BleepingComputer.com: Infected wtih TDSS and google keeps redirecting

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Infected wtih TDSS and google keeps redirecting Don't know how to remove it.

#1 User is offline   Joe121 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 1
  • Joined: 10-September 11

Posted 10 September 2011 - 01:12 PM

About 5 days ago I noticed google, bing and other searches were being redirected to incorrect sites in both IE and Firefox. I've tried installing a number of applications including malwarebytes and Kapersky. Malwarebytes did find TDSS as did Kapersky and they deleted files, but each time I start Firefox, the problem returns so I know the tools have yet to locate the source of what is infecting my machine. Malware bytes now brings up bubble in bottom right corner of my screen when redirect attempt is initiated and it prevents it from occurring. However, the rootkit malware is obviously still on my machine. Would appreciate your assistance in locating the source of the google redirect malware. Here is my DDS.TXT, attach.txt and ark.txt files. In addition, I noticed I wasn't given the same checkbox options as the directions stated in the gmer.exe application. I've taken a screen shot of my application (ark.txt app.jpg) to show how many of the check boxes are disabled. Not sure if that is a problem. Also, Malwarebytes is now detecting several times an hour the csrss.exe file making suspicious callouts to different ip addresses and it is blocking those attempts.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Run by bill at 10:10:12 on 2011-09-10
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.8088.5554 [GMT -7:00]
.
AV: COMODO Antivirus *Enabled/Updated* {675CEE69-9702-A524-3989-6D7CC8BF3695}
SP: COMODO Defense+ *Enabled/Updated* {DC3D0F8D-B138-AAAA-0339-560EB3387C28}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: COMODO Firewall *Enabled* {5F676F4C-DD6D-A47C-12D6-C449366C71EE}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Lenovo\ThinkPad USB Port Replicator with Digital Video\dqscrproj.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\Lenovo\ThinkPad USB Port Replicator with Digital Video\dqScrProxy.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\lxdvcoms.exe
C:\Program Files (x86)\AT&T Global Network Client\netcfgsvr.exe
C:\Program Files (x86)\AT&T Global Network Client\NetClientSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\ThinkPad USB Port Replicator with Digital Video\dcute.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86) (x86)\Lexmark X5400 Series\lxdvamon.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Users\Public\Documents\COMODO\binaries\gb_setup_3.3.191520.52.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\PROGRA~2\AT&TGL~1\NETLOG~1.EXE
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [NetSP - restore settings on power failure] "C:\Program Files (x86)\AT&T Global Network Client\NetSP.exe" -show
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [AROReminder] C:\Program Files (x86)\ARO 2011\ARO.exe -rem
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [lxdvmon.exe] "C:\Program Files (x86) (x86)\Lexmark X5400 Series\lxdvmon.exe"
mRun: [lxdvamon] "C:\Program Files (x86) (x86)\Lexmark X5400 Series\lxdvamon.exe"
mRun: [Lexmark X5400 Series] "C:\Program Files (x86) (x86)\Lexmark X5400 Series\fm3032.exe" /s
mRun: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe
mRun: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\bill\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
StartupFolder: C:\Users\bill\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PDANET~1.LNK - C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AT&TGL~1.LNK - C:\Windows\Installer\{297563AA-0243-43EC-B5C9-37F92A405D9C}\NetGM1_89563E53ECF44E868145468A128BDC83.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: mswsock.dll
LSP: C:\Program Files (x86)\VMware\VMware Workstation\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{7522F2DA-2047-4C44-BDED-0261FCC95F03} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{BF3BE487-A24B-4B5B-A9EE-E7679EB773E4}\24165627E45647 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{BF3BE487-A24B-4B5B-A9EE-E7679EB773E4}\24F696E676F60284F6473707F647 : DhcpNameServer = 10.4.0.1 66.103.80.4 66.103.64.4
TCP: Interfaces\{BF3BE487-A24B-4B5B-A9EE-E7679EB773E4}\37A6366627565677966696 : DhcpNameServer = 50.17.236.35 206.13.28.12 204.60.203.190 4.2.2.2
TCP: Interfaces\{BF3BE487-A24B-4B5B-A9EE-E7679EB773E4}\76F676F696E666C696768647 : DhcpNameServer = 172.19.134.2
TCP: Interfaces\{BF3BE487-A24B-4B5B-A9EE-E7679EB773E4}\84F6D65627 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C6A10D0C-17DC-4FB7-B115-DDE7A4B82A42}\3496465627 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C6A10D0C-17DC-4FB7-B115-DDE7A4B82A42}\8686F6E6F62737 : DhcpNameServer = 12.127.16.67 12.127.17.71
TCP: Interfaces\{CCC4318C-2D13-40A8-A0C5-34BF3BBE5409} : NameServer = 9.0.6.11,9.0.7.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [lxdvmon.exe] "C:\Program Files (x86) (x86)\Lexmark X5400 Series\lxdvmon.exe"
mRun-x64: [lxdvamon] "C:\Program Files (x86) (x86)\Lexmark X5400 Series\lxdvamon.exe"
mRun-x64: [Lexmark X5400 Series] "C:\Program Files (x86) (x86)\Lexmark X5400 Series\fm3032.exe" /s
mRun-x64: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe
mRun-x64: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\bill\AppData\Roaming\Mozilla\Firefox\Profiles\uxbaaq25.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?_bc=1
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npcpsweb.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwdplugin821.dll
FF - plugin: C:\Users\bill\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Forecastfox: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: Easy YouTube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
FF - Ext: Table2Clipboard: {9ab67d74-ec41-4cb2-b417-df5d93ba1beb} - %profile%\extensions\{9ab67d74-ec41-4cb2-b417-df5d93ba1beb}
.
============= SERVICES / DRIVERS ===============
.
R0 ALvldr;ALvldr;C:\Windows\system32\DRIVERS\ALvldr.sys --> C:\Windows\system32\DRIVERS\ALvldr.sys [?]
R1 cmderd;COMODO Internet Security Eradication Driver;C:\Windows\system32\DRIVERS\cmderd.sys --> C:\Windows\system32\DRIVERS\cmderd.sys [?]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\system32\DRIVERS\cmdguard.sys --> C:\Windows\system32\DRIVERS\cmdguard.sys [?]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\system32\DRIVERS\cmdhlp.sys --> C:\Windows\system32\DRIVERS\cmdhlp.sys [?]
R1 dqBridge;dqBridge;C:\Windows\system32\DRIVERS\dqbridge.sys --> C:\Windows\system32\DRIVERS\dqbridge.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 CLPSLS;COMODO livePCsupport Service;C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-4-5 161080]
R2 lxdv_device;lxdv_device;C:\Windows\SysWOW64\lxdvcoms.exe -service --> C:\Windows\SysWOW64\lxdvcoms.exe -service [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-9-9 366640]
R2 NetClientSvc;AT&T Global Network Client Service;C:\Program Files (x86)\AT&T Global Network Client\NetClientSvc.exe [2010-4-5 342368]
R2 ScrProj;Lenovo USB Display Screen Projector;C:\Program Files\Lenovo\ThinkPad USB Port Replicator with Digital Video\dqscrproj.exe [2010-5-25 88576]
R2 UsbClientService;UsbClientService;C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe [2011-2-17 245760]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-11-11 539248]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atipmdag.sys --> C:\Windows\system32\DRIVERS\atipmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 busenum;Synology Virtual USB Hub;C:\Windows\system32\DRIVERS\busenum.sys --> C:\Windows\system32\DRIVERS\busenum.sys [?]
R3 dqusb;Driver for Lenovo USB port rep;C:\Windows\system32\DRIVERS\dqusb.sys --> C:\Windows\system32\DRIVERS\dqusb.sys [?]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y60x64.sys --> C:\Windows\system32\DRIVERS\e1y60x64.sys [?]
R3 intelkmd;intelkmd;C:\Windows\system32\DRIVERS\igdpmd64.sys --> C:\Windows\system32\DRIVERS\igdpmd64.sys [?]
R3 lvlddrv;Lenovo DsplyFltDrv Filter Driver;C:\Windows\system32\DRIVERS\lvlddrv.sys --> C:\Windows\system32\DRIVERS\lvlddrv.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 NetLogSvc;NetLogSvc;C:\PROGRA~2\AT&TGL~1\NETLOG~1.EXE [2010-4-5 75616]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
R3 pnetmdm;PdaNet Modem;C:\Windows\system32\DRIVERS\pnetmdm64.sys --> C:\Windows\system32\DRIVERS\pnetmdm64.sys [?]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 51456888]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
.
=============== Created Last 30 ================
.
2011-09-09 22:57:17 -------- d-----w- C:\Users\bill\AppData\Roaming\Malwarebytes
2011-09-09 22:57:09 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-09-09 22:57:08 -------- d-----w- C:\ProgramData\Malwarebytes
2011-09-09 22:57:05 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-09-09 22:57:05 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-09-09 22:24:43 12872 ----a-w- C:\Windows\System32\bootdelete.exe
2011-09-09 22:02:11 25160 ----a-w- C:\Windows\System32\drivers\hitmanpro35.sys
2011-09-09 22:01:49 -------- d-----w- C:\ProgramData\Hitman Pro
2011-09-06 16:55:01 -------- d-----w- C:\Users\bill\AppData\Roaming\Sammsoft
2011-09-06 16:54:49 -------- d-----w- C:\Program Files (x86)\ARO 2011
2011-09-06 15:04:36 -------- d-----we C:\Windows\system64
2011-09-06 14:21:39 -------- d-sh--w- C:\$RECYCLE.BIN
2011-09-06 03:35:23 98816 ----a-w- C:\Windows\sed.exe
2011-09-06 03:35:23 518144 ----a-w- C:\Windows\SWREG.exe
2011-09-06 03:35:23 256000 ----a-w- C:\Windows\PEV.exe
2011-09-06 03:35:23 208896 ----a-w- C:\Windows\MBR.exe
2011-09-03 06:08:34 -------- d-----w- C:\StatResolver
2011-09-01 16:22:17 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-01 05:33:51 -------- d-----w- C:\glassfish3
2011-09-01 04:31:40 -------- d-----w- C:\Users\bill\.jedit
2011-09-01 04:28:34 -------- d-----w- C:\Program Files\jEdit
2011-08-30 03:56:27 -------- d-----w- C:\Windows\Pointstreak K-ForCE PC Edition
2011-08-30 03:56:27 -------- d-----w- C:\Program Files (x86)\All-Pro Software
2011-08-29 16:14:10 -------- d-----w- C:\Program Files (x86)\LotusLive Meetings for IBM
2011-08-26 23:45:23 -------- d-----w- C:\ProgramData\Synology
2011-08-26 23:44:26 -------- d-----w- C:\Program Files (x86)\Synology
.
==================== Find3M ====================
.
2011-09-08 18:13:11 60 ----a-w- C:\Windows\wpd99.drv
.
============= FINISH: 10:12:44.09 ===============

Attached File(s)


#2 User is offline   snemelk 

  • inżynier
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,368
  • Joined: 26-February 08

Posted 16 September 2011 - 09:11 AM

Hi Joe121, and welcome to Bleeping Computer.

I see you've run ComboFix on your own... Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained!!

Please do the following:

Firstly,
  • Please launch Malwarebytes' Anti-Malware, click the Update tab, and then Check for Updates.
  • Then choose the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Secondly,
Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

Posted Image
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!
"If I had some duct tape, I could fix that." - MacGyver

#3 User is offline   snemelk 

  • inżynier
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 1,368
  • Joined: 26-February 08

Posted 29 September 2011 - 12:48 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
Posted Image
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!
"If I had some duct tape, I could fix that." - MacGyver

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users