
not sure what's wrong, been crazy for months


  • This topic is locked
32 replies to this topic

#1 mtaffer

  • Members
  • 18 posts

Posted 15 June 2012 - 02:39 PM

Really, if we can't find anything wrong we have to do a re-install. I just want to make sure we are not missing anything. I can tell you that combofix just will not run...it will sit there for hours. I keep getting messages that the recycle bin is corrupted, freeware implementation of XCACLS has stopped working. Random stuff like websites not loading or it completely losing the gateway. Just need some help guys. Maybe you can see something I'm missing.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_31
Run by Administrator at 13:29:05 on 2012-06-15
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3582.2711 [GMT -5:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Program Files\BarracudaNG\phions.exe
C:\Program Files\BarracudaNG\Opswat\CAntiVirusCOM.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_24288096a5cd99f6\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\crypserv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_24288096a5cd99f6\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\BarracudaNG\phion.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\tm\tmsimg\bin\ftsrvr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [PSQLLauncher] "c:\program files\fingerprint reader suite\launcher.exe" /startup
mRun: [phion] c:\program files\barracudang\phion.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\imagin~1.lnk - c:\tm\tmsimg\bin\tmimgpcx.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: HideFastUserSwitching = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://bhmbackup1:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://bhmbackup1:4343/officescan/console/html/ClientInstall/setup.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://bhmbackup1:4343/officescan/console/html/root/AtxEnc.cab
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://66.195.246.242/NELX.cab
DPF: {71D73A47-975F-11D1-AA77-00A0C98D86D4} - hxxp://bhmvoip2/ShoreWareDirector/VoiceMessage.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://cargill.webex.com/client/T27L10NSP11EP5/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.101.23 192.168.101.9
TCP: Interfaces\{03457E59-B8B9-4DE0-ADEA-BFD977086BDF} : DhcpNameServer = 4.2.2.2 4.2.2.1
TCP: Interfaces\{03457E59-B8B9-4DE0-ADEA-BFD977086BDF}\2416C6C656E6765627 : DhcpNameServer = 192.168.1.1 24.177.176.38 97.81.22.195
TCP: Interfaces\{03457E59-B8B9-4DE0-ADEA-BFD977086BDF}\2686D616075616374713 : DhcpNameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{03457E59-B8B9-4DE0-ADEA-BFD977086BDF}\47D637160723 : DhcpNameServer = 192.168.100.25 192.168.100.10
TCP: Interfaces\{03457E59-B8B9-4DE0-ADEA-BFD977086BDF}\5737562736F6E66623031303 : DhcpNameServer = 192.168.1.1 216.136.95.2 64.132.94.250
TCP: Interfaces\{03457E59-B8B9-4DE0-ADEA-BFD977086BDF}\8686F6E6562737 : DhcpNameServer = 4.2.2.2 4.2.2.1
TCP: Interfaces\{03457E59-B8B9-4DE0-ADEA-BFD977086BDF}\C696E6B6379737 : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{171F1D9A-3300-4A9C-A52E-25FA35EC826A} : DhcpNameServer = 172.18.206.215 172.18.206.215
TCP: Interfaces\{6D1347A1-AD42-4A04-8A2B-C6C95999C659} : DhcpNameServer = 192.168.101.23 192.168.101.9
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 20395224;20395224;c:\windows\system32\drivers\20395224.sys [2011-10-25 133208]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_24288096a5cd99f6\AEstSrv.exe [2011-2-1 73728]
R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\kodak\digital display\orbkodaklauncher\DllStartupService.exe [2008-3-6 81920]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-7-6 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-1-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-7-26 47640]
R2 phions;Barracuda NG Client;c:\program files\barracudang\phions.exe [2010-3-10 4495296]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2011-7-12 262416]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2011-7-12 36624]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-8-23 323360]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-5-26 136176]
S2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [2005-9-28 8704]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-5-26 136176]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-4-19 18432]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 phionvpn; phion VPN Adapter Driver;c:\windows\system32\drivers\phionvpn.sys [2011-2-1 31728]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-6-15 57424]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2010-4-24 689416]
S3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2011-2-7 12800]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-3 1343400]
.
=============== Created Last 30 ================
.
2012-06-15 17:51:40 -------- d-s---w- C:\ComboFix
2012-06-15 17:29:48 -------- d-----w- c:\users\administrator\appdata\local\CrashDumps
2012-06-15 16:22:38 -------- d-----w- c:\windows\pss
2012-06-15 15:55:41 98816 ----a-w- c:\windows\sed.exe
2012-06-15 15:55:41 518144 ----a-w- c:\windows\SWREG.exe
2012-06-15 15:55:41 256000 ----a-w- c:\windows\PEV.exe
2012-06-15 15:55:41 208896 ----a-w- c:\windows\MBR.exe
.
==================== Find3M ====================
.
.
============= FINISH: 13:30:06.48 ===============
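A DDS report like the one above is normally read by hand. As an added example (not code from this thread, from BleepingComputer, or from the DDS tool), the Python below parses the `mPolicies-system` lines and the `SERVICES / DRIVERS` lines from a constructed sample in the same format, compares the UAC-related policy values against the Windows 7 defaults, and lists boot-start (R0) drivers so they can be reviewed first. The regular expressions, the default table and the sample lines are this example's own assumptions about the DDS line format as it appears above; they are not part of the thread.

```python
"""Audit a DDS log: UAC policy values and boot-start drivers.

Added example, not code from the thread or from the DDS tool. The regexes
below are an assumption about the DDS line format as it appears above.
"""
import re
from typing import Dict, List, NamedTuple

# Windows 7 defaults for the UAC keys DDS prints as "mPolicies-system" lines.
# EnableLUA = 0 switches UAC off entirely; ConsentPromptBehaviorAdmin = 0
# elevates administrators silently; PromptOnSecureDesktop = 0 draws the prompt
# on the normal desktop, where other programs can interact with it.
UAC_DEFAULTS: Dict[str, int] = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,
    "ConsentPromptBehaviorUser": 3,
    "PromptOnSecureDesktop": 1,
}

POLICY_RE = re.compile(
    r"^mPolicies-system:\s*(\w+)\s*=\s*(-?\d+)\s*\(0x[0-9A-Fa-f]+\)\s*$")
# R = running, S = stopped; the digit is the start type
# (0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
DRIVER_RE = re.compile(
    r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+?)\s+\[(\S+)\s+(\d+)\]\s*$")


class Driver(NamedTuple):
    running: bool
    start_type: int
    name: str
    display: str
    path: str
    date: str
    size: int


def parse_policies(lines: List[str]) -> Dict[str, int]:
    """Collect mPolicies-system key/value pairs (decimal value)."""
    policies: Dict[str, int] = {}
    for line in lines:
        m = POLICY_RE.match(line.strip())
        if m:
            policies[m.group(1)] = int(m.group(2))
    return policies


def audit_uac(policies: Dict[str, int]) -> List[str]:
    """Return one finding per UAC key that differs from the Windows 7 default."""
    return [
        f"{key}={policies[key]} (Windows 7 default {default})"
        for key, default in UAC_DEFAULTS.items()
        if key in policies and policies[key] != default
    ]


def parse_drivers(lines: List[str]) -> List[Driver]:
    """Parse SERVICES / DRIVERS entries into structured records."""
    drivers: List[Driver] = []
    for line in lines:
        m = DRIVER_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, path, date, size = m.groups()
        drivers.append(Driver(state == "R", int(start), name.strip(),
                              display.strip(), path.strip(), date, int(size)))
    return drivers


def boot_start_drivers(drivers: List[Driver]) -> List[Driver]:
    """Boot-start (type 0) drivers load before most defences; review them first."""
    return [d for d in drivers if d.start_type == 0]


def report(lines: List[str]) -> str:
    """Human-readable summary of both checks."""
    out = ["UAC findings:"]
    out += [f"  {f}" for f in audit_uac(parse_policies(lines))] or ["  none"]
    out.append("Boot-start drivers:")
    out += [f"  {d.name} -> {d.path} [{d.date}, {d.size} bytes]"
            for d in boot_start_drivers(parse_drivers(lines))] or ["  none"]
    return "\n".join(out)


# Constructed sample in the DDS format shown in the thread.
SAMPLE_LOG = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
R0 20395224;20395224;c:\windows\system32\drivers\20395224.sys [2011-10-25 133208]
R2 phions;Barracuda NG Client;c:\program files\barracudang\phions.exe [2010-3-10 4495296]
S3 phionvpn; phion VPN Adapter Driver;c:\windows\system32\drivers\phionvpn.sys [2011-2-1 31728]
""".strip().splitlines()

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved DDS log with `report(open("dds.txt").read().splitlines())`. A deviation from the UAC defaults is not proof of malware (administrators do switch UAC off on purpose), but it tells the responder that nothing on the machine would have prompted before a silent elevation, which is why it belongs at the top of the findings.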

#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,299 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 15 June 2012 - 11:52 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



I would like you to download an updated version of combofix.

update combofix

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.
"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 mtaffer (Topic Starter)

  • Members
  • 18 posts

Posted 18 June 2012 - 12:54 PM

Hey, this is just a note to tell you that it does not appear that I can get combofix to run.

I get
Scanning for infected files...
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double

And then I get a flashing cursor below that and nothing happens.

I did get the other log you requested if you want me to post that.

Some behavior issues:
Every time Windows comes up I get
The recycle bin on c:\ is corrupted
Do you want to empty the recycle bin (there is never anything in it)
And I keep getting a warning telling me my copy of windows is not authentic (although it's activated).
I even went through the phone activation and it's validated and still get that message.
That's just what has happened since I've had it on today.

Please advise what to do next.
I still have combofix running, and will keep it up until told otherwise.

Edit: Just had this message pop-up right after posting the above message.
Freeware implementation of XCACLS has stopped working.
I don't know if that has anything to do with why combofix is not working or not.

Thanks,
mtaffer

Edited by mtaffer, 18 June 2012 - 01:32 PM.


#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,299 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 18 June 2012 - 03:15 PM

Greetings

go ahead and stop it

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

#5 mtaffer (Topic Starter)

  • Members
  • 18 posts

Posted 18 June 2012 - 06:29 PM

Shortly after you sent me these latest instructions, I rebooted the machine after removing combofix.
This was a bad idea.
When it came back up, it was like I was in a temp profile.
I have completely lost network connectivity of any kind (wireless or wired)
Some windows services are failing. (DNS related)
I cannot flushdns

I am currently in safe mode trying to get the internet to work again.
The reason is because I can't update those avast definitions on the pc in question.

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,299 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 18 June 2012 - 09:36 PM

Hello


This seems to be getting worse very quickly - just to be safe, back up anything you cannot replace in case something happens.





download Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Gringo

#7 mtaffer (Topic Starter)

  • Members
  • 18 posts

Posted 19 June 2012 - 08:51 AM

Ok, a small update. The windows repair was asking me to use a local login, and I knew none of the passwords for the usernames it gave.
So I tried to boot into windows again to see the users. I logged in as admin on the domain.
I was greeted with the message that my access to the desktop was denied after I logged in.
Luckily we have a password reset tool, which allowed me to clear the local administrator account and I could run your tool afterwards.
Here is the log as requested.

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 18-06-2012 02
Ran by SYSTEM at 19-06-2012 08:38:37
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [288040 2010-04-05] (Alps Electric Co., Ltd.)
HKLM\...\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup [49168 2007-04-16] (UPEK Inc.)
HKLM\...\Run: [phion] C:\Program Files\BarracudaNG\phion.exe [2717624 2010-03-10] (Barracuda Networks)
HKLM\...\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe [405504 2008-02-15] (IDT, Inc.)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1797008 2010-07-21] (Microsoft Corporation)
HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2011-01-11] (LogMeIn, Inc.)
HKLM\...\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow [870712 2010-08-12] (Trend Micro Inc.)
HKU\administrator\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-26] (Google Inc.)
HKU\johnp\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-26] (Google Inc.)
HKU\johnp\...\Policies\system: [HideLegacyLogonScripts] 1
HKU\rodneyc\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-26] (Google Inc.)
HKU\rodneyc\...\Run: [Google Update] "C:\Users\rodneyc\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-02-29] (Google Inc.)
HKU\rodneyc\...\Policies\system: [HideLegacyLogonScripts] 1
HKU\administrator\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-26] (Google Inc.)
HKU\johnp\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-26] (Google Inc.)
HKU\johnp\...\Policies\system: [HideLegacyLogonScripts] 1
HKU\rodneyc\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-05-26] (Google Inc.)
HKU\rodneyc\...\Run: [Google Update] "C:\Users\rodneyc\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-02-29] (Google Inc.)
HKU\rodneyc\...\Policies\system: [HideLegacyLogonScripts] 1
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll [X]
Winlogon\Notify\psfus: C:\Windows\system32\psqlpwd.dll (UPEK Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.101.23 192.168.101.9
Lsa: [Notification Packages] scecli
psqlpwd
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Imaging Server.lnk
ShortcutTarget: Imaging Server.lnk -> C:\tm\tmsimg\bin\tmimgpcx.exe (McLeod Software Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Imaging Server.lnk
ShortcutTarget: Imaging Server.lnk -> C:\tm\tmsimg\bin\tmimgpcx.exe (McLeod Software Inc.)

================================ Services (Whitelisted) ==================

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_24288096a5cd99f6\aestsrv.exe [73728 2007-09-20] (Andrea Electronics Corporation)
2 Crypkey License; crypserv.exe [122880 2008-05-07] (CrypKey (Canada) Ltd.)
3 EFS; C:\Windows\System32\lsass.exe [22528 2009-07-13] (Microsoft Corporation)
3 ehRecvr; C:\Windows\ehome\ehRecvr.exe [557056 2009-07-13] (Microsoft Corporation)
3 ehSched; C:\Windows\ehome\ehsched.exe [94720 2009-07-13] (Microsoft Corporation)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [647168 2007-07-25] (Intel Corporation)
3 Fax; C:\Windows\System32\fxssvc.exe [522752 2009-07-13] (Microsoft Corporation)
3 GoToAssist; "C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe" Start=service [16680 2011-02-07] (Citrix Online, a division of Citrix Systems, Inc.)
3 KeyIso; C:\Windows\System32\lsass.exe [22528 2009-07-13] (Microsoft Corporation)
2 KodakDigitalDisplayService; "C:\Program Files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe" [81920 2008-03-06] (Orb Networks)
2 LMIGuardianSvc; "C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe" [374152 2011-12-23] (LogMeIn, Inc.)
2 LMIMaint; "C:\Program Files\LogMeIn\x86\RaMaint.exe" [136584 2011-12-23] (LogMeIn, Inc.)
2 LogMeIn; "C:\Program Files\LogMeIn\x86\LogMeIn.exe" [390528 2011-01-11] (LogMeIn, Inc.)
3 MSDTC; C:\Windows\System32\msdtc.exe [134144 2009-07-13] (Microsoft Corporation)
3 msiserver; C:\Windows\System32\msiexec.exe /V [73216 2009-07-13] (Microsoft Corporation)
2 Netlogon; C:\Windows\System32\lsass.exe [22528 2009-07-13] (Microsoft Corporation)
2 ntrtscan; "C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe" [1459872 2010-08-04] (Trend Micro Inc.)
2 phions; "C:\Program Files\BarracudaNG\phions.exe" [4495296 2010-03-10] (Barracuda Networks)
3 ProtectedStorage; C:\Windows\System32\lsass.exe [22528 2009-07-13] (Microsoft Corporation)
2 RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [327680 2007-07-25] (Intel Corporation)
3 RpcLocator; C:\Windows\System32\locator.exe [9216 2009-07-13] (Microsoft Corporation)
2 SamSs; C:\Windows\System32\lsass.exe [22528 2009-07-13] (Microsoft Corporation)
3 SNMPTRAP; C:\Windows\System32\snmptrap.exe [12800 2009-07-13] (Microsoft Corporation)
2 Spooler; C:\Windows\System32\spoolsv.exe [316928 2010-08-20] (Microsoft Corporation)
2 sppsvc; C:\Windows\System32\sppsvc.exe [3179520 2009-07-13] (Microsoft Corporation)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_24288096a5cd99f6\STacSV.exe [102400 2008-02-15] (IDT, Inc.)
3 StorSvc; C:\Windows\System32\storsvc.dll [16384 2009-07-13] (Microsoft Corporation)
3 TMBMServer; "C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service [345424 2010-06-15] (Trend Micro Inc.)
2 tmlisten; "C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe" [1580640 2010-08-04] (Trend Micro Inc.)
3 TmProxy; "C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe" [689416 2010-04-24] (Trend Micro Inc.)
3 UI0Detect; C:\Windows\System32\UI0Detect.exe [35840 2009-07-13] (Microsoft Corporation)
3 VaultSvc; C:\Windows\System32\lsass.exe [22528 2009-07-13] (Microsoft Corporation)
3 vds; C:\Windows\System32\vds.exe [452608 2009-07-13] (Microsoft Corporation)
3 VSS; C:\Windows\System32\vssvc.exe [1025536 2009-07-13] (Microsoft Corporation)
3 wbengine; "C:\Windows\system32\wbengine.exe" [1202688 2009-07-13] (Microsoft Corporation)
3 WinHttpAutoProxySvc; C:\Windows\System32\svchost.exe -k LocalService [20992 2009-07-13] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

0 20395224; C:\Windows\System32\DRIVERS\20395224.sys [133208 2011-10-25] (Kaspersky Lab ZAO)
3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
4 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [131984 2008-11-16] (Deterministic Networks, Inc.)
3 Dot4Scan; C:\Windows\System32\DRIVERS\Dot4Scan.sys [10752 2009-07-13] (Microsoft Corporation)
3 iirsp; C:\Windows\system32\DRIVERS\iirsp.sys [41040 2009-07-13] (Intel Corp./ICP vortex GmbH)
2 InAspi32; \??\C:\Windows\system32\drivers\InAspi32.sys [8704 2005-09-27] (Initio Corporation)
2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [12856 2011-01-11] (LogMeIn, Inc.)
3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [10144 2011-01-11] (LogMeIn, Inc.)
2 LMIRfsDriver; \??\C:\Windows\system32\drivers\LMIRfsDriver.sys [47640 2011-01-11] (LogMeIn, Inc.)
3 Netaapl; C:\Windows\System32\DRIVERS\netaapl.sys [18432 2010-04-19] (Apple Inc.)
3 NETw4v32; C:\Windows\System32\DRIVERS\NETw4v32.sys [2226688 2007-08-08] (Intel Corporation)
1 NetworkX; C:\Windows\system32\ckldrv.sys [19584 2008-03-17] ()
3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [21520 2010-07-21] (Microsoft Corporation)
3 OEM02Dev; C:\Windows\System32\DRIVERS\OEM02Dev.sys [235520 2007-07-17] (Creative Technology Ltd.)
3 OEM02Vfx; C:\Windows\System32\DRIVERS\OEM02Vfx.sys [7424 2007-03-05] (EyePower Games Pte. Ltd.)
3 phionvpn; C:\Windows\System32\DRIVERS\phionvpn.sys [31728 2009-11-23] (Phion AG)
3 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [67664 2010-06-15] (Trend Micro Inc.)
2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [178448 2011-07-19] (Trend Micro Inc.)
3 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [57424 2010-06-15] (Trend Micro Inc.)
2 TmFilter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys [262416 2011-07-12] (Trend Micro Inc.)
2 TmPreFilter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys [36624 2011-07-12] (Trend Micro Inc.)
3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [165376 2009-09-22] (Microsoft Corporation)
1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [55040 2009-09-22] (Microsoft Corporation)
3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2009-09-22] (Microsoft Corporation)
3 vpcuxd; C:\Windows\System32\DRIVERS\vpcuxd.sys [12800 2009-09-22] (Microsoft Corporation)
1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [295936 2009-12-31] (Microsoft Corporation)
2 VSApiNt; \??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys [1405720 2011-07-12] (Trend Micro Inc.)
3 yukonw7; C:\Windows\System32\DRIVERS\yk62x86.sys [311296 2009-07-13] (Marvell)
3 catchme; \??\C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys [x]
3 DFUBTUSB; C:\Windows\System32\Drivers\frmupgr.sys [x]
4 LMIRfsClientNP; [x]
4 Messenger; [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-19 08:38 - 2012-06-19 08:38 - 00000000 ____D C:\FRST
2012-06-18 15:27 - 2012-06-18 15:28 - 00137324 ____A C:\TDSSKiller.2.7.40.0_18.06.2012_18.27.46_log.txt
2012-06-18 14:35 - 2012-06-18 14:40 - 00138618 ____A C:\TDSSKiller.2.7.40.0_18.06.2012_17.35.59_log.txt
2012-06-18 14:21 - 2012-06-18 14:21 - 00000000 ____D C:\Windows\System32\%LocalAppData%
2012-06-18 14:13 - 2012-06-18 14:13 - 00003664 ____N C:\bootsqm.dat
2012-06-18 12:43 - 2012-06-18 12:43 - 00008091 ____A C:\Windows\brndlog.txt
2012-06-18 12:41 - 2012-06-18 12:41 - 00000000 ___SD C:\32788R22FWJFW
2012-06-18 08:39 - 2012-06-18 08:39 - 00001518 ____A C:\Users\administrator\Desktop\checkup.txt
2012-06-18 08:39 - 2012-06-18 08:39 - 00001518 ____A C:\Documents and Settings\administrator\Desktop\checkup.txt
2012-06-18 08:36 - 2012-06-18 08:36 - 00881475 ____A C:\Users\administrator\Desktop\SecurityCheck.exe
2012-06-18 08:36 - 2012-06-18 08:36 - 00881475 ____A C:\Documents and Settings\administrator\Desktop\SecurityCheck.exe
2012-06-15 10:56 - 2012-06-15 10:56 - 00004413 ____A C:\Users\administrator\Desktop\ark.txt
2012-06-15 10:56 - 2012-06-15 10:56 - 00004413 ____A C:\Documents and Settings\administrator\Desktop\ark.txt
2012-06-15 10:33 - 2012-06-15 10:33 - 00008228 ____A C:\Users\administrator\Desktop\Attach.txt
2012-06-15 10:33 - 2012-06-15 10:33 - 00008228 ____A C:\Documents and Settings\administrator\Desktop\Attach.txt
2012-06-15 10:31 - 2012-06-15 10:31 - 00012536 ____A C:\Users\administrator\Desktop\DDS.txt
2012-06-15 10:31 - 2012-06-15 10:31 - 00012536 ____A C:\Documents and Settings\administrator\Desktop\DDS.txt
2012-06-15 10:25 - 2012-06-15 10:25 - 00302592 ____A C:\Users\administrator\Desktop\vsis6bry.exe
2012-06-15 10:25 - 2012-06-15 10:25 - 00302592 ____A C:\Documents and Settings\administrator\Desktop\vsis6bry.exe
2012-06-15 10:23 - 2012-06-15 10:23 - 00607260 ___RA (Swearware) C:\Users\administrator\Desktop\dds.scr
2012-06-15 10:23 - 2012-06-15 10:23 - 00607260 ___RA (Swearware) C:\Documents and Settings\administrator\Desktop\dds.scr
2012-06-15 09:49 - 2012-06-15 09:50 - 00137698 ____A C:\TDSSKiller.2.7.40.0_15.06.2012_12.49.58_log.txt
2012-06-15 09:49 - 2012-06-15 09:49 - 00000000 ____D C:\Users\administrator\Desktop\tdsskiller
2012-06-15 09:49 - 2012-06-15 09:49 - 00000000 ____D C:\Documents and Settings\administrator\Desktop\tdsskiller
2012-06-15 09:47 - 2012-06-18 15:33 - 00000361 ____A C:\rkill.log
2012-06-15 09:46 - 2012-06-15 09:46 - 01012656 ____A C:\Users\administrator\Desktop\iExplore.exe
2012-06-15 09:46 - 2012-06-15 09:46 - 01012656 ____A C:\Documents and Settings\administrator\Desktop\iExplore.exe
2012-06-15 09:29 - 2012-06-18 15:29 - 00000000 ____D C:\Users\administrator\Local Settings\Application Data\CrashDumps
2012-06-15 09:29 - 2012-06-18 15:29 - 00000000 ____D C:\Users\administrator\AppData\Local\CrashDumps
2012-06-15 09:29 - 2012-06-18 15:29 - 00000000 ____D C:\Documents and Settings\administrator\Local Settings\Application Data\CrashDumps
2012-06-15 09:29 - 2012-06-18 15:29 - 00000000 ____D C:\Documents and Settings\administrator\AppData\Local\CrashDumps
2012-06-15 08:22 - 2012-06-15 08:22 - 00000000 ____D C:\Windows\pss
2012-06-15 07:24 - 2012-06-15 07:25 - 00138402 ____A C:\TDSSKiller.2.7.40.0_15.06.2012_10.24.17_log.txt
2012-06-15 07:23 - 2012-06-15 07:23 - 00000414 ____A C:\TDSSKiller.2.5.22.0_15.06.2012_10.23.40_log.txt
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Users\test\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Users\rodneyc\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Users\kodak\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Users\kevinb\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Users\johnp\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Users\administrator\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Documents and Settings\test\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Documents and Settings\rodneyc\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Documents and Settings\kodak\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Documents and Settings\kevinb\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Documents and Settings\johnp\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Documents and Settings\administrator\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00000000 ____D C:\users\kevinb
2012-06-04 06:14 - 2012-06-04 06:14 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_NuidFltr_01009.Wdf

============ 3 Months Modified Files and Folders ===============

2012-06-19 05:34 - 2010-07-12 06:01 - 00335446 ____A C:\Windows\System32\TmInstall.log
2012-06-19 05:34 - 2010-03-25 10:44 - 00032536 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-19 05:34 - 2010-03-25 10:44 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-19 05:34 - 2010-03-23 12:02 - 00046004 ____A C:\Windows\error.log
2012-06-19 05:34 - 2010-03-23 12:02 - 00011482 ____A C:\Windows\errord.log
2012-06-19 05:34 - 2010-03-22 12:46 - 01776573 ____A C:\Windows\WindowsUpdate.log
2012-06-19 05:34 - 2010-03-22 12:43 - 3756064768 __ASH C:\pagefile.sys
2012-06-19 05:34 - 2010-03-22 12:43 - 2817048576 __ASH C:\hiberfil.sys
2012-06-19 05:34 - 2009-07-13 20:39 - 00063656 ____A C:\Windows\setupact.log
2012-06-19 05:26 - 2009-07-13 20:34 - 00021520 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-19 05:26 - 2009-07-13 20:34 - 00021520 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-19 05:23 - 2011-05-26 15:59 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-19 05:14 - 2011-05-26 15:59 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-06-19 05:13 - 2012-02-29 19:33 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-630328440-1801674531-2673UA.job
2012-06-19 05:13 - 2012-02-29 19:33 - 00000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-630328440-1801674531-2673Core.job
2012-06-19 05:13 - 2011-07-26 09:42 - 00000000 ____D C:\Users\All Users\LogMeIn
2012-06-19 05:13 - 2011-07-26 09:42 - 00000000 ____D C:\Documents and Settings\All Users\LogMeIn
2012-06-18 15:43 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2012-06-18 15:33 - 2012-06-15 09:47 - 00000361 ____A C:\rkill.log
2012-06-18 15:29 - 2012-06-15 09:29 - 00000000 ____D C:\Users\administrator\Local Settings\Application Data\CrashDumps
2012-06-18 15:29 - 2012-06-15 09:29 - 00000000 ____D C:\Users\administrator\AppData\Local\CrashDumps
2012-06-18 15:29 - 2012-06-15 09:29 - 00000000 ____D C:\Documents and Settings\administrator\Local Settings\Application Data\CrashDumps
2012-06-18 15:29 - 2012-06-15 09:29 - 00000000 ____D C:\Documents and Settings\administrator\AppData\Local\CrashDumps
2012-06-18 15:28 - 2012-06-18 15:27 - 00137324 ____A C:\TDSSKiller.2.7.40.0_18.06.2012_18.27.46_log.txt
2012-06-18 15:28 - 2010-11-29 12:37 - 00000000 ____D C:\Users\administrator\Local Settings\Application Data\ElevatedDiagnostics
2012-06-18 15:28 - 2010-11-29 12:37 - 00000000 ____D C:\Users\administrator\AppData\Local\ElevatedDiagnostics
2012-06-18 15:28 - 2010-11-29 12:37 - 00000000 ____D C:\Documents and Settings\administrator\Local Settings\Application Data\ElevatedDiagnostics
2012-06-18 15:28 - 2010-11-29 12:37 - 00000000 ____D C:\Documents and Settings\administrator\AppData\Local\ElevatedDiagnostics
2012-06-18 15:27 - 2011-02-07 06:08 - 00382028 ____A C:\Windows\ntbtlog.txt
2012-06-18 14:53 - 2009-07-13 18:37 - 00000000 ____D C:\Windows
2012-06-18 14:40 - 2012-06-18 14:35 - 00138618 ____A C:\TDSSKiller.2.7.40.0_18.06.2012_17.35.59_log.txt
2012-06-18 14:38 - 2010-03-22 10:54 - 00960614 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-18 14:24 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2012-06-18 14:21 - 2012-06-18 14:21 - 00000000 ____D C:\Windows\System32\%LocalAppData%
2012-06-18 14:13 - 2012-06-18 14:13 - 00003664 ____N C:\bootsqm.dat
2012-06-18 12:43 - 2012-06-18 12:43 - 00008091 ____A C:\Windows\brndlog.txt
2012-06-18 12:43 - 2011-10-06 14:38 - 00000000 ___RD C:\Users\administrator\Virtual Machines
2012-06-18 12:43 - 2011-10-06 14:38 - 00000000 ___RD C:\Documents and Settings\administrator\Virtual Machines
2012-06-18 12:42 - 2010-03-22 11:48 - 00310298 ____A C:\Windows\PFRO.log
2012-06-18 12:41 - 2012-06-18 12:41 - 00000000 ___SD C:\32788R22FWJFW
2012-06-18 12:41 - 2011-10-25 08:00 - 00000000 ____D C:\Windows\ERDNT
2012-06-18 12:17 - 2009-07-13 18:36 - 00000000 __SHD C:\$Recycle.Bin
2012-06-18 12:16 - 2009-07-13 18:37 - 00000000 _SHDC C:\Windows\$NtUninstallKB43717$
2012-06-18 08:58 - 2010-03-22 11:04 - 00000120 ____A C:\Windows\System32\config\netlogon.ftl
2012-06-18 08:39 - 2012-06-18 08:39 - 00001518 ____A C:\Users\administrator\Desktop\checkup.txt
2012-06-18 08:39 - 2012-06-18 08:39 - 00001518 ____A C:\Documents and Settings\administrator\Desktop\checkup.txt
2012-06-18 08:36 - 2012-06-18 08:36 - 00881475 ____A C:\Users\administrator\Desktop\SecurityCheck.exe
2012-06-18 08:36 - 2012-06-18 08:36 - 00881475 ____A C:\Documents and Settings\administrator\Desktop\SecurityCheck.exe
2012-06-18 08:30 - 2010-03-22 13:56 - 00010871 ____A C:\Windows\cfgall.ini
2012-06-18 08:28 - 2010-03-22 11:06 - 00006100 _RASH C:\Users\All Users\ntuser.pol
2012-06-18 08:28 - 2010-03-22 11:06 - 00006100 _RASH C:\Documents and Settings\All Users\ntuser.pol
2012-06-18 08:28 - 2009-07-13 18:37 - 00000000 ___HD C:\ProgramData
2012-06-15 10:56 - 2012-06-15 10:56 - 00004413 ____A C:\Users\administrator\Desktop\ark.txt
2012-06-15 10:56 - 2012-06-15 10:56 - 00004413 ____A C:\Documents and Settings\administrator\Desktop\ark.txt
2012-06-15 10:33 - 2012-06-15 10:33 - 00008228 ____A C:\Users\administrator\Desktop\Attach.txt
2012-06-15 10:33 - 2012-06-15 10:33 - 00008228 ____A C:\Documents and Settings\administrator\Desktop\Attach.txt
2012-06-15 10:31 - 2012-06-15 10:31 - 00012536 ____A C:\Users\administrator\Desktop\DDS.txt
2012-06-15 10:31 - 2012-06-15 10:31 - 00012536 ____A C:\Documents and Settings\administrator\Desktop\DDS.txt
2012-06-15 10:25 - 2012-06-15 10:25 - 00302592 ____A C:\Users\administrator\Desktop\vsis6bry.exe
2012-06-15 10:25 - 2012-06-15 10:25 - 00302592 ____A C:\Documents and Settings\administrator\Desktop\vsis6bry.exe
2012-06-15 10:23 - 2012-06-15 10:23 - 00607260 ___RA (Swearware) C:\Users\administrator\Desktop\dds.scr
2012-06-15 10:23 - 2012-06-15 10:23 - 00607260 ___RA (Swearware) C:\Documents and Settings\administrator\Desktop\dds.scr
2012-06-15 09:50 - 2012-06-15 09:49 - 00137698 ____A C:\TDSSKiller.2.7.40.0_15.06.2012_12.49.58_log.txt
2012-06-15 09:49 - 2012-06-15 09:49 - 00000000 ____D C:\Users\administrator\Desktop\tdsskiller
2012-06-15 09:49 - 2012-06-15 09:49 - 00000000 ____D C:\Documents and Settings\administrator\Desktop\tdsskiller
2012-06-15 09:46 - 2012-06-15 09:46 - 01012656 ____A C:\Users\administrator\Desktop\iExplore.exe
2012-06-15 09:46 - 2012-06-15 09:46 - 01012656 ____A C:\Documents and Settings\administrator\Desktop\iExplore.exe
2012-06-15 08:22 - 2012-06-15 08:22 - 00000000 ____D C:\Windows\pss
2012-06-15 08:20 - 2011-12-23 19:52 - 00009019 ____A C:\logfile
2012-06-15 07:27 - 2009-07-13 18:37 - 00000000 ___RD C:\Program Files
2012-06-15 07:25 - 2012-06-15 07:24 - 00138402 ____A C:\TDSSKiller.2.7.40.0_15.06.2012_10.24.17_log.txt
2012-06-15 07:23 - 2012-06-15 07:23 - 00000414 ____A C:\TDSSKiller.2.5.22.0_15.06.2012_10.23.40_log.txt
2012-06-04 14:31 - 2011-10-02 10:46 - 00000440 ___AH C:\Windows\Tasks\Norton Security Scan for johnp.job
2012-06-04 14:08 - 2010-03-23 08:04 - 00000459 ____A C:\Windows\ODBC.INI
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Users\test\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Users\rodneyc\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Users\kodak\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Users\kevinb\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Users\johnp\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Users\administrator\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Documents and Settings\test\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Documents and Settings\rodneyc\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Documents and Settings\kodak\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Documents and Settings\kevinb\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Documents and Settings\johnp\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00001181 ____A C:\Documents and Settings\administrator\Desktop\Add new LoadMaster application.lnk
2012-06-04 10:32 - 2012-06-04 10:32 - 00000000 ____D C:\users\kevinb
2012-06-04 10:32 - 2010-08-05 07:08 - 00000000 ____D C:\users\test
2012-06-04 10:32 - 2009-07-13 18:37 - 00000000 ___RD C:\Users
2012-06-04 06:14 - 2012-06-04 06:14 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_NuidFltr_01009.Wdf


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 12%
Total physical RAM: 4094.06 MB
Available physical RAM: 3599.16 MB
Total Pagefile: 4092.34 MB
Available Pagefile: 3601.04 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.7 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:148.95 GB) (Free:59.57 GB) NTFS
3 Drive f: () (Removable) (Total:7.53 GB) (Free:0.59 GB) NTFS
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B
Disk 1 Online 7711 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 148 GB 101 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 148 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7710 MB 1024 KB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F NTFS Removable 7710 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-18 12:35

======================= End Of Log ==========================

Thanks for all your help.
I know it's going to take a miracle to pull this out.

mtaffer

#8 gringo_pr

Bleepin Gringo
  • Malware Response Team
  • 136,299 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 June 2012 - 01:50 PM

Greetings

Not seeing anything in there. Try and run TDSSKiller and aswMBR for me now.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 gringo_pr

Bleepin Gringo
  • Malware Response Team
  • 136,299 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 June 2012 - 01:25 AM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.




Gringo

#10 mtaffer
  • Topic Starter
  • Members
  • 18 posts

Posted 22 June 2012 - 10:58 AM

Still cannot get network access to update the answr program.
I think it's a lost cause, unfortunately.

#11 gringo_pr

Bleepin Gringo
  • Malware Response Team
  • 136,299 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 June 2012 - 05:02 PM

Hello

I would like you to download an updated version of combofix.

update combofix

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**


Ok, let's try this. I want you to run combofix in safe mode, but it is very important that when combofix reboots the computer you direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.

After combofix has finished its scan, please post the report back here.

Gringo

#12 mtaffer
  • Topic Starter
  • Members
  • 18 posts

Posted 22 June 2012 - 05:04 PM

Ok, I will try this, but it will be on Monday as this is a work machine.
I appreciate you not giving up.

#13 gringo_pr

Bleepin Gringo
  • Malware Response Team
  • 136,299 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 June 2012 - 07:38 PM

It will take a little bit more to make me give up.



gringo

#14 mtaffer
  • Topic Starter
  • Members
  • 18 posts

Posted 25 June 2012 - 02:07 PM

Well finally a little progress.
Was able to get combofix to work this time (what kind of magic did you put in this?) and, surprise surprise, zero rootkits found.
Here's the log:

ComboFix 12-06-25.03 - Administrator 06/25/2012 13:58:33.1.2 - x86 NETWORK
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3582.2812 [GMT -5:00]
Running from: c:\users\Administrator\Desktop\combofix.exe
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
c:\windows\$NtUninstallKB43717$
c:\windows\dasetup.log
c:\windows\system32\INETWH32.dll
c:\windows\system32\INETWH32.dll\INETWH32.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-05-25 to 2012-06-25 )))))))))))))))))))))))))))))))
.
.
2012-06-25 19:03 . 2012-06-25 19:03 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-06-25 19:03 . 2012-06-25 19:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-25 18:45 . 2012-06-25 18:45 -------- d-----w- c:\users\Administrator
2012-06-19 16:38 . 2012-06-19 17:58 -------- d-----w- C:\FRST
2012-06-18 22:21 . 2012-06-18 22:21 -------- d-----w- c:\windows\system32\%LocalAppData%
2012-06-18 20:43 . 2012-06-18 20:43 -------- d-----w- c:\windows\system32\config\systemprofile\Bluetooth Software
2012-06-18 20:43 . 2012-06-18 20:43 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\LogMeIn
2012-06-18 20:42 . 2012-06-19 20:50 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\CrashDumps
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-09-10 21:50 2957312 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-09-10 21:50 2957312 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2010-08-12 870712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"HideFastUserSwitching"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 04:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1158\Scripts\Logon\0\0]
"Script"=connectXDrive.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Imaging Server.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Imaging Server.lnk
backup=c:\windows\pss\Imaging Server.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^administrator^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^_uninst_20395224.lnk]
path=c:\users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_20395224.lnk
backup=c:\windows\pss\_uninst_20395224.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^administrator^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^_uninst_68927768.lnk]
path=c:\users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_68927768.lnk
backup=c:\windows\pss\_uninst_68927768.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2010-04-05 22:46 288040 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-07-24 23:02 174616 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2010-07-21 22:52 1797008 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 21:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2011-01-12 00:04 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2010-03-17 01:46 88168 ----a-w- c:\windows\System32\nvhotkey.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2007-05-10 06:01 36864 ----a-w- c:\windows\OEM02Mon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
2010-08-12 21:39 870712 ----a-w- c:\program files\Trend Micro\OfficeScan Client\PccNTMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phion]
2010-03-10 18:53 2717624 ----a-w- c:\program files\BarracudaNG\phion.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2007-04-17 03:50 49168 ----a-w- c:\program files\Fingerprint Reader Suite\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2008-02-16 00:23 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STXMSGHOST]
2004-12-17 17:58 102400 ----a-w- c:\progra~1\Softrax\Tools\msghost.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 20:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-05-26 23:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
R2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [2005-09-28 8704]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2011-01-12 12856]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2011-07-12 262416]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2011-07-12 36624]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-07-08 44432]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2010-04-20 18432]
R3 phionvpn; phion VPN Adapter Driver;c:\windows\system32\DRIVERS\phionvpn.sys [2009-11-23 31728]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2010-06-15 57424]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2010-04-25 689416]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2009-09-23 12800]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-03 1343400]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_24288096a5cd99f6\aestsrv.exe [2007-09-20 73728]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-05-26 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-05-26 136176]
R4 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe [2008-03-06 81920]
R4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2011-12-23 374152]
R4 phions;Barracuda NG Client;c:\program files\BarracudaNG\phions.exe [2010-03-10 4495296]
S0 20395224;20395224;c:\windows\system32\DRIVERS\20395224.sys [2011-10-26 133208]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-26 23:59]
.
2012-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-26 23:59]
.
.
------- Supplementary Scan -------
.
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.101.23 192.168.101.9
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
DPF: {71D73A47-975F-11D1-AA77-00A0C98D86D4} - hxxp://bhmvoip2/ShoreWareDirector/VoiceMessage.ocx
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
SafeBoot-32032083.sys
AddRemove-HijackThis - c:\users\johnp\AppData\Local\Temp\Temp1_hithis.zip\HijackThis.exe
AddRemove-HitmanPro35 - c:\users\johnp\Desktop\34567256.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1b,ee,03,e8,4a,3a,53,4e,ab,40,29,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1b,ee,03,e8,4a,3a,53,4e,ab,40,29,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(508)
c:\windows\system32\psqlpwd.DLL
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
Completion time: 2012-06-25 14:05:04
ComboFix-quarantined-files.txt 2012-06-25 19:05
.
Pre-Run: 109,396,787,200 bytes free
Post-Run: 109,525,020,672 bytes free
.
- - End Of File - - FDBFA4C3EF88E155DFA5C7BD92408203

Nice! :)
I have the internet back now.

mtaffer

Edited by mtaffer, 25 June 2012 - 02:11 PM.


#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,299 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:32 AM

Posted 25 June 2012 - 10:33 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
