popup ads in lower left/corner of browser


This topic is locked
26 replies to this topic

#1 ttt03


Posted 09 September 2012 - 07:51 PM

I am on Windows 7 Enterprise SP1 (64 bit). Inside IE I have a small window that pops up in the lower corner, mostly on the left and sometimes on the right. The pop-up has the information of recent searches or websites. Also I get some redirects from time to time when I open a link in a new window. Ran MalwareBytes but found nothing.


DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_32
Run by ttu1 at 20:43:52 on 2012-09-09
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.8149.5202 [GMT -4:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
c:\Program Files (x86)\Novell\CASA\bin\micasad.exe
C:\Windows\system32\CmgShieldSvc.exe
C:\Windows\system32\EMSService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
c:\Novell\ZENworks\bin\ZenworksWindowsService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Lotus\Notes\nslsvice.exe
C:\Program Files\Novell\Client\XTier\Services\XTSvcMgr.exe
C:\Program Files (x86)\ABC\Licenser\LocalClient\i386\ClientNT.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Windows\SysWOW64\atashost.exe
C:\Program Files (x86)\Courion Corporation\Courion Client Manager\CourClientSvr.exe
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
C:\Lotus\Notes\SUService.exe
C:\Lotus\Notes\nsd.exe
C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files (x86)\ABC\Licenser\LocalClient\i386\cpsyssrv.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
C:\Windows\system32\conhost.exe
C:\Lotus\Notes\ntmulti.exe
c:\Novell\ZENworks\bin\nzrWinVNC.exe
C:\Windows\system32\DRIVERS\o2flash.exe
c:\Novell\ZENworks\bin\nzrWinVNCApp.exe
C:\Program Files (x86)\Wireless AutoSwitch\WrlsAutoSW.exs
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
c:\Novell\ZENworks\bin\ZenUserDaemon.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Google\Google Pinyin 2\GooglePinyinService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\nwtray.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\iprntctl.exe
C:\Windows\System32\iprntlgn.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\System32\CmgShieldUI.exe
C:\Windows\System32\EmsServiceHelper.exe
C:\Program Files\iFolder\iFolderApp.exe
C:\Novell\ZENworks\bin\ZenNotifyIcon.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\iFolder\lib\simias\web\bin\Simias.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120210150231.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
EB: &IEWatch: {e69657ff-19ac-4849-bf35-91243eef1687} - C:\Program Files (x86)\IEWatch\IEWatch.dll
uRun: [<NO NAME>]
uRun: [iFolder] "C:\Program Files\iFolder\iFolderApp.exe" -checkautorun
mRun: [ZenNotifyIcon] c:\Novell\Zenworks\bin\ZenNotifyIcon.exe
mRun: [NalView] c:\Novell\ZENworks\bin\nalview.exe
mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [Cisco AnyConnect Secure Mobility Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce: [Repair Adobe Reader Resources] "msiexec" /i {AC76BA86-7AD7-1033-7B44-A95000000001} /qn REINSTALL=Resources
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SSHTEC~1.LNK - C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = ds-rwe.exe
uPolicies-disallowrun: 2 = jupdate.exe
uPolicies-disallowrun: 3 = jusched.exe
uPolicies-disallowrun: 4 = kazaa.exe
uPolicies-disallowrun: 5 = limewirewin.exe
uPolicies-disallowrun: 6 = ssl32dr.exe
uPolicies-disallowrun: 7 = windde32.exe
uPolicies-disallowrun: 8 = winlog.exe
uPolicies-disallowrun: 9 = freecell.exe
uPolicies-disallowrun: 10 = chess.exe
uPolicies-disallowrun: 11 = hearts.exe
uPolicies-disallowrun: 12 = mahjong.exe
uPolicies-disallowrun: 13 = minesweeper.exe
uPolicies-disallowrun: 14 = purpleplace.exe
uPolicies-disallowrun: 15 = solitaire.exe
uPolicies-disallowrun: 16 = spidersolitaire.exe
uPolicies-disallowrun: 17 = bckgzm.exe
uPolicies-disallowrun: 18 = chkrzm.exe
uPolicies-disallowrun: 19 = shvlzm.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 1 (0x1)
mPolicies-system: SynchronousUserGroupPolicy = 1 (0x1)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
IE: {145581C9-1BCA-4ff2-8435-746011EC2180} - {01111111-D318-45F9-A54A-DAE0FB0D16B8} - C:\Windows\Downloaded Program Files\HemiIEButton.dll
IE: {78E5BB46-9A20-402F-BA66-B5634D177D77} - {E69657FF-19AC-4849-BF35-91243EEF1687} - C:\Program Files (x86)\IEWatch\IEWatch.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
Trusted Zone: filenet
Trusted Zone: harvardpilgrim.org
Trusted Zone: healthtrioconnect.com\www
Trusted Zone: hphc.org
Trusted Zone: hphc.org\filenet
Trusted Zone: hphc.org\webfocusmredev
Trusted Zone: hphc.org\webfocusmreprd
Trusted Zone: hphc.org\webfocusmreuat
Trusted Zone: uhc.com\myexternal
DPF: {01111111-D318-45F9-A54A-DAE0FB0D16B8} - hxxp://fmsprd1.hphc.org/OA_HTML/UPK/PlayerPackage/stdhemi/hemi/ietbutton/hemiiebutton.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {6C64B50D-0472-4CD6-9312-644BEF37D4E6} - hxxps://aim-uat.hphc.org/AIM/Courion/AccessOptions/HTML/PasswordCourierSS/CourLocal.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {A640B7AC-03CF-11D4-8F5F-0000E87715F0} - hxxps://support.cyber-ark.com/webclient/paweb/pasetup.cab
DPF: {AE3E8210-B33F-49C1-B4E2-860F5F4D732F} - hxxps://n2vapp072.hphc.org:444/dsview/applets/viewerLauncher.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} - vpnweb.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://ntnotes004.hphc.org/dwa7W.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP32EP1-13926/webex/ieatgpc1.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{97F43B78-DE9D-49A3-92F2-99C3D84A4B3B} : DhcpNameServer = 192.168.0.1
Notify: PCANotify - PCANotify.dll
LSA: Authentication Packages = msv1_0 ncv1_0 ZenV1_0
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120210150231.dll
BHO-X64: scriptproxy - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
EB-X64: {E69657FF-19AC-4849-BF35-91243EEF1687} - No File
mRun-x64: [ZenNotifyIcon] c:\Novell\Zenworks\bin\ZenNotifyIcon.exe
mRun-x64: [NalView] c:\Novell\ZENworks\bin\nalview.exe
mRun-x64: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun-x64: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun-x64: [Cisco AnyConnect Secure Mobility Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRunOnce-x64: [Repair Adobe Reader Resources] "msiexec" /i {AC76BA86-7AD7-1033-7B44-A95000000001} /qn REINSTALL=Resources
Hosts: 64.46.36.178 www.google-analytics.com.
Hosts: 64.46.36.178 ad-emea.doubleclick.net.
Hosts: 64.46.36.178 www.statcounter.com.
Hosts: 64.27.10.42 www.google-analytics.com.
Hosts: 64.27.10.42 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\TTu1\AppData\Roaming\Mozilla\Firefox\Profiles\TTu1\
FF - prefs.js: browser.startup.homepage - hxxp://online.hphc.org/
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF - plugin: C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Users\TTu1\AppData\Roaming\Mozilla\plugins\npnzrPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - plugin: C:\Windows\SysWOW64\npnipp.dll
FF - plugin: C:\Windows\SysWOW64\npnisp.dll
.
============= SERVICES / DRIVERS ===============
.
R0 CmgHiber;CmgHiber;C:\Windows\system32\DRIVERS\CmgHiber.sys --> C:\Windows\system32\DRIVERS\CmgHiber.sys [?]
R0 CmgShieldCEF;CmgShieldCEF;C:\Windows\system32\DRIVERS\CMGShCEF.sys --> C:\Windows\system32\DRIVERS\CMGShCEF.sys [?]
R0 CMGShieldReg;CMGShieldReg;C:\Windows\system32\DRIVERS\CmgShREG.sys --> C:\Windows\system32\DRIVERS\CmgShREG.sys [?]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
R0 NCFilter;Novell UNC Filter - Filter;C:\Windows\system32\DRIVERS\NCFilter.sys --> C:\Windows\system32\DRIVERS\NCFilter.sys [?]
R0 NCRecognizer;Novell UNC Filter - Recognizer;C:\Windows\system32\DRIVERS\NCRecognizer.sys --> C:\Windows\system32\DRIVERS\NCRecognizer.sys [?]
R0 NCUncFilter;Novell UNC Filter - UNC Filter;C:\Windows\system32\DRIVERS\NCUncFilter.sys --> C:\Windows\system32\DRIVERS\NCUncFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 ABC Client Monitor;ABC Client Monitor;C:\Program Files (x86)\ABC\Licenser\LocalClient\i386\ClientNT.exe [2011-4-14 389696]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-8-3 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 atashost;WebEx Service Host for Support Center;C:\Windows\SysWOW64\atashost.exe [2012-6-11 134456]
R2 CMGShield;CMGShield;C:\Windows\system32\CmgShieldSvc.exe --> C:\Windows\system32\CmgShieldSvc.exe [?]
R2 CourClientSvr;CourClientSvr;C:\Program Files (x86)\Courion Corporation\Courion Client Manager\CourClientSvr.exe [2012-3-21 225184]
R2 EMS;EMS;EMSService.exe --> EMSService.exe [?]
R2 LNSUSvc;Lotus Notes Smart Upgrade Service;C:\Lotus\Notes\SUService.exe [2011-9-16 189832]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;C:\Lotus\Notes\nsd.exe -svcinvoke -ini "C:\Lotus\Notes\notes.ini" --> C:\Lotus\Notes\nsd.exe -svcinvoke -ini C:\Lotus\Notes\notes.ini [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-9 655944]
R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2011-5-19 120128]
R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2012-2-10 190256]
R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [2011-1-12 209760]
R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]
R2 Monitor System;Monitor System;C:\Program Files (x86)\ABC\Licenser\LocalClient\i386\cpsyssrv.exe [2011-4-14 303168]
R2 NCFSD;Novell Client File System Redirector;C:\Program Files\Novell\Client\XTier\Drivers\ncfsd.sys [2011-8-3 96792]
R2 NCIOCTL;Novell Xplat IoCtl Driver;C:\Program Files\Novell\Client\XTier\Drivers\ncioctl.sys [2011-8-3 83480]
R2 Novell Identity Store;Novell Identity Store;C:\Program Files (x86)\Novell\CASA\bin\micasad.exe [2011-5-26 253952]
R2 Novell ZENworks Agent Service;Novell ZENworks Agent Service;C:\Novell\ZENworks\bin\ZenworksWindowsService.exe [2011-11-5 28672]
R2 nzwinvnc;Novell ZENworks Remote Management powered by VNC;c:\Novell\ZENworks\bin\nzrWinVNC.exe -service --> c:\Novell\ZENworks\bin\nzrWinVNC.exe -service [?]
R2 vpnagent;Cisco AnyConnect Secure Mobility Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [2012-1-13 476112]
R2 Wireless_AutoSwitch;Wireless AutoSwitch;C:\Program Files (x86)\Wireless AutoSwitch\WrlsAutoSW.exs [2011-5-25 146680]
R2 XTSvcMgr;Novell XTier Service Manager;C:\Program Files\Novell\Client\XTier\Services\xtsvcmgr.exe [2011-8-3 21016]
R3 acsock;acsock;C:\Windows\system32\DRIVERS\acsock64.sys --> C:\Windows\system32\DRIVERS\acsock64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 cvusbdrv;Dell ControlVault;C:\Windows\system32\Drivers\cvusbdrv.sys --> C:\Windows\system32\Drivers\cvusbdrv.sys [?]
R3 dfmirage;dfmirage;C:\Windows\system32\DRIVERS\dfmirage.sys --> C:\Windows\system32\DRIVERS\dfmirage.sys [?]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;C:\Windows\system32\DRIVERS\e1c62x64.sys --> C:\Windows\system32\DRIVERS\e1c62x64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 O2MDRRDR;O2MDRRDR;C:\Windows\system32\DRIVERS\O2MDRvstx64.sys --> C:\Windows\system32\DRIVERS\O2MDRvstx64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Novell ZENworks Image-Safe Data Service;Novell ZENworks ISD Service;C:\Program Files (x86)\Novell\ZENworks\bin\preboot\novell-zisdservice.exe [2010-6-29 90112]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 GoToAssist Express Customer;GoToAssist Express Customer;C:\Program Files (x86)\Citrix\GoToAssist Express Customer\403\g2ax_service.exe [2012-7-12 609144]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;C:\Windows\system32\drivers\Synth3dVsc.sys --> C:\Windows\system32\drivers\Synth3dVsc.sys [?]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\system32\drivers\terminpt.sys --> C:\Windows\system32\drivers\terminpt.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 tsusbhub;Remote Deskotop USB Hub;C:\Windows\system32\drivers\tsusbhub.sys --> C:\Windows\system32\drivers\tsusbhub.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 ZENPreAgent;Novell ZENworks Pre Agent;C:\Windows\novell\zenworks\bin\ZENPreAgent.exe [2012-6-5 196608]
S4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-8-14 250056]
.
=============== Created Last 30 ================
.
2012-09-09 18:00:56 711240 ----a-w- C:\Windows\isRS-000.tmp
2012-09-09 18:00:56 711240 ----a-w- C:\Windows\CEFC1da.isRS-000.tmp.TBD
2012-09-09 17:57:19 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-09 17:57:18 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-09 17:44:41 -------- d-----w- C:\Users\TTu1\AppData\Local\Macromedia
2012-09-09 03:14:54 -------- d-----w- C:\Users\TTu1\AppData\Roaming\Malwarebytes
2012-09-09 03:14:09 -------- d-----w- C:\ProgramData\Malwarebytes
2012-09-08 14:22:50 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-09-08 14:22:49 609792 ----a-w- C:\Windows\System32\vbscript.dll
2012-09-07 12:20:49 -------- d-----w- C:\Users\TTu1\AppData\Roaming\smkits
2012-09-01 14:53:26 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-09-01 14:50:27 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-09-01 14:50:27 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-09-01 14:50:26 136704 ----a-w- C:\Windows\System32\browser.dll
2012-09-01 14:48:32 956416 ----a-w- C:\Windows\System32\localspl.dll
2012-08-14 13:43:56 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-08-24 22:10:29 59 ----a-w- C:\Windows\wpd99.drv
2012-08-15 16:55:33 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-17 14:02:13 476960 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-07-17 14:02:13 472864 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-07-12 13:45:12 110456 ----a-w- C:\Users\TTu1\g2ax_customer_downloadhelper_win32_x86.exe
2012-06-27 07:06:53 1188864 ----a-w- C:\Windows\System32\wininet.dll
2012-06-27 05:53:07 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-27 04:53:10 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-27 04:10:55 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2009-10-14 22:37:42 114688 ----a-w- C:\Program Files (x86)\ad_ff.dll
.
============= FINISH: 20:44:27.87 ===============


Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 2/10/2012 2:28:59 PM
System Uptime: 9/9/2012 2:08:06 PM (6 hours ago)
.
Motherboard: Dell Inc. | | 08V9YG
Processor: Intel® Core™ i7-2820QM CPU @ 2.30GHz | CPU 1 | 2301/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 238 GiB total, 152.843 GiB free.
D: is CDROM ()
F: - No root directory. Drive type could not be determined.
H: is NetworkDisk (NcFsd) - 0 GiB total, 0 GiB free.
V: - No root directory. Drive type could not be determined.
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: PCI Serial Port
Device ID: PCI\VEN_8086&DEV_1C3D&SUBSYS_04A31028&REV_04\3&11583659&1&B3
Manufacturer:
Name: PCI Serial Port
PNP Device ID: PCI\VEN_8086&DEV_1C3D&SUBSYS_04A31028&REV_04\3&11583659&1&B3
Service:
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter for 64-bit Windows
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter for 64-bit Windows
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
PNP Device ID: ROOT\NET\0001
Service: vpnva
.
Class GUID:
Description:
Device ID: ACPI\SMO8800\1
Manufacturer:
Name:
PNP Device ID: ACPI\SMO8800\1
Service:
.
==== System Restore Points ===================
.
RP63: 7/11/2012 3:24:58 PM - Scheduled Checkpoint
RP64: 7/11/2012 3:47:44 PM - Windows Update
RP65: 7/12/2012 9:52:32 AM - Windows Update
RP66: 7/12/2012 10:00:24 AM - Removed Citrix Presentation Server Client
RP67: 7/12/2012 10:01:12 AM - Installed Citrix XenApp Plugin for Hosted Apps
RP68: 7/12/2012 10:18:54 AM - Installed Java™ 6 Update 23
RP69: 7/13/2012 9:14:33 AM - Windows Update
RP70: 7/20/2012 9:52:48 AM - Windows Update
RP71: 7/30/2012 5:25:43 PM - Scheduled Checkpoint
RP72: 8/7/2012 4:26:42 PM - Installed Softerra LDAP Browser 4.5 (64-bit)
RP73: 8/16/2012 1:14:16 AM - Scheduled Checkpoint
RP74: 9/1/2012 10:47:49 AM - Windows Update
RP75: 9/8/2012 10:22:05 AM - Windows Update
.
==== Hosts File Hijack ======================
.
Hosts: 64.46.36.178 www.google-analytics.com.
Hosts: 64.46.36.178 ad-emea.doubleclick.net.
Hosts: 64.46.36.178 www.statcounter.com.
Hosts: 64.27.10.42 www.google-analytics.com.
Hosts: 64.27.10.42 ad-emea.doubleclick.net.
Hosts: 64.27.10.42 www.statcounter.com.
.
==== Installed Programs ======================
.
.NET Data Provider for Teradata 13.01.00.02
2007 Microsoft Office Suite Service Pack 2 (SP2)
ABC LanLicenser Client
AccelerometerP11
Action Handler Resources
actions-langs
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.2
assetmanagementmodule-langs
auth-satellite-server-langs
BMC Remedy Action Request System 7.5.00 Install 1
bundle-langs
Catalyst Control Center InstallProxy
Cisco AnyConnect Secure Mobility Client
Cisco AnyConnect Secure Mobility Client
Cisco AnyConnect Start Before Login Module
Citrix XenApp Plugin for Hosted Apps
Classic Menu for Office 2007
ConsoleOne 1.3.5
content-distribution-point-langs
Courion Client Manager
Crystal11_Redistributables
FileNet IDM Viewer 4.0
GoToAssist Customer 1.6.0.403
IBM Lotus Sametime Connect 8.0.2
IEWatch Professional 5.1
inventory-langs
Java Auto Updater
Java™ 6 Update 32
Lotus Notes 8.5.3
Malwarebytes Anti-Malware version 1.62.0.1300
McAfee Agent
McAfee VirusScan Enterprise
Microsoft Office 2003 Web Components
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Professional 2003
Microsoft Office Visio Viewer 2003 (English)
Microsoft Office Word MUI (English) 2007
Microsoft Redistributable Files (x86)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Books Online (English)
Microsoft SQL Server 2005 Tools
Microsoft SQL Server Setup Support Files (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Premier Partner Edition - ENU
Mozilla Firefox 5.0.1 (x86 en-US)
NICI (Shared) U.S./Worldwide (128 bit) (2.7.6-1)
novell-zenworks-patch-management-agent
Novell ZENworks
Novell ZENworks Adaptive Agent Help
Novell ZENworks Image-Safe Data Service
ODBC Driver for Teradata 13.10.0.2
OracleSmartHelp
patch-langs
Pdf995
policy-langs
Policy Action Handler Resources
Policy Handler Resources
primary-agent-langs
PrivateArk Client
remotemanagement-langs
Reporting Snapin
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Office 2007 suites (KB2596666) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Shared ICU Libraries for Teradata 13.10.0.1
Softerra LDAP Administrator 2012.1
SSH Tectia Client
status-collection-point-langs
Symantec pcAnywhere
Teradata Administrator 13.10.0.2
Teradata BTEQ 13.10.0.1
Teradata CLIv2 13.10.0.1
Teradata Data Connector 13.10.0.2
Teradata GSS Client nt-i386
Teradata SQL Assistant 13.10.0.2
TextPad 5
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 System (KB2539530)
WebEx
windows-desktop-langs-x86_64
WinProxy-langs
WinZip 15.0
Wireless AutoSwitch XPV
zencore-agent-langs
zennotifyicon-langs
ZENworks Action Handlers
ZENworks Action Utilities
ZENworks Actions
ZENworks Agent Asset Management Module
ZENworks Agent Authentication Satellite Module
ZENworks Agent Bundle Management
ZENworks Agent Core Modules
ZENworks Agent Inventory Management
ZENworks Agent Patch Management
ZENworks Agent Policy Management
ZENworks Agent System Update Module
ZENworks Agent WinProxy Module
ZENworks Content Distribution Point
ZENworks Extensions Libraries
ZENworks Image-Safe Data Agent
ZENworks Image Management
ZENworks Imaging Server
ZENworks Information Icon
ZENworks Policy Handlers
ZENworks Policy Libraries
ZENworks Primary Agent
ZENworks Remote Management
ZENworks Remote Management Viewer
ZENworks Status Collection Point
ZENworks Uninstaller
ZENworks Version Information
ZENworks Windows UI
.
==== Event Viewer Messages From Past Week ========
.
9/9/2012 8:31:44 PM, Error: Schannel [36888] - The following fatal alert was generated: 40. The internal error state is 107.
9/9/2012 8:31:44 PM, Error: Schannel [36874] - An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
9/9/2012 7:17:23 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
9/9/2012 7:11:05 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain EHEALTH due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
9/9/2012 2:08:19 PM, Error: CMGShieldReg [8217] - Failed to save settings.
9/9/2012 1:48:50 PM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067] - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. .
.
==== End Of File ===========================


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 135,818 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 September 2012 - 05:38 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable, and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 ttt03
  • Topic Starter
  • Members
  • 14 posts

Posted 10 September 2012 - 10:26 AM

checkup.txt

Results of screen317's Security Check version 0.99.50
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
McAfee VirusScan Enterprise
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
Java™ 6 Update 32
Java version out of Date!
Adobe Flash Player 11.3.300.271 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (5.0.1)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
McAfee VirusScan Enterprise VsTskMgr.exe
McAfee VirusScan Enterprise mfeann.exe
McAfee VirusScan Enterprise mcconsol.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````


ComboFix doesn't run; it fails with the error message

"Windows must be restarted because EMS services terminated unexpectedly". It could be the enterprise security setting forcing the reboot. Tried twice with the same results.

Thanks.

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 135,818 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 September 2012 - 10:42 AM

Hello

OK, let's try this: I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in on your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo

#5 ttt03
  • Topic Starter
  • Members
  • 14 posts

Posted 10 September 2012 - 11:13 AM

I was able to run ComboFix under Safe Mode. The in-browser popup seems gone for now. And here's the ComboFix log.

ComboFix 12-09-10.03 - TTU1 09/10/2012 12:01:04.1.8 - x64 MINIMAL
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.8149.7401 [GMT -4:00]
Running from: c:\users\TTu1\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk
c:\users\TTu1\Documents\FTM59.tmp
c:\users\TTu1\g2ax_customer_downloadhelper_win32_x86.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-10 to 2012-09-10 )))))))))))))))))))))))))))))))
.
.
2012-09-10 16:03 . 2012-09-10 16:03 -------- d-----w- c:\users\zentest\AppData\Local\temp
2012-09-10 16:03 . 2012-09-10 16:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-10 16:03 . 2012-09-10 16:03 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-09-09 17:57 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-09 17:57 . 2012-09-09 18:02 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-09 17:44 . 2012-09-09 17:44 -------- d-----w- c:\users\TTu1\AppData\Local\Macromedia
2012-09-09 03:14 . 2012-09-09 03:14 -------- d-----w- c:\users\TTu1\AppData\Roaming\Malwarebytes
2012-09-09 03:14 . 2012-09-09 03:14 -------- d-----w- c:\programdata\Malwarebytes
2012-09-08 14:22 . 2012-06-16 04:26 428032 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-09-08 14:22 . 2012-06-16 05:16 609792 ----a-w- c:\windows\system32\vbscript.dll
2012-09-08 14:22 . 2012-06-16 05:15 911360 ----a-w- c:\windows\system32\jscript.dll
2012-09-04 14:16 . 2012-09-04 14:16 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-09-01 14:53 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-09-01 14:52 . 2012-06-09 05:43 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-09-01 14:50 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-09-01 14:50 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
2012-09-01 14:50 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-09-01 14:50 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
2012-09-01 14:48 . 2012-06-27 07:03 9059840 ----a-w- c:\windows\system32\mshtml.dll
2012-09-01 14:48 . 2012-06-27 07:02 12297216 ----a-w- c:\windows\system32\ieframe.dll
2012-09-01 14:48 . 2012-05-14 05:20 956416 ----a-w- c:\windows\system32\localspl.dll
2012-08-14 13:43 . 2012-08-15 16:55 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 16:55 . 2012-02-10 21:30 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-17 14:02 . 2012-07-17 14:02 476960 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-07-17 14:02 . 2012-02-10 21:31 472864 ----a-w- c:\windows\SysWow64\deployJava1.dll
2009-10-14 22:37 . 2009-10-14 22:37 114688 ----a-w- c:\program files (x86)\ad_ff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iFolder"="c:\program files\iFolder\iFolderApp.exe" [2011-02-28 1383936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ZenNotifyIcon"="c:\novell\Zenworks\bin\ZenNotifyIcon.exe" [2011-11-02 147456]
"NalView"="c:\novell\ZENworks\bin\nalview.exe" [2011-11-02 65024]
"ShStatEXE"="c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"McAfeeUpdaterUI"="c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2011-05-19 161088]
"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2012-01-13 527312]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Repair Adobe Reader Resources"="msiexec" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SSH Tectia Broker.lnk - c:\program files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia AUX\Support binaries\ssh-broker-gui.exe [2008-4-4 2924544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"HideFastUserSwitching"= 1 (0x1)
"SynchronousMachineGroupPolicy"= 1 (0x1)
"SynchronousUserGroupPolicy"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 17:10 18744 ----a-w- c:\windows\System32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ GOOGLEPINYIN2.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 ABC Client Monitor;ABC Client Monitor;c:\program files (x86)\ABC\Licenser\LocalClient\i386\ClientNT.exe [2011-04-14 389696]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 Novell ZENworks Image-Safe Data Service;Novell ZENworks ISD Service;c:\program files (x86)\Novell\ZENworks\bin\preboot\novell-zisdservice.exe [2010-06-30 90112]
R3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
R3 acsock;acsock;c:\windows\system32\DRIVERS\acsock64.sys [2012-01-13 106408]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files (x86)\Citrix\GoToAssist Express Customer\403\g2ax_service.exe Start=service [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-02-10 97960]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-27 1255736]
R3 ZENPreAgent;Novell ZENworks Pre Agent;c:\windows\novell\zenworks\bin\ZENPreAgent.exe [2012-05-22 196608]
R4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056]
S0 CmgHiber;CmgHiber;c:\windows\system32\DRIVERS\CmgHiber.sys [2011-05-04 92328]
S0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\DRIVERS\CMGShCEF.sys [2011-05-04 363688]
S0 CMGShieldReg;CMGShieldReg;c:\windows\system32\DRIVERS\CmgShREG.sys [2011-05-04 24232]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-02-10 281544]
S0 NCFilter;Novell UNC Filter - Filter;c:\windows\system32\DRIVERS\NCFilter.sys [2009-12-27 113176]
S0 NCRecognizer;Novell UNC Filter - Recognizer;c:\windows\system32\DRIVERS\NCRecognizer.sys [2009-12-27 119320]
S0 NCUncFilter;Novell UNC Filter - UNC Filter;c:\windows\system32\DRIVERS\NCUncFilter.sys [2009-12-27 26136]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-01-16 204288]
S2 atashost;WebEx Service Host for Support Center;c:\windows\SysWOW64\atashost.exe [2012-06-11 134456]
S2 CMGShield;CMGShield;c:\windows\system32\CmgShieldSvc.exe [2011-05-04 2964904]
S2 CourClientSvr;CourClientSvr;c:\program files (x86)\Courion Corporation\Courion Client Manager\CourClientSvr.exe [2011-04-13 225184]
S2 EMS;EMS;EMSService.exe [x]
S2 LNSUSvc;Lotus Notes Smart Upgrade Service;c:\lotus\Notes\SUService.exe [2011-09-16 189832]
S2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\lotus\Notes\nsd.exe [2011-09-16 4453768]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-02-10 156248]
S2 Monitor System;Monitor System;c:\program files (x86)\ABC\Licenser\LocalClient\i386\cpsyssrv.exe [2011-04-14 303168]
S2 NCFSD;Novell Client File System Redirector;c:\program files\Novell\Client\XTier\Drivers\ncfsd.sys [2009-12-27 96792]
S2 NCIOCTL;Novell Xplat IoCtl Driver;c:\program files\Novell\Client\XTier\Drivers\ncioctl.sys [2009-12-27 83480]
S2 Novell Identity Store;Novell Identity Store;c:\program files (x86)\Novell\CASA\bin\micasad.exe [2011-05-27 253952]
S2 Novell ZENworks Agent Service;Novell ZENworks Agent Service;c:\novell\ZENworks\bin\ZenworksWindowsService.exe [2011-11-06 28672]
S2 nzwinvnc;Novell ZENworks Remote Management powered by VNC;c:\novell\ZENworks\bin\nzrWinVNC.exe [2011-11-02 1839104]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [2012-01-13 476112]
S2 Wireless_AutoSwitch;Wireless AutoSwitch;c:\program files (x86)\Wireless AutoSwitch\WrlsAutoSW.exs [2011-05-25 146680]
S2 XTSvcMgr;Novell XTier Service Manager;c:\program files\Novell\Client\XTier\Services\XTSvcMgr.exe [2009-12-27 21016]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-01-16 10497024]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-01-16 326656]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-12-05 95248]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2011-07-05 45672]
S3 dfmirage;dfmirage;c:\windows\system32\DRIVERS\dfmirage.sys [2010-03-24 36432]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2011-07-20 342704]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
S3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [2010-12-21 8505856]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-11-19 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-11-19 181248]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRvstx64.sys [2011-01-03 75112]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
*Deregistered* - nciom
*Deregistered* - ncp
*Deregistered* - ncpl
*Deregistered* - ndm
*Deregistered* - ndmndap
*Deregistered* - ndslpp
*Deregistered* - niam
*Deregistered* - nipctl
*Deregistered* - nscm
*Deregistered* - nsns
*Deregistered* - nsvccost
*Deregistered* - xtxplat
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-14 16:55]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\iFolder0]
@="{AA81D830-3B41-497c-B508-E9D02F8DF421}"
[HKEY_CLASSES_ROOT\CLSID\{AA81D830-3B41-497c-B508-E9D02F8DF421}]
2011-02-28 23:34 99328 ----a-w- c:\program files\iFolder\iFolderShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\iFolder1]
@="{AA81D831-3B41-497c-B508-E9D02F8DF421}"
[HKEY_CLASSES_ROOT\CLSID\{AA81D831-3B41-497c-B508-E9D02F8DF421}]
2011-02-28 23:34 99328 ----a-w- c:\program files\iFolder\iFolderShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2009-12-27 37400]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-04-05 608112]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-01-25 525312]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2011-04-19 66136]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2011-04-19 69720]
"CmgShieldUI"="c:\windows\System32\CMGShieldUI.exe" [2011-05-04 359848]
"EmsService"="EmsServiceHelper.exe" [2011-05-04 2302888]
"combofix"="c:\combofix\CF28650.3XE" [2010-11-21 345088]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\novell\ZENworks\bin\NalShell.dll" [2011-11-02 1463296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{145581C9-1BCA-4ff2-8435-746011EC2180} - {01111111-D318-45F9-A54A-DAE0FB0D16B8} - c:\windows\Downloaded Program Files\HemiIEButton.dll
Trusted Zone: filenet
Trusted Zone: harvardpilgrim.org
Trusted Zone: healthtrioconnect.com\www
Trusted Zone: hphc.org
Trusted Zone: hphc.org\filenet
Trusted Zone: hphc.org\webfocusmredev
Trusted Zone: hphc.org\webfocusmreprd
Trusted Zone: hphc.org\webfocusmreuat
Trusted Zone: uhc.com\myexternal
TCP: DhcpNameServer = 192.168.0.1
DPF: {01111111-D318-45F9-A54A-DAE0FB0D16B8} - hxxp://fmsprd1.hphc.org/OA_HTML/UPK/PlayerPackage/stdhemi/hemi/ietbutton/hemiiebutton.cab
DPF: {6C64B50D-0472-4CD6-9312-644BEF37D4E6} - hxxps://aim-uat.hphc.org/AIM/Courion/AccessOptions/HTML/PasswordCourierSS/CourLocal.CAB
DPF: {A640B7AC-03CF-11D4-8F5F-0000E87715F0} - hxxps://support.cyber-ark.com/webclient/paweb/pasetup.cab
DPF: {AE3E8210-B33F-49C1-B4E2-860F5F4D732F} - hxxps://n2vapp072.hphc.org:444/dsview/applets/viewerLauncher.cab
DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} - vpnweb.cab
FF - ProfilePath - c:\users\TTu1\AppData\Roaming\Mozilla\Firefox\Profiles\TTu1\
FF - prefs.js: browser.startup.homepage - hxxp://online.hphc.org/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
AddRemove-C1RPTING - c:\program files (x86)\Common Files\Novell\ni\bin\install.exe -remove ..\data\ip.db ..\data\remove.rsp
AddRemove-CONSOLE1 - c:\program files (x86)\Common Files\Novell\ni\bin\install.exe -remove ..\data\ip.db ..\data\remove.rsp
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wireless_AutoSwitch]
"ImagePath"="\"c:\program files (x86)\Wireless AutoSwitch\WrlsAutoSW.exs\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\lotus\Notes\nslsvice.exe
c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe
c:\program files (x86)\McAfee\Common Framework\FrameworkService.exe
c:\program files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
c:\lotus\Notes\ntmulti.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\novell\ZENworks\bin\nzrWinVNCApp.exe
c:\program files (x86)\McAfee\Common Framework\naPrdMgr.exe
c:\program files (x86)\McAfee\Common Framework\McScript_InUse.exe
c:\program files (x86)\McAfee\Common Framework\McTray.exe
c:\program files (x86)\McAfee\VirusScan Enterprise\mcconsol.exe
.
**************************************************************************
.
Completion time: 2012-09-10 12:11:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-10 16:11
.
Pre-Run: 164,046,348,288 bytes free
Post-Run: 163,582,914,560 bytes free
.
- - End Of File - - 1E9EC561F477BC6D13AFECB16DE069F0
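The ComboFix log above records the UAC policy values under HKLM\software\microsoft\windows\currentversion\policies\system (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are all 0, which is what the "UAC is disabled!" line in the Security Check log in post #3 is reporting), and it lists several autorun and service entries whose image is either not found on disk ([x]) or given as a bare file name with no directory (EMSService.exe, NWTRAY.EXE, EmsServiceHelper.exe). The Python below is an added example, not part of the thread or of ComboFix: it parses a slice of that output, constructed from the lines quoted above, and flags both conditions. The UAC baseline it applies (EnableLUA must be 1, ConsentPromptBehaviorAdmin must not be 0, PromptOnSecureDesktop must be 1) is the checker's own; Windows 7 ships with EnableLUA=1, ConsentPromptBehaviorAdmin=5 and PromptOnSecureDesktop=1.

```python
r"""Triage a ComboFix-style report: weak UAC policy values and doubtful autoruns.

Added example, not ComboFix's code. It understands three line shapes that
ComboFix prints:
  [HKEY_LOCAL_MACHINE\...\policies\system]   followed by  "Name"= 0 (0x0)
  "Name"="image path" [date size]            under a ...\CurrentVersion\Run key
  S2 Name;Display name;image path [date size] for services and drivers
An [x] (or [X]) in place of the date/size means ComboFix did not find the file.
"""
import re

# Constructed sample: a slice of the ComboFix output posted above, not the full log.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2009-12-27 37400]
"CmgShieldUI"="c:\windows\System32\CMGShieldUI.exe" [2011-05-04 359848]
"EmsService"="EmsServiceHelper.exe" [2011-05-04 2302888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Repair Adobe Reader Resources"="msiexec" [X]
.
R3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
S2 EMS;EMS;EMSService.exe [x]
S2 CMGShield;CMGShield;c:\windows\system32\CmgShieldSvc.exe [2011-05-04 2964904]
'''

# Checker's baseline (an assumption of this example): predicate that must hold,
# and what it means when it does not.
UAC_BASELINE = {
    "EnableLUA": (lambda v: v == 1, "UAC is off: admin logons run fully elevated"),
    "ConsentPromptBehaviorAdmin": (lambda v: v != 0, "admins elevate silently, no prompt"),
    "PromptOnSecureDesktop": (lambda v: v == 1, "prompts not on the secure desktop"),
}

def parse_report(text):
    """Return ({policy name: int}, [(source, name, image path, tag)]) from report text."""
    policies, autoruns = {}, []
    current_key = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()          # registry key header
            continue
        m = re.match(r'^"([^"]+)"=\s*(-?\d+)', line)
        if m and current_key.endswith(r"\policies\system"):
            policies[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]', line)
        if m and r"\currentversion\run" in current_key:  # Run and RunOnce
            autoruns.append(("Run", m.group(1), m.group(2), m.group(3)))
            continue
        m = re.match(r'^([RS]\d)\s+([^;]+);[^;]*;(.*?)\s*\[([^\]]*)\]$', line)
        if m:                                          # service / driver line
            autoruns.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return policies, autoruns

def uac_findings(policies):
    """List (name, observed value, problem) for every baseline value that is weak."""
    return [(name, policies[name], problem)
            for name, (ok, problem) in UAC_BASELINE.items()
            if name in policies and not ok(policies[name])]

def is_unqualified(path):
    """True when the image has no directory, so Windows resolves it via the search path."""
    first = path.strip().strip('"').split(" ")[0]
    return "\\" not in first and "/" not in first

def autorun_findings(autoruns):
    """List (source, name, path, reasons) for entries with a missing or unqualified image."""
    findings = []
    for source, name, path, tag in autoruns:
        reasons = []
        if tag.strip().lower() == "x":
            reasons.append("file missing on disk")
        if is_unqualified(path):
            reasons.append("image path not fully qualified")
        if reasons:
            findings.append((source, name, path, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    pols, runs = parse_report(SAMPLE)
    for name, value, problem in uac_findings(pols):
        print(f"UAC  {name}={value}: {problem}")
    for source, name, path, reason in autorun_findings(runs):
        print(f"{source:4} {name!r} -> {path}: {reason}")
```

Bare image names matter because the loader finds them through the search path, so a writable directory that is searched first can substitute its own binary. On this machine they belong to the enterprise agents (the EMS/CMGShield encryption client and the Novell tray), which also explains the forced reboot ttt03 hit when ComboFix killed EMS; whether UAC is disabled by policy is a question for the domain administrator rather than something to flip back during a cleanup.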

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 135,818 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 September 2012 - 11:17 AM

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller


#7 ttt03
  • Topic Starter
  • Members
  • 14 posts

Posted 10 September 2012 - 11:39 AM

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : TTU1 [Admin rights]
Mode : Scan -- Date : 09/10/2012 12:37:44

Bad processes : 0

Registry Entries : 9
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver : [NOT LOADED]

Infection :

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: SAMSUNG SSD PM830 2.5" 7 +++++
--- User ---
[MBR] ed5374b773bb404674f0f552f6b12665
[BSP] ddc83179a7d526c1e5aba2c39088748b : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 208845 | Size: 244089 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 135,818 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 September 2012 - 11:44 AM

Greetings

We are going to run RogueKiller again, but this time we are going to allow it to fix what it finds.

--Run RogueKiller--

  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo

#9 ttt03

  • Topic Starter
  • Members
  • 14 posts

Posted 10 September 2012 - 11:47 AM

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : TTU1 [Admin rights]
Mode : Remove -- Date : 09/10/2012 12:46:36

Bad processes : 0

Registry Entries : 7
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> ERROR [0x5]
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> ERROR [0x5]
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:

Driver : [NOT LOADED]

Infection :

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: SAMSUNG SSD PM830 2.5" 7 +++++
--- User ---
[MBR] ed5374b773bb404674f0f552f6b12665
[BSP] ddc83179a7d526c1e5aba2c39088748b : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 208845 | Size: 244089 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
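
The two RogueKiller reports above (Scan, then Remove) are the only hard evidence in this thread of what was wrong: UAC had been switched off (EnableLUA 0 and ConsentPromptBehaviorAdmin 0, i.e. silent elevation for every admin process), RogueKiller set both back, and the one value it could not touch failed with 0x5, which is Win32 ERROR_ACCESS_DENIED. What follows is an added example, my own code and not anything from the thread or from RogueKiller, that parses a report of this shape and decodes those entries so the risky ones stand out. It assumes the `[...]` RogueKiller prints in the key path stands for the UAC policy key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (where these value names are defined); the function names and output layout are mine, and the two embedded sample reports are trimmed copies of the ones posted above.

```python
"""Decode the UAC-related findings in a RogueKiller v8-era text report.

Added example: not code from the thread or from RogueKiller. The two sample
reports are trimmed copies of the Scan and Remove reports posted in the thread;
the value meanings and the 0x5 error code are standard Windows facts; the
parser, function names and output layout are my own.
"""
import re

# Assumption: RogueKiller's HKLM\[...]\System is the UAC policy key
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
MEANING = {
    "EnableLUA": {0: "UAC off, admin processes run fully elevated", 1: "UAC on"},
    "ConsentPromptBehaviorAdmin": {0: "elevate silently, no prompt", 1: "prompt for credentials",
                                   2: "prompt for consent", 5: "prompt for non-Windows binaries"},
    "DisableRegistryTools": {0: "regedit allowed (default)", 1: "regedit blocked"},
}
RISKY = {("EnableLUA", 0), ("ConsentPromptBehaviorAdmin", 0)}   # settings malware likes to leave behind
WIN32 = {0x5: "ERROR_ACCESS_DENIED, value is probably locked by Group Policy or an ACL"}

ENTRY_RE = re.compile(r"^\[(?P<tag>[A-Z ]+)\] (?P<key>\S+) : (?P<name>\S+) \((?P<value>\d+)\) -> (?P<result>.+)$")
RESULT_RE = re.compile(r"^(?P<status>FOUND|REPLACED|DELETED|ERROR)(?: [(\[](?P<detail>[^)\]]+)[)\]])?")


def parse_report(text):
    """Pull the mode, the Registry Entries lines and the HOSTS lines out of a report."""
    rep = {"mode": None, "entries": [], "hosts": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("Mode :"):
            rep["mode"] = line.split(":")[1].split("--")[0].strip()
        elif line.startswith("Registry Entries"):
            section = "registry"
        elif line.startswith("HOSTS File:"):
            section = "hosts"
        elif line.endswith(":"):            # any other "Header:" line closes the current section
            section = None
        elif section == "registry" and (m := ENTRY_RE.match(line)):
            rep["entries"].append({k: int(v) if k == "value" else v for k, v in m.groupdict().items()})
        elif section == "hosts" and not line.startswith("-->"):
            ip, *names = line.split()
            rep["hosts"].append((ip, names))
    return rep


def decode(entry):
    """Return (readable text, numeric value left in the registry after RogueKiller ran)."""
    m = RESULT_RE.match(entry["result"])
    status, detail = (m.group("status"), m.group("detail")) if m else ("UNKNOWN", None)
    meanings = MEANING.get(entry["name"], {})
    head = f"{entry['name']}: {entry['value']} ({meanings.get(entry['value'], 'unknown')})"
    if status == "REPLACED":
        after = int(detail)
        return f"{head} -> {after} ({meanings.get(after, 'unknown')})", after
    if status == "ERROR":
        return f"{head} unchanged: {WIN32.get(int(detail, 16), detail)}", entry["value"]
    return head, entry["value"]


def uac_findings(rep):
    """(text, still_risky) per UAC-related entry; Start-menu and desktop-icon tweaks are skipped."""
    out = []
    for entry in rep["entries"]:
        if entry["name"] in MEANING:
            text, final = decode(entry)
            out.append((text, (entry["name"], final) in RISKY))
    return out


def uac_still_weak(rep):
    return any(risky for _, risky in uac_findings(rep))


def foreign_hosts(rep):
    """HOSTS lines that map anything other than localhost; an empty list is the clean result."""
    return [(ip, names) for ip, names in rep["hosts"] if names != ["localhost"]]


SCAN = r"""
Mode : Scan -- Date : 09/10/2012 12:37:44
Registry Entries : 9
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
Particular Files / Folders:
HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
MBR Check:
"""
REMOVE = r"""
Mode : Remove -- Date : 09/10/2012 12:46:36
Registry Entries : 7
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> ERROR [0x5]
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
"""

if __name__ == "__main__":                  # prints the decoded findings of both sample reports
    for rep in (parse_report(SCAN), parse_report(REMOVE)):
        print(rep["mode"], uac_findings(rep), "hosts redirects:", foreign_hosts(rep) or "none")
```

Two points worth taking from the output. First, a "REPLACED (1)" line is the tool's claim, not proof: on a managed machine a policy refresh can set the value straight back, so confirm the live value afterwards with `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA`. Second, the access-denied on DisableRegistryTools is not a failure to fix anything dangerous (0 is the default, regedit allowed); it just tells you that key is owned by something with more authority than the tool, which on a domain-joined Enterprise build is usually Group Policy.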

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 135,818 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 September 2012 - 11:53 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

#11 ttt03

  • Topic Starter
  • Members
  • 14 posts

Posted 10 September 2012 - 11:57 AM

ComboFix won't run under normal mode due to security settings. Should I run this under safe mode?

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 135,818 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 September 2012 - 12:05 PM

Yes, you may; just run the script in safe mode.


gringo

#13 ttt03

  • Topic Starter
  • Members
  • 14 posts

Posted 10 September 2012 - 12:18 PM

Ran the script in safe mode and the system rebooted later. However, after login it got stuck at the welcome page and no desktop came up. Waited about 10 minutes and still waiting.

Edited by ttt03, 10 September 2012 - 12:18 PM.


#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 135,818 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 September 2012 - 12:19 PM

Restart once more.


gringo

#15 ttt03

  • Topic Starter
  • Members
  • 14 posts

Posted 10 September 2012 - 12:22 PM

Which means I have to force the power off. Is it safe? And should I restart in safe mode or regular mode?



