BleepingComputer.com: Search Engine redirect virus


Search Engine redirect virus I need some help getting rid of this virus

#46 wpeppers

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 18-December 11

Posted 31 December 2011 - 07:15 PM

Hello, the log is below. It restarted in normal mode and seems to be working now. Also, during the ComboFix run I had an error: PEV.3XE failed to execute.

Thanks.



ComboFix 11-12-31.03 - WEP0901 12/31/2011 17:52:25.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1455 [GMT -6:00]
Running from: c:\documents and settings\wep0901\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-01 to 2012-01-01 )))))))))))))))))))))))))))))))
.
.
2011-12-30 02:11 . 2011-12-30 02:11 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-30 02:09 . 2011-12-30 02:09 -------- d-----w- c:\program files\Common Files\Java
2011-12-30 02:09 . 2011-12-30 02:09 -------- d--h--w- c:\windows\msdownld.tmp
2011-12-30 02:09 . 2011-12-30 02:09 -------- d-----w- c:\windows\35C03C043F1F42C2A989A757EE691F65.TMP
2011-12-27 08:15 . 2011-12-27 08:15 -------- d-----w- c:\program files\Trend Micro
2011-12-21 01:48 . 2011-12-21 02:02 -------- d-----w- c:\documents and settings\wep0901\Application Data\PerformerSoft
2011-12-21 01:47 . 2011-12-03 00:04 17464 ----a-w- c:\windows\system32\roboot.exe
2011-12-21 01:47 . 2011-12-21 01:47 -------- d-----w- c:\program files\InstallBrainService
2011-12-19 14:56 . 2010-10-23 02:07 66536 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-12-19 14:56 . 2010-10-23 02:07 91896 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-12-19 14:56 . 2010-10-23 02:07 76024 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-12-19 14:56 . 2010-10-23 02:07 69192 ----a-w- c:\windows\system32\mfevtps.exe
2011-12-19 14:56 . 2010-10-23 02:07 64208 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2011-12-19 14:56 . 2010-10-23 02:07 43192 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-12-19 14:56 . 2010-10-23 02:07 344712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-12-19 14:21 . 2011-12-19 14:21 -------- d-----w- c:\program files\McAfee
2011-12-19 14:21 . 2011-12-19 14:21 -------- d-----w- c:\program files\Common Files\McAfee
2011-12-17 15:21 . 2011-12-17 15:21 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-12-17 15:20 . 2011-12-17 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-12-16 04:06 . 2011-12-16 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-12-16 00:08 . 2011-12-16 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-16 00:08 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-15 05:14 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-12-15 05:14 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-12-15 05:14 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-12-15 05:14 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-12-15 05:14 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-12-15 05:14 . 2011-11-28 17:52 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-12-15 05:14 . 2011-11-28 17:51 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-12-15 05:14 . 2011-11-28 17:48 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-12-15 05:11 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2011-12-15 05:11 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-12-12 22:38 . 2011-09-09 15:59 57000 ----a-r- c:\windows\system32\drivers\acsmux.sys
2011-12-12 22:38 . 2011-09-09 15:59 38440 ----a-r- c:\windows\system32\drivers\acsint.sys
2011-12-12 22:37 . 2011-12-12 22:37 -------- d-----w- c:\program files\Cisco
2011-12-12 22:37 . 2011-12-12 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-22 01:55 . 2011-07-21 02:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-21 20:25 . 2011-11-21 20:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-21 20:25 . 2011-11-21 20:26 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-02 14:24 . 2011-11-02 14:24 68896 ----a-w- c:\windows\system32\NLSSRV32.EXE
2011-11-02 14:21 . 2011-11-21 21:29 26400 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2011-11-02 14:21 . 2011-11-21 21:29 17696 ----a-w- c:\windows\system32\nitrolocalui2.dll
2011-10-10 14:22 . 2007-06-11 20:33 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-26 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-02-16 417792]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-10-23 124224]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-19 20:43 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-539991693-2948609479-2399450076-11709\Scripts\Logon\0\0]
"Script"=JunkEmailLists.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-539991693-2948609479-2399450076-11709\Scripts\Logon\1\0]
"Script"=ExplorerUpdatePatch.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-539991693-2948609479-2399450076-11709\Scripts\Logon\2\0]
"Script"=IE7JIFix.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-539991693-2948609479-2399450076-11709\Scripts\Logon\3\0]
"Script"=AlertClientInstall.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-539991693-2948609479-2399450076-11709\Scripts\Logon\4\0]
"Script"=WebBan_Inst.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-539991693-2948609479-2399450076-11709\Scripts\Logon\5\0]
"Script"=WebBan_Inst.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-539991693-2948609479-2399450076-11709\Scripts\Logon\6\0]
"Script"=AppsDrive.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-539991693-2948609479-2399450076-11709\Scripts\Logon\7\0]
"Script"=Remote Assistance.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^wep0901^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\wep0901\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlertClient]
2006-04-19 14:32 9216 ----a-w- c:\program files\Alert Client\AlertClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-08-24 20:27 623960 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChromeFrameHelper]
2011-11-15 05:38 94776 ----a-w- c:\documents and settings\wep0901\Local Settings\Application Data\Google\Chrome\Application\15.0.874.121\chrome_frame_helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cisco AnyConnect Secure Mobility Agent for Windows]
2011-09-09 16:09 523216 ----a-w- c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator]
2010-11-12 23:54 5145952 ----a-w- c:\program files\Microsoft Office Communicator\communicator.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2011-11-14 22:18 137536 ----atw- c:\documents and settings\wep0901\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-09-09 02:16 136176 ----atw- c:\documents and settings\wep0901\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-11-18 21:13 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-16 00:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2010-01-27 17:22 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2010-05-08 00:35 165208 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2010-10-15 22:05 140608 ----a-w- c:\program files\Network Associates\Common Framework\UdaterUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ptmsgfrm.exe]
2008-08-03 12:30 42312 ----a-w- c:\program files\WebEx\Productivity Tools\ptmsgfrm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-02-16 00:50 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]
2009-03-19 15:55 460216 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
2010-10-23 02:07 124224 ----a-w- c:\program files\McAfee\VirusScan Enterprise\shstat.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-02-19 18:26 303104 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-09-26 05:04 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SAP\\FrontEnd\\SAPgui\\saplogon.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\IBS\\SBN\\SBN.exe"=
"c:\\Program Files\\Lantronix\\DeviceInstaller\\DeviceInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\OnGuard\\acsmntr.exe"=
"c:\\Program Files\\OnGuard\\AreaAccessManager.exe"=
"c:\\WINDOWS\\system32\\OPCENUM.EXE"=
"c:\\Program Files\\OnGuard\\LnlPTZTourServer.exe"=
"c:\\Program Files\\OnGuard\\LSLServer.exe"=
"c:\\Program Files\\OnGuard\\VideoViewer.exe"=
"c:\\Program Files\\OnGuard\\SystemAdministration.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Lantronix\\DeviceInstaller4.2\\DeviceInstaller.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Honeywell Video Systems\\Honeywell IP Utility\\Honeywell IP Utility.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{68550918-63B5-4762-85CB-3C160AA4B213}\\setup\\hpznui01.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"c:\\Documents and Settings\\wep0901\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
"c:\\Program Files\\Cisco\\Cisco AnyConnect Secure Mobility Client\\acwebsecagent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9322:TCP"= 9322:TCP:EKDiscovery
"135:TCP"= 135:TCP:RPC Port
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"161:UDP"= 161:UDP:FMAudit Agent Default
"33333:UDP"= 33333:UDP:FMAudit Agent Fallback
.
R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [7/18/2007 1:36 PM 218112]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/14/2011 11:14 PM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/14/2011 11:14 PM 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/14/2011 11:14 PM 20568]
R2 FMAuditAgent;FMAudit Agent;c:\program files\FMAudit, LLC\FMAudit Agent\fmaagent.exe [11/2/2009 12:59 PM 294912]
R2 InstallBrainService;InstallBrain Updater Service;c:\program files\InstallBrainService\InstallBrainService.exe [12/20/2011 7:47 PM 273912]
R2 iPCAgent;iPCAgent;c:\program files\iPass\iPassConnect\iPCAgent.exe [9/12/2008 6:01 PM 90112]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/11/2010 8:29 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 11:22 AM 12856]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [10/22/2010 8:07 PM 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/19/2011 8:56 AM 69192]
R2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;c:\program files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe [11/2/2011 8:23 AM 196896]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [11/2/2011 8:24 AM 68896]
R2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [9/9/2011 10:08 AM 475088]
R3 acsint;acsint;c:\windows\system32\drivers\acsint.sys [12/12/2011 4:38 PM 38440]
R3 acsmux;acsmux;c:\windows\system32\drivers\acsmux.sys [12/12/2011 4:38 PM 57000]
R3 acwebsecagent;Cisco AnyConnect Web Security Agent;c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\acwebsecagent.exe [9/9/2011 10:10 AM 844728]
S2 gupdate1ca12d3e9990700;Google Update Service (gupdate1ca12d3e9990700);c:\program files\Google\Update\GoogleUpdate.exe [8/1/2009 12:14 PM 133104]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [8/27/2007 7:55 AM 87936]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/1/2009 12:14 PM 133104]
S3 LpsSearchSvc;LpsSearchSvc;c:\program files\Common Files\Lenel\LpsSearchSvc.exe [5/8/2009 9:51 PM 573440]
S3 LS Config Download Service;LS Config Download Service;c:\program files\OnGuard\LnlConfigDownloadService.exe [5/8/2009 11:48 PM 115200]
S3 LS Linkage Server;LS Linkage Server;c:\program files\OnGuard\LSLServer.exe [9/30/2009 2:47 PM 1128736]
S3 LS PTZ Tour Server;LS PTZ Tour Server;c:\program files\OnGuard\LnlPTZTourServer.exe [5/8/2009 11:21 PM 179712]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/19/2011 8:56 AM 66536]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/28/2007 6:01 PM 42512]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [3/26/2007 1:21 PM 82432]
S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [3/26/2007 1:21 PM 66304]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [3/4/2010 10:02 AM 37616]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 6:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-12-26 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-682003330-1229272821-839522115-54342Core.job
- c:\documents and settings\wep0901\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-11-14 22:18]
.
2011-12-30 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-682003330-1229272821-839522115-54342UA.job
- c:\documents and settings\wep0901\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-11-14 22:18]
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-01 18:14]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-01 18:14]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1229272821-839522115-54342Core.job
- c:\documents and settings\wep0901\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-02 02:16]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1229272821-839522115-54342UA.job
- c:\documents and settings\wep0901\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-02 02:16]
.
2011-12-31 c:\windows\Tasks\User_Feed_Synchronization-{09B1069B-2F3A-4361-89ED-E250AEA69FD5}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ecentral.stanleyblackanddecker.com
uInternet Connection Wizard,ShellNext = hxxp://stanleyatwork/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: cleo
Trusted Zone: internet
Trusted Zone: kltvms.com
Trusted Zone: mcafee.com
Trusted Zone: nbc-vdev-nss
Trusted Zone: ogi
Trusted Zone: reciva.com\www
Trusted Zone: reporting
Trusted Zone: stanleyworks.com\reset
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.2.1
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {3B0AFE6A-6AEF-47D7-83EA-D1929568B81B} - file:///D:/client16.cab
DPF: {8BA1621C-F6E9-47C5-A55D-2F4BAB913B2B} - hxxps://reset.stanleyworks.com/CachedCredUtil.cab
DPF: {ACC5EE0C-9D3E-4BB0-A1B4-4B9A176DC2B8} - hxxp://169.254.105.15/HD4MDIP.cab
DPF: {C111A91F-D4EC-4D22-8D27-C3BCB0389F43} - hxxp://169.254.61.35/activex/AMC.cab
DPF: {C1A7666B-C2BA-4046-BE4F-D95E1E14576A} - hxxp://169.254.81.113/HD3MDIH.cab
DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} - vpnweb.cab
DPF: {D46EA44D-DB4E-4B73-A78C-C334435879D7} - hxxp://10.100.192.80/HD4MDIH.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.0.90/activex/AMC.cab
DPF: {ED324F9E-715D-4BE2-B6DF-44FCB674AADF} - hxxp://inthot01/StanleyIntranet/Portal/resources/msddsc.cab
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1464)
c:\windows\system32\LMIinit.dll
.
Completion time: 2011-12-31 18:07:53
ComboFix-quarantined-files.txt 2012-01-01 00:07
.
Pre-Run: 46,085,083,136 bytes free
Post-Run: 46,155,706,368 bytes free
.
- - End Of File - - 5E1E4584ADDB42805825DADE4FE25379

#47 gringo_pr

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,524
  • Joined: 03-July 08
  • Gender: Male
  • Location: Puerto Rico

Posted 31 December 2011 - 07:33 PM

Have you rechecked the DMA again?

gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

#48 gringo_pr

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,524
  • Joined: 03-July 08
  • Gender: Male
  • Location: Puerto Rico

Posted 03 January 2012 - 11:22 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread, then it will have to be closed!


Gringo

#49 gringo_pr

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,524
  • Joined: 03-July 08
  • Gender: Male
  • Location: Puerto Rico

Posted 06 January 2012 - 11:56 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
