Help Removing System Check Bug

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

4 Pages
1
2
3
→
Last »

You cannot start a new topic
This topic is locked

Help Removing System Check Bug

#1 PaulitosWay

Member

Group: Members
Posts: 29
Joined: 18-January 12

Posted 18 January 2012 - 02:46 PM

Hi,

I am having trouble removing system Check. When starting my laptop normally, System Check starts up as well as an error that spawns multiple times in the background. The error says "Failed to save all the components for the file \\System...." A short time later I get a memory overrun blee screen.

I have started my laptop in Safe Mode to create the dds log and run gmer. I am attaching the dds log but I can't save the gmer log because with the display in Safe Mode I can't reach the Save As button.

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by ppinckney at 11:09:15 on 2012-01-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1251 [GMT -6:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {515A9A24-3E56-4F30-B5D2-60182C89A785}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: Trend Micro Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\ctfmon.exe
C:\Documents and Settings\ppinckney\Desktop\Defogger.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uWindow Title = Internet Explorer, optimized for Bing and MSN
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
uRun: [Mikogo] "c:\documents and settings\ppinckney\application data\mikogo\Mikogo-Host.exe" -asp
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [systray] c:\program files\dell\dell mobile broadband\systray.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [gfUomFNvRQL.exe] c:\documents and settings\all users\application data\gfUomFNvRQL.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10w_ActiveX.exe -update activex
StartupFolder: c:\docume~1\ppinck~1\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
uPolicies-system: ConnectHomeDirToRoot = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49}
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://nvdc2.amcad.com:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://nvdc2.amcad.com:4343/officescan/console/html/ClientInstall/setup.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://nvdc2.amcad.com:4343/officescan/console/html/root/AtxEnc.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.amcad.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244829733578
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://l.yimg.com/jh/games/web_games/playtime/mahjongescape/PTGameLauncher.cab
TCP: DhcpNameServer = 10.128.74.207 10.128.74.208
TCP: Interfaces\{121070DB-B8E9-4905-A23E-66985F097ED2} : DhcpNameServer = 192.168.1.1 172.16.66.2
TCP: Interfaces\{8FC820CE-06B0-493B-8038-2C472F737E98} : DhcpNameServer = 192.168.1.1 172.16.66.2
TCP: Interfaces\{E674D28F-5C87-47A1-9F76-FCDB3915F70A} : DhcpNameServer = 10.128.74.207 10.128.74.208
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
Notify: NecUsb3Sevice - USB3Nw32.dll
Notify: USB3Nw32 - USB3Nw32.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ppinckney\application data\mozilla\firefox\profiles\z6p25q49.default\
FF - plugin: c:\documents and settings\ppinckney\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\ppinckney\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\update\1.3.21.93\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {F943AB9E-4275-4464-A1B5-09F879BF4A57} - c:\documents and settings\ppinckney\local settings\application data\{F943AB9E-4275-4464-A1B5-09F879BF4A57}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\ppinckney\application data\Move Networks
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-12-16 64512]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-4-20 338960]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-29 136176]
S2 Ias;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
S2 msftesql$SQL2005;SQL Server FullText Search (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2006-8-28 92952]
S2 NecUsb;USB Service;c:\windows\system32\svchost.exe -k NecUsbSevice [2004-8-11 14336]
S2 svchost32;Windows Service Manager;c:\windows\system32\inetsrv\svchost.exe /service --> c:\windows\system32\inetsrv\svchost.exe [?]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-1-8 50192]
S2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2009-3-27 225808]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2009-3-27 36368]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-10-28 54960]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2011-9-22 645048]
S3 B-Service;B-Service;c:\documents and settings\ppinckney\application data\mikogo\B-Service.exe [2010-10-1 185640]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-29 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 MSSQL$SQL2005;SQL Server (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
S3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [2007-11-1 92288]
S3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [2007-11-1 92288]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SQLAgent$SQL2005;SQL Server Agent (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\SQLAGENT90.EXE [2007-2-10 344944]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2007-4-4 488768]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-4-27 652552]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
.
=============== Created Last 30 ================
.
2012-01-18 16:52:55 358144 ----a-w- c:\documents and settings\all users\application data\me8v5QQuZc8fdS.exe
2012-01-18 16:04:17 358144 ----a-w- c:\documents and settings\all users\application data\KOZmzOUbZ6a39m.exe
2012-01-18 04:12:46 692480 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-01-17 22:15:01 453376 ----a-w- c:\documents and settings\all users\application data\gfUomFNvRQL.exe
2012-01-13 19:13:25 156672 ---ha-w- c:\windows\system32\NUSB3w32.dll
2012-01-13 19:13:24 37888 ---ha-w- c:\windows\system32\USB3Nw32.dll
2012-01-13 15:45:34 -------- d--h--w- c:\program files\Microsoft Synchronization Services
2012-01-13 15:44:33 -------- d--h--w- c:\program files\Microsoft SQL Server Compact Edition
2011-12-25 17:13:55 -------- d--h--w- C:\HandBrakeOutput
2011-12-25 17:10:54 -------- d-----w- c:\documents and settings\ppinckney\local settings\application data\HandBrake
2011-12-25 17:10:54 -------- d-----w- c:\documents and settings\ppinckney\application data\HandBrake
2011-12-25 17:10:33 -------- d--h--w- c:\program files\Handbrake
2011-12-25 15:51:24 -------- d--h--w- C:\Movies
.
==================== Find3M ====================
.
2011-12-16 19:11:30 16432 ---ha-w- c:\windows\system32\lsdelete.exe
2011-12-16 19:11:30 101720 ---ha-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-10 21:24:06 20464 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-11-03 18:06:56 64512 ---ha-w- c:\windows\system32\drivers\Lbd.sys
.
============= FINISH: 11:16:21.23 ===============

Attached File(s)

dds.txt (15.03K)
Number of downloads: 0

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,568
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 22 January 2012 - 12:16 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 PaulitosWay

Member

Group: Members
Posts: 29
Joined: 18-January 12

Posted 22 January 2012 - 09:43 AM

Thanks for your reply. i an trying to run combo fix in safe mode and am being notified that adaware and trend micro are running. i don't see them in the system tray. do you know how to disable?

#4 PaulitosWay

Member

Group: Members
Posts: 29
Joined: 18-January 12

Posted 22 January 2012 - 01:00 PM

ComboFix 12-01-21.02 - ppinckney 01/22/2012 10:25:45.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1377 [GMT -6:00]
Running from: c:\documents and settings\ppinckney\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {515A9A24-3E56-4F30-B5D2-60182C89A785}
FW: Trend Micro Personal Firewall *Enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\~docDNiDOcLRChC
c:\documents and settings\All Users\Application Data\~docDNiDOcLRChCr
c:\documents and settings\All Users\Application Data\~hogEBIF2JCKWH7
c:\documents and settings\All Users\Application Data\~hogEBIF2JCKWH7r
c:\documents and settings\All Users\Application Data\~KOZmzOUbZ6a39m
c:\documents and settings\All Users\Application Data\~KOZmzOUbZ6a39mr
c:\documents and settings\All Users\Application Data\~me8v5QQuZc8fdS
c:\documents and settings\All Users\Application Data\~me8v5QQuZc8fdSr
c:\documents and settings\All Users\Application Data\BtM5JaO2yejwBZ
c:\documents and settings\All Users\Application Data\docDNiDOcLRChC
c:\documents and settings\All Users\Application Data\gfUomFNvRQL.exe
c:\documents and settings\All Users\Application Data\GTLcayfSEzrjGN
c:\documents and settings\All Users\Application Data\hogEBIF2JCKWH7
c:\documents and settings\All Users\Application Data\KOZmzOUbZ6a39m
c:\documents and settings\All Users\Application Data\me8v5QQuZc8fdS
c:\documents and settings\ppinckney\Desktop\System Check.lnk
c:\documents and settings\ppinckney\g2mdlhlpx.exe
c:\documents and settings\ppinckney\My Documents\TMP39A.tmp
c:\documents and settings\ppinckney\My Documents\TMP39B.tmp
c:\documents and settings\ppinckney\Start Menu\Programs\System Check
c:\documents and settings\ppinckney\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\ppinckney\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\windows\$NtUninstallKB35346$
c:\windows\$NtUninstallKB35346$\1487601771
c:\windows\$NtUninstallKB35346$\3931070557\@
c:\windows\$NtUninstallKB35346$\3931070557\bckfg.tmp
c:\windows\$NtUninstallKB35346$\3931070557\cfg.ini
c:\windows\$NtUninstallKB35346$\3931070557\Desktop.ini
c:\windows\$NtUninstallKB35346$\3931070557\keywords
c:\windows\$NtUninstallKB35346$\3931070557\kwrd.dll
c:\windows\$NtUninstallKB35346$\3931070557\L\iahonoel
c:\windows\$NtUninstallKB35346$\3931070557\lsflt7.ver
c:\windows\$NtUninstallKB35346$\3931070557\U\00000001.@
c:\windows\$NtUninstallKB35346$\3931070557\U\00000002.@
c:\windows\$NtUninstallKB35346$\3931070557\U\00000004.@
c:\windows\$NtUninstallKB35346$\3931070557\U\80000000.@
c:\windows\$NtUninstallKB35346$\3931070557\U\80000004.@
c:\windows\$NtUninstallKB35346$\3931070557\U\80000032.@
c:\windows\EventSystem.log
c:\windows\system32\NUSB3w32.dll
c:\windows\system32\USB3Nw32.dll
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_SVCHOST32
-------\Service_6to4
-------\Service_Ias
-------\Service_svchost32
-------\Legacy_NecUsb
-------\Service_NecUsb
.
.
((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))
.
.
2012-01-22 15:05 . 2011-02-16 13:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-18 04:12 . 2012-01-22 17:27 692480 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-01-17 18:10 . 2012-01-17 18:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-01-13 18:11 . 2012-01-13 18:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-01-13 15:45 . 2012-01-13 15:45 -------- d--h--w- c:\program files\Microsoft Synchronization Services
2012-01-13 15:44 . 2012-01-13 15:44 -------- d--h--w- c:\program files\Microsoft Sync Framework
2012-01-13 15:44 . 2012-01-13 15:44 -------- d--h--w- c:\program files\Microsoft SQL Server Compact Edition
2011-12-25 17:13 . 2011-12-25 20:40 -------- d-----w- C:\HandBrakeOutput
2011-12-25 17:10 . 2011-12-25 17:22 -------- d--h--w- c:\documents and settings\ppinckney\Application Data\HandBrake
2011-12-25 17:10 . 2011-12-25 17:10 -------- d--h--w- c:\documents and settings\ppinckney\Local Settings\Application Data\HandBrake
2011-12-25 17:10 . 2011-12-25 17:10 -------- d--h--w- c:\program files\Handbrake
2011-12-25 15:51 . 2011-12-25 16:01 -------- d-----w- C:\Movies
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-16 19:11 . 2011-12-16 19:20 16432 ---ha-w- c:\windows\system32\lsdelete.exe
2011-12-16 19:11 . 2011-12-16 19:11 101720 ---ha-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-10 21:24 . 2010-09-11 23:16 20464 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-11-03 18:06 . 2011-12-16 19:09 64512 ---ha-w- c:\windows\system32\drivers\Lbd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"Mikogo"="c:\documents and settings\ppinckney\Application Data\Mikogo\Mikogo-Host.exe" [2011-11-14 5420408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-29 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]
"nwiz"="nwiz.exe" [2007-05-31 1626112]
"NVHotkey"="nvHotkey.dll" [2007-05-31 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"systray"="c:\program files\Dell\Dell Mobile Broadband\systray.exe" [2007-04-13 331851]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-04-16 746792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2008-10-29 64048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.exe" [2011-09-19 243360]
.
c:\documents and settings\ppinckney\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-1 50688]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-6-18 6144]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ConnectHomeDirToRoot"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-115176313-1801674531-6469\Scripts\Logon\0\0]
"Script"=user_logon.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer_Service.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"62569:TCP"= 62569:TCP:Trend Micro OfficeScan Listener
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/16/2011 1:09 PM 64512]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 1:21 PM 79432]
R2 msftesql$SQL2005;SQL Server FullText Search (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [8/28/2006 1:53 AM 92952]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/8/2010 7:30 AM 50192]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [3/27/2009 5:16 PM 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [3/27/2009 5:16 PM 36368]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/28/2008 9:01 PM 54960]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [9/22/2011 12:43 PM 645048]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [4/20/2007 4:44 PM 338960]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2011 8:41 AM 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [11/3/2011 12:06 PM 2152152]
S3 B-Service;B-Service;c:\documents and settings\ppinckney\Application Data\Mikogo\B-Service.exe [10/1/2010 7:44 AM 185640]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 11:32 AM 97536]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2011 8:41 AM 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]
S3 MSSQL$SQL2005;SQL Server (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 4:29 AM 29178224]
S3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [11/1/2007 4:01 AM 92288]
S3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [11/1/2007 4:01 AM 92288]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 SQLAgent$SQL2005;SQL Server Agent (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [2/10/2007 4:29 AM 344944]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [4/4/2007 8:35 PM 488768]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [4/27/2007 6:35 PM 652552]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 6:01 AM 2799808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
NecUsbSevice REG_MULTI_SZ NecUsb
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 18:06]
.
2012-01-17 c:\windows\Tasks\Backups.job
- c:\windows\system32\ntbackup.exe [2004-08-11 00:12]
.
2012-01-17 c:\windows\Tasks\Daily Backups.job
- c:\windows\system32\ntbackup.exe [2004-08-11 00:12]
.
2012-01-17 c:\windows\Tasks\DailyBckups.job
- c:\windows\system32\ntbackup.exe [2004-08-11 00:12]
.
2012-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-29 14:41]
.
2012-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-29 14:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.amcad.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://l.yimg.com/jh/games/web_games/playtime/mahjongescape/PTGameLauncher.cab
FF - ProfilePath - c:\documents and settings\ppinckney\Application Data\Mozilla\Firefox\Profiles\z6p25q49.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {F943AB9E-4275-4464-A1B5-09F879BF4A57} - c:\documents and settings\ppinckney\Local Settings\Application Data\{F943AB9E-4275-4464-A1B5-09F879BF4A57}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\ppinckney\Application Data\Move Networks
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-gfUomFNvRQL.exe - c:\documents and settings\All Users\Application Data\gfUomFNvRQL.exe
Notify-NecUsb3Sevice - USB3Nw32.dll
Notify-USB3Nw32 - USB3Nw32.dll
AddRemove-KB921896_SQL9 - c:\windows\SQL9_KB921896_ENU\Hotfix.exe
AddRemove-KB921896_SQLTools9 - c:\windows\SQLTools9_KB921896_ENU\Hotfix.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-22 11:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQL2005]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQL2005"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ab,90,7e,51,2e,d5,14,49,af,92,8c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ab,90,7e,51,2e,d5,14,49,af,92,8c,\
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1860)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'explorer.exe'(5988)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\Macromed\Flash\Flash10w.ocx
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\vmnat.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
.
**************************************************************************
.
Completion time: 2012-01-22 11:55:03 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-22 17:54
.
Pre-Run: 55,910,662,144 bytes free
Post-Run: 55,885,864,960 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\windows="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 643F8D0E3617D566B84F6FA8CF37BCE3

#5 PaulitosWay

Member

Group: Members
Posts: 29
Joined: 18-January 12

Posted 22 January 2012 - 01:05 PM

I ran combofix but I believe the adaware and office scan were still running at the time. In safe mode I couldn't disable either and in normal boot mode I get a blue screen from a memory leak from the System Check before I can disable them there.

Laptop seems to be running alot better...no System Check at startup...No blue screens

Please review the combo log and tell me what you think!

Thanks again.

#6 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,568
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 22 January 2012 - 01:18 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>

Firefox::
FF - ProfilePath - c:\documents and settings\ppinckney\Application Data\Mozilla\Firefox\Profiles\z6p25q49.default\
FF - Ext: XULRunner: {F943AB9E-4275-4464-A1B5-09F879BF4A57} - c:\documents and settings\ppinckney\Local Settings\Application Data\{F943AB9E-4275-4464-A1B5-09F879BF4A57}

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

<-- Don't worry every little bit helps.

#7 PaulitosWay

Member

Group: Members
Posts: 29
Joined: 18-January 12

Posted 22 January 2012 - 05:52 PM

I can't get a internet connection and when I tried to open Firefox I got a second window opening that tried to do a redirect. I copied the CFScript log to a thumbdrive and am sending from another computer.

From CFScript:

ComboFix 12-01-21.02 - ppinckney 01/22/2012 14:36:04.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1195 [GMT -6:00]
Running from: c:\documents and settings\ppinckney\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ppinckney\Desktop\CFScript.txt
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {515A9A24-3E56-4F30-B5D2-60182C89A785}
FW: Trend Micro Personal Firewall *Enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ppinckney\Local Settings\Application Data\{F943AB9E-4275-4464-A1B5-09F879BF4A57}
c:\documents and settings\ppinckney\Local Settings\Application Data\{F943AB9E-4275-4464-A1B5-09F879BF4A57}\chrome.manifest
c:\documents and settings\ppinckney\Local Settings\Application Data\{F943AB9E-4275-4464-A1B5-09F879BF4A57}\chrome\content\_cfg.js
c:\documents and settings\ppinckney\Local Settings\Application Data\{F943AB9E-4275-4464-A1B5-09F879BF4A57}\chrome\content\overlay.xul
c:\documents and settings\ppinckney\Local Settings\Application Data\{F943AB9E-4275-4464-A1B5-09F879BF4A57}\install.rdf
.
.
((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))
.
.
2012-01-22 15:05 . 2011-02-16 13:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-18 04:12 . 2012-01-22 20:17 692480 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-01-17 18:10 . 2012-01-17 18:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-01-13 18:11 . 2012-01-13 18:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-01-13 15:45 . 2012-01-13 15:45 -------- d--h--w- c:\program files\Microsoft Synchronization Services
2012-01-13 15:44 . 2012-01-13 15:44 -------- d--h--w- c:\program files\Microsoft Sync Framework
2012-01-13 15:44 . 2012-01-13 15:44 -------- d--h--w- c:\program files\Microsoft SQL Server Compact Edition
2011-12-25 17:13 . 2011-12-25 20:40 -------- d-----w- C:\HandBrakeOutput
2011-12-25 17:10 . 2011-12-25 17:22 -------- d--h--w- c:\documents and settings\ppinckney\Application Data\HandBrake
2011-12-25 17:10 . 2011-12-25 17:10 -------- d--h--w- c:\documents and settings\ppinckney\Local Settings\Application Data\HandBrake
2011-12-25 17:10 . 2011-12-25 17:10 -------- d--h--w- c:\program files\Handbrake
2011-12-25 15:51 . 2011-12-25 16:01 -------- d-----w- C:\Movies
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-16 19:11 . 2011-12-16 19:11 101720 ---ha-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-10 21:24 . 2010-09-11 23:16 20464 ---ha-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-22_17.27.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-22 20:13 . 2012-01-22 20:13 16384 c:\windows\temp\Perflib_Perfdata_604.dat
+ 2012-01-22 20:13 . 2012-01-22 20:13 16384 c:\windows\temp\Perflib_Perfdata_314.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"Mikogo"="c:\documents and settings\ppinckney\Application Data\Mikogo\Mikogo-Host.exe" [2011-11-14 5420408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-29 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]
"nwiz"="nwiz.exe" [2007-05-31 1626112]
"NVHotkey"="nvHotkey.dll" [2007-05-31 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"systray"="c:\program files\Dell\Dell Mobile Broadband\systray.exe" [2007-04-13 331851]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-04-16 746792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2008-10-29 64048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.exe" [2011-09-19 243360]
.
c:\documents and settings\ppinckney\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-1 50688]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-6-18 6144]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ConnectHomeDirToRoot"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-115176313-1801674531-6469\Scripts\Logon\0\0]
"Script"=user_logon.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TmProxy"=3 (0x3)
"TmPfw"=3 (0x3)
"tmlisten"=2 (0x2)
"TMBMServer"=3 (0x3)
"ntrtscan"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer_Service.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"62569:TCP"= 62569:TCP:Trend Micro OfficeScan Listener
.
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 1:21 PM 79432]
R2 msftesql$SQL2005;SQL Server FullText Search (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [8/28/2006 1:53 AM 92952]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/8/2010 7:30 AM 50192]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [3/27/2009 5:16 PM 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [3/27/2009 5:16 PM 36368]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/28/2008 9:01 PM 54960]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [9/22/2011 12:43 PM 645048]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [4/20/2007 4:44 PM 338960]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2011 8:41 AM 136176]
S3 B-Service;B-Service;c:\documents and settings\ppinckney\Application Data\Mikogo\B-Service.exe [10/1/2010 7:44 AM 185640]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 11:32 AM 97536]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2011 8:41 AM 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]
S3 MSSQL$SQL2005;SQL Server (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 4:29 AM 29178224]
S3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [11/1/2007 4:01 AM 92288]
S3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [11/1/2007 4:01 AM 92288]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 SQLAgent$SQL2005;SQL Server Agent (SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [2/10/2007 4:29 AM 344944]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 6:01 AM 2799808]
S4 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [4/4/2007 8:35 PM 488768]
S4 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [4/27/2007 6:35 PM 652552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
NecUsbSevice REG_MULTI_SZ NecUsb
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-17 c:\windows\Tasks\Backups.job
- c:\windows\system32\ntbackup.exe [2004-08-11 00:12]
.
2012-01-17 c:\windows\Tasks\Daily Backups.job
- c:\windows\system32\ntbackup.exe [2004-08-11 00:12]
.
2012-01-17 c:\windows\Tasks\DailyBckups.job
- c:\windows\system32\ntbackup.exe [2004-08-11 00:12]
.
2012-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-29 14:41]
.
2012-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-29 14:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.amcad.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://l.yimg.com/jh/games/web_games/playtime/mahjongescape/PTGameLauncher.cab
FF - ProfilePath - c:\documents and settings\ppinckney\Application Data\Mozilla\Firefox\Profiles\z6p25q49.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\ppinckney\Application Data\Move Networks
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-22 15:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQL2005]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SQL2005"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ab,90,7e,51,2e,d5,14,49,af,92,8c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ab,90,7e,51,2e,d5,14,49,af,92,8c,\
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
Completion time: 2012-01-22 15:38:37
ComboFix-quarantined-files.txt 2012-01-22 21:37
ComboFix2.txt 2012-01-22 17:55
.
Pre-Run: 56,039,198,720 bytes free
Post-Run: 56,085,221,376 bytes free
.
- - End Of File - - 6476DEFDFC5F82B264F55D8BA186F31C

#8 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,568
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 22 January 2012 - 09:48 PM

Hello

Lets check your internet connection

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure all the boxes are checked
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Gringo

<-- Don't worry every little bit helps.

#9 PaulitosWay

Member

Group: Members
Posts: 29
Joined: 18-January 12

Posted 22 January 2012 - 10:12 PM

Farbar Service Scanner Version: 18-01-2012 01
Ran by ppinckney (administrator) on 22-01-2012 at 21:09:24
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

Windows Update:
===========
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

File Check:
========
C:\windows\system32\dhcpcsvc.dll => MD5 is legit
C:\windows\system32\Drivers\afd.sys => MD5 is legit
C:\windows\system32\Drivers\netbt.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\windows\system32\Drivers\ipsec.sys => MD5 is legit
C:\windows\system32\dnsrslvr.dll => MD5 is legit
C:\windows\system32\ipnathlp.dll => MD5 is legit
C:\windows\system32\netman.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\srsvc.dll => MD5 is legit
C:\windows\system32\Drivers\sr.sys => MD5 is legit
C:\windows\system32\wscsvc.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\wuauserv.dll => MD5 is legit
C:\windows\system32\qmgr.dll => MD5 is legit
C:\windows\system32\es.dll => MD5 is legit
C:\windows\system32\cryptsvc.dll => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit
C:\windows\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(8) DNE(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) tmcfw(12) VMnetBridge(11)
0x0C0000000400000001000000020000000300000005000000060000000700000008000000090000000A0000000B0000000C000000
IpSec Tag value is correct.

**** End of log ****

#10 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,568
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 22 January 2012 - 11:20 PM

Hello

here is what I want you to try next

1. Locate the file - C:\Windows\inf\Nettcpip.inf

It's important that you first make a copy of the file. Place the copy on your Desktop.
Once you have done that, use Notepad open the original file for editing.

2. Locate the [MS_TCPIP.PrimaryInstall] section.

3. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0×80.

Posted Image

4. Save the file, and then exit Notepad.

Posted Image

5. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.

Posted Image

6. On the General tab, click Install, select Protocol, and then click Add.

Posted Image

7. In the Select Network Protocols window, click Have Disk.

Posted Image

8. In the Copy manufacturer’s files from: text box, type c:\windows\inf, and then click OK.

Posted Image

9. Select Internet Protocol (TCP/IP), and then click OK.

Posted Image

Note This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.

10. Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.

11. It is important that you restart the computer to complete the uninstall.

------------

Step #2 - Reinstall of TCP/IP

Posted Image

Take the nettcpip.inf which you have earlier copied to Desktop. Move it back to the directory C:\Windows\INF\ overwriting the existing copy. The file shall now look exactly like the sample above.

Redo sub-steps 4-11 to re-install TCP/IP

<-- Don't worry every little bit helps.

#11 PaulitosWay

Member

Group: Members
Posts: 29
Joined: 18-January 12

Posted 23 January 2012 - 10:44 AM

OK. I still have the same issue. Let me clarify(Sorry about that). I am not able to access my wireless network. I am plugged in now and I am able to access the network. This may not be an issue. Apologies.

Another issue is that not all of my installed applications are present in Start -- All Programs.
Also I am having redirects from IE and Firefox when choosing a link from a search result in yahoo or goog.

#12 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,568
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 23 January 2012 - 10:47 AM

Hello

thanks for the clarification lets work on the redirects and see what we have after

let me know when the redirects stop

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

<-- Don't worry every little bit helps.

#13 PaulitosWay

Member

Group: Members
Posts: 29
Joined: 18-January 12

Posted 23 January 2012 - 11:45 AM

I doubleclick TDSSKiller and nothing happens. Does it take some time to startup?

Thanks

#14 PaulitosWay

Member

Group: Members
Posts: 29
Joined: 18-January 12

Posted 23 January 2012 - 03:13 PM

And now I'm back to square one it looks like. I stepped away and now I show that Smart Protection 2012 AND System Check are installed!!! Wow. Start again?