
Infected system antivirus not starting & web redirecting


  • This topic is locked
22 replies to this topic

#1 markvincent


Posted 24 August 2011 - 07:29 AM

Hi all

Hope you can help

I first noticed the problem when the Avira antivirus guard service stopped.
Also redirects web access to random sites but will go to required site on refresh.
System also takes ages to stabilise after logging into windows.

I tried Malwarebytes Antimalware which will initially start running then just stops.
I have tried to install with a renamed install file, which installs fine, and renaming mbam.exe, which runs but gives the same result as above.
The exe file will then not run and is not renamable; the system comes up with a 'you are not authorised' type message.

Tried super antispyware which ran fine but just picked up adware tracking cookies.

Tried to run GMER but same result as above
See attached DDS log files

Thanx in advance

Mark



.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_26
Run by Mark at 13:14:35 on 2011-08-24
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.2814.1711 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\4025563533:1925582352.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
C:\Windows\system32\MNSFramework.exe
C:\Program Files\BUFFALO\NASNAVI\nassvc.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\Lenovo\Access Connections\AcSvc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\TpShocks.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lenovo\Access Connections\ACWLIcon.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Iomega\QuikProtect\startQuikProtect.exe
C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\PicPick\picpick.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Users\Mark\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = about:blank
uDefault_Page_URL = hxxp://lenovo.msn.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [ShowBatteryBar] "c:\program files\batterybar\ShowBatteryBar.exe" show
uRun: [PicPick Start] c:\program files\picpick\picpick.exe
uRun: [SugarSync] "c:\program files\sugarsync\SugarSyncManager.exe" -startInTray -usedelay=true
uRun: [Google Update] "c:\users\mark\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [cAudioFilterAgent] c:\program files\conexant\caudiofilteragent\cAudioFilterAgent.exe
mRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
mRun: [AcWin7Hlpr] c:\program files\lenovo\access connections\AcTBenabler.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min /ns
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ACWLIcon] c:\program files\lenovo\access connections\ACWLIcon.exe
mRun: [LENOVO.TPKNRRES] c:\program files\lenovo\communications utility\TPKNRRES.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuiKProtect] c:\program files\iomega\quikprotect\StartQuikProtect.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\mark\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\mark\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send image to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
LSP: mswsock.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{8BB962CD-A607-49C8-87BB-0067E69B01E3} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{8BB962CD-A607-49C8-87BB-0067E69B01E3}\2656C6B696E6534376 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{8BB962CD-A607-49C8-87BB-0067E69B01E3}\D4C4350275966696 : DhcpNameServer = 192.168.0.5 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli ACGina
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\mark\appdata\roaming\mozilla\firefox\profiles\k7cz4jph.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - component: c:\users\mark\appdata\roaming\mozilla\firefox\profiles\k7cz4jph.default\extensions\afom@idevfh\components\npAFOM.dll
FF - component: c:\users\mark\appdata\roaming\mozilla\firefox\profiles\k7cz4jph.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\mark\appdata\local\google\update\1.3.21.65\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2011-1-17 16024]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-10-9 20520]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-26 11608]
R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\drivers\eusk2par.sys [2011-7-26 30656]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2011-1-13 13680]
R1 SASDIFSV;SASDIFSV;c:\users\mark\appdata\local\temp\sas_selfextract\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\users\mark\appdata\local\temp\sas_selfextract\saskutil.sys [2010-5-10 67656]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-6 169312]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-1-13 172032]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-26 109568]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-26 56816]
R2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2011-1-18 1737464]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\lenovo\communications utility\CamMute.exe [2011-1-13 50536]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2011-1-13 45496]
R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\lenovo\communications utility\TPKNRSVC.exe [2011-1-13 74088]
R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\lenovo\virtscrl\lvvsst.exe [2011-1-13 93032]
R2 NasPmService;NAS PM Service;c:\program files\buffalo\nasnavi\nassvc.exe -service_execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 --> c:\program files\buffalo\nasnavi\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 [?]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-1-28 196912]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2011-1-17 220824]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-8-23 1153368]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\lenovo\hotkey\tphkload.exe [2011-1-13 101376]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2011-1-13 64440]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-11-11 539248]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-1-13 189784]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 275048]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-12-3 1113704]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-6-17 128272]
R3 usbsmi;Integrated Camera;c:\windows\system32\drivers\SMIksdrv.sys [2011-1-13 181120]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\drivers\vfilter.sys [2010-9-2 17920]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-22 185089]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Virtual Router;VirtualRouterService;c:\program files\virtual router\VirtualRouterService.exe [2009-11-18 13824]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2011-4-3 30312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-2-3 29472]
S3 JCYNGGTQ;JCYNGGTQ;c:\users\mark\appdata\local\temp\JCYNGGTQ.exe [2011-8-23 412544]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-1-18 9216]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1E0B.tmp [2011-8-23 6144]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 PCDSRVC{3037D694-FD904ACA-06000000}_0;PCDSRVC{3037D694-FD904ACA-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-9-8 21360]
S3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-9-8 21360]
S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-2-3 75112]
S3 QPCopyEngine;QPCopyEngine;c:\program files\iomega\quikprotect\QpMonitor.exe [2010-6-24 247088]
S3 QsFsFltr;QsFsFltr;c:\windows\system32\drivers\QsFsFltr.sys [2010-6-24 19384]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-4-3 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-4-3 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-4-3 121576]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\drivers\virtualnet.sys [2010-9-2 13824]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-20 1343400]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-14 17920]
S3 XYDF;XYDF;c:\users\mark\appdata\local\temp\XYDF.exe [2011-8-23 588672]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2011-08-23 22:01:12 6144 ------w- c:\windows\system32\1E0B.tmp
2011-08-23 22:00:36 6144 ------w- c:\windows\system32\8F82.tmp
2011-08-23 20:22:17 6144 ------w- c:\windows\system32\5744.tmp
2011-08-23 20:20:51 6144 ------w- c:\windows\system32\5F9.tmp
2011-08-23 20:09:30 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-08-23 19:45:10 65808 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-08-23 18:02:20 -------- d-----w- c:\program files\Sophos
2011-08-23 14:33:57 -------- d-----w- c:\program files\mwb2
2011-08-23 08:14:40 -------- d-----w- c:\program files\mwb
2011-08-23 08:12:16 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-08-23 08:12:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-22 20:11:09 -------- d-----r- C:\Sandbox
2011-08-22 20:10:03 -------- d-----w- c:\program files\Sandboxie
2011-08-22 19:56:03 4096 --sha-w- c:\users\mark\wevtapi.dll
2011-08-22 19:56:03 227328 ----a-w- c:\users\mark\taskmgr.exe
2011-08-22 19:51:38 -------- d-----w- c:\programdata\phpDesigner
2011-08-22 18:27:55 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{fd7ff0d1-c0bd-4aa0-b2a3-c7a60f888ae7}\mpengine.dll
2011-08-21 19:18:56 -------- d-----w- c:\users\mark\appdata\roaming\enchant
2011-08-21 19:18:54 -------- d-----w- c:\users\mark\.bluefish
2011-08-21 17:45:47 -------- d-----w- c:\program files\common files\GTK
2011-08-21 17:39:37 -------- d-----w- c:\program files\Bluefish
2011-08-20 08:44:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-06 19:03:07 -------- d-----w- c:\users\mark\appdata\local\MLS Service m
2011-08-06 18:27:33 -------- d-----w- c:\users\mark\appdata\roaming\Prism
2011-08-06 18:27:33 -------- d-----w- c:\users\mark\appdata\local\Prism
2011-08-06 18:17:01 -------- d-----w- c:\users\mark\appdata\local\MLS Service n
2011-08-06 18:15:46 -------- d-----w- c:\users\mark\appdata\local\MLS Service
2011-08-06 18:15:37 -------- d-----w- c:\users\mark\appdata\roaming\WebApps
2011-08-06 18:03:38 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-08-06 18:03:37 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-08-06 18:03:37 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-08-06 18:03:37 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-08-06 18:03:37 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-08-06 18:03:37 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-08-06 18:03:36 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-08-06 18:03:36 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-07-26 15:41:16 43968 ----a-w- c:\windows\system32\drivers\eusk3usb.sys
2011-07-26 15:41:14 30656 ----a-w- c:\windows\system32\drivers\eusk2par.sys
2011-07-26 15:31:11 -------- d-----w- c:\program files\MyLab_Desk
2011-07-26 15:30:10 16384 ----a-w- c:\windows\system32\FileOps.exe
2011-07-26 15:25:19 -------- d-----w- c:\users\mark\appdata\local\ApplicationHistory
2011-07-26 15:21:56 -------- d-----w- c:\windows\system32\URTTEMP
.
==================== Find3M ====================
.
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 13:17:59.90 ===============
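A small triage helper for DDS logs like the one above, added here as an illustration; it is not part of the original post and not DDS's own code. It parses the Running Processes, SERVICES / DRIVERS and Created Last 30 sections and flags the entries a helper would ask about first: an image name in NTFS alternate-data-stream form under C:\Windows, executables loaded from the user's Temp folder, a .tmp file registered as a service image, and binaries dropped hidden in the profile root. The regexes, the heuristics and the trimmed sample log are my own construction based on the log format shown in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in DDS log format. The entries are taken from the first
# post's log and trimmed to the lines the heuristics below care about.
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\4025563533:1925582352.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-26 11608]
S3 JCYNGGTQ;JCYNGGTQ;c:\users\mark\appdata\local\temp\JCYNGGTQ.exe [2011-8-23 412544]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1E0B.tmp [2011-8-23 6144]
S3 XYDF;XYDF;c:\users\mark\appdata\local\temp\XYDF.exe [2011-8-23 588672]
.
=============== Created Last 30 ================
.
2011-08-22 19:56:03 4096 --sha-w- c:\users\mark\wevtapi.dll
2011-08-22 19:56:03 227328 ----a-w- c:\users\mark\taskmgr.exe
2011-08-23 18:02:20 -------- d-----w- c:\program files\Sophos
.
============= FINISH: 13:17:59.90 ===============
"""

# DDS line formats as read from the log above (my reading, not a DDS specification).
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\S{8})\s+(.+)$")

# Heuristics for paths a helper would ask about before anything else.
ADS_NAME_RE = re.compile(r"^c:\\windows\\\d+:\d+\.exe$", re.I)
USER_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.(exe|sys|dll)$", re.I)
PROFILE_ROOT_RE = re.compile(r"^c:\\users\\[^\\]+\\[^\\]+\.(exe|dll)$", re.I)
TMP_IMAGE_RE = re.compile(r"\\[^\\]+\.tmp$", re.I)

Finding = Tuple[str, str, List[str]]  # (section, path, reasons)


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group a DDS log into {section name: [lines]}, dropping the '.' spacer lines."""
    sections: Dict[str, List[str]] = {}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def assess_path(path: str, attrs: str = "") -> List[str]:
    """Return the reasons a path deserves a second look (empty list if none)."""
    reasons: List[str] = []
    if ADS_NAME_RE.match(path):
        reasons.append("process image named like an NTFS alternate data stream in C:\\Windows")
    if USER_TEMP_RE.search(path):
        reasons.append("executable or driver loaded from the user's Temp folder")
    if PROFILE_ROOT_RE.match(path):
        reasons.append("binary dropped directly in the user profile root")
    if TMP_IMAGE_RE.search(path):
        reasons.append("service image is a .tmp file")
    if "h" in attrs and "s" in attrs:  # DDS attribute flags: h = hidden, s = system
        reasons.append("hidden+system attributes set")
    return reasons


def triage(text: str) -> List[Finding]:
    """Walk the three sections a helper reads first and collect what stands out."""
    findings: List[Finding] = []
    sections = split_sections(text)
    for path in sections.get("Running Processes", []):
        if reasons := assess_path(path):
            findings.append(("Running Processes", path, reasons))
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if m and (reasons := assess_path(m.group(4))):
            findings.append(("SERVICES / DRIVERS", m.group(4), reasons))
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if m and (reasons := assess_path(m.group(4), attrs=m.group(3))):
            findings.append(("Created Last 30", m.group(4), reasons))
    return findings


def flagged_paths(text: str) -> List[str]:
    """Convenience view: just the paths that triage() flagged, in log order."""
    return [path for _, path, _ in triage(text)]


if __name__ == "__main__":
    for section, path, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

A flag is a prompt to inspect the file, not a verdict: removal tools also load drivers from temporary names, and the Sophos folder in this log was created only hours before the .tmp driver entries.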


#2 HelpBot


Posted 29 August 2011 - 07:30 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/415879 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 m0le


Posted 30 August 2011 - 06:55 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please don't carry out HelpBot's instructions; you have Windows 7, so GMER is not effective. Instead, please run aswMBR.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#4 markvincent


Posted 01 September 2011 - 05:34 PM

Hi m0le

Thanks for helping me.

I've tried to run aswMBR; it runs for a minute and finds win32:sirefef-f in drivers/dfsc.sys.
aswMBR will then not run until I redownload it. Same result in safe mode.

Any ideas?



#5 m0le


Posted 01 September 2011 - 05:42 PM

Any ideas?


Oh yes. This is not a rootkit but is quite a nasty infection. We will attempt to use a more powerful tool to remove it.


First run RKill

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.


Next please run Combofix

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE
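The procedure above ends with a C:\ComboFix.txt to post back, and the useful signal in such a log is spread over three kinds of line: "Infected copy of X was found and disinfected" paired with "Restored copy from - Y", "X . . . is infected!!" with no restore line after it, and the R/S service and driver lines that end in "[date size]" or "[x]". The Python below is an added triage helper written for this thread, not code from ComboFix, RKill or the poster; it parses those lines and flags the services a responder would check first: a binary ComboFix flagged but did not restore, a service binary under a Temp directory, an ImagePath that is a .tmp file, or a registered service whose file is gone. The sample log is a constructed excerpt in the same layout as the log later in this thread; the reading of R/S plus start-type digit and of "[x]" as "file not present" follows ComboFix's own log convention.

```python
"""Triage helper for a ComboFix log (added example, not ComboFix's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
Infected copy of c:\program files\Bonjour\mDNSResponder.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Bonjour!mDNSResponder.exe
.
c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe . . . is infected!!
.
c:\program files\Virtual Router\VirtualRouterService.exe . . . is infected!!
.
R1 SASDIFSV;SASDIFSV;c:\users\Mark\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
R2 Virtual Router;VirtualRouterService;c:\program files\Virtual Router\VirtualRouterService.exe [x]
R3 JCYNGGTQ;JCYNGGTQ;c:\users\Mark\AppData\Local\Temp\JCYNGGTQ.exe [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1E0B.tmp [2011-05-12 6144]
R3 XYDF;XYDF;c:\users\Mark\AppData\Local\Temp\XYDF.exe [x]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-11-11 70768]
"""

DISINFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (?P<src>.+)$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) \. \. \. is infected!!$")
# ComboFix convention: R = running, S = stopped, digit = service start type,
# then name;display name;image path, then [date size] or [x] if the file is absent.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    path: str
    file_present: bool  # False when ComboFix printed [x] instead of [date size]


@dataclass
class Report:
    disinfected: dict = field(default_factory=dict)  # infected path -> restore source
    still_infected: list = field(default_factory=list)  # flagged, no restore line followed
    services: list = field(default_factory=list)


def parse_combofix(text: str) -> Report:
    """Collect disinfection pairs, unrestored infections and service lines."""
    report = Report()
    pending = None  # path from the last "Infected copy" line awaiting its "Restored copy"
    for raw in text.splitlines():
        line = raw.strip()
        if (m := DISINFECTED_RE.match(line)):
            pending = m["path"]
            report.disinfected[pending] = None
        elif (m := RESTORED_RE.match(line)) and pending:
            report.disinfected[pending] = m["src"]
            pending = None
        elif (m := INFECTED_RE.match(line)):
            report.still_infected.append(m["path"])
        elif (m := SERVICE_RE.match(line)):
            report.services.append(ServiceEntry(
                start=m["start"], name=m["name"], display=m["display"],
                path=m["path"], file_present=(m["meta"] != "x")))
    return report


def triage_services(report: Report) -> list[tuple[str, str]]:
    """Return (service name, reason) pairs worth a responder's first look.

    Temp-directory hits still need confirming: in this thread the SAS_SelfExtract
    drivers belong to a scanner the poster ran, so the list is a starting point,
    not a verdict.
    """
    findings = []
    infected = {p.lower() for p in report.still_infected}
    for svc in report.services:
        path = svc.path.lower()
        if path in infected:
            findings.append((svc.name, "binary flagged infected with no restore; reinstall from vendor"))
        elif TEMP_RE.search(path):
            findings.append((svc.name, "service binary runs from a Temp directory"))
        elif path.endswith(".tmp"):
            findings.append((svc.name, "ImagePath is a .tmp file; confirm which scanner owns it"))
        elif not svc.file_present:
            findings.append((svc.name, "registered service whose file is missing ([x])"))
    return findings


if __name__ == "__main__":
    rep = parse_combofix(SAMPLE_LOG)
    print(f"{len(rep.disinfected)} disinfected, {len(rep.still_infected)} not restored")
    for name, reason in triage_services(rep):
        print(f"{name:16} {reason}")
```

Running it against the real C:\ComboFix.txt (read the file and pass its text to parse_combofix) gives the same two lists the helper in this thread reads by eye: which service binaries were repaired from a shadow copy, and which ones have no clean copy and must be reinstalled from the vendor.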

#6 markvincent

markvincent
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:26 PM

Posted 01 September 2011 - 06:41 PM

Rkill log. Running ComboFix now.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 02/09/2011 at 0:35:41.
Operating System: Windows 7 Professional


Processes terminated by Rkill or while it was running:

C:\Program Files\SugarSync\SugarSyncManager.exe
C:\Users\Mark\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\sppsvc.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE


Rkill completed on 02/09/2011 at 0:39:22.

#7 markvincent

markvincent
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:26 PM

Posted 02 September 2011 - 04:49 AM

Hi m0le

Sorry for the delay, ComboFix took forever to disinfect a lot of files.

See logs below

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 02/09/2011 at 0:35:41.
Operating System: Windows 7 Professional


Processes terminated by Rkill or while it was running:

C:\Program Files\SugarSync\SugarSyncManager.exe
C:\Users\Mark\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\sppsvc.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE


Rkill completed on 02/09/2011 at 0:39:22.

---------------------------------------------------------

ComboFix 11-09-01.03 - Mark 02/09/2011 1:02.2.1 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.2814.1809 [GMT 1:00]
Running from: c:\users\Mark\Desktop\comfix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\tmp6B8C.tmp
c:\programdata\tmp8E09.tmp
c:\programdata\tmp9C4C.tmp
c:\programdata\tmpDAD2.tmp
c:\users\Mark\Taskmgr.exe
c:\users\Mark\wevtapi.dll
c:\windows\system32\Thumbs.db
Q:\AUTORUN.INF
.
Infected copy of c:\program files\Lenovo\Access Connections\AcPrfMgrSvc.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Lenovo!Access Connections!AcPrfMgrSvc.exe
.
Infected copy of c:\program files\Lenovo\Access Connections\AcSvc.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Lenovo!Access Connections!AcSvc.exe
.
Infected copy of c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Adobe!Elements Organizer 8.0!PhotoshopElementsFileAgent.exe
.
Infected copy of c:\windows\system32\atiesrxx.exe was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cw_93974.inf_x86_neutral_47387ff6249c82ad\B_93196\atiesrxx.exe
.
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
.
Infected copy of c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Common Files!Apple!Mobile Device Support!AppleMobileDeviceService.exe
.
Infected copy of c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Microsoft Small Business!Business Contact Manager!BcmSqlStartupSvc.exe
.
Infected copy of c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!3 Mobile Broadband!3Connect!BecHelperService.exe
.
Infected copy of c:\program files\Bonjour\mDNSResponder.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Bonjour!mDNSResponder.exe
.
Infected copy of c:\program files\ThinkPad\Bluetooth Software\btwdins.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!ThinkPad!Bluetooth Software!btwdins.exe
.
Infected copy of c:\windows\system32\ibmpmsvc.exe was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\ibmpmdrv.inf_x86_neutral_33148031f86fba35\x86\ibmpmsvc.exe
.
Infected copy of c:\program files\iPod\bin\iPodService.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!iPod!bin!iPodService.exe
.
Infected copy of c:\program files\Lenovo\Communications Utility\CAMMUTE.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Lenovo!Communications Utility!CamMute.exe
.
Infected copy of c:\program files\LENOVO\HOTKEY\MICMUTE.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Lenovo!HOTKEY!micmute.exe
.
Infected copy of c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Lenovo!Communications Utility!TPKNRSVC.exe
.
Infected copy of c:\program files\LENOVO\VIRTSCRL\lvvsst.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Lenovo!VIRTSCRL!lvvsst.exe
.
Infected copy of c:\windows\system32\MNSFramework.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Windows!System32!MNSFramework.exe
.
Infected copy of c:\program files\BUFFALO\NASNAVI\nassvc.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!BUFFALO!NASNAVI!nassvc.exe
.
Infected copy of c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Nitro PDF!Reader!NitroPDFReaderDriverService.exe
.
Infected copy of c:\program files\Macrium\Reflect\ReflectService.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Macrium!Reflect!ReflectService.exe
.
c:\program files\Sandboxie\SbieSvc.exe . . . is infected!!
.
.
Infected copy of c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Microsoft!Search Enhancement Pack!SeaPort!SeaPort.exe
.
Infected copy of c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Microsoft SQL Server!90!Shared!sqlwriter.exe
.
c:\program files\Lenovo\System Update\SUService.exe . . . is infected!!
.
Infected copy of c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Common Files!Lenovo!tvt_reg_monitor_svc.exe
.
c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe . . . is infected!!
.
Infected copy of c:\program files\LENOVO\HOTKEY\TPHKSVC.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Lenovo!HOTKEY!TPHKSVC.exe
.
Infected copy of c:\program files\Lenovo\Rescue and Recovery\rrservice.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Lenovo!Rescue and Recovery!rrservice.exe
.
c:\program files\Virtual Router\VirtualRouterService.exe . . . is infected!!
.
Infected copy of c:\program files\VMware\VMware Player\vmware-authd.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!VMware!VMware Player!vmware-authd.exe
.
Infected copy of c:\windows\system32\vmnetdhcp.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Windows!System32!vmnetdhcp.exe
.
Infected copy of c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Program Files!Common Files!VMware!USB!vmware-usbarbitrator.exe
.
Infected copy of c:\windows\system32\vmnat.exe was found and disinfected
Restored copy from - c:\comfix\HarddiskVolumeShadowCopy8_!Windows!System32!vmnat.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_8d39f1ef
.
.
((((((((((((((((((((((((( Files Created from 2011-08-02 to 2011-09-02 )))))))))))))))))))))))))))))))
.
.
2011-09-02 07:54 . 2011-09-02 08:03 -------- d-----w- c:\users\Mark\AppData\Local\temp
2011-09-02 07:54 . 2011-09-02 07:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-02 07:54 . 2010-11-11 13:31 404080 ----a-w- c:\windows\system32\vmnat.exe
2011-09-02 07:51 . 2010-11-11 13:31 334448 ----a-w- c:\windows\system32\vmnetdhcp.exe
2011-09-02 01:05 . 2008-09-03 17:27 186360 ----a-w- c:\windows\system32\MNSFramework.exe
2011-09-01 23:48 . 2009-07-13 23:14 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-08-24 14:19 . 2011-08-24 14:19 -------- d-----w- c:\program files\ESET
2011-08-23 22:01 . 2011-05-12 13:03 6144 ------w- c:\windows\system32\1E0B.tmp
2011-08-23 22:00 . 2011-05-12 13:03 6144 ------w- c:\windows\system32\8F82.tmp
2011-08-23 20:22 . 2011-05-12 13:03 6144 ------w- c:\windows\system32\5744.tmp
2011-08-23 20:20 . 2011-05-12 13:03 6144 ------w- c:\windows\system32\5F9.tmp
2011-08-23 20:09 . 2011-08-23 20:09 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-08-23 19:45 . 2011-08-23 19:45 65808 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-08-23 18:02 . 2011-08-23 18:02 -------- d-----w- c:\program files\Sophos
2011-08-23 08:14 . 2011-08-23 08:57 -------- d-----w- c:\program files\mwb
2011-08-23 08:12 . 2011-09-02 07:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-23 08:12 . 2011-08-23 08:57 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-08-22 20:11 . 2011-08-23 08:57 -------- d-----r- C:\Sandbox
2011-08-22 20:10 . 2011-09-02 01:08 -------- d-----w- c:\program files\Sandboxie
2011-08-22 19:51 . 2011-08-22 19:51 -------- d-----w- c:\programdata\phpDesigner
2011-08-21 19:18 . 2011-08-21 19:18 -------- d-----w- c:\users\Mark\AppData\Roaming\enchant
2011-08-21 19:18 . 2011-08-21 19:21 -------- d-----w- c:\users\Mark\.bluefish
2011-08-21 17:45 . 2011-08-21 17:45 -------- d-----w- c:\program files\Common Files\GTK
2011-08-21 17:39 . 2011-08-23 08:57 -------- d-----w- c:\program files\Bluefish
2011-08-20 10:30 . 2011-08-20 10:30 -------- d-----w- c:\program files\Common Files\Java
2011-08-20 08:44 . 2011-08-20 08:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-06 19:03 . 2011-08-06 19:03 -------- d-----w- c:\users\Mark\AppData\Local\MLS Service m
2011-08-06 18:27 . 2011-08-06 18:43 -------- d-----w- c:\users\Mark\AppData\Roaming\Prism
2011-08-06 18:27 . 2011-08-06 18:43 -------- d-----w- c:\users\Mark\AppData\Local\Prism
2011-08-06 18:17 . 2011-08-06 18:17 -------- d-----w- c:\users\Mark\AppData\Local\MLS Service n
2011-08-06 18:15 . 2011-08-06 18:15 -------- d-----w- c:\users\Mark\AppData\Local\MLS Service
2011-08-06 18:15 . 2011-08-06 19:03 -------- d-----w- c:\users\Mark\AppData\Roaming\WebApps
2011-08-06 18:03 . 2011-07-08 07:16 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-06 18:03 . 2011-07-08 07:16 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-06 18:03 . 2011-07-08 07:16 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-06 18:03 . 2011-07-08 07:16 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-06 18:03 . 2011-07-08 07:16 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-06 18:03 . 2011-07-08 07:16 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-06 18:03 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-06 18:03 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-12 02:44 . 2011-08-22 18:27 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FD7FF0D1-C0BD-4AA0-B2A3-C7A60F888AE7}\mpengine.dll
2011-07-06 18:52 . 2011-03-03 13:02 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52 . 2011-03-03 13:02 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-08 07:16 . 2011-08-06 18:03 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ShowBatteryBar"="c:\program files\BatteryBar\ShowBatteryBar.exe" [2009-05-28 90624]
"PicPick Start"="c:\program files\PicPick\picpick.exe" [2011-02-22 8058368]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2011-03-23 15921152]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2011-06-17 412432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2009-12-11 337256]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe" [2009-11-16 487992]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2010-11-05 894312]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2010-09-17 31592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-22 1725736]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ACWLIcon"="c:\program files\Lenovo\Access Connections\ACWLIcon.exe" [2010-09-17 181608]
"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2010-07-27 62312]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-12-16 98304]
"QuiKProtect"="c:\program files\Iomega\QuikProtect\StartQuikProtect.exe" [2010-06-24 58672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Mark\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2009-10-3 795936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Virtual Router Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Virtual Router Manager.lnk
backup=c:\windows\pss\Virtual Router Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Mark^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^BUFFALO NAS Navigator2.lnk]
path=c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BUFFALO NAS Navigator2.lnk
backup=c:\windows\pss\BUFFALO NAS Navigator2.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Mark^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^NAS Scheduler.lnk]
path=c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NAS Scheduler.lnk
backup=c:\windows\pss\NAS Scheduler.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57 35760 ------w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-01 13:42 136176 ----atw- c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
2010-05-26 19:29 160328 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-06-26 16:27 24235816 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 14:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SyncForLazy]
2010-09-27 19:44 465288 ----a-w- c:\program files\SyncForLazy\SyncForLazy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
2010-11-11 13:31 64112 ----a-w- c:\program files\VMware\VMware Player\hqtray.exe
.
R1 SASDIFSV;SASDIFSV;c:\users\Mark\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Mark\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\DRIVERS\vfilter.sys [2010-09-02 17920]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-09-02 109568]
R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [2010-01-28 1737464]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
R2 Virtual Router;VirtualRouterService;c:\program files\Virtual Router\VirtualRouterService.exe [x]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [2010-08-27 30312]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
R3 JCYNGGTQ;JCYNGGTQ;c:\users\Mark\AppData\Local\Temp\JCYNGGTQ.exe [x]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-01-19 9216]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1E0B.tmp [2011-05-12 6144]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 PCDSRVC{3037D694-FD904ACA-06000000}_0;PCDSRVC{3037D694-FD904ACA-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-09-08 21360]
R3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-09-08 21360]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2010-11-05 75112]
R3 QPCopyEngine;QPCopyEngine;c:\program files\Iomega\QuikProtect\QpMonitor.exe [2010-06-24 247088]
R3 QsFsFltr;QsFsFltr;c:\windows\system32\DRIVERS\QsFsFltr.sys [2010-06-24 19384]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2010-08-27 96488]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2010-08-27 12776]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2010-08-27 121576]
R3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys [2010-09-02 13824]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-15 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
R3 XYDF;XYDF;c:\users\Mark\AppData\Local\Temp\XYDF.exe [x]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2011-01-17 16024]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-03-05 691696]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-10-09 20520]
S1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\Drivers\eusk2par.sys [2010-05-11 30656]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2010-09-07 13680]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2011-02-17 160560]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2011-02-17 44784]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-06 169312]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-12-16 172032]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2010-07-27 50536]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2010-11-24 45496]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2010-07-27 74088]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2010-04-07 93032]
S2 NasPmService;NAS PM Service;c:\program files\BUFFALO\NASNAVI\nassvc.exe [2011-01-10 251256]
S2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [2011-01-28 196912]
S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2011-01-17 220824]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2010-12-02 64440]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-11-11 70768]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-11-11 539248]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-05-07 189784]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-06-23 275048]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2011-01-15 1113704]
S3 usbsmi;Integrated Camera;c:\windows\system32\DRIVERS\SMIksdrv.sys [2009-11-23 181120]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2011-02-17 111152]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2011-02-17 122032]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1181201483-2319753422-3661502966-1003Core.job
- c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-01 13:42]
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1181201483-2319753422-3661502966-1003UA.job
- c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-01 13:42]
.
2011-08-20 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2010-09-08 21:08]
.
2011-09-01 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdrcui.exe [2010-09-08 21:08]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\k7cz4jph.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe
MSConfigStartUp-Flock Update - c:\users\Mark\AppData\Local\Flock\Update\FlockUpdate.exe
AddRemove-01_Simmental - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\11_HSP_Plus_Default\Uninstall.exe
AddRemove-12_Symbian_USB_Download_Driver - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\12_Symbian_USB_Download_Driver\Uninstall.exe
AddRemove-15_Symbian_Samsung_PC_DLC_Driver - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\15_Symbian_Samsung_PC_DLC_Driver\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\AppInventor\commands-for-Appinventor\usb_driver\tabusb\25_escape\Uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1E0B.tmp"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{3037D694-FD904ACA-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{3037D694-FD904ACA-06020000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1116)
c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll
c:\program files\Stardock\Fences\FencesMenu.dll
c:\program files\stardock\fences\DesktopDock.dll
c:\program files\ThinkPad\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\atieclxx.exe
c:\program files\Lenovo\Access Connections\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\vmnat.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\program files\Lenovo\Client Security Solution\cssauth.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Lenovo\Access Connections\AcSvc.exe
c:\windows\system32\conhost.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\ThinkPad\Bluetooth Software\btwdins.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Lenovo\Client Security Solution\password_manager.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
.
**************************************************************************
.
Completion time: 2011-09-02 09:21:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-02 08:21
.
Pre-Run: 101,095,866,368 bytes free
Post-Run: 100,808,900,608 bytes free
.
- - End Of File - - 809C76A8D1675BE548B8A20201119E23

#8 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 September 2011 - 05:58 PM

Very infected!

Please rerun Combofix as shown below

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\users\Mark\AppData\Local\Temp\JCYNGGTQ.exe
c:\users\Mark\AppData\Local\Temp\XYDF.exe

Driver::
JCYNGGTQ
XYDF

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#9 markvincent

  • Topic Starter
  • Members
  • 12 posts

Posted 03 September 2011 - 06:21 AM

ComboFix 11-09-02.04 - Mark 03/09/2011 10:10:25.4.1 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.2814.1892 [GMT 1:00]
Running from: c:\users\Mark\Desktop\comfix.exe
Command switches used :: c:\users\Mark\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Mark\AppData\Local\Temp\JCYNGGTQ.exe"
"c:\users\Mark\AppData\Local\Temp\XYDF.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
.
--------
.
c:\program files\Avira\AntiVir Desktop\sched.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_JCYNGGTQ
-------\Service_XYDF
.
.
((((((((((((((((((((((((( Files Created from 2011-08-03 to 2011-09-03 )))))))))))))))))))))))))))))))
.
.
2011-09-03 09:44 . 2011-09-03 09:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-02 07:54 . 2011-09-03 09:47 -------- d-----w- c:\users\Mark\AppData\Local\temp
2011-09-02 07:54 . 2010-11-11 13:31 404080 ----a-w- c:\windows\system32\vmnat.exe
2011-09-02 07:51 . 2010-11-11 13:31 334448 ----a-w- c:\windows\system32\vmnetdhcp.exe
2011-09-02 01:05 . 2008-09-03 17:27 186360 ----a-w- c:\windows\system32\MNSFramework.exe
2011-09-01 23:48 . 2009-07-13 23:14 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-08-24 14:19 . 2011-08-24 14:19 -------- d-----w- c:\program files\ESET
2011-08-23 22:01 . 2011-05-12 13:03 6144 ------w- c:\windows\system32\1E0B.tmp
2011-08-23 22:00 . 2011-05-12 13:03 6144 ------w- c:\windows\system32\8F82.tmp
2011-08-23 20:22 . 2011-05-12 13:03 6144 ------w- c:\windows\system32\5744.tmp
2011-08-23 20:20 . 2011-05-12 13:03 6144 ------w- c:\windows\system32\5F9.tmp
2011-08-23 20:09 . 2011-08-23 20:09 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-08-23 19:45 . 2011-08-23 19:45 65808 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-08-23 18:02 . 2011-08-23 18:02 -------- d-----w- c:\program files\Sophos
2011-08-23 08:14 . 2011-08-23 08:57 -------- d-----w- c:\program files\mwb
2011-08-23 08:12 . 2011-09-02 07:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-23 08:12 . 2011-08-23 08:57 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-08-22 20:11 . 2011-08-23 08:57 -------- d-----r- C:\Sandbox
2011-08-22 20:10 . 2011-09-02 01:08 -------- d-----w- c:\program files\Sandboxie
2011-08-22 19:51 . 2011-08-22 19:51 -------- d-----w- c:\programdata\phpDesigner
2011-08-22 18:27 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FD7FF0D1-C0BD-4AA0-B2A3-C7A60F888AE7}\mpengine.dll
2011-08-21 19:18 . 2011-08-21 19:18 -------- d-----w- c:\users\Mark\AppData\Roaming\enchant
2011-08-21 19:18 . 2011-08-21 19:21 -------- d-----w- c:\users\Mark\.bluefish
2011-08-21 17:45 . 2011-08-21 17:45 -------- d-----w- c:\program files\Common Files\GTK
2011-08-21 17:39 . 2011-08-23 08:57 -------- d-----w- c:\program files\Bluefish
2011-08-20 10:30 . 2011-08-20 10:30 -------- d-----w- c:\program files\Common Files\Java
2011-08-20 08:44 . 2011-08-20 08:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-06 19:03 . 2011-08-06 19:03 -------- d-----w- c:\users\Mark\AppData\Local\MLS Service m
2011-08-06 18:27 . 2011-08-06 18:43 -------- d-----w- c:\users\Mark\AppData\Roaming\Prism
2011-08-06 18:27 . 2011-08-06 18:43 -------- d-----w- c:\users\Mark\AppData\Local\Prism
2011-08-06 18:17 . 2011-08-06 18:17 -------- d-----w- c:\users\Mark\AppData\Local\MLS Service n
2011-08-06 18:15 . 2011-08-06 18:15 -------- d-----w- c:\users\Mark\AppData\Local\MLS Service
2011-08-06 18:15 . 2011-08-06 19:03 -------- d-----w- c:\users\Mark\AppData\Roaming\WebApps
2011-08-06 18:03 . 2011-07-08 07:16 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-08-06 18:03 . 2011-07-08 07:16 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-08-06 18:03 . 2011-07-08 07:16 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-08-06 18:03 . 2011-07-08 07:16 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-08-06 18:03 . 2011-07-08 07:16 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-08-06 18:03 . 2011-07-08 07:16 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-08-06 18:03 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-08-06 18:03 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 18:52 . 2011-03-03 13:02 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52 . 2011-03-03 13:02 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-08 07:16 . 2011-08-06 18:03 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-02_08.02.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:55 . 2011-09-03 09:48 53850 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-02-25 18:55 . 2011-09-03 09:49 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-25 18:55 . 2011-09-01 21:48 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-02-25 18:55 . 2011-09-03 09:49 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-25 18:55 . 2011-09-01 21:48 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:41 . 2011-09-03 09:49 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:41 . 2011-09-01 21:48 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-02-27 04:09 . 2011-09-02 08:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-02-27 04:09 . 2011-09-03 09:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-27 04:09 . 2011-09-02 08:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-27 04:09 . 2011-09-03 09:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-25 18:56 . 2011-09-03 09:48 9174 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1181201483-2319753422-3661502966-1003_UserData.bin
+ 2011-09-02 08:35 . 2011-09-02 08:35 9560 c:\windows\System32\NetworkList\Icons\{0E9DBF8C-83EF-446D-83C2-A5DE10F78502}_48.bin
+ 2011-09-02 08:35 . 2011-09-02 08:35 4280 c:\windows\System32\NetworkList\Icons\{0E9DBF8C-83EF-446D-83C2-A5DE10F78502}_32.bin
+ 2011-09-02 08:35 . 2011-09-02 08:35 2456 c:\windows\System32\NetworkList\Icons\{0E9DBF8C-83EF-446D-83C2-A5DE10F78502}_24.bin
- 2011-09-01 23:50 . 2011-09-02 07:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-09-01 23:50 . 2011-09-03 09:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-09-01 23:50 . 2011-09-02 07:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-09-01 23:50 . 2011-09-03 09:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-02-26 07:24 . 2011-09-03 09:05 256958 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
- 2009-07-14 02:05 . 2011-09-01 23:38 686620 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2011-09-02 09:02 686620 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2011-09-02 09:02 133370 c:\windows\System32\perfc009.dat
- 2009-07-14 02:05 . 2011-09-01 23:38 133370 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ShowBatteryBar"="c:\program files\BatteryBar\ShowBatteryBar.exe" [2009-05-28 90624]
"PicPick Start"="c:\program files\PicPick\picpick.exe" [2011-02-22 8058368]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2011-03-23 15921152]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2011-06-17 412432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2009-12-11 337256]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe" [2009-11-16 487992]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2010-11-05 894312]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2010-09-17 31592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-22 1725736]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ACWLIcon"="c:\program files\Lenovo\Access Connections\ACWLIcon.exe" [2010-09-17 181608]
"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2010-07-27 62312]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-12-16 98304]
"QuiKProtect"="c:\program files\Iomega\QuikProtect\StartQuikProtect.exe" [2010-06-24 58672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Mark\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2009-10-3 795936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2010-06-22 202088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Virtual Router Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Virtual Router Manager.lnk
backup=c:\windows\pss\Virtual Router Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Mark^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^BUFFALO NAS Navigator2.lnk]
path=c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BUFFALO NAS Navigator2.lnk
backup=c:\windows\pss\BUFFALO NAS Navigator2.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Mark^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^NAS Scheduler.lnk]
path=c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NAS Scheduler.lnk
backup=c:\windows\pss\NAS Scheduler.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57 35760 ------w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-01 13:42 136176 ----atw- c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
2010-05-26 19:29 160328 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-06-26 16:27 24235816 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 14:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SyncForLazy]
2010-09-27 19:44 465288 ----a-w- c:\program files\SyncForLazy\SyncForLazy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
2010-11-11 13:31 64112 ----a-w- c:\program files\VMware\VMware Player\hqtray.exe
.
R1 SASDIFSV;SASDIFSV;c:\users\Mark\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Mark\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
R1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\DRIVERS\vfilter.sys [2010-09-02 17920]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-09-02 109568]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
R2 Virtual Router;VirtualRouterService;c:\program files\Virtual Router\VirtualRouterService.exe [x]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [2010-08-27 30312]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-01-19 9216]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1E0B.tmp [2011-05-12 6144]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 PCDSRVC{3037D694-FD904ACA-06000000}_0;PCDSRVC{3037D694-FD904ACA-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-09-08 21360]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2010-11-05 75112]
R3 QPCopyEngine;QPCopyEngine;c:\program files\Iomega\QuikProtect\QpMonitor.exe [2010-06-24 247088]
R3 QsFsFltr;QsFsFltr;c:\windows\system32\DRIVERS\QsFsFltr.sys [2010-06-24 19384]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2010-08-27 96488]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2010-08-27 12776]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2010-08-27 121576]
R3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys [2010-09-02 13824]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-15 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2011-01-17 16024]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-03-05 691696]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-10-09 20520]
S1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\Drivers\eusk2par.sys [2010-05-11 30656]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2010-09-07 13680]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2011-02-17 160560]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2011-02-17 44784]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-06 169312]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-12-16 172032]
S2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [2010-01-28 1737464]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2010-07-27 50536]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2010-11-24 45496]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2010-07-27 74088]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2010-04-07 93032]
S2 NasPmService;NAS PM Service;c:\program files\BUFFALO\NASNAVI\nassvc.exe [2011-01-10 251256]
S2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [2011-01-28 196912]
S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2011-01-17 220824]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2010-12-02 64440]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-11-11 70768]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-11-11 539248]
S3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-09-08 21360]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-05-07 189784]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-06-23 275048]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2011-01-15 1113704]
S3 usbsmi;Integrated Camera;c:\windows\system32\DRIVERS\SMIksdrv.sys [2009-11-23 181120]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2011-02-17 111152]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2011-02-17 122032]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1181201483-2319753422-3661502966-1003Core.job
- c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-01 13:42]
.
2011-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1181201483-2319753422-3661502966-1003UA.job
- c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-01 13:42]
.
2011-08-20 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2010-09-08 21:08]
.
2011-09-03 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdrcui.exe [2010-09-08 21:08]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\k7cz4jph.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1E0B.tmp"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{3037D694-FD904ACA-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{3037D694-FD904ACA-06020000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3884)
c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
c:\users\Mark\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll
c:\program files\Stardock\Fences\FencesMenu.dll
c:\program files\stardock\fences\DesktopDock.dll
c:\program files\ThinkPad\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Lenovo\Access Connections\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\MNSFramework.exe
c:\windows\system32\vmnat.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Lenovo\Access Connections\AcSvc.exe
c:\windows\system32\atieclxx.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Lenovo\Client Security Solution\cssauth.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\ThinkPad\Bluetooth Software\btwdins.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Lenovo\Client Security Solution\password_manager.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2011-09-03 11:07:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-03 10:07
.
Pre-Run: 100,345,655,296 bytes free
Post-Run: 100,301,004,800 bytes free
.
- - End Of File - - CC02ABC7B77EC4843F439FF348C1F12E

#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 September 2011 - 06:30 PM

Combofix says an Avira file is infected. :blink:

We need to check that before we go on.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\program files\Avira\AntiVir Desktop\sched.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal
m0le is a proud member of UNITE

#11 markvincent - Topic Starter, Members, 12 posts

Posted 04 September 2011 - 04:34 PM

[Avast! antivirus] 2011-09-04 Win32:Patched-WQ
[Avira AntiVir] 2011-09-02 W32/PatchLoad.A
[Sophos] 2011-09-04 W32/Patched-AK

Antivirus            Version          Last update   Result
AhnLab-V3            2011.09.04.00    2011.09.04    -
AVG                  10.0.0.1190      2011.09.04    -
BitDefender          7.2              2011.09.04    -
ByteHero             None             2011.09.04    -
DrWeb                5.0.2.03300      2011.09.04    -
eSafe                7.0.17.0         2011.09.01    -
F-Secure             9.0.16440.0      2011.09.04    -
GData                22               2011.09.04    Win32:Patched-WQ
Kaspersky            9.0.0.837        2011.09.04    -
McAfee               5.400.0.1158     2011.09.04    -
McAfee-GW-Edition    2010.1D          2011.09.04    Heuristic.BehavesLike.Exploit.CodeExec.NLLG
Microsoft            1.7604           2011.09.04    -
Norman               6.07.11          2011.09.04    -
Sophos               4.69.0           2011.09.04    W32/Patched-AK
SUPERAntiSpyware     4.40.0.1006      2011.09.04    Trojan.Agent/Gen-Nullo[Short]
Symantec             20111.2.0.82     2011.09.04    Bloodhound.MalPE
VBA32                3.12.16.4        2011.09.02    -
VirusBuster          14.0.200.0       2011.09.03    -

#12 markvincent - Topic Starter, Members, 12 posts

Posted 04 September 2011 - 04:39 PM

Jotti
[Avast! antivirus] 2011-09-04 Win32:Patched-WQ
[Avira AntiVir] 2011-09-02 W32/PatchLoad.A
[Sophos] 2011-09-04 W32/Patched-AK

VirusTotal
GData 22 2011.09.04 Win32:Patched-WQ
McAfee-GW-Edition 2010.1D 2011.09.04 Heuristic.BehavesLike.Exploit.CodeExec.NLLG
Sophos 4.69.0 2011.09.04 W32/Patched-AK
SUPERAntiSpyware 4.40.0.1006 2011.09.04 Trojan.Agent/Gen-Nullo[Short]
Symantec 20111.2.0.82 2011.09.04 Bloodhound.MalPE

#13 m0le ("Can U Dig It?") - Malware Response Team, 34,527 posts, Male, London, UK

Posted 04 September 2011 - 05:37 PM

Have you any idea how your Avira antivirus has been infected? Legitimate antivirus files can't be infected.

If it is legitimate I would uninstall it and go to the Avira website and reinstall it.
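A defender's way to answer the question m0le raises (is the Avira file still the legitimate, vendor-shipped binary?) is to check its Authenticode signature and record its hash before uploading it anywhere. The PowerShell below is an added example, not code from this thread or from Avira; it uses the file path quoted in the thread and assumes PowerShell 4.0 or later for Get-FileHash (the comparison path at the end is a hypothetical placeholder).

```powershell
# Added example: a file infector that patches an executable breaks the
# publisher's Authenticode signature, so "HashMismatch" or "NotSigned" on a
# file the vendor normally ships signed is a strong tamper indicator.
$path = 'C:\Program Files\Avira\AntiVir Desktop\sched.exe'   # path from the thread

if (-not (Test-Path -LiteralPath $path)) {
    Write-Warning "File not found: $path"
    return
}

$sig  = Get-AuthenticodeSignature -LiteralPath $path
$hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

[pscustomobject]@{
    Path      = $path
    Status    = $sig.Status                       # Valid, NotSigned, HashMismatch, NotTrusted, ...
    Signer    = $sig.SignerCertificate.Subject    # $null when the file is unsigned
    Sha256    = $hash                             # search this on VirusTotal/Jotti before uploading
    SizeBytes = (Get-Item -LiteralPath $path).Length
} | Format-List

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)': treat $path as possibly patched"
}

# Optional: compare against a pristine copy extracted from the vendor installer.
# The path below is a placeholder, not something from the thread.
$cleanCopy = 'C:\Temp\avira_clean\sched.exe'
if (Test-Path -LiteralPath $cleanCopy) {
    $cleanHash = (Get-FileHash -LiteralPath $cleanCopy -Algorithm SHA256).Hash
    if ($cleanHash -ne $hash) { Write-Warning 'sched.exe differs from the vendor copy' }
}
```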

#14 markvincent - Topic Starter, Members, 12 posts

Posted 04 September 2011 - 06:14 PM

No idea. As far as I know it was just the free version that was installed about a year ago.
Uninstalling now. Gonna try Avast.

Were all of the infections found previously due to the same cause, or would they have been over a period of time?

What do we do next, or am I clean?
Laptop feels more responsive; could this have existed for months?

#15 m0le ("Can U Dig It?") - Malware Response Team, 34,527 posts, Male, London, UK

Posted 04 September 2011 - 06:42 PM

I think a file infector has been busy in your system. Combofix was able to replace most of the files but couldn't find a copy of the Avira file. Once that is gone we need to see what brought the malware to the machine.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.