Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit.Win32.Zaccess.e Infection


  • This topic is locked This topic is locked
23 replies to this topic

#1 Cendy

Cendy

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 30 September 2011 - 12:09 AM

Hello!

I would be very grateful to receive any help on this problem that started a few days ago on Tuesday. Many thanks to boopme for setting me on the right track to get rid of this infection. I pasted the DDS log after the problem description.

Computer - basic info:

•Windows 7 Starter
•Service Pack 1
•32-bit OS
•Gateway LT20

The first problem that I noticed was, based on other posts on this forum, a Google Redirect virus. This problem appeared about a week ago, but I didn't do anything about it.

On Tuesday, I was surfing the web using Mozilla as usual. I stepped away from the comp for a little while, but when I came back, the Blue Screen of Death was up. I thought it was because I had too many tabs up and overloaded my computer, so I restarted it.

Upon restarting, it would load about halfway (no desktop, no task bar), and then BSOD. After several restarts, it loaded to the desktop, and I was able to save a few important documents. But after a few minutes, it would crash and BSOD would be up again.

I left it off for a few hours. When I turned it back on, the program OpenCloud Security appeared. After several minutes, my computer would crash again. I looked up how to remove this virus on another computer, so I downloaded and transferred Rkill and attempted to use it with no luck. It would keep shutting down. I went on SafeMode but OpenCloud no longer appeared. I ran Malwarebytes in SafeMode, and deleted 4 or 5 infections. I went back into Normal mode, OpenCloud still opened. Malwarebytes kept notifying that it blocked access to malicious websites, and I don't know how, but OpenCloud stopped running.

I then downloaded and used TDSS rootkit removing tool. It detected 2 threats, but was able to cure only 1. The one that remains is

Rootkit.Win32.ZAccess.e

Service: DfsC
Service type: File sytem drive (0x2)
Service start: System (0x1)
File: C:\Windows\system32\Drivers\dfsc.sys
MD5: 2077b7cb788948a9c94ee33216a16f96

The good news is that I don't have the Google redirect or OpenCloud problems anymore. However, I am worried about this infection and what it could be doing to my computer security-wise.

Other possible related info: Recycle bin is suddenly empty (I don't remember emptying it). I also kept getting messages from Windows that asked me for permission for certain applications to make changes to my computer. They popped up when OpenCloud was running but they no longer appear. They were always similar programs asking for permission: win_lotsof#s_.exe

I hope I gave enough detail to be able to get some help on this problem. Please let me know if you have any questions or suggestions. Thank you so much for your time and expertise!




.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_20
Run by Owner at 23:22:51 on 2011-09-29
Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1014.171 [GMT -4:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
C:\Program Files\Gateway\Registration\GregHSRW.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\McAfee\VirusScan Enterprise\ShStat.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Video Web Camera\traybar.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt20&r=27b50110x445l0394wwl5a4932u229
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt20&r=27b50110x445l0394wwl5a4932u229
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Windows 7 Starter Helper: {d381ff29-7cfb-4d4e-b92a-c4eddc696614} - c:\program files\oceanis\systemsetting\StarterHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10q_ActiveX.exe -update activex
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [Acer ePower Management] c:\program files\gateway\gateway power management\ePowerTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [LManager] c:\program files\launch manager\LManager.exe
mRun: [Camera Assistant Software] "c:\program files\video web camera\traybar.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\win211~1.lnk - c:\users\owner\appdata\local\temp\win2119b744.exe
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\owner\appdata\local\temp\_uninst_86595282.bat
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\program files\leahscape\foxyproxy video utility\FPServiceProvider.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac2.wellesley.edu/auth/taweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{5DC6E530-9FAA-4BDF-820F-774ECADA9A4B} : DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{5DC6E530-9FAA-4BDF-820F-774ECADA9A4B}\24341435351445 : DhcpNameServer = 192.168.1.156 200.24.191.11 200.62.191.11
TCP: Interfaces\{5DC6E530-9FAA-4BDF-820F-774ECADA9A4B}\35868686D49725F6F6D6D61647563744F6E647B4E6F677945487963747 : DhcpNameServer = 137.99.203.20 137.99.25.14 192.168.1.1
TCP: Interfaces\{5DC6E530-9FAA-4BDF-820F-774ECADA9A4B}\74D49402445607F647 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9581FFAD-0EC4-4968-B953-188E6CEE47AB} : DhcpNameServer = 200.48.225.130 200.48.225.146
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\28owc43x.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: Diccionario en Español para Venezuela: es-ve@dictionaries.addons.mozilla.org - %profile%\extensions\es-ve@dictionaries.addons.mozilla.org
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-9-4 343920]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 ePowerSvc;Acer ePower Service;c:\program files\gateway\gateway power management\ePowerSvc.exe [2009-10-27 727584]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2009-10-27 51712]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-9-4 20952]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-9-4 91832]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
RUnknown 2212061drv;2212061drv; [x]
RUnknown 86595282;86595282; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [2010-3-2 11264]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-9-4 43288]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-9-4 66600]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-10-27 167424]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-26 52224]
.
=============== Created Last 30 ================
.
2011-09-29 03:38:36 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{7690bf20-b3e0-4976-8ff7-08b92ed2aa79}\offreg.dll
2011-09-29 03:15:49 -------- d-----w- c:\programdata\Kaspersky Lab
2011-09-28 18:09:35 -------- d-----w- C:\$RECYCLE.BIN
2011-09-28 18:03:37 -------- d-----w- c:\users\owner\appdata\local\temp
2011-09-28 17:12:59 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-09-28 16:53:47 98816 ----a-w- c:\windows\sed.exe
2011-09-28 16:53:47 518144 ----a-w- c:\windows\SWREG.exe
2011-09-28 16:53:47 256000 ----a-w- c:\windows\PEV.exe
2011-09-28 16:53:47 208896 ----a-w- c:\windows\MBR.exe
2011-09-28 16:26:31 -------- d-----w- c:\users\owner\appdata\roaming\oDonG4HJEgq
2011-09-28 16:26:30 -------- d-----w- c:\users\owner\appdata\roaming\WaQH6WfLgZYwrNP
2011-09-28 07:17:24 -------- d-----w- c:\users\owner\appdata\roaming\HhTCIBrzi35Q6W7
2011-09-28 07:17:23 -------- d-----w- c:\users\owner\appdata\roaming\yIBrPyxAvoFGaWf
2011-09-28 05:11:28 -------- d-----w- c:\users\owner\appdata\roaming\U5aQJ9hTXjCkBzN
2011-09-28 05:11:27 -------- d-----w- c:\users\owner\appdata\roaming\NUCelIBrzNx1voF
2011-09-28 04:31:39 -------- d-----w- c:\users\owner\appdata\roaming\A0ycS1DF4m5W7E8
2011-09-28 04:31:38 -------- d-----w- c:\users\owner\appdata\roaming\Utx0ucS1iW7E8hC
2011-09-28 04:19:52 -------- d-----w- c:\users\owner\appdata\roaming\JH6dWK7fRgXYAuS
2011-09-28 04:19:51 -------- d-----w- c:\users\owner\appdata\roaming\RCekBrzOx0Sb3n5
2011-09-28 04:02:04 -------- d-----w- c:\users\owner\appdata\roaming\RJf8gCivE8hVtPy
2011-09-28 04:02:03 -------- d-----w- c:\users\owner\appdata\roaming\nOxA0uc7I0c1baH
2011-09-28 03:50:09 -------- d-----w- c:\users\owner\appdata\roaming\WCwkUVlOBx01DoF
2011-09-28 03:50:08 -------- d-----w- c:\users\owner\appdata\roaming\GonG4amH6W7E8Tq
2011-09-28 03:41:18 -------- d-----w- c:\users\owner\appdata\roaming\qP0ycivDYwBJdKX
2011-09-28 03:41:16 -------- d-----w- c:\users\owner\appdata\roaming\SELOBSivDm6JfLr
2011-09-28 03:19:27 -------- d-----w- c:\users\owner\appdata\roaming\pKNtxA0c2b3nQ6W
2011-09-28 03:19:26 -------- d-----w- c:\users\owner\appdata\roaming\xCekIBryx0v
2011-09-28 01:52:36 -------- d-----w- c:\users\owner\appdata\roaming\WqwkUVelOtPy
2011-09-28 01:52:35 -------- d-----w- c:\users\owner\appdata\roaming\gONt04amHsJ
2011-09-27 16:50:07 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{7690bf20-b3e0-4976-8ff7-08b92ed2aa79}\mpengine.dll
2011-09-08 13:37:11 411368 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-08 13:37:11 411368 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-09-07 15:56:24 -------- d-----w- c:\users\owner\appdata\local\BluetoothEventmon2
.
==================== Find3M ====================
.
2011-09-01 15:27:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-07 16:49:48 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-07-22 04:54:18 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-16 04:27:30 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 02:17:19 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-09 04:29:46 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-09 02:30:00 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
.
============= FINISH: 23:28:34.16 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,658 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:29 PM

Posted 05 October 2011 - 12:10 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/421219 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:29 AM

Posted 05 October 2011 - 03:40 PM

Hello and welcome to BleepingComputer! :)



I am Blind Faith and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are destined to idetifying the possible threats present on your system so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed so we need to get a clear look on that step. DO NOT bring any changes to the system except the ones I tell you to as that may produce more damage than helping us.

If you will encounter a delay of over 2 days from me, please don't hesitate and private message me.
Do not forget to check your topic periodically and subscribe to the topic so that you can receive notifications regarding my replies.



Please generate another DDS log (download it from here if you haven't already) and post it in your next reply along with other changes that may have occured since you last posted.
Also download and run GMER from this link: GMER download link.



Thank you very much for your patience.




Regards,

Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#4 Cendy

Cendy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 06 October 2011 - 12:05 AM

Hi Blindfaith,

Thank you so much for your help. I've attached the requested documents to this reply post. I had trouble running GMER this time around. The Blue Screen of Death occurred, which only happened on the first day I started having these virus problems. Since then, no other symptoms (no more google redirect, or BSODs, or OpenCloud), except when I tried running GMER again - a program called On Access Scan Messages, which seems like it's a virus. I noticed this last time as well, but seemed legitimate and part of the program, didn't realize it was not at all related to GMER!

BSOD data
STOP: 0x0000007F (0x00000008, 0x801A4000, 0x00000000, 0x00000000)

Below is the DDS file. Thank you again for your time!



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_20
Run by Owner at 21:19:14 on 2011-10-05
Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1014.250 [GMT -4:00]
.
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
C:\Program Files\Gateway\Registration\GregHSRW.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe
C:\Program Files\McAfee\VirusScan Enterprise\ShStat.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Video Web Camera\traybar.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt20&r=27b50110x445l0394wwl5a4932u229
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt20&r=27b50110x445l0394wwl5a4932u229
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Windows 7 Starter Helper: {d381ff29-7cfb-4d4e-b92a-c4eddc696614} - c:\program files\oceanis\systemsetting\StarterHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [Acer ePower Management] c:\program files\gateway\gateway power management\ePowerTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [LManager] c:\program files\launch manager\LManager.exe
mRun: [Camera Assistant Software] "c:\program files\video web camera\traybar.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\win211~1.lnk - c:\users\owner\appdata\local\temp\win2119b744.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\program files\leahscape\foxyproxy video utility\FPServiceProvider.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac2.wellesley.edu/auth/taweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{5DC6E530-9FAA-4BDF-820F-774ECADA9A4B} : DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{5DC6E530-9FAA-4BDF-820F-774ECADA9A4B}\24341435351445 : DhcpNameServer = 192.168.1.156 200.24.191.11 200.62.191.11
TCP: Interfaces\{5DC6E530-9FAA-4BDF-820F-774ECADA9A4B}\35868686D49725F6F6D6D61647563744F6E647B4E6F677945487963747 : DhcpNameServer = 137.99.203.20 137.99.25.14 192.168.1.1
TCP: Interfaces\{5DC6E530-9FAA-4BDF-820F-774ECADA9A4B}\74D49402445607F647 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9581FFAD-0EC4-4968-B953-188E6CEE47AB} : DhcpNameServer = 200.48.225.130 200.48.225.146
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\28owc43x.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: Diccionario en Español para Venezuela: es-ve@dictionaries.addons.mozilla.org - %profile%\extensions\es-ve@dictionaries.addons.mozilla.org
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\coFFPlgn
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-9-4 343920]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20110929.001\BHDrvx86.sys [2011-9-29 816760]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20111005.031\IDSvix86.sys [2011-10-5 368248]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2009-10-27 51712]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-9-4 20952]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-9-4 91832]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [2010-3-2 11264]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-9-4 43288]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-9-4 66600]
.
=============== Created Last 30 ================
.
2011-10-01 17:45:48 299640 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symnets.sys
2011-10-01 17:45:46 744568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symefa.sys
2011-10-01 17:45:43 340088 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symds.sys
2011-10-01 17:45:42 50168 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtspx.sys
2011-10-01 17:45:40 516216 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtsp.sys
2011-10-01 17:45:37 136312 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys
2011-10-01 17:41:36 -------- d-----w- c:\windows\system32\drivers\n360\0501000.01D
2011-10-01 03:01:59 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-10-01 03:01:44 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-10-01 03:01:40 -------- d-----w- c:\program files\Symantec
2011-10-01 03:01:40 -------- d-----w- c:\program files\common files\Symantec Shared
2011-10-01 03:00:00 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2011-10-01 02:58:19 -------- d-----w- c:\windows\system32\drivers\N360
2011-10-01 02:58:13 -------- d-----w- c:\program files\Norton Security Suite
2011-10-01 02:57:31 -------- d-----w- c:\program files\NortonInstaller
2011-09-30 17:32:09 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d5516b46-c02d-4565-8d96-244f759d5fec}\mpengine.dll
2011-09-29 03:15:49 -------- d-----w- c:\programdata\Kaspersky Lab
2011-09-28 18:09:35 -------- d-----w- C:\$RECYCLE.BIN
2011-09-28 18:03:37 -------- d-----w- c:\users\owner\appdata\local\temp
2011-09-28 17:12:59 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-09-28 16:53:47 98816 ----a-w- c:\windows\sed.exe
2011-09-28 16:53:47 518144 ----a-w- c:\windows\SWREG.exe
2011-09-28 16:53:47 256000 ----a-w- c:\windows\PEV.exe
2011-09-28 16:53:47 208896 ----a-w- c:\windows\MBR.exe
2011-09-28 16:26:31 -------- d-----w- c:\users\owner\appdata\roaming\oDonG4HJEgq
2011-09-28 16:26:30 -------- d-----w- c:\users\owner\appdata\roaming\WaQH6WfLgZYwrNP
2011-09-28 07:17:24 -------- d-----w- c:\users\owner\appdata\roaming\HhTCIBrzi35Q6W7
2011-09-28 07:17:23 -------- d-----w- c:\users\owner\appdata\roaming\yIBrPyxAvoFGaWf
2011-09-28 05:11:28 -------- d-----w- c:\users\owner\appdata\roaming\U5aQJ9hTXjCkBzN
2011-09-28 05:11:27 -------- d-----w- c:\users\owner\appdata\roaming\NUCelIBrzNx1voF
2011-09-28 04:31:39 -------- d-----w- c:\users\owner\appdata\roaming\A0ycS1DF4m5W7E8
2011-09-28 04:31:38 -------- d-----w- c:\users\owner\appdata\roaming\Utx0ucS1iW7E8hC
2011-09-28 04:19:52 -------- d-----w- c:\users\owner\appdata\roaming\JH6dWK7fRgXYAuS
2011-09-28 04:19:51 -------- d-----w- c:\users\owner\appdata\roaming\RCekBrzOx0Sb3n5
2011-09-28 04:02:04 -------- d-----w- c:\users\owner\appdata\roaming\RJf8gCivE8hVtPy
2011-09-28 04:02:03 -------- d-----w- c:\users\owner\appdata\roaming\nOxA0uc7I0c1baH
2011-09-28 03:50:09 -------- d-----w- c:\users\owner\appdata\roaming\WCwkUVlOBx01DoF
2011-09-28 03:50:08 -------- d-----w- c:\users\owner\appdata\roaming\GonG4amH6W7E8Tq
2011-09-28 03:41:18 -------- d-----w- c:\users\owner\appdata\roaming\qP0ycivDYwBJdKX
2011-09-28 03:41:16 -------- d-----w- c:\users\owner\appdata\roaming\SELOBSivDm6JfLr
2011-09-28 03:19:27 -------- d-----w- c:\users\owner\appdata\roaming\pKNtxA0c2b3nQ6W
2011-09-28 03:19:26 -------- d-----w- c:\users\owner\appdata\roaming\xCekIBryx0v
2011-09-28 01:52:36 -------- d-----w- c:\users\owner\appdata\roaming\WqwkUVelOtPy
2011-09-28 01:52:35 -------- d-----w- c:\users\owner\appdata\roaming\gONt04amHsJ
2011-09-08 13:37:11 411368 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-08 13:37:11 411368 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-09-07 15:56:24 -------- d-----w- c:\users\owner\appdata\local\BluetoothEventmon2
.
==================== Find3M ====================
.
2011-10-01 03:43:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-07 16:49:48 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-07-22 04:54:18 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-16 04:27:30 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 02:17:19 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-09 04:29:46 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-09 02:30:00 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
.
============= FINISH: 21:27:40.62 ===============

Attached Files



#5 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:29 AM

Posted 07 October 2011 - 04:33 PM

Hi there,


Firstly, I need to ask you several questions. :)



I see you ran a tool named ComboFix, did you run it while being supervised by a helper?

Also, I would like you to go to C:\ and open the latest Combofix.txt. Please copy/paste the content of the file into your next reply.





Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#6 Cendy

Cendy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 07 October 2011 - 05:52 PM

Hello,

No, I didn't run it with a helper's supervision. It was a program I found probably through googling, but I honestly can't remember. It looks like I ran it last week on the 28th. Here is a copy of the log! Thanks again for your help.

ComboFix 11-09-28.01 - Owner 09/28/2011 13:21:31.1.2 - x86
Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1014.475 [GMT -4:00]
Running from: c:\users\Owner\Desktop\shakeitup.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Owner\AppData\Local\BluetoothEventmon2\NativeWebvga.dll
c:\users\Owner\AppData\Local\Temp\win2119b744.exe
c:\users\Owner\Documents\~WRL3265.tmp
c:\windows\$NtUninstallKB14188$\3790070717
c:\windows\system32\drivers\Svhost.exe
c:\windows\$NtUninstallKB14188$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-28 )))))))))))))))))))))))))))))))
.
.
2011-09-28 18:03 . 2011-09-28 18:09 -------- d-----w- c:\users\Owner\AppData\Local\temp
2011-09-28 17:21 . 2011-09-28 17:21 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7690BF20-B3E0-4976-8FF7-08B92ED2AA79}\offreg.dll
2011-09-28 17:12 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-09-28 16:26 . 2011-09-28 16:26 -------- d-----w- c:\users\Owner\AppData\Roaming\oDonG4HJEgq
2011-09-28 16:26 . 2011-09-28 16:26 -------- d-----w- c:\users\Owner\AppData\Roaming\WaQH6WfLgZYwrNP
2011-09-28 07:17 . 2011-09-28 07:17 -------- d-----w- c:\users\Owner\AppData\Roaming\HhTCIBrzi35Q6W7
2011-09-28 07:17 . 2011-09-28 07:17 -------- d-----w- c:\users\Owner\AppData\Roaming\yIBrPyxAvoFGaWf
2011-09-28 05:11 . 2011-09-28 05:11 -------- d-----w- c:\users\Owner\AppData\Roaming\U5aQJ9hTXjCkBzN
2011-09-28 05:11 . 2011-09-28 05:11 -------- d-----w- c:\users\Owner\AppData\Roaming\NUCelIBrzNx1voF
2011-09-28 04:31 . 2011-09-28 04:31 -------- d-----w- c:\users\Owner\AppData\Roaming\A0ycS1DF4m5W7E8
2011-09-28 04:31 . 2011-09-28 04:31 -------- d-----w- c:\users\Owner\AppData\Roaming\Utx0ucS1iW7E8hC
2011-09-28 04:19 . 2011-09-28 04:19 -------- d-----w- c:\users\Owner\AppData\Roaming\JH6dWK7fRgXYAuS
2011-09-28 04:19 . 2011-09-28 04:19 -------- d-----w- c:\users\Owner\AppData\Roaming\RCekBrzOx0Sb3n5
2011-09-28 04:02 . 2011-09-28 04:02 -------- d-----w- c:\users\Owner\AppData\Roaming\RJf8gCivE8hVtPy
2011-09-28 04:02 . 2011-09-28 04:02 -------- d-----w- c:\users\Owner\AppData\Roaming\nOxA0uc7I0c1baH
2011-09-28 03:50 . 2011-09-28 03:50 -------- d-----w- c:\users\Owner\AppData\Roaming\WCwkUVlOBx01DoF
2011-09-28 03:50 . 2011-09-28 03:50 -------- d-----w- c:\users\Owner\AppData\Roaming\GonG4amH6W7E8Tq
2011-09-28 03:41 . 2011-09-28 03:41 -------- d-----w- c:\users\Owner\AppData\Roaming\qP0ycivDYwBJdKX
2011-09-28 03:41 . 2011-09-28 03:41 -------- d-----w- c:\users\Owner\AppData\Roaming\SELOBSivDm6JfLr
2011-09-28 03:19 . 2011-09-28 03:19 -------- d-----w- c:\users\Owner\AppData\Roaming\pKNtxA0c2b3nQ6W
2011-09-28 03:19 . 2011-09-28 03:19 -------- d-----w- c:\users\Owner\AppData\Roaming\xCekIBryx0v
2011-09-28 01:52 . 2011-09-28 01:52 -------- d-----w- c:\users\Owner\AppData\Roaming\WqwkUVelOtPy
2011-09-28 01:52 . 2011-09-28 01:52 -------- d-----w- c:\users\Owner\AppData\Roaming\gONt04amHsJ
2011-09-27 16:50 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7690BF20-B3E0-4976-8FF7-08B92ED2AA79}\mpengine.dll
2011-09-08 13:38 . 2011-09-08 13:38 -------- d-----w- c:\program files\Common Files\Java
2011-09-08 13:37 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-08 13:37 . 2010-04-12 21:29 411368 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-09-07 15:56 . 2011-09-28 18:01 -------- d-----w- c:\users\Owner\AppData\Local\BluetoothEventmon2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-01 15:27 . 2011-05-22 02:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-07 16:49 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-07-22 04:54 . 2011-08-11 03:03 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-16 04:27 . 2011-08-11 03:03 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:17 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17 . 2011-08-11 03:03 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-16 02:17 . 2011-08-11 03:03 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-09 04:29 . 2011-08-23 21:29 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-09 02:30 . 2011-08-11 03:04 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-03-25 18:07 . 2010-09-05 02:33 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-20 . 866A43013535DC8587C258E43579C764 . 317440 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7601.17514_none_d8530d0d1fcade21\spoolsv.exe
[7] 2010-08-21 . D1BB750EB51694DE183E08B9C33BE5B2 . 316928 . . [6.1.7600.16661] . . c:\windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7600.16661_none_d6339da722cfb4be\spoolsv.exe
[7] 2010-08-20 . 2FB4CE429488156B19C0D8E5C4552043 . 316928 . . [6.1.7600.20785] . . c:\windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7600.20785_none_d6ab9bc23bf9f1c6\spoolsv.exe
[7] 2009-07-14 . 49B6DD6AB3715B7A67965F17194E98A9 . 316416 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7600.16385_none_d621f94522dc5a87\spoolsv.exe
.
c:\windows\System32\spoolsv.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-06 7600672]
"Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2009-09-30 703008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-08-18 1157128]
"Camera Assistant Software"="c:\program files\Video Web Camera\traybar.exe" [2009-08-05 630784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-09-03 1557800]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-08-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-03-25 124224]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-11-29 443728]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
.
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
win2119b744.lnk - c:\users\Owner\AppData\Local\Temp\win2119b744.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleverKeys]
2010-02-22 15:15 542208 ----a-w- c:\program files\Dictionary.com\CleverKeys\CK.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\users\Owner\AppData\Roaming\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Persistence"=c:\windows\system32\igfxpers.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ICDUSB3;ICDUSB3;c:\windows\system32\Drivers\ICDUSB3.sys [2008-08-18 11264]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-03-25 66600]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-24 167424]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2009-09-30 727584]
S2 Greg_Service;GRegService;c:\program files\Gateway\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-11-29 363344]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [2010-03-25 22816]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-03-25 70728]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-27 51712]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-29 20952]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-28 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-08-07 13:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt20&r=27b50110x445l0394wwl5a4932u229
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt20&r=27b50110x445l0394wwl5a4932u229
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: c:\program files\LeahScape\FoxyProxy Video Utility\FPServiceProvider.dll
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac2.wellesley.edu/auth/taweb.cab
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\28owc43x.default\
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: Diccionario en Español para Venezuela: es-ve@dictionaries.addons.mozilla.org - %profile%\extensions\es-ve@dictionaries.addons.mozilla.org
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-NativeWebvga - c:\users\Owner\AppData\Local\BluetoothEventmon2\NativeWebvga.dll
HKLM-Run-aooo3mmG5aQJdKR8234A - c:\windows\system32\drivers\svhost.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-09-28 16:23:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-28 20:23
.
Pre-Run: 193,198,456,832 bytes free
Post-Run: 193,998,360,576 bytes free
.
- - End Of File - - D4CD6E20140099129177029D01F64847

#7 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:29 AM

Posted 08 October 2011 - 03:46 PM

Hi there,



We do not support running ComboFix without being supervised by a helper as it is a very powerful tool and it might leave your machine unbootable at worst. Please take note of this advice. :)

====================================================================================================


We should get another ComboFix log to be sure the information stored into it is up to date.
But firstly, if you can still find the initial Combofix file, please delete it before downloading the new one.



Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.







Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#8 Cendy

Cendy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 08 October 2011 - 09:10 PM

Hi Blind Faith,

Does this program delete files in the Recycle Bin? I noticed files from my Recycle Bin were gone; this might have happened last time I ran Comboxfix too, but didn't notice. During the Combofix run, a program called pve.exe stopped running properly, so Windows shut it down automatically. I didn't realize some aspects of Norton security suite were still on after I closed all anti-virus, but some pop-ups showed that programs called pve.exe and hive3e were using a lot of system resources.

Thank you again for your help.


ComboFix 11-10-08.05 - Owner 10/08/2011 21:00:28.2.2 - x86
Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1014.410 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-09-09 to 2011-10-09 )))))))))))))))))))))))))))))))
.
.
2011-10-09 01:28 . 2011-10-09 01:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-09 00:42 . 2011-10-09 00:42 -------- d-----w- c:\users\Owner\AppData\Roaming\HPAppData
2011-10-06 02:30 . 2011-10-09 01:27 -------- d-----w- c:\users\Owner\AppData\Local\CrashDumps
2011-10-01 03:01 . 2010-08-21 04:59 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-10-01 03:01 . 2011-10-01 03:01 -------- dc----w- c:\windows\system32\DRVSTORE
2011-10-01 03:01 . 2011-10-01 17:45 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-10-01 03:01 . 2011-10-02 17:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-10-01 03:01 . 2011-10-01 17:47 -------- d-----w- c:\program files\Symantec
2011-10-01 03:00 . 2010-08-21 04:59 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2011-10-01 02:58 . 2011-10-02 00:28 -------- d-----w- c:\windows\system32\drivers\N360
2011-10-01 02:58 . 2011-10-01 02:58 -------- d-----w- c:\program files\Norton Security Suite
2011-10-01 02:57 . 2011-10-01 02:57 -------- d-----w- c:\program files\NortonInstaller
2011-09-30 17:32 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D5516B46-C02D-4565-8D96-244F759D5FEC}\mpengine.dll
2011-09-29 03:15 . 2011-09-29 03:15 -------- d-----w- c:\programdata\Kaspersky Lab
2011-09-28 18:03 . 2011-10-09 01:28 -------- d-----w- c:\users\Owner\AppData\Local\temp
2011-09-28 17:12 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-09-28 16:26 . 2011-09-28 16:26 -------- d-----w- c:\users\Owner\AppData\Roaming\oDonG4HJEgq
2011-09-28 16:26 . 2011-09-28 16:26 -------- d-----w- c:\users\Owner\AppData\Roaming\WaQH6WfLgZYwrNP
2011-09-28 07:17 . 2011-09-28 07:17 -------- d-----w- c:\users\Owner\AppData\Roaming\HhTCIBrzi35Q6W7
2011-09-28 07:17 . 2011-09-28 07:17 -------- d-----w- c:\users\Owner\AppData\Roaming\yIBrPyxAvoFGaWf
2011-09-28 05:11 . 2011-09-28 05:11 -------- d-----w- c:\users\Owner\AppData\Roaming\U5aQJ9hTXjCkBzN
2011-09-28 05:11 . 2011-09-28 05:11 -------- d-----w- c:\users\Owner\AppData\Roaming\NUCelIBrzNx1voF
2011-09-28 04:31 . 2011-09-28 04:31 -------- d-----w- c:\users\Owner\AppData\Roaming\A0ycS1DF4m5W7E8
2011-09-28 04:31 . 2011-09-28 04:31 -------- d-----w- c:\users\Owner\AppData\Roaming\Utx0ucS1iW7E8hC
2011-09-28 04:19 . 2011-09-28 04:19 -------- d-----w- c:\users\Owner\AppData\Roaming\JH6dWK7fRgXYAuS
2011-09-28 04:19 . 2011-09-28 04:19 -------- d-----w- c:\users\Owner\AppData\Roaming\RCekBrzOx0Sb3n5
2011-09-28 04:02 . 2011-09-28 04:02 -------- d-----w- c:\users\Owner\AppData\Roaming\RJf8gCivE8hVtPy
2011-09-28 04:02 . 2011-09-28 04:02 -------- d-----w- c:\users\Owner\AppData\Roaming\nOxA0uc7I0c1baH
2011-09-28 03:50 . 2011-09-28 03:50 -------- d-----w- c:\users\Owner\AppData\Roaming\WCwkUVlOBx01DoF
2011-09-28 03:50 . 2011-09-28 03:50 -------- d-----w- c:\users\Owner\AppData\Roaming\GonG4amH6W7E8Tq
2011-09-28 03:41 . 2011-09-28 03:41 -------- d-----w- c:\users\Owner\AppData\Roaming\qP0ycivDYwBJdKX
2011-09-28 03:41 . 2011-09-28 03:41 -------- d-----w- c:\users\Owner\AppData\Roaming\SELOBSivDm6JfLr
2011-09-28 03:19 . 2011-09-28 03:19 -------- d-----w- c:\users\Owner\AppData\Roaming\pKNtxA0c2b3nQ6W
2011-09-28 03:19 . 2011-09-28 03:19 -------- d-----w- c:\users\Owner\AppData\Roaming\xCekIBryx0v
2011-09-28 01:52 . 2011-09-28 01:52 -------- d-----w- c:\users\Owner\AppData\Roaming\WqwkUVelOtPy
2011-09-28 01:52 . 2011-09-28 01:52 -------- d-----w- c:\users\Owner\AppData\Roaming\gONt04amHsJ
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-01 03:43 . 2011-05-22 02:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-07 16:49 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-07-22 04:54 . 2011-08-11 03:03 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-16 04:27 . 2011-08-11 03:03 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:17 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17 . 2011-08-11 03:03 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-16 02:17 . 2011-08-11 03:03 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2010-03-25 18:07 . 2010-09-05 02:33 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-06 7600672]
"Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2009-09-30 703008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-08-18 1157128]
"Camera Assistant Software"="c:\program files\Video Web Camera\traybar.exe" [2009-08-05 630784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-09-03 1557800]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-08-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-03-25 124224]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-11-29 443728]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
.
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
win2119b744.lnk - c:\users\Owner\AppData\Local\Temp\win2119b744.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleverKeys]
2010-02-22 15:15 542208 ----a-w- c:\program files\Dictionary.com\CleverKeys\CK.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\users\Owner\AppData\Roaming\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Persistence"=c:\windows\system32\igfxpers.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ICDUSB3;ICDUSB3;c:\windows\system32\Drivers\ICDUSB3.sys [2008-08-18 11264]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-03-25 66600]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-24 167424]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SYMDS.SYS [2011-01-27 340088]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SYMEFA.SYS [2011-03-15 744568]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110929.001\BHDrvx86.sys [2011-09-29 816760]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20111007.030\IDSvix86.sys [2011-09-30 368248]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.SYS [2010-11-16 136312]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360\0501000.01D\SYMNETS.SYS [2011-07-08 299640]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2009-09-30 727584]
S2 Greg_Service;GRegService;c:\program files\Gateway\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-11-29 363344]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [2010-03-25 22816]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-03-25 70728]
S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe [2011-04-17 130008]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-09-30 105592]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-27 51712]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-29 20952]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-08-07 13:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt20&r=27b50110x445l0394wwl5a4932u229
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt20&r=27b50110x445l0394wwl5a4932u229
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: c:\program files\LeahScape\FoxyProxy Video Utility\FPServiceProvider.dll
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac2.wellesley.edu/auth/taweb.cab
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\28owc43x.default\
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: Diccionario en Español para Venezuela: es-ve@dictionaries.addons.mozilla.org - %profile%\extensions\es-ve@dictionaries.addons.mozilla.org
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4776)
c:\program files\Gateway\Gateway Power Management\SysHook.dll
c:\windows\System32\SyncCenter.dll
.
Completion time: 2011-10-08 21:39:10
ComboFix-quarantined-files.txt 2011-10-09 01:39
ComboFix2.txt 2011-09-28 20:23
.
Pre-Run: 193,089,396,736 bytes free
Post-Run: 192,972,386,304 bytes free
.
- - End Of File - - 2DF6CD8366E9CBA0C88D83A10AF3441D

Attached Files



#9 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:29 AM

Posted 09 October 2011 - 02:41 PM

Hi there,


I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Norton or McAfee.

=================================================================================================================


Does this program delete files in the Recycle Bin?


I am not aware of Combofix emptying the Recycle Bin, it can empty the Temp folder, reset the DNS cache but not empty Recycle Bin. It might have been another program, there are programs which empty your Recycle Bin on installation. :)


====================================================================================================================



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\users\Owner\AppData\Local\Temp\win2119b744.exe
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win2119b744.lnk



Folder::
c:\users\Owner\AppData\Roaming\oDonG4HJEgq
c:\users\Owner\AppData\Roaming\WaQH6WfLgZYwrNP
c:\users\Owner\AppData\Roaming\HhTCIBrzi35Q6W7
c:\users\Owner\AppData\Roaming\yIBrPyxAvoFGaWf
c:\users\Owner\AppData\Roaming\U5aQJ9hTXjCkBzN
c:\users\Owner\AppData\Roaming\NUCelIBrzNx1voF
c:\users\Owner\AppData\Roaming\A0ycS1DF4m5W7E8
c:\users\Owner\AppData\Roaming\Utx0ucS1iW7E8hC
c:\users\Owner\AppData\Roaming\JH6dWK7fRgXYAuS
c:\users\Owner\AppData\Roaming\RCekBrzOx0Sb3n5
c:\users\Owner\AppData\Roaming\RJf8gCivE8hVtPy
c:\users\Owner\AppData\Roaming\nOxA0uc7I0c1baH
c:\users\Owner\AppData\Roaming\WCwkUVlOBx01DoF
c:\users\Owner\AppData\Roaming\GonG4amH6W7E8Tq
c:\users\Owner\AppData\Roaming\qP0ycivDYwBJdKX
c:\users\Owner\AppData\Roaming\SELOBSivDm6JfLr
c:\users\Owner\AppData\Roaming\pKNtxA0c2b3nQ6W
c:\users\Owner\AppData\Roaming\xCekIBryx0v
c:\users\Owner\AppData\Roaming\WqwkUVelOtPy
c:\users\Owner\AppData\Roaming\gONt04amHsJ


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.






Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#10 Cendy

Cendy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 10 October 2011 - 02:02 PM

Hi Blind Faith,

Thank you for answering my questions and for the advice. I decided to uninstall Norton if that makes any difference. I had trouble disabling Mcafee, as I could determine how to get to the part of the program that was still running. I ran Combofix anyway, hopefully it didn't affect the run. The log is below. Thanks again!

ComboFix 11-10-10.01 - Owner 10/10/2011 7:58.3.2 - x86
Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1014.372 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Owner\AppData\Local\Temp\win2119b744.exe"
"c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win2119b744.lnk"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Owner\AppData\Roaming\A0ycS1DF4m5W7E8
c:\users\Owner\AppData\Roaming\GonG4amH6W7E8Tq
c:\users\Owner\AppData\Roaming\gONt04amHsJ
c:\users\Owner\AppData\Roaming\HhTCIBrzi35Q6W7
c:\users\Owner\AppData\Roaming\JH6dWK7fRgXYAuS
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win2119b744.lnk
c:\users\Owner\AppData\Roaming\nOxA0uc7I0c1baH
c:\users\Owner\AppData\Roaming\NUCelIBrzNx1voF
c:\users\Owner\AppData\Roaming\oDonG4HJEgq
c:\users\Owner\AppData\Roaming\pKNtxA0c2b3nQ6W
c:\users\Owner\AppData\Roaming\qP0ycivDYwBJdKX
c:\users\Owner\AppData\Roaming\RCekBrzOx0Sb3n5
c:\users\Owner\AppData\Roaming\RJf8gCivE8hVtPy
c:\users\Owner\AppData\Roaming\SELOBSivDm6JfLr
c:\users\Owner\AppData\Roaming\U5aQJ9hTXjCkBzN
c:\users\Owner\AppData\Roaming\Utx0ucS1iW7E8hC
c:\users\Owner\AppData\Roaming\WaQH6WfLgZYwrNP
c:\users\Owner\AppData\Roaming\WCwkUVlOBx01DoF
c:\users\Owner\AppData\Roaming\WqwkUVelOtPy
c:\users\Owner\AppData\Roaming\xCekIBryx0v
c:\users\Owner\AppData\Roaming\yIBrPyxAvoFGaWf
.
.
((((((((((((((((((((((((( Files Created from 2011-09-10 to 2011-10-10 )))))))))))))))))))))))))))))))
.
.
2011-10-10 14:01 . 2011-10-10 14:02 -------- d-----w- c:\users\Owner\AppData\Local\temp
2011-10-10 14:01 . 2011-10-10 14:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-10 11:19 . 2011-10-10 11:19 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1D82446F-6937-440F-89D9-F85AB4ABFE12}\offreg.dll
2011-10-10 04:05 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1D82446F-6937-440F-89D9-F85AB4ABFE12}\mpengine.dll
2011-10-06 02:30 . 2011-10-09 01:27 -------- d-----w- c:\users\Owner\AppData\Local\CrashDumps
2011-10-01 03:01 . 2011-10-10 04:00 -------- dc----w- c:\windows\system32\DRVSTORE
2011-09-29 03:15 . 2011-09-29 03:15 -------- d-----w- c:\programdata\Kaspersky Lab
2011-09-28 17:12 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-01 03:43 . 2011-05-22 02:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-07 16:49 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-07-22 04:54 . 2011-08-11 03:03 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-16 04:27 . 2011-08-11 03:03 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:15 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:17 . 2011-08-11 03:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17 . 2011-08-11 03:03 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17 . 2011-08-11 03:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-16 02:17 . 2011-08-11 03:03 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2010-03-25 18:07 . 2010-09-05 02:33 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-06 7600672]
"Acer ePower Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2009-09-30 703008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-08-18 1157128]
"Camera Assistant Software"="c:\program files\Video Web Camera\traybar.exe" [2009-08-05 630784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-09-03 1557800]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-08-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-03-25 124224]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-11-29 443728]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleverKeys]
2010-02-22 15:15 542208 ----a-w- c:\program files\Dictionary.com\CleverKeys\CK.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\users\Owner\AppData\Roaming\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Persistence"=c:\windows\system32\igfxpers.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [2010-03-25 22816]
R3 ICDUSB3;ICDUSB3;c:\windows\system32\Drivers\ICDUSB3.sys [2008-08-18 11264]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-03-25 66600]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-24 167424]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ePowerSvc;Acer ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [2009-09-30 727584]
S2 Greg_Service;GRegService;c:\program files\Gateway\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-11-29 363344]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-03-25 70728]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-27 51712]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-29 20952]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-10 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-08-07 13:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt20&r=27b50110x445l0394wwl5a4932u229
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt20&r=27b50110x445l0394wwl5a4932u229
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: c:\program files\LeahScape\FoxyProxy Video Utility\FPServiceProvider.dll
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://nac2.wellesley.edu/auth/taweb.cab
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\28owc43x.default\
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: Diccionario en Español para Venezuela: es-ve@dictionaries.addons.mozilla.org - %profile%\extensions\es-ve@dictionaries.addons.mozilla.org
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-10-10 10:09:43
ComboFix-quarantined-files.txt 2011-10-10 14:09
ComboFix2.txt 2011-10-09 01:39
ComboFix3.txt 2011-09-28 20:23
.
Pre-Run: 194,105,413,632 bytes free
Post-Run: 193,684,127,744 bytes free
.
- - End Of File - - E649ACE71E5A4D3ABFFF07FF3B8866AE

#11 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:29 AM

Posted 12 October 2011 - 11:01 AM

Hi there :)


Please let us know how is your system working, what problems are still up to date so we get an idea about what we still have to fix. :)


============================================================================================================

Please open Malwarebytes' Anti-Malware and update it from the Update tab.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.





Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#12 Cendy

Cendy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 12 October 2011 - 12:57 PM

Hello! Is it ok to run TDSS as well? The last time Malwarebytes didn't detect the root infection, but TDSS did. Thanks!

#13 Cendy

Cendy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 12 October 2011 - 02:19 PM

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 7929

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

10/12/2011 2:57:33 PM
mbam-log-2011-10-12 (14-57-33).txt

Scan type: Quick scan
Objects scanned: 170026
Time elapsed: 24 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Owner\AppData\Roaming\ldr.ini (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\ldr.ini (Malware.Trace) -> Quarantined and deleted successfully.

#14 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:29 AM

Posted 14 October 2011 - 07:02 AM

Hi there,



I would like you to run TDSSKiller once more just to ensure the rootkit it had detected it isn't present in the system anymore.


Please follow the next instructions, just to be sure you run it correctly. :)



Download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#15 Cendy

Cendy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 14 October 2011 - 10:16 AM

Dear Blind Faith,

Thank you so much for your help throughout this process! The TDSS killer did not detect anymore infections! Yay! I can now catch up on the work I had before encountering this infection. I am so thankful for you and the help you extended. Thank you times a million! Please let me know if there is anything I can do in return! Can't guarantee I'll be as helpful as you, though! :)

Best wishes,
Leslie




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users