Google redirect and random sounds. Previously infected with "Security Protection"


This topic is locked
18 replies to this topic

#1 jackmcgraw (Members, 29 posts)

Posted 10 September 2011 - 10:01 AM

Referred from here: http://www.bleepingcomputer.com/forums/topic417174.html ~ OB

I was working with boopme on removing the Security Protection virus/"software". That icon and the associated behaviors seem to have disappeared, but I am still having problems including the 'Google redirect' and random sounds/ads playing from my speakers. boopme asked me to run DDS and GMER and post the logs to this forum, which are below.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_21
Run by wbrewer at 8:10:10 on 2011-09-10
Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.2035.658 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
"C:\Windows\system32\svchost.exe"
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_820ff26a\STacSV.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_820ff26a\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\dlbucoms.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\mfevtps.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\ProgramData\Rpcnet\Bin\rpcld.exe
C:\Windows\System32\rpcnet.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Xythos\Drive\XfsSvcCon.exe
C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Windows\system32\CCM\CcmExec.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\BKEXVGA.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\CyberLink\Shared Files\brs.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\System32\config\systemprofile\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Xythos\Drive\Xythos.exe
C:\Users\wbrewer\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\AbtSvcHost_.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchFilterHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {06b0e1a0-ee40-49fd-8c26-826141c9c900} - c:\windows\temp\w7e9462.tmp.exe
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6173\SiteAdv.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6173\SiteAdv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\users\wbrewer\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [XythosUpdate] c:\windows\system32\config\systemprofile\appdata\local\xythos\xythosupdate\Xythosupdt32.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [AdobeUpdate] c:\windows\system32\config\systemprofile\appdata\local\adobe\adobeupdate\Adobeupdt32.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Broadcom Wireless Manager UI] c:\program files\dell\dell wireless wlan card\WLTRAY.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [nwiz] nwiz.exe /install
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SiteAdvisor] c:\program files\siteadvisor\6173\SiteAdv.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [DLBUCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBUtime.dll,_RunDLLEntry@16
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [BKEXVGA] c:\windows\system32\BKEXVGA.exe
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [-1565467562] c:\windows\temp\\jucheck.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [XythosUpdate] c:\windows\system32\config\systemprofile\appdata\local\xythos\xythosupdate\Xythosupdt32.exe
dRun: [AdobeUpdate] c:\windows\system32\config\systemprofile\appdata\local\adobe\adobeupdate\Adobeupdt32.exe
dRun: [IntelNotifierNotifier] rundll32.exe "c:\programdata\IntelNotifierNotifier.dll",DllRegisterServer
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
StartupFolder: c:\users\wbrewer\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\wbrewer\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\wbrewer\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\xythos~1.lnk - c:\windows\installer\{5df9cc62-1a07-400b-af58-e15b24dc6294}\main.ico
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{58C6ECC5-864E-43B7-AF07-40A82E359C13} : DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{76D38D0D-F259-4277-8609-266F8728B547} : DhcpNameServer = 172.26.253.113 172.26.253.25 172.26.253.22
TCP: Interfaces\{AF91F583-38FD-49A6-B9C2-5FD0AA989E6C} : DhcpNameServer = 172.26.253.113 172.26.253.25 172.16.48.2
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6173\SiteAdv.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\wbrewer\appdata\roaming\mozilla\firefox\profiles\cw3f3j9z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\xythos\drive\NPItEm.dll
FF - plugin: c:\users\wbrewer\appdata\local\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\users\wbrewer\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\wbrewer\appdata\roaming\move networks\plugins\npqmp071705000014.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-27 340592]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 TDFSD;TDFSD;c:\program files\xythos\drive\tdfsd.sys [2008-6-25 1292672]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/03/12 16:11:35];c:\program files\cyberlink\powerdvd9\navfilter\000.fcl [2010-1-28 87536]
R2 AbtSvcHost;AbtSvcHost;c:\windows\system32\AbtSvcHost_.exe [2011-8-11 78768]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_820ff26a\AEstSrv.exe [2009-7-27 81920]
R2 alssvc;Ambient Light Sensor;c:\program files\dell\ambient light sensor\AlsSvc.exe [2008-6-3 382232]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-12-29 320800]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-11-11 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-11-11 20840]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-4-9 447264]
R3 BLKPCIEVGAEX;BLKPCIEVGAEX;c:\windows\system32\drivers\blkgrpex.sys [2010-1-13 254848]
R3 BLKPCIEVGAMR;BLKPCIEVGAMR;c:\windows\system32\drivers\blkgrpmr.sys [2010-1-13 253824]
R3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [2009-7-27 12840]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2008-11-11 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2009-7-27 224384]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-7-27 133632]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-7-27 280096]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-7-27 41272]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-27 90360]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-27 42424]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-7-27 64432]
S3 XGIGraphics;XGIGraphics;c:\windows\system32\drivers\xg20grp.sys [2010-1-13 282624]
.
=============== Created Last 30 ================
.
2011-09-10 13:07:51 111104 ----a-w- c:\programdata\IntelNotifierNotifier.dll
2011-09-06 20:15:34 -------- d-----w- c:\users\wbrewer\appdata\local\Adobe
2011-09-06 17:04:02 -------- d-----w- c:\users\wbrewer\appdata\local\Apple
2011-09-06 03:20:00 -------- d-----w- c:\users\wbrewer\appdata\local\Apple Computer
2011-09-05 22:03:41 -------- d-----r- c:\users\wbrewer\Dropbox
2011-09-05 22:01:32 -------- d-----w- c:\users\wbrewer\appdata\roaming\Dropbox
2011-09-05 21:08:40 0 ---ha-w- c:\windows\system32\bxfwyedcej.tmp
2011-09-04 22:52:37 -------- d-----w- c:\users\wbrewer\appdata\roaming\SUPERAntiSpyware.com
2011-09-04 22:52:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-04 18:31:56 0 ----a-w- c:\programdata\yoyx.exe
2011-09-04 18:31:56 0 ----a-w- c:\programdata\qunl.exe
2011-09-04 18:31:56 0 ----a-w- c:\programdata\onul.exe
2011-09-04 18:31:56 0 ----a-w- c:\programdata\kygq.exe
2011-09-04 16:23:38 239104 ----a-w- c:\windows\system32\wscui32.dll
2011-09-03 18:09:22 0 ----a-w- c:\programdata\wcmy.exe
2011-09-03 18:09:22 0 ----a-w- c:\programdata\nfbk.exe
2011-09-03 18:09:22 0 ----a-w- c:\programdata\jovf.exe
2011-09-03 18:09:22 0 ----a-w- c:\programdata\fbma.exe
2011-09-02 18:58:37 4194304 ----a-w- c:\windows\system32\awgizowa.dll
2011-09-01 06:57:45 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{6a632bed-b7ea-4b9d-a25e-fd6871f5c7d7}\mpengine.dll
2011-08-27 22:54:53 -------- d-----w- c:\program files\iPod
2011-08-27 22:54:51 -------- d-----w- c:\program files\iTunes
2011-08-16 19:58:40 -------- d-----w- c:\users\wbrewer\appdata\roaming\NCH Software
2011-08-14 04:44:45 -------- d-----w- c:\program files\Movie Rotator
2011-08-11 19:20:58 78768 ----a-w- c:\windows\system32\AbtSvcHost_.exe
.
==================== Find3M ====================
.
2011-09-10 13:02:25 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2011-09-10 13:02:23 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-09-06 12:52:30 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2011-09-02 20:32:00 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2011-08-15 14:30:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-12 16:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 16:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-05 23:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 23:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-21 01:31:55 58288 ------w- c:\windows\system32\rpcnet.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x8794BA0A]<<
_asm { MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; PUSH EBX; MOV EBX, [EBP+0xc]; MOV EAX, [EBX+0x60]; MOV ECX, [EAX+0xc]; OR ECX, [EAX+0x10]; PUSH ESI; JNZ 0x94; MOV ESI, 0x200; CMP [EAX+0x4], ESI; JB 0x94; }
1 ntkrnlpa!IofCallDriver[0x82447962] -> \Device\Harddisk0\DR0[0x86985AC8]
\Driver\disk[0x86E08D10] -> IRP_MJ_READ -> 0x8794BA0A
kernel: MBR read successfully
_asm { NOP ; XOR AX, AX; NOP ; MOV DS, AX; MOV ES, AX; NOP ; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; NOP ; MOV DI, 0x600; NOP ; MOV CX, 0x80; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x626; }
user != kernel MBR !!!
copy of MBR has been found in sector 9 !
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 8:13:47.18 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-10 09:52:44
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 rev.
Running: gmer.exe; Driver: C:\Users\wbrewer\AppData\Local\Temp\kwdiifow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x8D74E640]

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0x8858EFF8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8858F00C]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0x8858F04A]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8858F036]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8858EFE4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8858F022]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 621 824AFD84 4 Bytes [40, E6, 74, 8D]
PAGE ntkrnlpa.exe!ZwCreateUserProcess 825CCB82 5 Bytes JMP 8858F026 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 825F3DA3 5 Bytes JMP 8858EFE8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82617528 5 Bytes JMP 8858F03A \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 826948BF 5 Bytes JMP 8858EFFC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 8269490A 7 Bytes JMP 8858F010 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 826953C7 5 Bytes JMP 8858F04E \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8CA0F340, 0x3EE2B7, 0xE8000020]
.text C:\Program Files\CyberLink\PowerDVD9\NavFilter\000.fcl section is writeable [0x9D781000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD9\NavFilter\000.fcl entry point in ".vmp2" section [0x9D7A4050]
? C:\Users\wbrewer\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!DialogBoxParamW 764B10B0 5 Bytes JMP 6BE9BFE7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!DialogBoxIndirectParamW 764B2EF5 5 Bytes JMP 6BFDBBB2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!DialogBoxParamA 764C8152 5 Bytes JMP 6BFDBB77 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!DialogBoxIndirectParamA 764C847D 5 Bytes JMP 6BFDBBED C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!MessageBoxIndirectA 764DD4D9 5 Bytes JMP 6BFDBB33 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!MessageBoxIndirectW 764DD5D3 5 Bytes JMP 6BFDBAEF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!MessageBoxExA 764DD639 5 Bytes JMP 6BFDBAB5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2160] USER32.dll!MessageBoxExW 764DD65D 5 Bytes JMP 6BFDBA7B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2160] ole32.dll!OleLoadFromStream 760F1E12 5 Bytes JMP 6BFDBDAF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5472] ntdll.dll!LdrLoadDll 77599390 5 Bytes JMP 00321410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Windows\System32\config\systemprofile\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.exe[5676] wininet.dll!HttpOpenRequestA 75E6FBBC 5 Bytes JMP 01A3A010
.text C:\Windows\System32\config\systemprofile\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.exe[5676] wininet.dll!InternetConnectA 75E70692 5 Bytes JMP 01A398C8
.text C:\Windows\System32\config\systemprofile\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.exe[5676] wininet.dll!HttpAddRequestHeadersA 75E71A68 5 Bytes JMP 01A3AEA0
.text C:\Windows\System32\config\systemprofile\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.exe[5676] wininet.dll!HttpQueryInfoA 75E71F2F 5 Bytes JMP 01A3DA50
.text C:\Windows\System32\config\systemprofile\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.exe[5676] wininet.dll!InternetCloseHandle 75E72DB8 5 Bytes JMP 01A3CBC0
.text C:\Windows\System32\config\systemprofile\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.exe[5676] wininet.dll!InternetReadFile 75E774B9 5 Bytes JMP 01A3C478
.text C:\Windows\System32\config\systemprofile\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.exe[5676] wininet.dll!HttpSendRequestA 75E7D3A0 5 Bytes JMP 01A3B5E8
.text C:\Windows\System32\config\systemprofile\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.exe[5676] wininet.dll!InternetOpenA 75E7D47D 5 Bytes JMP 01A39180
.text C:\Windows\System32\config\systemprofile\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.exe[5676] wininet.dll!HttpSendRequestW 75E8E1C9 5 Bytes JMP 01A3BD30
.text C:\Windows\System32\config\systemprofile\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.exe[5676] wininet.dll!InternetReadFileExA 75E91802 5 Bytes JMP 01A3A758
.text C:\Windows\System32\config\systemprofile\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.exe[5676] wininet.dll!InternetErrorDlg 75EEAD8D 5 Bytes JMP 01A3D308
.text C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe[7712] wininet.dll!HttpOpenRequestA 75E6FBBC 5 Bytes JMP 0104ADD0
.text C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe[7712] wininet.dll!InternetConnectA 75E70692 5 Bytes JMP 0104A688
.text C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe[7712] wininet.dll!HttpAddRequestHeadersA 75E71A68 5 Bytes JMP 0104BC60
.text C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe[7712] wininet.dll!HttpQueryInfoA 75E71F2F 5 Bytes JMP 0104E810
.text C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe[7712] wininet.dll!InternetCloseHandle 75E72DB8 5 Bytes JMP 0104D980
.text C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe[7712] wininet.dll!InternetReadFile 75E774B9 5 Bytes JMP 0104D238
.text C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe[7712] wininet.dll!HttpSendRequestA 75E7D3A0 5 Bytes JMP 0104C3A8
.text C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe[7712] wininet.dll!InternetOpenA 75E7D47D 5 Bytes JMP 01049F40
.text C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe[7712] wininet.dll!HttpSendRequestW 75E8E1C9 5 Bytes JMP 0104CAF0
.text C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe[7712] wininet.dll!InternetReadFileExA 75E91802 5 Bytes JMP 0104B518
.text C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe[7712] wininet.dll!InternetErrorDlg 75EEAD8D 5 Bytes JMP 0104E0C8

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\disk \Device\Harddisk0\DR0 8794BA0A
Device \Driver\disk \Device\Harddisk1\DR1 8794BA0A

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\00001390 \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 879C25E0
Device Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 2160

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00125a5a50b6
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00125a5a50b6 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\ED4A936B573A3D74983CDDFC899D297F\Usage@Main 1059724801

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 Whistler@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB28827$\1386507085 0 bytes
File C:\Windows\$NtUninstallKB28827$\1932459082 0 bytes
File C:\Windows\$NtUninstallKB28827$\1932459082\L 0 bytes
File C:\Windows\$NtUninstallKB28827$\1932459082\U 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@spotxchange[2].txt 0 bytes

---- EOF - GMER 1.0.15 ----

Edited by Orange Blossom, 11 September 2011 - 10:18 PM.
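
As an added triage example (this code is not part of the thread, nor of GMER or ComboFix), the script below reads the ".text ... JMP" hook lines, the "(*** hidden ***)" process line and the "Disk ... ROOTKIT" lines in the format GMER prints above and summarizes what a responder looks for: the same set of wininet.dll exports hooked in unrelated processes (one injected component) and JMP targets far from the hooked DLL (code living outside a loaded module). The sample lines are a constructed subset copied from the log above; the 16 MiB far-jump threshold is the example's own heuristic, not a GMER rule.

```python
"""Triage helper for GMER inline-hook output (added example, not part of
the thread, GMER or ComboFix)."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the GMER log posted above.
SAMPLE_GMER_LOG = r"""
.text C:\Windows\System32\config\systemprofile\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.exe[5676] wininet.dll!InternetReadFileExA 75E91802 5 Bytes JMP 01A3A758
.text C:\Windows\System32\config\systemprofile\AppData\Local\Adobe\AdobeUpdate\Adobeupdt32.exe[5676] wininet.dll!InternetErrorDlg 75EEAD8D 5 Bytes JMP 01A3D308
.text C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe[7712] wininet.dll!HttpOpenRequestA 75E6FBBC 5 Bytes JMP 0104ADD0
.text C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe[7712] wininet.dll!InternetReadFileExA 75E91802 5 Bytes JMP 0104B518
.text C:\Windows\system32\config\systemprofile\AppData\Local\Xythos\XythosUpdate\Xythosupdt32.exe[7712] wininet.dll!InternetErrorDlg 75EEAD8D 5 Bytes JMP 0104E0C8
Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 2160
Disk \Device\Harddisk0\DR0 Whistler@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
"""

# One GMER user-mode hook line: image[pid] module!export addr size Bytes JMP target
HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[^!\s]+)!(?P<func>\S+) (?P<addr>[0-9A-Fa-f]+) "
    r"(?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)$"
)
HIDDEN_PROC_RE = re.compile(r"^Process (?P<image>.+?) \(\*\*\* hidden \*\*\* \) (?P<pid>\d+)$")
ROOTKIT_RE = re.compile(r"^Disk (?P<device>\S+) (?P<finding>.*(?:ROOTKIT|rootkit).*)$")

# Assumption (heuristic of this example, not a GMER rule): a detour that lands
# more than 16 MiB from the hooked export is treated as leaving the DLL image.
FAR_JUMP_BYTES = 16 * 1024 * 1024


@dataclass(frozen=True)
class Hook:
    image: str
    pid: int
    export: str      # e.g. "wininet.dll!HttpOpenRequestA"
    hook_addr: int
    target: int

    @property
    def far_jump(self) -> bool:
        return abs(self.target - self.hook_addr) > FAR_JUMP_BYTES

    @property
    def process(self) -> str:
        return f"{ntpath.basename(self.image)}[{self.pid}]"


def parse_hooks(text):
    """Return every inline hook GMER reported, in log order."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(image=m["image"], pid=int(m["pid"]),
                              export=f"{m['module']}!{m['func']}",
                              hook_addr=int(m["addr"], 16),
                              target=int(m["target"], 16)))
    return hooks


def triage(text):
    """Group hooks per process and collect hidden-process and disk findings."""
    hooks = parse_hooks(text)
    per_process = defaultdict(list)
    for h in hooks:
        per_process[h.process].append(h.export)
    hidden, rootkit = [], []
    for line in text.splitlines():
        line = line.strip()
        m = HIDDEN_PROC_RE.match(line)
        if m:
            hidden.append(f"{ntpath.basename(m['image'])}[{m['pid']}]")
        m = ROOTKIT_RE.match(line)
        if m:
            rootkit.append(f"{m['device']}: {m['finding']}")
    return {
        "hooked_processes": {p: sorted(e) for p, e in per_process.items()},
        "far_jump_hooks": sum(h.far_jump for h in hooks),
        "hidden_processes": hidden,
        "rootkit_findings": rootkit,
    }


def common_hooked_exports(report):
    """Exports hooked in every hooked process; a non-empty set across
    unrelated binaries points at a single injected hooking component."""
    sets = [set(e) for e in report["hooked_processes"].values()]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    rep = triage(SAMPLE_GMER_LOG)
    for proc, exports in rep["hooked_processes"].items():
        print(f"{proc}: {len(exports)} hooked export(s)")
    print("common to all hooked processes:", sorted(common_hooked_exports(rep)))
    print("far-jump hooks:", rep["far_jump_hooks"])
    print("hidden processes:", rep["hidden_processes"])
    for finding in rep["rootkit_findings"]:
        print("disk finding:", finding)
```

Run over the full GMER log in the post, the same routine shows every hooked process sharing one set of twelve wininet.dll exports with targets in a low private region, which is the user-mode half of the redirect behaviour the poster describes; the disk findings point at the MBR component that the later ComboFix run does not address.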




#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:36 AM

Posted 12 September 2011 - 01:35 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:

  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 jackmcgraw

jackmcgraw
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:03:36 AM

Posted 14 September 2011 - 05:38 PM

Thanks, Gringo.

I downloaded and ran ComboFix. Everything seemed to go fine; computer went through a few reboot cycles and ComboFix continued to run through various stages.

The only snag I ran into was during the last reboot before it generated the report: I could not log in normally. I would put in my password and it would say "Request not supported." After a few tries I gave up and rebooted in Safe Mode with Networking, which seemed to work. ComboFix generated the log, which I am posting below.

ComboFix 11-09-14.02 - wbrewer 09/14/2011 16:55:04.2.2 - x86
Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.2035.1182 [GMT -5:00]
Running from: c:\users\wbrewer\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\fbma.exe
c:\programdata\jovf.exe
c:\programdata\kygq.exe
c:\programdata\MouseProfileVerifier.dll
c:\programdata\nfbk.exe
c:\programdata\onul.exe
c:\programdata\qunl.exe
c:\programdata\wcmy.exe
c:\programdata\yoyx.exe
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{0af3455a-808d-4f97-8cab-b54b6b4d4a0a}
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{0af3455a-808d-4f97-8cab-b54b6b4d4a0a}\chrome.manifest
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{0af3455a-808d-4f97-8cab-b54b6b4d4a0a}\chrome\xulcache.jar
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{0af3455a-808d-4f97-8cab-b54b6b4d4a0a}\defaults\preferences\xulcache.js
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{0af3455a-808d-4f97-8cab-b54b6b4d4a0a}\install.rdf
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{15f35453-d36f-4bd1-99f2-3d7a4e06743e}
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{15f35453-d36f-4bd1-99f2-3d7a4e06743e}\chrome.manifest
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{15f35453-d36f-4bd1-99f2-3d7a4e06743e}\chrome\xulcache.jar
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{15f35453-d36f-4bd1-99f2-3d7a4e06743e}\defaults\preferences\xulcache.js
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{15f35453-d36f-4bd1-99f2-3d7a4e06743e}\install.rdf
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{ae16b0ad-f14d-42b2-bb0c-0cbcd6e6c127}
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{ae16b0ad-f14d-42b2-bb0c-0cbcd6e6c127}\chrome.manifest
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{ae16b0ad-f14d-42b2-bb0c-0cbcd6e6c127}\chrome\xulcache.jar
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{ae16b0ad-f14d-42b2-bb0c-0cbcd6e6c127}\defaults\preferences\xulcache.js
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{ae16b0ad-f14d-42b2-bb0c-0cbcd6e6c127}\install.rdf
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{daa38ca2-d713-4db0-824a-f0515f59d442}
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{daa38ca2-d713-4db0-824a-f0515f59d442}\chrome.manifest
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{daa38ca2-d713-4db0-824a-f0515f59d442}\chrome\xulcache.jar
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{daa38ca2-d713-4db0-824a-f0515f59d442}\defaults\preferences\xulcache.js
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{daa38ca2-d713-4db0-824a-f0515f59d442}\install.rdf
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{fd4d1193-d9e4-49f6-bd13-6dab1a97bb86}
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{fd4d1193-d9e4-49f6-bd13-6dab1a97bb86}\chrome.manifest
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{fd4d1193-d9e4-49f6-bd13-6dab1a97bb86}\chrome\xulcache.jar
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{fd4d1193-d9e4-49f6-bd13-6dab1a97bb86}\defaults\preferences\xulcache.js
c:\users\ITS\AppData\Roaming\Mozilla\Firefox\Profiles\xs32i4uh.default\extensions\{fd4d1193-d9e4-49f6-bd13-6dab1a97bb86}\install.rdf
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{0af3455a-808d-4f97-8cab-b54b6b4d4a0a}
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{0af3455a-808d-4f97-8cab-b54b6b4d4a0a}\chrome.manifest
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{0af3455a-808d-4f97-8cab-b54b6b4d4a0a}\chrome\xulcache.jar
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{0af3455a-808d-4f97-8cab-b54b6b4d4a0a}\defaults\preferences\xulcache.js
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{0af3455a-808d-4f97-8cab-b54b6b4d4a0a}\install.rdf
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{15f35453-d36f-4bd1-99f2-3d7a4e06743e}
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{15f35453-d36f-4bd1-99f2-3d7a4e06743e}\chrome.manifest
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{15f35453-d36f-4bd1-99f2-3d7a4e06743e}\chrome\xulcache.jar
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{15f35453-d36f-4bd1-99f2-3d7a4e06743e}\defaults\preferences\xulcache.js
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{15f35453-d36f-4bd1-99f2-3d7a4e06743e}\install.rdf
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{ae16b0ad-f14d-42b2-bb0c-0cbcd6e6c127}
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{ae16b0ad-f14d-42b2-bb0c-0cbcd6e6c127}\chrome.manifest
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{ae16b0ad-f14d-42b2-bb0c-0cbcd6e6c127}\chrome\xulcache.jar
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{ae16b0ad-f14d-42b2-bb0c-0cbcd6e6c127}\defaults\preferences\xulcache.js
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{ae16b0ad-f14d-42b2-bb0c-0cbcd6e6c127}\install.rdf
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{daa38ca2-d713-4db0-824a-f0515f59d442}
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{daa38ca2-d713-4db0-824a-f0515f59d442}\chrome.manifest
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{daa38ca2-d713-4db0-824a-f0515f59d442}\chrome\xulcache.jar
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{daa38ca2-d713-4db0-824a-f0515f59d442}\defaults\preferences\xulcache.js
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{daa38ca2-d713-4db0-824a-f0515f59d442}\install.rdf
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{fd4d1193-d9e4-49f6-bd13-6dab1a97bb86}
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{fd4d1193-d9e4-49f6-bd13-6dab1a97bb86}\chrome.manifest
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{fd4d1193-d9e4-49f6-bd13-6dab1a97bb86}\chrome\xulcache.jar
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{fd4d1193-d9e4-49f6-bd13-6dab1a97bb86}\defaults\preferences\xulcache.js
c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\extensions\{fd4d1193-d9e4-49f6-bd13-6dab1a97bb86}\install.rdf
c:\windows\$NtUninstallKB28827$\1386507085
c:\windows\system32\comct332.ocx
c:\windows\$NtUninstallKB28827$ . . . . Failed to delete
.
c:\windows\system32\drivers\csc.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((( Files Created from 2011-08-14 to 2011-09-14 )))))))))))))))))))))))))))))))
.
.
2011-09-14 22:09 . 2011-09-14 22:22 -------- d-----w- c:\users\wbrewer\AppData\Local\temp
2011-09-14 22:09 . 2011-09-14 22:09 -------- d-----w- c:\users\ITS\AppData\Local\temp
2011-09-14 22:09 . 2011-09-14 22:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-14 22:09 . 2011-09-14 22:09 -------- d-----w- c:\users\dayne.agnew\AppData\Local\temp
2011-09-14 22:09 . 2011-09-14 22:09 -------- d-----w- c:\users\csledge\AppData\Local\temp
2011-09-06 20:15 . 2011-09-06 20:16 -------- d-----w- c:\users\wbrewer\AppData\Local\Adobe
2011-09-06 17:04 . 2011-09-06 17:04 -------- d-----w- c:\users\wbrewer\AppData\Local\Apple
2011-09-06 03:20 . 2011-09-14 20:59 -------- d-----w- c:\users\wbrewer\AppData\Local\Apple Computer
2011-09-05 22:03 . 2011-09-14 14:02 -------- d-----r- c:\users\wbrewer\Dropbox
2011-09-05 22:01 . 2011-09-14 14:02 -------- d-----w- c:\users\wbrewer\AppData\Roaming\Dropbox
2011-09-05 21:08 . 2011-09-05 21:08 0 ---ha-w- c:\windows\system32\bxfwyedcej.tmp
2011-09-04 22:52 . 2011-09-04 22:52 -------- d-----w- c:\users\wbrewer\AppData\Roaming\SUPERAntiSpyware.com
2011-09-04 22:52 . 2011-09-04 22:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-04 16:23 . 2011-09-04 16:23 239104 ----a-w- c:\windows\system32\wscui32.dll
2011-09-02 18:58 . 2011-09-02 18:58 4194304 ----a-w- c:\windows\system32\awgizowa.dll
2011-09-01 06:57 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6A632BED-B7EA-4B9D-A25E-FD6871F5C7D7}\mpengine.dll
2011-08-27 22:54 . 2011-08-27 22:54 -------- d-----w- c:\program files\iPod
2011-08-27 22:54 . 2011-08-27 22:58 -------- d-----w- c:\program files\iTunes
2011-08-16 19:58 . 2011-08-16 19:58 -------- d-----w- c:\users\wbrewer\AppData\Roaming\NCH Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-14 22:15 . 2009-07-30 17:20 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2011-09-14 22:15 . 2009-07-28 21:56 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-09-14 13:59 . 2009-08-25 00:00 0 ----a-w- c:\users\wbrewer\AppData\Local\WavXMapDrive.bat
2011-09-06 12:52 . 2009-07-30 17:20 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2011-09-02 20:32 . 2009-04-11 13:15 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2011-08-15 14:30 . 2011-06-23 15:13 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-12 16:20 . 2011-07-12 16:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 16:20 . 2011-07-12 16:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-07 00:52 . 2009-07-27 16:28 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-07 00:52 . 2009-07-27 16:28 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-05 23:37 . 2011-07-05 23:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 23:37 . 2011-07-05 23:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-21 01:31 . 2009-03-03 14:38 58288 ------w- c:\windows\system32\rpcnet.exe
2011-09-07 12:54 . 2011-06-29 15:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\wbrewer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\wbrewer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\wbrewer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\wbrewer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-04-22 15:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-04-22 15:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-04-30 3888640]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-27 198160]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-21 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-09 483428]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-11 13605408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-11 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-03-11 96800]
"nwiz"="nwiz.exe" [2009-03-05 1657376]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"SiteAdvisor"="c:\program files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 36640]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-10-17 442536]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-03-19 667648]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-02-26 184320]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 134144]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-04-22 656696]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-04-22 95544]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-04-22 15360]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"DLBUCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"BKEXVGA"="c:\windows\system32\BKEXVGA.exe" [2007-05-25 12570624]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-01-28 75048]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-07-27 231888]
.
c:\users\wbrewer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\wbrewer\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-9-1 24183152]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-4-9 1094944]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-4-20 813584]
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2009-3-31 296088]
Xythos Drive.lnk - c:\windows\Installer\{5DF9CC62-1A07-400B-AF58-E15B24DC6294}\main.ico [2010-1-5 4710]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"Backup_DisableCAD"= undefined
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
R1 TDFSD;TDFSD;c:\program files\Xythos\Drive\tdfsd.sys [2008-06-25 1292672]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/03/12 16:11];c:\program files\CyberLink\PowerDVD9\NavFilter\000.fcl [2010-01-28 23:48 87536]
R2 AbtSvcHost;AbtSvcHost;c:\windows\system32\AbtSvcHost_.exe [2010-09-09 78768]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_820ff26a\aestsrv.exe [2009-02-13 81920]
R2 alssvc;Ambient Light Sensor;c:\program files\Dell\Ambient Light Sensor\AlsSvc.exe [2008-06-03 382232]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2008-12-29 320800]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2008-11-11 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2008-11-11 20840]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2009-04-09 447264]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]
R2 MCT_SERVICE;MCT_SERVICE;c:\windows\system32\MCTService.exe [x]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]
R2 MSSQL$QSRNVIVO8;SQL Server (QSRNVIVO8);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-25 29263712]
R2 rpcld;Remote Procedure Call (RPC) LD;c:\programdata\Rpcnet\Bin\rpcld.exe [x]
R2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart [x]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-06-17 434864]
R2 XyService;XD Filesystem;c:\program files\Xythos\Drive\XfsSvcCon.exe svcmanager [x]
R3 87202428;87202428; [x]
R3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\DRIVERS\ADM851X.SYS [x]
R3 BLKPCIEVGAEX;BLKPCIEVGAEX;c:\windows\system32\DRIVERS\blkgrpex.sys [2007-03-21 254848]
R3 BLKPCIEVGAMR;BLKPCIEVGAMR;c:\windows\system32\DRIVERS\blkgrpmr.sys [2007-03-21 253824]
R3 CM1063264;C-Media CM106 Like Sound UDAX Interface;c:\windows\system32\drivers\CM106.sys [x]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\Drivers\cvusbdrv.sys [2008-11-11 32808]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-07 41272]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2009-03-06 133632]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2009-03-09 280096]
R3 XGIGraphics;XGIGraphics;c:\windows\system32\DRIVERS\xg20grp.sys [2007-03-21 282624]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\DRIVERS\ccidflt.SYS [2008-11-11 12840]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-04-04 224384]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1246430204-1277586786-1008150880-15417Core.job
- c:\users\wbrewer\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-31 21:18]
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1246430204-1277586786-1008150880-15417UA.job
- c:\users\wbrewer\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-31 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
FF - ProfilePath - c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{06B0E1A0-EE40-49FD-8C26-826141C9C900} - c:\windows\TEMP\w7e962.tmp.exe
HKU-Default-Run-MouseProfileVerifier - c:\programdata\MouseProfileVerifier.dll
SafeBoot-80673370.sys
.
.
.
**************************************************************************
scanning hidden processes ...
.
c:\program files\Internet Explorer\iexplore.exe [2008] 0x86E1CA90
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.csc]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\program files\Xythos\Drive\XDNP.dll
.
- - - - - - - > 'Explorer.exe'(456)
c:\users\wbrewer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\program files\Xythos\Drive\TDShell.dll
c:\program files\Xythos\Drive\i18n.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\helppane.exe
.
**************************************************************************
.
Completion time: 2011-09-14 17:28:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-14 22:28
.
Pre-Run: 37,187,305,472 bytes free
Post-Run: 36,896,759,808 bytes free
.
- - End Of File - - BCCF1299D5401F6996DC3DA1737AF91C

#4 jackmcgraw

jackmcgraw
  • Topic Starter

  • Members
  • 29 posts
  • Local time:03:36 AM

Posted 14 September 2011 - 05:51 PM

To clarify, I did reboot again, just to see if things changed since ComboFix finished. I was not able to log on normally. I rebooted into Safe Mode with Networking and was able to log on.

Obviously I will want to address that at some point!

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:36 AM

Posted 14 September 2011 - 06:09 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\system32\bxfwyedcej.tmp
c:\windows\system32\wscui32.dll
c:\windows\system32\awgizowa.dll

Driver::
87202428


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 jackmcgraw

jackmcgraw
  • Topic Starter

  • Members
  • 29 posts
  • Local time:03:36 AM

Posted 14 September 2011 - 06:59 PM

Followed the instructions you posted. ComboFix ran. The computer rebooted but would not let me log on normally. Rebooted into Safe Mode with Networking. The ComboFix-generated log is pasted below.

ComboFix 11-09-14.02 - wbrewer 09/14/2011 18:29:37.3.2 - x86 NETWORK
Microsoft® Windows Vista™ Enterprise 6.0.6002.2.1252.1.1033.18.2035.1354 [GMT -5:00]
Running from: c:\users\wbrewer\Desktop\ComboFix.exe
Command switches used :: c:\users\wbrewer\Desktop\cfscript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\awgizowa.dll"
"c:\windows\system32\bxfwyedcej.tmp"
"c:\windows\system32\wscui32.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\awgizowa.dll
c:\windows\system32\bxfwyedcej.tmp
c:\windows\system32\wscui32.dll
.
c:\windows\system32\drivers\csc.sys . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_87202428
-------\Service_87202428
.
.
((((((((((((((((((((((((( Files Created from 2011-08-14 to 2011-09-14 )))))))))))))))))))))))))))))))
.
.
2011-09-14 23:42 . 2011-09-14 23:52 -------- d-----w- c:\users\wbrewer\AppData\Local\temp
2011-09-14 23:42 . 2011-09-14 23:42 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-09-14 23:42 . 2011-09-14 23:42 -------- d-----w- c:\users\ITS\AppData\Local\temp
2011-09-14 23:42 . 2011-09-14 23:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-14 23:42 . 2011-09-14 23:42 -------- d-----w- c:\users\dayne.agnew\AppData\Local\temp
2011-09-14 23:42 . 2011-09-14 23:42 -------- d-----w- c:\users\csledge\AppData\Local\temp
2011-09-06 20:15 . 2011-09-06 20:16 -------- d-----w- c:\users\wbrewer\AppData\Local\Adobe
2011-09-06 17:04 . 2011-09-06 17:04 -------- d-----w- c:\users\wbrewer\AppData\Local\Apple
2011-09-06 03:20 . 2011-09-14 20:59 -------- d-----w- c:\users\wbrewer\AppData\Local\Apple Computer
2011-09-05 22:03 . 2011-09-14 22:52 -------- d-----r- c:\users\wbrewer\Dropbox
2011-09-05 22:01 . 2011-09-14 22:55 -------- d-----w- c:\users\wbrewer\AppData\Roaming\Dropbox
2011-09-04 22:52 . 2011-09-04 22:52 -------- d-----w- c:\users\wbrewer\AppData\Roaming\SUPERAntiSpyware.com
2011-09-04 22:52 . 2011-09-04 22:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-01 06:57 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6A632BED-B7EA-4B9D-A25E-FD6871F5C7D7}\mpengine.dll
2011-08-27 22:54 . 2011-08-27 22:54 -------- d-----w- c:\program files\iPod
2011-08-27 22:54 . 2011-08-27 22:58 -------- d-----w- c:\program files\iTunes
2011-08-16 19:58 . 2011-08-16 19:58 -------- d-----w- c:\users\wbrewer\AppData\Roaming\NCH Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-14 23:48 . 2009-07-30 17:20 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2011-09-14 23:48 . 2009-07-28 21:56 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-09-14 23:44 . 2009-07-30 17:20 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2011-09-14 13:59 . 2009-08-25 00:00 0 ----a-w- c:\users\wbrewer\AppData\Local\WavXMapDrive.bat
2011-09-02 20:32 . 2009-04-11 13:15 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2011-08-15 14:30 . 2011-06-23 15:13 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-12 16:20 . 2011-07-12 16:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 16:20 . 2011-07-12 16:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-07 00:52 . 2009-07-27 16:28 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-07 00:52 . 2009-07-27 16:28 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-05 23:37 . 2011-07-05 23:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 23:37 . 2011-07-05 23:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-21 01:31 . 2009-03-03 14:38 58288 ------w- c:\windows\system32\rpcnet.exe
2011-09-07 12:54 . 2011-06-29 15:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\wbrewer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\wbrewer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\wbrewer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\wbrewer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-04-22 15:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-04-22 15:03 49152 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-04-30 3888640]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-27 198160]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-21 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-09 483428]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-11 13605408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-11 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-03-11 96800]
"nwiz"="nwiz.exe" [2009-03-05 1657376]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"SiteAdvisor"="c:\program files\SiteAdvisor\6173\SiteAdv.exe" [2007-08-28 36640]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-10-17 442536]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-03-19 667648]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2009-02-26 184320]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 134144]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-04-22 656696]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-04-22 95544]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-04-22 15360]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"DLBUCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"BKEXVGA"="c:\windows\system32\BKEXVGA.exe" [2007-05-25 12570624]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-01-28 75048]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-07-27 231888]
.
c:\users\wbrewer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\wbrewer\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-9-1 24183152]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-4-9 1094944]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-4-20 813584]
SafeConnect.lnk - c:\program files\SafeConnect\scClient.exe [2009-3-31 296088]
Xythos Drive.lnk - c:\windows\Installer\{5DF9CC62-1A07-400B-AF58-E15B24DC6294}\main.ico [2010-1-5 4710]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"Backup_DisableCAD"= undefined
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
R1 TDFSD;TDFSD;c:\program files\Xythos\Drive\tdfsd.sys [2008-06-25 1292672]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/03/12 16:11];c:\program files\CyberLink\PowerDVD9\NavFilter\000.fcl [2010-01-28 23:48 87536]
R2 AbtSvcHost;AbtSvcHost;c:\windows\system32\AbtSvcHost_.exe [2010-09-09 78768]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_820ff26a\aestsrv.exe [2009-02-13 81920]
R2 alssvc;Ambient Light Sensor;c:\program files\Dell\Ambient Light Sensor\AlsSvc.exe [2008-06-03 382232]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2008-12-29 320800]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2008-11-11 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2008-11-11 20840]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2009-04-09 447264]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2008-09-29 19456]
R2 MCT_SERVICE;MCT_SERVICE;c:\windows\system32\MCTService.exe [x]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-09-29 67904]
R2 MSSQL$QSRNVIVO8;SQL Server (QSRNVIVO8);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-25 29263712]
R2 rpcld;Remote Procedure Call (RPC) LD;c:\programdata\Rpcnet\Bin\rpcld.exe [x]
R2 SCManager;SafeConnect Manager;c:\program files\SafeConnect\scManager.sys servicestart [x]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-06-17 434864]
R2 XyService;XD Filesystem;c:\program files\Xythos\Drive\XfsSvcCon.exe svcmanager [x]
R3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\DRIVERS\ADM851X.SYS [x]
R3 BLKPCIEVGAEX;BLKPCIEVGAEX;c:\windows\system32\DRIVERS\blkgrpex.sys [2007-03-21 254848]
R3 BLKPCIEVGAMR;BLKPCIEVGAMR;c:\windows\system32\DRIVERS\blkgrpmr.sys [2007-03-21 253824]
R3 CM1063264;C-Media CM106 Like Sound UDAX Interface;c:\windows\system32\drivers\CM106.sys [x]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\Drivers\cvusbdrv.sys [2008-11-11 32808]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-07 41272]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-09-29 64432]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2009-03-06 133632]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2009-03-09 280096]
R3 XGIGraphics;XGIGraphics;c:\windows\system32\DRIVERS\xg20grp.sys [2007-03-21 282624]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\DRIVERS\ccidflt.SYS [2008-11-11 12840]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-04-04 224384]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1246430204-1277586786-1008150880-15417Core.job
- c:\users\wbrewer\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-31 21:18]
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1246430204-1277586786-1008150880-15417UA.job
- c:\users\wbrewer\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-31 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.87.72.134 68.87.77.134
FF - ProfilePath - c:\users\wbrewer\AppData\Roaming\Mozilla\Firefox\Profiles\cw3f3j9z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
**************************************************************************
scanning hidden processes ...
.
c:\program files\Internet Explorer\iexplore.exe [2004] 0x86E940D8
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.csc]
"ImagePath"="\*"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(592)
c:\program files\Xythos\Drive\XDNP.dll
.
- - - - - - - > 'Explorer.exe'(1984)
c:\users\wbrewer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\program files\Xythos\Drive\TDShell.dll
c:\program files\Xythos\Drive\i18n.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\helppane.exe
.
**************************************************************************
.
Completion time: 2011-09-14 18:56:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-14 23:56
ComboFix2.txt 2011-09-14 22:28
.
Pre-Run: 36,985,458,688 bytes free
Post-Run: 37,023,260,672 bytes free
.
- - End Of File - - A5050CDE7907F12F22ACFE2DE9148400

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:36 AM

Posted 14 September 2011 - 09:36 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
csc.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

#8 jackmcgraw

jackmcgraw
  • Topic Starter

  • Members
  • 29 posts
  • Local time:03:36 AM

Posted 14 September 2011 - 10:06 PM

Here you go:

SystemLook 30.07.11 by jpshortstuff
Log created at 22:04 on 14/09/2011 by wbrewer
Administrator - Elevation successful

========== filefind ==========

Searching for "csc.sys"
C:\Windows\System32\drivers\csc.sys --a---- 351744 bytes [13:15 11/04/2009] [13:15 11/04/2009] 58E907E42B960CA3E47E33048A50F665
C:\Windows\winsxs\x86_microsoft-windows-offlinefiles-core_31bf3856ad364e35_6.0.6002.18005_none_a033c1f359091562\csc.sys --a---- 351744 bytes [13:15 11/04/2009] [13:15 11/04/2009] 58E907E42B960CA3E47E33048A50F665

-= EOF =-
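As an added example (not part of the thread or of SystemLook itself), the following Python parses SystemLook `:filefind` result lines like the two above and checks whether every copy of the file found (the live driver under System32 and the component-store copy under winsxs) reports the same size and MD5, so a discrepancy between the two stands out. The line layout (path, attributes, size, two bracketed timestamps, MD5) is assumed from the log shown; the second sample log with a differing hash is constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One SystemLook ":filefind" result line, as in the log posted above (layout assumed):
#   <path> <attrs> <size> bytes [<timestamp>] [<timestamp>] <MD5>
# Only path, size and MD5 are used for the comparison.
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-a-zA-Z]{7})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Result lines copied from the SystemLook log posted in this thread.
POSTED_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 22:04 on 14/09/2011 by wbrewer
Administrator - Elevation successful

========== filefind ==========

Searching for "csc.sys"
C:\Windows\System32\drivers\csc.sys --a---- 351744 bytes [13:15 11/04/2009] [13:15 11/04/2009] 58E907E42B960CA3E47E33048A50F665
C:\Windows\winsxs\x86_microsoft-windows-offlinefiles-core_31bf3856ad364e35_6.0.6002.18005_none_a033c1f359091562\csc.sys --a---- 351744 bytes [13:15 11/04/2009] [13:15 11/04/2009] 58E907E42B960CA3E47E33048A50F665

-= EOF =-
"""

# Constructed variant (NOT from the thread): the live driver's MD5 is a placeholder
# value that differs from the component-store copy, so the check must flag it.
CONSTRUCTED_MISMATCH_LOG = r"""Searching for "csc.sys"
C:\Windows\System32\drivers\csc.sys --a---- 351744 bytes [13:15 11/04/2009] [13:15 11/04/2009] 0123456789ABCDEF0123456789ABCDEF
C:\Windows\winsxs\x86_microsoft-windows-offlinefiles-core_31bf3856ad364e35_6.0.6002.18005_none_a033c1f359091562\csc.sys --a---- 351744 bytes [13:15 11/04/2009] [13:15 11/04/2009] 58E907E42B960CA3E47E33048A50F665
"""


def parse_filefind(log_text):
    """Return one dict per result line in a SystemLook filefind log; other lines are skipped."""
    results = []
    for line in log_text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            d["name"] = PureWindowsPath(d["path"]).name.lower()
            results.append(d)
    return results


def is_component_store(path):
    """True for copies kept in the Windows component store (winsxs)."""
    return "\\winsxs\\" in path.lower()


def compare_copies(results):
    """Group copies by file name and report whether all copies agree on size and MD5."""
    by_name = defaultdict(list)
    for r in results:
        by_name[r["name"]].append(r)
    report = {}
    for name, copies in by_name.items():
        hashes = {r["md5"] for r in copies}
        sizes = {r["size"] for r in copies}
        report[name] = {
            "consistent": len(hashes) == 1 and len(sizes) == 1,
            "live": [r["path"] for r in copies if not is_component_store(r["path"])],
            "store": [r["path"] for r in copies if is_component_store(r["path"])],
            "hashes": {r["path"]: r["md5"] for r in copies},
        }
    return report


def summarize(report):
    """One human-readable status line per file name."""
    lines = []
    for name, info in sorted(report.items()):
        status = "consistent" if info["consistent"] else "MISMATCH"
        lines.append(f"{name}: {status}; {len(info['live'])} live, {len(info['store'])} in winsxs")
    return lines


if __name__ == "__main__":
    for log in (POSTED_LOG, CONSTRUCTED_MISMATCH_LOG):
        for line in summarize(compare_copies(parse_filefind(log))):
            print(line)
```

Agreement between the live copy and the winsxs copy only shows the two files are identical; it does not by itself establish that either one is clean, which is why a hash from a known-good machine is still the stronger check.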

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:36 AM

Posted 15 September 2011 - 12:42 AM

Hello


Do you have another Vista computer that we can copy a file from, or a friend that has one?


gringo

#10 jackmcgraw

jackmcgraw
  • Topic Starter

  • Members
  • 29 posts
  • Local time:03:36 AM

Posted 15 September 2011 - 10:55 AM

I do, but it's 64-bit Home Premium and I am away from that computer until Sunday. I also will have limited access to the infected computer the next few days (business travel).

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:36 AM

Posted 15 September 2011 - 01:10 PM

If it is 64-bit, it will not work; it needs to be 32-bit.


gringo

#12 jackmcgraw

jackmcgraw
  • Topic Starter

  • Members
  • 29 posts
  • Local time:03:36 AM

Posted 15 September 2011 - 02:05 PM

OK, that won't help then, and I do not have access to another 32-bit Vista machine. Any suggestions?

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:36 AM

Posted 15 September 2011 - 03:06 PM

Hello


Do you have any friends that may have Vista?


gringo

#14 jackmcgraw

jackmcgraw
  • Topic Starter

  • Members
  • 29 posts
  • Local time:03:36 AM

Posted 15 September 2011 - 03:17 PM

I do not believe so.

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:36 AM

Posted 20 September 2011 - 12:49 PM

Hello


Have you been able to find someone? We need to get a copy of that file, as I think that is the main problem.



gringo
