Thanks a lot :)
I've tried several times to download and use the Microsoft Security Essentials, but it won't work because of the malware...I can't even open the program.
So I think I will try the avast! Free Antivirus :)
Thanks for the info.
Please post back on how it goes with avast! Free. Particularly, if you get any error messages.
It is installed on the computer that I am using now.
Crumble,
Please open Task Scheduler by clicking the following in sequence: Start > Control Panel > System and Security > Administrative Tools, and then double-clicking: Task Scheduler
When Task Scheduler opens, expand Active Tasks to see a list of everything that is scheduled to run.
Now scroll through the list and find: IKOPXBS
Double-click it.
Next, the Task Scheduler Library opens.
Right-click on the task and select: Delete
Verify that you want to completely delete the task.
Click: Yes
Post back on whether it worked.
Next, go back to VirusTotal as before (Post #36), and also have the following analyzed:
C:\Users\All Users\188F1432-103A-4ffb-80F1-36B633C5C9E1
When done, please post the results.
Now, follow the instructions below, and see if you can find:
c:\windows\system32\deskperfm.dll
Instructions:
How to show hidden files in Windows 7
If you find the file, also get it analyzed at VirusTotal and post the results.
hmmm, I can't find IKOPXBS!
And I can find the other file (C:\Users\All Users\188F1432-103A-4ffb-80F1-36B633C5C9E1) on my computer, but it is not an option when I want to choose the file in VirusTotal.
avast! found 6 viruses, although I can find only 5...I've placed them in the "virus chest". I'm not quite sure what to do about them, should I delete them or just leave them be? Posting an image:
Excellent job, Crumble!!
The entries in the Virus Chest will not be activated, and are under the control of Avast.
You can remove the entries from the chest, though.
To do that :
Start Avast
From the Maintenance tab, click on: Virus Chest
Select all the files (one at a time), right-click on the selected item, select: Delete
Next, thoroughly scan your computer again with a Boot Time Scan:
Instructions:
How to Perform a Boot-Time Scan with Avast! Anti-Virus
Then, scan again, selecting a Full System Scan.
Post back whether the system shows up clean.
When done with the above (avast!)...
ComboFix is once again ready for download and use.
Please remove the previous copy from your Desktop, and download a new copy from:
ComboFix Download
Temporarily disable avast!, since it may interfere with ComboFix.
Info on disabling protection programs:
Topic:
How to disable your security applications - Tech Support Forum
Topic:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
To run ComboFix, right-click on ComboFix.exe and select: Run as Administrator
Click on Yes, to continue scanning for malware.
The scan may take a while, since it has some 50+ stages.
When finished, CF produces a report.
Please provide a copy of the C:\ComboFix.txt in your reply.
Notes:
1. Please do not mouse-click the ComboFix window while it is running. This action may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the Internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
After the Boot time scan 3 viruses were found, and I deleted them. Then I ran the Full System Scan which showed up clean :)
Here is the ComboFix result:
ComboFix 13-02-03.03 - siri1802 04.02.2013 7:29.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.47.1044.18.2003.634 [GMT 1:00]
Kjører fra: c:\users\siri1802\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
.
.
((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\3002.abs
c:\programdata\3002.xml
.
.
((((((((((((((((((((((((((( Filer Opprettet Fra 2013-01-04 til 2013-02-04 )))))))))))))))))))))))))))))))))
.
.
2013-02-04 06:38 . 2013-02-04 06:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-01 03:45 . 2012-10-30 22:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-02-01 03:45 . 2012-10-30 22:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-02-01 03:45 . 2012-10-15 16:59 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-02-01 03:45 . 2012-10-30 22:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-02-01 03:45 . 2012-10-30 22:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-02-01 03:45 . 2012-10-30 22:51 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-02-01 03:44 . 2012-10-30 22:51 41224 ----a-w- c:\windows\avastSS.scr
2013-02-01 03:44 . 2012-10-30 22:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2013-02-01 03:43 . 2013-02-01 03:43 -------- d-----w- c:\programdata\AVAST Software
2013-02-01 03:43 . 2013-02-01 03:43 -------- d-----w- c:\program files\AVAST Software
2013-01-31 07:12 . 2013-01-31 07:12 -------- d-----w- C:\FRST
2013-01-30 04:26 . 2013-01-30 04:26 -------- d-----w- c:\program files\ESET
2013-01-28 03:45 . 2013-01-28 03:50 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-01-28 03:43 . 2013-01-28 03:46 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs
2013-01-28 03:43 . 2013-01-28 03:43 -------- d-----w- c:\program files\Tweaking.com
2013-01-28 02:57 . 2013-01-28 03:11 5522 ----a-w- C:\backup.reg
2013-01-22 03:23 . 2013-01-22 03:23 -------- d-----w- c:\program files\iPod
2013-01-22 03:22 . 2013-01-22 03:23 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-01-22 03:22 . 2013-01-22 03:23 -------- d-----w- c:\program files\iTunes
2013-01-19 11:48 . 2013-01-19 11:48 -------- d-----w- c:\users\siri1802\AppData\Roaming\Malwarebytes
2013-01-19 11:47 . 2013-01-19 11:47 -------- d-----w- c:\programdata\Malwarebytes
2013-01-19 11:47 . 2013-01-19 11:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-19 11:47 . 2012-12-14 15:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-19 11:39 . 2013-01-19 11:39 -------- d-----w- c:\users\siri1802\AppData\Local\Programs
2013-01-18 09:09 . 2013-01-18 09:09 -------- d-----w- c:\program files\Common Files\Java
2013-01-18 09:08 . 2013-01-18 09:08 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-01-16 10:17 . 2013-01-16 10:17 -------- d-----w- c:\program files\WinPcap
2013-01-16 04:00 . 2013-01-16 04:00 -------- d-----w- c:\program files\MSECache
2013-01-14 03:06 . 2012-12-16 14:13 295424 ----a-w- c:\windows\system32\atmfd.dll
2013-01-14 03:06 . 2012-12-16 14:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-01-13 15:06 . 2012-11-22 04:45 626688 ----a-w- c:\windows\system32\usp10.dll
2013-01-13 15:06 . 2012-11-23 02:56 2345984 ----a-w- c:\windows\system32\win32k.sys
2013-01-13 15:02 . 2012-12-07 12:20 2576384 ----a-w- c:\windows\system32\gameux.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-04 06:22 . 2012-09-24 09:51 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2013-02-04 06:22 . 2012-09-25 07:30 58288 ----a-w- c:\windows\system32\rpcnet.dll
2013-01-31 07:18 . 2012-09-24 09:52 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2013-01-18 09:08 . 2012-09-25 07:27 859552 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-01-18 09:08 . 2011-05-20 14:10 780192 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-13 14:39 . 2012-09-24 22:16 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-13 14:39 . 2011-05-20 14:10 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-09 04:42 . 2012-12-12 03:10 2048 ----a-w- c:\windows\system32\tzres.dll
2013-01-19 16:36 . 2013-01-19 16:35 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00 avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GD riveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-12-17 18:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GD riveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-12-17 18:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GD riveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-12-17 18:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GD riveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-12-17 18:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-04 1791272]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-15 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;%TsUsbGD.DeviceDesc.Generic%;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-01 04:50 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)
.
2013-02-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-24 14:39]
.
2013-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-07 15:20]
.
2013-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-07 15:20]
.
.
------- Tilleggsskanning -------
.
uStart Page = hxxp://google.no/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd til OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.11.1
FF - ProfilePath - c:\users\siri1802\AppData\Roaming\Mozilla\Firefox\Profiles\3pt7z1m9.default\
FF - prefs.js: browser.search.defaulturl -
FF - ExtSQL: !HIDDEN! 2012-09-25 10:35; {1FD91A9C-410C-4090-BBCC-55D3450EF433}; c:\program files\Searchqu Toolbar\Datamngr\FirefoxExtension
.
.
--------------------- LÅSTE REGISTERNØKLER ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe ,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Tidspunkt ferdig: 2013-02-04 07:44:03
ComboFix-quarantined-files.txt 2013-02-04 06:44
ComboFix2.txt 2013-01-25 09:40
.
Pre-Run: 14*284*525*568 byte ledig
Post-Run: 14*241*857*536 byte ledig
.
- - End Of File - - E26CB0E1E1B22773EACB24C1A35BCE6B
avast! is for you...
Have to take a closer look at the ComboFix report.
In the meantime, to see the Security Center service, press the Windows key and the R key simultaneously.
In the Run box that appears, type: services.msc
In the Services window, go down to: Security Center
Set the Startup type to: Automatic (Delayed start), and press the Start button.
Does it stay on?
Also run Farbar Service Scanner once again.
Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
- Windows Defender
Press: Scan
Please provide the new FSS.txt in your reply.
Sure, take your time :) :) :)
Here's the FSS result:
Farbar Service Scanner Version: 30-01-2013
Ran by siri1802 (administrator) on 05-02-2013 at 05:31:50
Running from "C:\Users\siri1802\Downloads"
Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Standard Profile]
"EnableFirewall"=DWORD:0
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
Other Services:
==============
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
I have another question for you:
My computer has started to get really slow the last few weeks, and the screen drive stops responding/working all the time in which case the screen turns black for a while. Do you think this has got something to do with the viruses? Is there any way to fix it? :)
Btw - the Security Center stays on!!
Last edited by Crumble; 05 Feb 2013 at 00:19.
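A read-only PowerShell audit, added here as an example and not part of the thread or of Farbar's or ComboFix's tooling, that checks the same policy values the FSS and ComboFix output above reported (EnableFirewall=0, DisableAntiSpyware=1, the Security Center overrides and EnableLUA=0) and the state of the Security Center, Firewall and Defender services. It assumes the standard Windows 7 service names wscsvc, MpsSvc and WinDefend, and the registry key name StandardProfile (FSS prints it with a space).

```powershell
# Added example: report security policies and services that malware commonly
# switches off. Read-only; it changes nothing. Run from an elevated prompt.

# Registry values to check: the value FSS/ComboFix showed as the "bad" state.
# Assumption: StandardProfile is the real key name (FSS prints "Standard Profile").
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
       Name = 'EnableFirewall'; Bad = 0; Desc = 'Windows Firewall disabled (standard profile)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
       Name = 'DisableAntiSpyware'; Bad = 1; Desc = 'Windows Defender disabled by policy' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'AntiVirusOverride'; Bad = 1; Desc = 'Security Center antivirus monitoring overridden' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'FirewallOverride'; Bad = 1; Desc = 'Security Center firewall monitoring overridden' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA'; Bad = 0; Desc = 'UAC (EnableLUA) turned off' }
)

$findings = @()
foreach ($c in $checks) {
    # A missing value is fine (default applies); only a present value in the bad state is reported.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.($c.Name) -eq $c.Bad) {
        $findings += "[POLICY] $($c.Desc): $($c.Name)=$($item.($c.Name)) at $($c.Path)"
    }
}

# Services the thread is concerned with (assumed Windows 7 service names).
$services = @{ wscsvc = 'Security Center'; MpsSvc = 'Windows Firewall'; WinDefend = 'Windows Defender' }
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        $findings += "[SERVICE] $($services[$name]) ($name) is missing"
    } elseif ($svc.Status -ne 'Running') {
        # Start mode (Auto/Manual/Disabled) comes from WMI; a Disabled mode is the usual tampering sign.
        $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
        $findings += "[SERVICE] $($services[$name]) ($name) is $($svc.Status), start mode $mode"
    }
}

if ($findings.Count -eq 0) {
    'No disabled security policies or stopped security services found.'
} else {
    $findings
}
```

Re-run it after the Security Center and Firewall services have been started to confirm the [SERVICE] lines disappear; any remaining [POLICY] line is a value to reset deliberately, not one that starting a service will clear.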
Crumble,
"Btw - the Security Center stays on!!"
^^^ ^^^
See if you can start the Windows Firewall, or do you have another Firewall running?
Post back on this, please.
On the problems with the screen/display, there may be a problem with its graphic card. Your best bet is to go to the following forum, and describe the problem there:
Graphic Cards - Windows 7 Forums
Malware is basically what I do. You do not want me guiding you thru a display issue.
I'm confused enough with what I do!