboFix 13-05-12.01 - user 13/05/2013 22:11:21.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.64.1033.18.3582.2595 [GMT 12:00]
Running from: c:\users\user\Downloads\ComboFix.exe
AV: COMODO Antivirus *Enabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
SP: COMODO Antivirus *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\user\AppData\Roaming\DefaultTab\DefaultTab
c:\users\user\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabUninstaller.exe
c:\users\user\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-04-13 to 2013-05-13 )))))))))))))))))))))))))))))))
.
.
2013-05-13 10:26 . 2013-05-13 10:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-13 05:33 . 2013-05-13 05:33 -------- d-----w- C:\TDSSKiller_Quarantine
2013-05-11 00:33 . 2013-05-11 00:33 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes
2013-05-11 00:33 . 2013-05-11 00:33 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-05-11 00:33 . 2013-05-11 00:33 -------- d-----w- c:\programdata\Malwarebytes
2013-05-11 00:33 . 2013-04-04 02:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-10 23:37 . 2013-05-10 23:38 -------- d-----w- c:\program files\Core Temp
2013-05-10 23:36 . 2013-05-13 10:25 -------- d-----w- c:\users\user\AppData\Roaming\DefaultTab
2013-05-10 23:34 . 2013-05-10 23:34 -------- d-----w- c:\programdata\APN
2013-05-10 02:51 . 2013-04-01 07:58 72702784 ----a-w- c:\windows\system32\MRT.exe
2013-05-10 02:44 . 2013-05-10 02:44 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-05-10 02:44 . 2013-05-10 02:44 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-05-10 02:44 . 2013-05-10 02:44 -------- d-----w- c:\program files (x86)\Java
2013-05-09 08:14 . 2013-05-09 08:14 32000 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2013-05-09 08:01 . 2013-05-09 08:08 -------- d-----w- c:\programdata\HitmanPro
2013-04-26 01:48 . 2013-05-13 05:06 -------- d-----w- c:\users\user\AppData\Local\CrashDumps
2013-04-23 20:31 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-10 02:44 . 2013-02-26 22:37 866720 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-05-10 02:44 . 2013-02-26 22:37 788896 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-05-10 02:36 . 2013-02-27 23:50 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-10 02:36 . 2013-02-27 23:50 691592 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-04-25 10:05 . 2013-01-16 06:51 96800 ----a-w- c:\windows\system32\drivers\inspect.sys
2013-04-23 14:04 . 2013-01-24 09:43 437176 ----a-w- c:\windows\system32\guard64.dll
2013-04-23 14:04 . 2013-01-24 09:43 348048 ----a-w- c:\windows\SysWow64\guard32.dll
2013-04-15 17:38 . 2013-01-16 06:51 48360 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2013-04-15 17:38 . 2013-01-16 06:51 706560 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2013-04-15 17:38 . 2013-01-16 06:51 23168 ----a-w- c:\windows\system32\drivers\cmderd.sys
2013-04-15 17:38 . 2013-01-24 09:43 43216 ----a-w- c:\windows\system32\cmdcsr.dll
2013-04-15 17:38 . 2013-01-24 09:42 343760 ----a-w- c:\windows\system32\cmdvrt64.dll
2013-04-15 17:38 . 2013-01-24 09:42 45776 ----a-w- c:\windows\system32\cmdkbd64.dll
2013-04-15 17:38 . 2013-01-24 09:42 276688 ----a-w- c:\windows\SysWow64\cmdvrt32.dll
2013-04-15 17:38 . 2013-01-24 09:42 40656 ----a-w- c:\windows\SysWow64\cmdkbd32.dll
2013-03-19 06:04 . 2013-04-10 20:31 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-10 20:31 43520 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-10 20:31 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-10 20:31 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-10 20:31 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-10 20:31 112640 ----a-w- c:\windows\system32\smss.exe
2013-03-01 03:36 . 2013-04-10 20:31 3153408 ----a-w- c:\windows\system32\win32k.sys
2013-02-26 03:57 . 2013-02-26 03:57 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2013-02-26 03:57 . 2013-02-26 03:57 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2013-02-26 03:57 . 2013-02-26 03:57 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2013-02-26 03:57 . 2013-02-26 03:57 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2013-02-26 03:57 . 2013-02-26 03:57 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2013-02-26 03:57 . 2013-02-26 03:57 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2013-02-26 03:57 . 2013-02-26 03:57 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2013-02-26 03:57 . 2013-02-26 03:57 367104 ----a-w- c:\windows\SysWow64\html.iec
2013-02-26 03:57 . 2013-02-26 03:57 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2013-02-26 03:57 . 2013-02-26 03:57 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2013-02-26 03:57 . 2013-02-26 03:57 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2013-02-26 03:57 . 2013-02-26 03:57 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2013-02-26 03:57 . 2013-02-26 03:57 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2013-02-26 03:57 . 2013-02-26 03:57 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2013-02-26 03:57 . 2013-02-26 03:57 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-02-26 03:57 . 2013-02-26 03:57 65024 ----a-w- c:\windows\system32\pngfilt.dll
2013-02-26 03:57 . 2013-02-26 03:57 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2013-02-26 03:57 . 2013-02-26 03:57 49664 ----a-w- c:\windows\system32\imgutil.dll
2013-02-26 03:57 . 2013-02-26 03:57 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2013-02-26 03:57 . 2013-02-26 03:57 267776 ----a-w- c:\windows\system32\ieaksie.dll
2013-02-26 03:57 . 2013-02-26 03:57 222208 ----a-w- c:\windows\system32\msls31.dll
2013-02-26 03:57 . 2013-02-26 03:57 197120 ----a-w- c:\windows\system32\msrating.dll
2013-02-26 03:57 . 2013-02-26 03:57 163840 ----a-w- c:\windows\system32\ieakui.dll
2013-02-26 03:57 . 2013-02-26 03:57 149504 ----a-w- c:\windows\system32\occache.dll
2013-02-26 03:57 . 2013-02-26 03:57 145920 ----a-w- c:\windows\system32\iepeers.dll
2013-02-26 03:57 . 2013-02-26 03:57 12288 ----a-w- c:\windows\system32\mshta.exe
2013-02-26 03:57 . 2013-02-26 03:57 114176 ----a-w- c:\windows\system32\admparse.dll
2013-02-26 03:57 . 2013-02-26 03:57 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2013-02-26 03:57 . 2013-02-26 03:57 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-02-26 03:57 . 2013-02-26 03:57 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2013-02-26 03:57 . 2013-02-26 03:57 85504 ----a-w- c:\windows\system32\iesetup.dll
2013-02-26 03:57 . 2013-02-26 03:57 82432 ----a-w- c:\windows\system32\icardie.dll
2013-02-26 03:57 . 2013-02-26 03:57 76800 ----a-w- c:\windows\system32\tdc.ocx
2013-02-26 03:57 . 2013-02-26 03:57 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2013-02-26 03:57 . 2013-02-26 03:57 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-02-26 03:57 . 2013-02-26 03:57 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2013-02-26 03:57 . 2013-02-26 03:57 448512 ----a-w- c:\windows\system32\html.iec
2013-02-26 03:57 . 2013-02-26 03:57 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2013-02-26 03:57 . 2013-02-26 03:57 39936 ----a-w- c:\windows\system32\iernonce.dll
2013-02-26 03:57 . 2013-02-26 03:57 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2013-02-26 03:57 . 2013-02-26 03:57 30720 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-26 03:57 . 2013-02-26 03:57 282112 ----a-w- c:\windows\system32\dxtrans.dll
2013-02-26 03:57 . 2013-02-26 03:57 249344 ----a-w- c:\windows\system32\webcheck.dll
2013-02-26 03:57 . 2013-02-26 03:57 165888 ----a-w- c:\windows\system32\iexpress.exe
2013-02-26 03:57 . 2013-02-26 03:57 160256 ----a-w- c:\windows\system32\wextract.exe
2013-02-26 03:57 . 2013-02-26 03:57 160256 ----a-w- c:\windows\system32\ieakeng.dll
2013-02-26 03:57 . 2013-02-26 03:57 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-02-26 03:57 . 2013-02-26 03:57 111616 ----a-w- c:\windows\system32\iesysprep.dll
2013-02-26 03:57 . 2013-02-26 03:57 103936 ----a-w- c:\windows\system32\inseng.dll
2013-02-26 03:40 . 2013-02-26 03:40 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2013-02-26 03:40 . 2013-02-26 03:40 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll
2013-02-26 03:40 . 2013-02-26 03:40 1060864 ----a-w- c:\windows\SysWow64\mfc71.dll
2013-02-26 03:09 . 2013-02-26 03:11 286720 ----a-w- c:\windows\iun507.exe
2013-02-22 06:57 . 2013-04-11 04:51 17817088 ----a-w- c:\windows\system32\mshtml.dll
2013-02-22 06:29 . 2013-04-11 04:51 10925568 ----a-w- c:\windows\system32\ieframe.dll
2013-02-22 06:27 . 2013-04-11 04:51 2312704 ----a-w- c:\windows\system32\jscript9.dll
2013-02-22 06:21 . 2013-04-11 04:51 1346560 ----a-w- c:\windows\system32\urlmon.dll
2013-02-22 06:20 . 2013-04-11 04:51 1392128 ----a-w- c:\windows\system32\wininet.dll
2013-02-22 06:19 . 2013-04-11 04:51 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-22 06:18 . 2013-04-11 04:51 237056 ----a-w- c:\windows\system32\url.dll
2013-02-22 06:17 . 2013-04-11 04:51 85504 ----a-w- c:\windows\system32\jsproxy.dll
2013-02-22 06:15 . 2013-04-11 04:51 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2013-02-22 06:15 . 2013-04-11 04:51 599040 ----a-w- c:\windows\system32\vbscript.dll
2013-02-22 06:15 . 2013-04-11 04:51 816640 ----a-w- c:\windows\system32\jscript.dll
2013-02-22 06:14 . 2013-04-11 04:51 729088 ----a-w- c:\windows\system32\msfeeds.dll
2013-02-22 06:13 . 2013-04-11 04:51 2147840 ----a-w- c:\windows\system32\iertutil.dll
2013-02-22 06:13 . 2013-04-11 04:51 96768 ----a-w- c:\windows\system32\mshtmled.dll
2013-02-22 06:12 . 2013-04-11 04:51 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-02-22 06:09 . 2013-04-11 04:51 248320 ----a-w- c:\windows\system32\ieui.dll
2013-02-22 03:46 . 2013-04-11 04:51 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2013-02-22 03:38 . 2013-04-11 04:51 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2013-02-22 03:37 . 2013-04-11 04:51 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2013-02-22 03:34 . 2013-04-11 04:51 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2013-02-22 03:34 . 2013-04-11 04:51 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2013-02-22 03:31 . 2013-04-11 04:51 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-06 102400]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-12-18 39136]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-12-18 825560]
"Panasonic Device Manager for Multi-Function Station software"="c:\program files (x86)\Panasonic\MFStation\PCCMFSDM.exe" [2010-11-04 139264]
"Panasonic PCFAX for Multi-Function Station software"="c:\program files (x86)\Panasonic\MFStation\KmPcFax.exe" [2011-01-04 811008]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-19 152392]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2010-03-10 300400]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-11 253816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 ALSysIO;ALSysIO;c:\users\user\AppData\Local\Temp\ALSysIO64.sys [x]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [2010-04-06 31272]
R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [2013-04-15 158928]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2013-05-09 32000]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2012-09-09 22528]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-12-13 54784]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-02-26 1255736]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-11-02 56208]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [2012-03-07 22128]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2013-04-15 23168]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2013-04-15 706560]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2013-04-15 48360]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-10-04 87600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-19 203776]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
S2 Panasonic Local Printer Service;Panasonic Local Printer Service;c:\progra~2\PANASO~1\LocalCom\lmsrvnt.exe [2010-01-08 49152]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2013-04-23 3574624]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2012-11-26 75904]
S3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2012-07-19 110744]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 25928]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2013-01-29 50800]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-10 20:28 1642448 ----a-w- c:\program files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-27 02:36]
.
2013-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-23 09:17]
.
2013-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-02-23 09:17]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-06-11 12503184]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-04-15 3603152]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-03 446392]
"UniPrint Client Init"="c:\program files (x86)\UniPrint Suite\Client\UPCInit.exe" [2011-11-28 203624]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-10222196.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\TeamViewer\Version8\TeamViewer_Desktop.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files (x86)\teamviewer\version8\TeamViewer.exe
c:\program files (x86)\TeamViewer\Version8\tv_w32.exe
.
**************************************************************************
.
Completion time: 2013-05-14 06:01:48 - machine was rebooted
ComboFix-quarantined-files.txt 2013-05-13 18:01
.
Pre-Run: 174,023,180,288 bytes free
Post-Run: 174,377,881,600 bytes free
.
- - End Of File - - A6898268605D218BA01DA121AB4C0328

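An added example, not part of the thread and not ComboFix's own code: a small parser for the LOCKED REGISTRY KEYS section in the log above, plus a triage rule (the editor's assumption, not a ComboFix feature) that picks out locked LocalServer32/InprocServer32 keys whose server binary lives outside the Windows or Program Files trees. The FlashBroker and PCW\Security entries in the posted log all point into C:\Windows and pass that rule; the sample below mixes a trimmed excerpt of the posted section with one constructed entry (all-zero CLSID, made-up path under the user's Temp folder) so the rule has something to flag.

```python
"""Parse the LOCKED REGISTRY KEYS section of a ComboFix log and triage it.

Added example (editor's code, not ComboFix's and not from the thread). ComboFix
prints each key it could not open normally in .reg-like form: a [KEY] header,
an "@Denied: (<rights>) (<principal>)" line for the ACE that blocked it, then
whatever values it could still read, with "." ending the entry. The triage rule
below is the editor's assumption: a locked LocalServer32/InprocServer32 whose
path is outside the Windows or Program Files trees deserves a look, because a
COM server parked elsewhere and shielded by a deny ACL is where a hijack would
usually hide. The sample is a trimmed excerpt of the posted log plus one
constructed entry (all-zero CLSID, made-up path).
"""
import re

SAMPLE_SECTION = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@Denied: (A 2) (Everyone)
@="c:\\Users\\user\\AppData\\Local\\Temp\\example.dll"
.
------------------------ Other Running Processes ------------------------
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
DENIED_LINE = re.compile(r"^@Denied: \((.+?)\) \((.+?)\)$")
DEFAULT_LINE = re.compile(r'^@="(.*)"$')
NAMED_LINE = re.compile(r'^"([^"]+)"=(.*)$')

# Where a legitimately installed COM server is expected to live (editor's assumption).
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SERVER_SUFFIXES = ("\\localserver32", "\\inprocserver32")

def unescape(value):
    """Undo .reg escaping: doubled backslashes and escaped quotes."""
    return value.replace('\\"', '"').replace("\\\\", "\\")

def parse_locked_keys(text):
    """Return one record per [KEY] block: key, denied ACE, default value, named values."""
    records, cur = [], None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            cur = {"key": m.group(1), "denied": None, "default": None, "values": {}}
            records.append(cur)
            continue
        if cur is None or line == ".":
            cur = None          # "." closes the entry; anything before the first key is ignored
            continue
        if (m := DENIED_LINE.match(line)):
            cur["denied"] = (m.group(1), m.group(2))
        elif (m := DEFAULT_LINE.match(line)):
            cur["default"] = unescape(m.group(1))
        elif (m := NAMED_LINE.match(line)):
            cur["values"][m.group(1)] = unescape(m.group(2).strip('"'))
    return records

def server_path(record):
    """Default value of a LocalServer32/InprocServer32 key, or None for any other key."""
    if record["key"].lower().endswith(SERVER_SUFFIXES):
        return record["default"]
    return None

def flag_unexpected_servers(records):
    """COM server keys whose binary lives outside the expected install trees."""
    flagged = []
    for rec in records:
        path = server_path(rec)
        if path and not path.lower().startswith(EXPECTED_PREFIXES):
            flagged.append((rec["key"], path))
    return flagged

if __name__ == "__main__":
    recs = parse_locked_keys(SAMPLE_SECTION)
    for rec in recs:
        print(rec["key"], "denied:", rec["denied"])
    for key, path in flag_unexpected_servers(recs):
        print("CHECK:", key, "->", path)
```

To run it against a real log, paste the whole LOCKED REGISTRY KEYS section (from the dashed header down to the next dashed header) into SAMPLE_SECTION or read it from the saved ComboFix.txt; the parser ignores everything that is not a key block.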

#11
May 13, 2013 at 11:15:29
So, how'd that sfc /scannow turn out?

How To Ask Questions The Smart Way



#12
May 13, 2013 at 12:18:29
I left it running, then came back and the window had closed. Does it generate a log somewhere?


#13
May 13, 2013 at 12:40:10
I don't think so. Typically you run it from the Command Prompt and not the Run box. Then you can examine the output.

If you haven't rebooted since running SFC, reboot now and check the date modified for ntoskrnl.exe. It should be March 19, 2013, 2:04:06 AM.

How To Ask Questions The Smart Way



#14
May 13, 2013 at 13:01:27
We are still cleaning out infections: Combofix removed more, and TDSS removed some rootkits. We need to get the comp clean before running any other fixes.

RogueKiller & Unhide also did their job.

System Restore will have infected files in it; turning System Restore OFF & then ON will remove them.
Windows 7
http://www.recipester.org/Recipe:Di...



#15
May 13, 2013 at 13:02:15
6: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://general-changelog-team.fr/en...
http://www.raymond.cc/blog/adwclean...
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

7: Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool to your desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. http://www.bleepingcomputer.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.



#16
May 13, 2013 at 13:09:27
"I left it running then came back and the window had closed? Does it generate a log some where?"

I already know from your dump file that you had unknown corruption; that is why I suspected infections.

SFC results are in the CBS log.
Copy the CBS.log file created (C:\Windows\Logs\CBS\CBS.log) & Paste to your desktop (you can't manipulate it directly) and then Compress/Zip the copy and upload it to a site of your choosing and post a link to it so that I can take a look.


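An added example (editor's code, not from the thread) for reading the SFC result out of CBS.log as described above: SFC tags its own lines with "[SR]", which is what the documented findstr /c:"[SR]" trick filters on. This script applies the same filter to a copy of the file and buckets the messages, so a file SFC flagged but never repaired stands out instead of being buried in a multi-megabyte log. The CBS.log lines embedded below are constructed to match the shape of real entries (timestamps, component version and the repair outcome are made up), not taken from this machine.

```python
r"""Summarise what sfc /scannow did, from the [SR] lines in CBS.log.

Added example (editor's code, not from the thread). SFC writes its progress to
C:\Windows\Logs\CBS\CBS.log tagged "[SR]"; Microsoft's documented way to read
the result is to filter on that tag (findstr /c:"[SR]"). This script applies
the same filter and buckets the messages so an unrepaired file is obvious.
The sample lines are constructed to match the shape of real entries (the
timestamps, component version and outcome are made up); run it against a copy
of the real file, as the thread suggests, since the live file is held open.
"""
import re
import sys

# Constructed CBS.log excerpt (not from the thread): one corrupt file found and repaired.
SAMPLE_CBS_LOG = r"""
2013-05-13 12:05:01, Info                  CSI    000001a3 [SR] Verifying 100 (0x0000000000000064) components
2013-05-13 12:05:02, Info                  CSI    000001a4 [SR] Beginning Verify and Repair transaction
2013-05-13 12:05:02, Info                  CSI    000001a5 Unrelated line without the tag, must be ignored
2013-05-13 12:07:10, Info                  CSI    000001b0 [SR] Cannot repair member file [l:24{12}]"ntoskrnl.exe" of Microsoft-Windows-OS-Kernel, Version = 6.1.7601.99999, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2013-05-13 12:07:11, Info                  CSI    000001b1 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"ntoskrnl.exe" from store
2013-05-13 12:07:12, Info                  CSI    000001b2 [SR] Repair complete
2013-05-13 12:07:13, Info                  CSI    000001b3 [SR] Verify complete
"""

SR_LINE = re.compile(r"^(?P<ts>\S+ \S+), \w+\s+CSI\s+[0-9a-f]+ \[SR\] (?P<msg>.*)$")
FILE_NAME = re.compile(r'\[l:\d+\{\d+\}\]"([^"]+)"')   # the [l:N{M}]"name" token SFC uses for a file

def sr_lines(lines):
    """Yield (timestamp, message) for each line carrying the [SR] tag; everything else is skipped."""
    for line in lines:
        m = SR_LINE.match(line.rstrip("\r\n"))
        if m:
            yield m.group("ts"), m.group("msg")

def summarise(lines):
    """Bucket the [SR] messages: files SFC flagged, files it repaired, and whether the run finished."""
    summary = {"flagged": [], "repaired": [], "verify_complete": False, "repair_complete": False}
    for _, msg in sr_lines(lines):
        names = FILE_NAME.findall(msg)
        if msg.startswith("Cannot repair member file") and names:
            summary["flagged"].append(names[0])
        elif msg.startswith("Repairing corrupted file") and names:
            summary["repaired"].append(names[-1])   # the file token is the last one on the line
        elif msg == "Verify complete":
            summary["verify_complete"] = True
        elif msg == "Repair complete":
            summary["repair_complete"] = True
    return summary

def unrepaired(summary):
    """Files SFC flagged that never got a matching repair entry: these still need attention."""
    return sorted(set(summary["flagged"]) - set(summary["repaired"]))

if __name__ == "__main__":
    # Pass the path to a copy of CBS.log; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = summarise(fh)
    else:
        result = summarise(SAMPLE_CBS_LOG.splitlines())
    print(result)
    print("still unrepaired:", unrepaired(result))
```

If "Verify complete" never appears, the run did not finish (which is what a window that silently closed would suggest), and the buckets only describe what SFC got through before it stopped.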

#17
May 13, 2013 at 13:09:28
Johnw: Don't worry about the foundation; we're building the second floor
Well, that attitude has never backfired.

How To Ask Questions The Smart Way



#18
May 13, 2013 at 20:28:59
The computer has been in use all day (the past 8 hours) and has not had any blue screens. In the past few days it has had 3-4 blue screens a day. Should I do the steps above for system restore, AdwCleaner, and Junkware Removal Tool?

Re the printer issue, I went in to services.msc and changed the homegroup services from manual and off to automatic and on. Homegroup now functions correctly and printers are working normally.



#19
May 13, 2013 at 20:44:15
"Should I do the steps above for system restore, AdwCleaner, and Junkware Removal Tool?"

Yes please & upload the CBS log.



#20
May 14, 2013 at 11:31:43
AdwCleaner

# AdwCleaner v2.300 - Logfile created 05/15/2013 at 06:27:07
# Updated 28/04/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : user - SERVER
# Boot Mode : Normal
# Running from : C:\Users\user\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\APN

***** [Registry] *****

Key Deleted : HKLM\Software\Default Tab
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16476

[OK] Registry is clean.

-\\ Google Chrome v26.0.1410.64

*************************

AdwCleaner[S1].txt - [718 octets] - [15/05/2013 06:27:07]

########## EOF - C:\AdwCleaner[S1].txt - [777 octets] ##########



#21
May 14, 2013 at 11:35:42
C:\Windows\System32\ntoskrnl.exe

5.29MB (5,550,424 bytes)

Created & accessed: Thursday, 11 April 2013, 8:31:09am
Modified: Tuesday, 19 March 2013, 7:04:06pm



#22
May 14, 2013 at 11:46:16
JRT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Ultimate x64
Ran by user on Wed 15/05/2013 at 6:32:23.37
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Users\user\AppData\Roaming\defaulttab"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 15/05/2013 at 6:44:47.40
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#23
May 14, 2013 at 15:16:46
We are getting there; we just need to really make sure nothing is lurking, otherwise you will get problems again.

8: Please download and run ListParts64 by Farbar (for 64-bit system):
http://download.bleepingcomputer.co...
Click on the Scan button.
The scan results will open in Notepad.
Please Copy and Paste the contents into your reply.



#24
May 14, 2013 at 20:56:59
Computer has been in use for past 8 hours. One blue screen 7 hours ago. This time it was L1C62x64.sys error.

ListParts64 log:
ListParts by Farbar Version: 10-05-2013
Ran by user (administrator) on 15-05-2013 at 15:55:02
Windows 7 (X64)
Running From: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JY0XZ3AL
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 37%
Total physical RAM: 3581.55 MB
Available physical RAM: 2231.24 MB
Total Pagefile: 7163.11 MB
Available Pagefile: 4929.49 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:171.53 GB) NTFS
3 Drive z: () (Fixed) (Total:465.66 GB) (Free:171.53 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B

Partitions of Disk 0:
===============

Disk ID: B2179B6A

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 System Rese NTFS Partition 100 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 465 GB Healthy Boot

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: B2179B6A
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=466 GB) - (Type=07 NTFS)


****** End Of Log ******



#25
May 14, 2013 at 22:19:02
Nothing lurking there.

9: Run TFC
http://www.geekstogo.com/forum/file...
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.



#26
May 15, 2013 at 12:49:26
I have completed step 9


#27
May 15, 2013 at 16:23:30
Ok, the next step involves using ESET (keep this program). The first part is a very deep scan, and in the second it will try to find out how you got infected. Here is the first part.

10: Run ESET Online Scanner, Copy and Paste the contents of the log please. This scan may take a very long while, so please be patient. Maybe start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...

Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the desktop.
If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...



#28
May 16, 2013 at 11:17:29
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=ac06780aea2af441a788d2a40ff48875
# engine=13841
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-05-16 01:21:05
# local_time=2013-05-17 01:21:05 (+1200, New Zealand Standard Time)
# country="New Zealand"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=3074 16777213 100 84 0 15203487 0 0
# compatibility_mode=5893 16776574 100 94 65282592 120343915 0 0
# scanned=203504
# found=1
# cleaned=1
# scan_time=18681
sh=EA111903F48C1CB7FE5056509351A88EFE85114F ft=1 fh=0f73ddfd31d1def0 vn="Win32/Toolbar.DefaultTab.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Qoobox\Quarantine\C\Users\user\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe.vir"

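An added example (editor's code, neither ESET's tooling nor part of the thread) for reading the log posted above. It parses the "# key=value" header and the detection lines (sh=<sha1> ft=<n> fh=<hash> vn="<name>" ac=<action> fn="<path>") and separates hits that were already sitting in another tool's quarantine from hits that were live on disk: the single detection in the posted log is under C:\Qoobox\Quarantine with ComboFix's .vir suffix, so it is a copy ComboFix had already disabled, not a new infection. The quarantine folder list is an assumption, and the second detection line in the sample is constructed (zeroed hashes, made-up name and path).

```python
r"""Parse an ESET Online Scanner log and separate live hits from quarantined copies.

Added example (editor's code, not ESET's tooling and not from the thread). The
scanner writes "# key=value" header lines and one detection line per hit in the
form sh=<sha1> ft=<n> fh=<hash> vn="<name>" ac=<action> fn="<path>". A hit whose
path sits under another tool's quarantine folder (ComboFix keeps its copies under
C:\Qoobox\Quarantine with a .vir suffix, as in the posted log) is a file that was
already disabled, not an active infection. The quarantine folder list is an
assumption; the second detection line is constructed (zeroed hashes, made-up
name and path).
"""
import re

# First detection line is the one posted in the thread; the second is constructed.
SAMPLE_ESET_LOG = r"""# version=8
# engine=13841
# end=finished
# scanned=203504
# found=2
# cleaned=2
sh=EA111903F48C1CB7FE5056509351A88EFE85114F ft=1 fh=0f73ddfd31d1def0 vn="Win32/Toolbar.DefaultTab.A application (cleaned by deleting - quarantined)" ac=C fn="C:\Qoobox\Quarantine\C\Users\user\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe.vir"
sh=0000000000000000000000000000000000000000 ft=1 fh=0000000000000000 vn="Win32/Example.Test application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\user\AppData\Local\Temp\example.exe"
"""

# Folders where other removal tools park files they have already disabled (assumption).
QUARANTINE_DIRS = (
    "c:\\qoobox\\quarantine\\",      # ComboFix, as seen in the posted log
    "c:\\adwcleaner\\quarantine\\",  # AdwCleaner
)

HEADER = re.compile(r"^# (\w+)=(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value; value may be a quoted string with spaces

def parse_log(text):
    """Return (header dict, list of detection dicts keyed by sh/ft/fh/vn/ac/fn)."""
    header, hits = {}, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if "fn" in fields and "vn" in fields:
            hits.append(fields)
    return header, hits

def is_quarantined_copy(path):
    """True if the file was already parked by another tool (folder match or ComboFix's .vir suffix)."""
    p = path.lower()
    return p.endswith(".vir") or p.startswith(QUARANTINE_DIRS)

def triage(text):
    """Split detections into already-quarantined copies and hits that were live on disk."""
    header, hits = parse_log(text)
    live = [h for h in hits if not is_quarantined_copy(h["fn"])]
    quarantined = [h for h in hits if is_quarantined_copy(h["fn"])]
    return {
        "declared": int(header.get("found", "0")),  # what the scanner says it found
        "parsed": len(hits),                         # what we parsed; a mismatch means a truncated log
        "live": live,
        "quarantined": quarantined,
    }

if __name__ == "__main__":
    result = triage(SAMPLE_ESET_LOG)
    print(f"declared={result['declared']} parsed={result['parsed']}")
    for h in result["quarantined"]:
        print("already quarantined:", h["vn"], "->", h["fn"])
    for h in result["live"]:
        print("LIVE:", h["vn"], "->", h["fn"], "sha1", h["sh"])
```

The sh= field is the SHA-1 of the detected file, which is handy for looking the sample up elsewhere; if "parsed" is lower than "declared", the pasted log was cut off and the missing lines should be requested before drawing any conclusion.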

#29
May 16, 2013 at 11:50:31
11: To find the offending program.
Run ESET again please.
1: Click the Start button.
2: Accept any security warnings from your browser.
3: Under scan settings, check "Scan Archives" and "Remove found threats"
4: Click Advanced settings and select the following:
* Scan potentially unwanted applications
* Scan for potentially unsafe applications
* Enable Anti-Stealth technology
5: ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
6: When the scan completes, click List Threats.
7: Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
8: Click the Back button.
9: Click the Finish button.

