SystemRestore Virus


This topic is locked
17 replies to this topic

#1 kkamy

  • Members
  • 42 posts

Posted 04 November 2011 - 11:20 AM

Last night my computer suddenly became infected with the System Restore Virus. I followed the steps in the System Restore removal guide (rkill, tdsskiller, malwarebytes) and it seemed to remove all popups and visible traces of the virus on my computer (icons, notifications etc). I then ran the unhide program and that returned some of my icons. However my desktop is still missing many icons and while my start menu items have returned, most of the folders appear as empty. Also I cannot enable my Windows Firewall. I'm not sure how to proceed. I have read the steps to complete prior to posting here and have run DDS.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.6001.19154 BrowserJavaVersion: 1.6.0_29
Run by Kerri at 12:04:02 on 2011-11-04
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4056.1649 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Lenovo\OnekeyDM\OnekeyDM.exe
C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files (x86)\Virtual Account Numbers\CitiVAN.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\SysWOW64\OBroker.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://lenovo.live.com/
mDefault_Page_URL = hxxp://www.lenovo.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Virtual Account Numbers Helper: {17424104-1444-4810-85d7-b4da413c5a9a} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
TB: Virtual Account Numbers: {7a21a046-b886-4a62-9d69-ef2059b0a27b} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-8398-26FADCF27386} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
mRun: [OnekeyDM] C:\Program Files (x86)\Lenovo\OnekeyDM\OnekeyDM.exe
mRun: [VeriFaceManager] "C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe"
mRun: [UpdateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0"
mRun: [EnergyUtility] "C:\Program Files (x86)\Lenovo\Energy Management\utility.exe"
mRun: [Energy Management] "C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe"
mRun: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [BlackBerryAutoUpdate] C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
mRun: [Citi Virtual Account Numbers] C:\PROGRA~2\VIRTUA~1\CitiVAN.exe /lang=en_RG /dontopenmycards
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
dRun: [<NO NAME>]
StartupFolder: C:\Users\Kerri\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 10.10.1.3 10.10.1.4
TCP: Interfaces\{AAF8E5AF-190E-4005-95E1-983BE0EDF558} : DhcpNameServer = 10.10.1.3 10.10.1.4
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Virtual Account Numbers Helper: {17424104-1444-4810-85D7-B4DA413C5A9A} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANHelper.dll
BHO-X64: Virtual Account Numbers Helper - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO-X64: Windows Live Toolbar Helper: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
BHO-X64: 0x1 - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
TB-X64: Virtual Account Numbers: {7A21A046-B886-4A62-9D69-EF2059B0A27B} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANToolbar.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {A057A204-BACC-4D26-8398-26FADCF27386} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [OnekeyDM] C:\Program Files (x86)\Lenovo\OnekeyDM\OnekeyDM.exe
mRun-x64: [VeriFaceManager] "C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe"
mRun-x64: [UpdateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0"
mRun-x64: [EnergyUtility] "C:\Program Files (x86)\Lenovo\Energy Management\utility.exe"
mRun-x64: [Energy Management] "C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe"
mRun-x64: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [BlackBerryAutoUpdate] C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
mRun-x64: [Citi Virtual Account Numbers] C:\PROGRA~2\VIRTUA~1\CitiVAN.exe /lang=en_RG /dontopenmycards
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Kerri\AppData\Roaming\Mozilla\Firefox\Profiles\01k64gvo.default\
FF - component: C:\Program Files (x86)\Virtual Account Numbers\components\SlimOrbAddonCitiVAN.dll
FF - component: C:\Users\Kerri\AppData\Roaming\Mozilla\Firefox\Profiles\01k64gvo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: C:\Users\Kerri\AppData\Roaming\Mozilla\Firefox\Profiles\01k64gvo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Users\Kerri\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: C:\Users\Kerri\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: C:\Users\Kerri\AppData\Roaming\Mozilla\Firefox\Profiles\01k64gvo.default\extensions\2020Player@2020Technologies.com\plugins\NP2020Player.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 funfrm;funfrm;C:\Windows\system32\drivers\funfrm.sys --> C:\Windows\system32\drivers\funfrm.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [2009-5-9 434176]
R2 tvtumon;tvtumon;C:\Windows\system32\DRIVERS\tvtumon.sys --> C:\Windows\system32\DRIVERS\tvtumon.sys [?]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\Windows\system32\DRIVERS\AcpiVpc.sys --> C:\Windows\system32\DRIVERS\AcpiVpc.sys [?]
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
R3 enecirhid;ENE CIR HID Receiver;C:\Windows\system32\DRIVERS\enecirhid.sys --> C:\Windows\system32\DRIVERS\enecirhid.sys [?]
R3 enecirhidma;ENE CIR HIDmini Filter;C:\Windows\system32\DRIVERS\enecirhidma.sys --> C:\Windows\system32\DRIVERS\enecirhidma.sys [?]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw5v64.sys --> C:\Windows\system32\DRIVERS\NETw5v64.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 usbsmi;Lenovo EasyCamera;C:\Windows\system32\DRIVERS\SMIksdrv.sys --> C:\Windows\system32\DRIVERS\SMIksdrv.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-13 135664]
S3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60a.sys --> C:\Windows\system32\DRIVERS\b57nd60a.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-13 135664]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\47B.tmp --> C:\Windows\system32\47B.tmp [?]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
S3 WSVD;WSVD;\??\C:\Windows\system32\drivers\WSVD.sys --> C:\Windows\system32\drivers\WSVD.sys [?]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-12-3 89920]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-11-04 16:01:33 472808 ----a-w- C:\Windows\SysWow64\REN428B.tmp
2011-11-04 15:47:50 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{85809A55-0376-4330-93A5-DA7AC9535994}\offreg.dll
2011-11-04 13:23:09 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{85809A55-0376-4330-93A5-DA7AC9535994}\mpengine.dll
2011-11-04 08:15:52 725200 ----a-w- C:\Windows\SysWow64\PerfStringBackup.TMP
2011-11-04 02:11:28 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2011-11-04 00:38:31 0 ----a-w- C:\ProgramData\9lVK7dmpdonxRW.exe
2011-11-04 00:35:35 -------- d-----we C:\Windows\system64
2011-10-25 19:30:38 6144 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2011-10-25 19:30:38 6144 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2011-10-16 18:37:26 -------- d-----w- C:\Program Files\iPod
2011-10-16 18:37:16 -------- d-----w- C:\Program Files\iTunes
2011-10-16 18:31:49 -------- d-----w- C:\Program Files\Bonjour
2011-10-16 18:31:49 -------- d-----w- C:\Program Files (x86)\Bonjour
2011-10-13 01:54:57 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2011-10-13 01:54:57 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
2011-10-13 01:54:55 375808 ----a-w- C:\Windows\System32\psisdecd.dll
2011-10-13 01:54:55 293376 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-10-13 01:54:55 217088 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2011-10-13 01:54:54 69632 ----a-w- C:\Windows\SysWow64\Mpeg2Data.ax
2011-10-13 01:54:54 289792 ----a-w- C:\Windows\System32\psisrndr.ax
2011-10-13 01:54:54 100352 ----a-w- C:\Windows\System32\Mpeg2Data.ax
2011-10-13 01:54:53 73216 ----a-w- C:\Windows\System32\MSDvbNP.ax
2011-10-13 01:54:53 57856 ----a-w- C:\Windows\SysWow64\MSDvbNP.ax
2011-10-11 19:24:21 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CC458279-8D62-4E2B-A3EF-D6B42A19EDB4}\gapaengine.dll
2011-10-09 13:14:16 466944 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll
2011-10-09 13:14:15 -------- d-----w- C:\Users\Kerri\AppData\Roaming\Catalina Marketing Corp
2011-10-09 13:14:12 485576 ----a-w- C:\Users\Kerri\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
.
==================== Find3M ====================
.
2011-10-28 18:55:14 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-30 23:25:35 1147904 ----a-w- C:\Windows\System32\wininet.dll
2011-09-30 23:21:20 56832 ----a-w- C:\Windows\System32\licmgr10.dll
2011-09-30 23:21:00 1538560 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-09-30 23:20:40 132096 ----a-w- C:\Windows\System32\iesysprep.dll
2011-09-30 23:20:39 77312 ----a-w- C:\Windows\System32\iesetup.dll
2011-09-30 23:06:24 916480 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-30 23:02:06 43520 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-09-30 23:01:51 1469440 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-09-30 23:01:34 71680 ----a-w- C:\Windows\SysWow64\iesetup.dll
2011-09-30 23:01:34 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2011-09-30 22:29:23 479232 ----a-w- C:\Windows\System32\html.iec
2011-09-30 22:07:25 385024 ----a-w- C:\Windows\SysWow64\html.iec
2011-09-30 21:48:19 162816 ----a-w- C:\Windows\System32\ieUnatt.exe
2011-09-30 21:47:04 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-30 21:29:54 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2011-09-30 21:28:36 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-09-06 13:56:50 2764288 ----a-w- C:\Windows\System32\win32k.sys
2011-08-31 21:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-08-31 03:05:32 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-08-31 03:05:32 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-08-31 03:05:04 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-08-31 03:05:04 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-08-25 16:20:38 735744 ----a-w- C:\Windows\System32\UIAutomationCore.dll
2011-08-25 16:19:32 847360 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-25 16:19:32 332288 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-25 16:15:04 555520 ----a-w- C:\Windows\SysWow64\UIAutomationCore.dll
2011-08-25 16:14:01 563712 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-25 16:14:01 238080 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-25 13:54:14 4096 ----a-w- C:\Windows\System32\oleaccrc.dll
2011-08-25 13:31:01 4096 ----a-w- C:\Windows\SysWow64\oleaccrc.dll
.
============= FINISH: 12:04:57.75 ===============

#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,665 posts
  • Gender:Male

Posted 09 November 2011 - 11:25 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/426308 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 kkamy

  • Topic Starter
  • Members
  • 42 posts

Posted 09 November 2011 - 12:04 PM

As I posted previously, I was infected with the System Restore Virus last week. I followed the System Restore removal guide posted on the site. I ran rkill, tdsskiller and malwarebytes, and it seemed to remove all popups and visible traces of the virus on my computer (icons, notifications etc). I then ran the unhide program and that returned some of my icons. However my desktop is still missing many icons and while my start menu items have returned, most of the folders appear as empty. Also I cannot enable my Windows Firewall. More recently (since my original post) I have begun to experience google redirects and ping.exe is constantly consuming 90% of memory. I can kill the process but within minutes it starts up again and its memory usage begins to climb again. I have re-run malwarebytes several times without it detecting anything while I was waiting. I will post DDS logs after they have run on my computer. I'm on a work computer at the moment. I'm running a 64-bit version of Vista so won't be able to run GMER.

#4 kkamy

  • Topic Starter
  • Members
  • 42 posts

Posted 09 November 2011 - 12:05 PM

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.6001.19154 BrowserJavaVersion: 1.6.0_29
Run by Kerri at 11:37:34 on 2011-11-09
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4056.2468 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Lenovo\OnekeyDM\OnekeyDM.exe
C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files (x86)\Virtual Account Numbers\CitiVAN.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\SysWOW64\OBroker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://lenovo.live.com/
mDefault_Page_URL = hxxp://www.lenovo.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Virtual Account Numbers Helper: {17424104-1444-4810-85d7-b4da413c5a9a} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
TB: Virtual Account Numbers: {7a21a046-b886-4a62-9d69-ef2059b0a27b} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-8398-26FADCF27386} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
mRun: [OnekeyDM] C:\Program Files (x86)\Lenovo\OnekeyDM\OnekeyDM.exe
mRun: [VeriFaceManager] "C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe"
mRun: [UpdateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0"
mRun: [EnergyUtility] "C:\Program Files (x86)\Lenovo\Energy Management\utility.exe"
mRun: [Energy Management] "C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe"
mRun: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [BlackBerryAutoUpdate] C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
mRun: [Citi Virtual Account Numbers] C:\PROGRA~2\VIRTUA~1\CitiVAN.exe /lang=en_RG /dontopenmycards
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
dRun: [<NO NAME>]
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 10.10.1.3 10.10.1.4
TCP: Interfaces\{AAF8E5AF-190E-4005-95E1-983BE0EDF558} : DhcpNameServer = 10.10.1.3 10.10.1.4
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Virtual Account Numbers Helper: {17424104-1444-4810-85D7-B4DA413C5A9A} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANHelper.dll
BHO-X64: Virtual Account Numbers Helper - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO-X64: Windows Live Toolbar Helper: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
BHO-X64: 0x1 - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
TB-X64: Virtual Account Numbers: {7A21A046-B886-4A62-9D69-EF2059B0A27B} - C:\Program Files (x86)\Virtual Account Numbers\CitiVANToolbar.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {A057A204-BACC-4D26-8398-26FADCF27386} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [OnekeyDM] C:\Program Files (x86)\Lenovo\OnekeyDM\OnekeyDM.exe
mRun-x64: [VeriFaceManager] "C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe"
mRun-x64: [UpdateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0"
mRun-x64: [EnergyUtility] "C:\Program Files (x86)\Lenovo\Energy Management\utility.exe"
mRun-x64: [Energy Management] "C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe"
mRun-x64: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [BlackBerryAutoUpdate] C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
mRun-x64: [Citi Virtual Account Numbers] C:\PROGRA~2\VIRTUA~1\CitiVAN.exe /lang=en_RG /dontopenmycards
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Kerri\AppData\Roaming\Mozilla\Firefox\Profiles\01k64gvo.default\
FF - component: C:\Program Files (x86)\Virtual Account Numbers\components\SlimOrbAddonCitiVAN.dll
FF - component: C:\Users\Kerri\AppData\Roaming\Mozilla\Firefox\Profiles\01k64gvo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: C:\Users\Kerri\AppData\Roaming\Mozilla\Firefox\Profiles\01k64gvo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Users\Kerri\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: C:\Users\Kerri\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: C:\Users\Kerri\AppData\Roaming\Mozilla\Firefox\Profiles\01k64gvo.default\extensions\2020Player@2020Technologies.com\plugins\NP2020Player.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 funfrm;funfrm;C:\Windows\system32\drivers\funfrm.sys --> C:\Windows\system32\drivers\funfrm.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [2009-5-9 434176]
R2 tvtumon;tvtumon;C:\Windows\system32\DRIVERS\tvtumon.sys --> C:\Windows\system32\DRIVERS\tvtumon.sys [?]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\Windows\system32\DRIVERS\AcpiVpc.sys --> C:\Windows\system32\DRIVERS\AcpiVpc.sys [?]
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
R3 enecirhid;ENE CIR HID Receiver;C:\Windows\system32\DRIVERS\enecirhid.sys --> C:\Windows\system32\DRIVERS\enecirhid.sys [?]
R3 enecirhidma;ENE CIR HIDmini Filter;C:\Windows\system32\DRIVERS\enecirhidma.sys --> C:\Windows\system32\DRIVERS\enecirhidma.sys [?]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw5v64.sys --> C:\Windows\system32\DRIVERS\NETw5v64.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 usbsmi;Lenovo EasyCamera;C:\Windows\system32\DRIVERS\SMIksdrv.sys --> C:\Windows\system32\DRIVERS\SMIksdrv.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-12 135664]
S3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60a.sys --> C:\Windows\system32\DRIVERS\b57nd60a.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-12 135664]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\47B.tmp --> C:\Windows\system32\47B.tmp [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
S3 WSVD;WSVD;\??\C:\Windows\system32\drivers\WSVD.sys --> C:\Windows\system32\drivers\WSVD.sys [?]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-12-3 89920]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-11-09 16:36:19 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B9DEE435-EB74-44AE-8B30-00C5B2842E0A}\offreg.dll
2011-11-09 16:36:12 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B9DEE435-EB74-44AE-8B30-00C5B2842E0A}\mpengine.dll
2011-11-04 20:29:42 -------- d-----w- C:\Users\Kerri\AppData\Roaming\SUPERAntiSpyware.com
2011-11-04 08:15:52 725200 ----a-w- C:\Windows\SysWow64\PerfStringBackup.TMP
2011-11-04 02:11:28 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2011-11-04 00:38:31 0 ----a-w- C:\ProgramData\9lVK7dmpdonxRW.exe
2011-11-04 00:35:35 -------- d-----we C:\Windows\system64
2011-10-25 19:30:38 6144 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2011-10-25 19:30:38 6144 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2011-10-16 18:37:26 -------- d-----w- C:\Program Files\iPod
2011-10-16 18:37:16 -------- d-----w- C:\Program Files\iTunes
2011-10-16 18:31:49 -------- d-----w- C:\Program Files\Bonjour
2011-10-16 18:31:49 -------- d-----w- C:\Program Files (x86)\Bonjour
2011-10-13 01:54:57 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2011-10-13 01:54:57 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
2011-10-13 01:54:55 375808 ----a-w- C:\Windows\System32\psisdecd.dll
2011-10-13 01:54:55 293376 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-10-13 01:54:55 217088 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2011-10-13 01:54:54 69632 ----a-w- C:\Windows\SysWow64\Mpeg2Data.ax
2011-10-13 01:54:54 289792 ----a-w- C:\Windows\System32\psisrndr.ax
2011-10-13 01:54:54 100352 ----a-w- C:\Windows\System32\Mpeg2Data.ax
2011-10-13 01:54:53 73216 ----a-w- C:\Windows\System32\MSDvbNP.ax
2011-10-13 01:54:53 57856 ----a-w- C:\Windows\SysWow64\MSDvbNP.ax
2011-10-11 19:24:21 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CC458279-8D62-4E2B-A3EF-D6B42A19EDB4}\gapaengine.dll
.
==================== Find3M ====================
.
2011-10-28 18:55:14 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-03 09:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-09-30 23:25:35 1147904 ----a-w- C:\Windows\System32\wininet.dll
2011-09-30 23:21:20 56832 ----a-w- C:\Windows\System32\licmgr10.dll
2011-09-30 23:21:00 1538560 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-09-30 23:20:40 132096 ----a-w- C:\Windows\System32\iesysprep.dll
2011-09-30 23:20:39 77312 ----a-w- C:\Windows\System32\iesetup.dll
2011-09-30 23:06:24 916480 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-30 23:02:06 43520 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-09-30 23:01:51 1469440 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-09-30 23:01:34 71680 ----a-w- C:\Windows\SysWow64\iesetup.dll
2011-09-30 23:01:34 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2011-09-30 22:29:23 479232 ----a-w- C:\Windows\System32\html.iec
2011-09-30 22:07:25 385024 ----a-w- C:\Windows\SysWow64\html.iec
2011-09-30 21:48:19 162816 ----a-w- C:\Windows\System32\ieUnatt.exe
2011-09-30 21:47:04 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-30 21:29:54 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2011-09-30 21:28:36 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-09-06 13:56:50 2764288 ----a-w- C:\Windows\System32\win32k.sys
2011-08-31 21:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-08-31 03:05:32 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-08-31 03:05:32 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-08-31 03:05:04 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-08-31 03:05:04 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-08-25 16:20:38 735744 ----a-w- C:\Windows\System32\UIAutomationCore.dll
2011-08-25 16:19:32 847360 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-25 16:19:32 332288 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-25 16:15:04 555520 ----a-w- C:\Windows\SysWow64\UIAutomationCore.dll
2011-08-25 16:14:01 563712 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-25 16:14:01 238080 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-25 13:54:14 4096 ----a-w- C:\Windows\System32\oleaccrc.dll
2011-08-25 13:31:01 4096 ----a-w- C:\Windows\SysWow64\oleaccrc.dll
.
============= FINISH: 11:40:25.51 ===============

Attached Files
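A short triage pass over the DDS sections posted above, as an added example that is not part of kkamy's post, the helper's instructions, or DDS itself: it parses the Created Last 30 and SERVICES / DRIVERS sections and flags the entries a responder would want to look at first. The heuristics, the assumed infection window, and the list of known system directory names are my own assumptions.

```python
"""Triage heuristics for the 'Created Last 30' and 'SERVICES / DRIVERS'
sections of a DDS log. Added example: the section parsing, the heuristics and
the infection window are assumptions of this example, not a DDS feature and
not the thread's own method."""
import re
from datetime import datetime

# Sample lines copied from the DDS log posted above, with DDS's own section headers.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\47B.tmp --> C:\Windows\system32\47B.tmp [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
.
=============== Created Last 30 ================
.
2011-11-09 16:36:19 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B9DEE435-EB74-44AE-8B30-00C5B2842E0A}\offreg.dll
2011-11-04 02:11:28 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2011-11-04 00:38:31 0 ----a-w- C:\ProgramData\9lVK7dmpdonxRW.exe
2011-11-04 00:35:35 -------- d-----we C:\Windows\system64
2011-10-25 19:30:38 6144 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
.
==================== Find3M ====================
"""

# Assumed window: the poster reported the infection as "last night" before the
# 4 November post, and the log shows file activity just after midnight that day.
INFECTION_WINDOW = (datetime(2011, 11, 4, 0, 0, 0), datetime(2011, 11, 4, 1, 0, 0))

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# <date time> <size or dashes> <attributes> <path>
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+|-+) (\S+) (.+)$")
# <Rn/Sn> <name>;<display name>;<image path>[ --> ...][ [details]]
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?)(?: --> .+)?(?: \[[^\]]*\])?$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".tmp")
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\temp\\")
# Genuine top-level system directory names on this Vista x64 layout (assumption, not exhaustive).
KNOWN_SYSTEM_DIRS = {"system", "system32", "syswow64"}


def parse_sections(text):
    """Split a DDS log into {section title: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current and line and line != ".":
            sections[current].append(line)
    return sections


def looks_random(filename):
    """Crude check: a long stem mixing digits with upper- and lower-case letters."""
    stem = filename.rsplit(".", 1)[0]
    return (len(stem) >= 10 and any(c.isdigit() for c in stem)
            and any(c.islower() for c in stem) and any(c.isupper() for c in stem))


def triage(text, window_start, window_end):
    """Return {path: [reasons]} for entries worth a closer look."""
    findings = {}

    def flag(path, reason):
        findings.setdefault(path, []).append(reason)

    sections = parse_sections(text)
    for line in sections.get("Created Last 30", []):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        size = int(m.group(2)) if m.group(2).isdigit() else None
        attrs, path = m.group(3), m.group(4)
        low, name = path.lower(), path.rsplit("\\", 1)[-1]
        is_dir = attrs.startswith("d")
        if (not is_dir and size == 0 and low.endswith(EXEC_EXT)
                and looks_random(name) and any(w in low for w in USER_WRITABLE)):
            flag(path, "zero-byte executable with random-looking name in a user-writable location")
        if (is_dir and low.startswith("c:\\windows\\") and low.count("\\") == 2
                and re.fullmatch(r"sys\w*", name.lower()) and name.lower() not in KNOWN_SYSTEM_DIRS):
            flag(path, "directory under C:\\Windows mimicking a system directory name")
        if window_start <= created <= window_end:
            flag(path, "created inside the reported infection window")

    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        image = m.group(4)
        if image.startswith("\\??\\"):
            image = image[4:]
        low = image.lower()
        if low.endswith(".tmp") or any(w in low for w in USER_WRITABLE):
            flag(image, "service/driver image is a .tmp file or lives in a user-writable "
                        "location; confirm what created it before acting")
    return findings


def triage_sample():
    """Run the heuristics over the sample lines with the assumed window."""
    return triage(SAMPLE_LOG, *INFECTION_WINDOW)


if __name__ == "__main__":
    for path, reasons in triage_sample().items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```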



#5 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • OFFLINE
  • Gender:Male
  • Location:South East Asia
  • Local time:02:47 PM

Posted 09 November 2011 - 07:27 PM

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Watch Topic near the top of the page, then select Immediate Notification. Click on Proceed. If it shows Stop watching topic, it means you are already subscribed.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 5 days, this topic will be closed. If you have since resolved the original problem you were having, we would appreciate you letting us know.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#6 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • OFFLINE
  • Gender:Male
  • Location:South East Asia
  • Local time:02:47 PM

Posted 09 November 2011 - 07:32 PM

Hello kkamy :),

Welcome to Bleeping Computer. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
  • Please observe and follow these Board Rules and Terms of Use.
  • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  • Please read the instructions carefully and follow them closely, in the order they are presented to you.
  • If you have any doubts or problems during the fix, please stop and ask.
  • All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
  • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
  • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
  • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
  • If you do not reply within 5 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :) . We may begin.

--------------------

Your computer has/had some serious infections with rootkit/backdoor capabilities.
Sorry for the bad news. Backdoors provide outsiders full access to your computer, enabling them to record keystrokes, steal passwords, spread malware, and even use it for other illegal activities.

If your computer has been used for important or sensitive data such as online banking, shopping or any other financial transactions, I strongly recommend that you do the following:
  • Disconnect from the Internet and any network immediately.
  • Inform your financial institutions that you may be a victim of identity theft and to put a watch on all your accounts or change them.
  • Change all your online passwords from a clean computer.
  • Take any other steps that you may think are necessary to prevent financial distress due to identity theft.

Due to the backdoor functionality, your computer is compromised and can no longer be fully trusted. Many experts in the security community believe that once tainted with this type of infection, the best course of action would be a reformat and reinstall of the OS. I too strongly recommend that you format your computer. We can still attempt to clean it if you wish, but due to the severity of the infections, I cannot guarantee it will be safe or clean afterwards. It is up to you to decide. Please let me know which course of action you wish to take.

Here are some reads to help you decide:
How to respond to possible ID theft and Internet fraud
When should I reformat?

--------------------

Please post back:
1. how you want to proceed

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#7 kkamy

kkamy
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 09 November 2011 - 07:50 PM

Unfortunately my computer came preloaded and I do not have copies of Vista to reinstall. With that in mind, my only option appears to be to try to clean the computer.

#8 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • OFFLINE
  • Gender:Male
  • Location:South East Asia
  • Local time:02:47 PM

Posted 10 November 2011 - 12:26 AM

Hello kkamy :),

What do you use the computer for?

I see that you have Virtual Account Numbers, so I hope you have taken the necessary precautions to prevent financial distress.

--------------------

We will start with a back up step.

This article, Windows 7 Backup and Restore, explains the whats and hows of using the Windows built-in backup tool. Vista should have a similar mechanism.

Some good and free alternative third-party backup or imaging software that you can consider are Cobian Backup and Macrium Reflect. A tutorial for Cobian Backup can be found here and for Macrium Reflect here.

For a paid version, Acronis True Image Home is a good option.

To create a boot CD with an alternative operating system, you can try Puppy Linux or xPUD.

After you have finished backing up, please let me know so that we can continue.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#9 kkamy

kkamy
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:01:47 AM

Posted 10 November 2011 - 08:49 AM

It's my personal computer, used for internet browsing, shopping, etc. Virtual account numbers ensure I never enter my actual cc number when shopping online.

Am I supposed to be backing up my personal files? They are already backed up to external sources (I back up all personal files regularly). If there is something else I am supposed to be backing up or creating please let me know. Otherwise I am ready for the next step.

#10 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • OFFLINE
  • Gender:Male
  • Location:South East Asia
  • Local time:02:47 PM

Posted 10 November 2011 - 09:25 AM

Hello kkamy :),

Yes, I am referring to backing up data. It is a good practice.

--------------------

For Windows Vista or Seven, please right-click and select Run as administrator instead of double-clicking to run all the tools I ask you to, or they may not work properly.

Please download ComboFix from one of the links below and save it to your desktop.

Link 1
Link 2

Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.

Run ComboFix
  • Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs when running ComboFix. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click on ComboFix.exe and follow the prompts. Please run it in Normal Mode.
  • When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
  • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
  • Re-enable your security software as soon as you have completed the ComboFix steps.
A detailed step by step tutorial to run ComboFix can be found here if you need help.

--------------------

Please post back:
1. the ComboFix log

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#11 kkamy

kkamy
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 11 November 2011 - 10:41 PM

Sorry for the delay. I did some research about how to procure discs to reinstall Vista as you recommended to ensure the security of my computer. Apparently Lenovo does not provide discs but does install One Key Recovery, which enables you to wipe out everything to the factory settings. After backing up my personal files to a second external source to be extra cautious, I utilized One Key Recovery to reset my computer to factory settings. It is currently going through the process of updating Vista with the updates that have occurred since that time. I am under the impression from my research that this is equivalent to reinstalling Vista and that I should be safe now. Am I correct? Should I still run DDS and post a log to make sure?

#12 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • OFFLINE
  • Gender:Male
  • Location:South East Asia
  • Local time:02:47 PM

Posted 12 November 2011 - 02:10 AM

Hello kkamy :),

You are doing well :thumbsup:.

We should take a look at the latest DDS log to be sure. At the same time, I believe you will be able to judge how the computer is behaving after the recovery. If both yield positive results, then you are good to go.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#13 kkamy

kkamy
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 12 November 2011 - 02:54 PM

So far the computer seems to be working without problems. No redirects or empty/hidden folders. So everything looks as it should. I ran DDS after Windows finished installing all of its updates to bring it up to date. Here are the logs:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Kerri at 14:48:12 on 2011-11-12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4056.1796 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe
C:\Windows\SysWOW64\IgrsSvcs.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Windows\system32\taskeng.exe
c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
C:\Program Files (x86)\DDNI\DIBS\DDNIService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Lenovo\Lenovo Desktop Navigator\DesktopNavigator.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe
C:\Program Files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe
C:\Program Files (x86)\Lenovo\ReadyComm\ReadyComm.exe
C:\Program Files (x86)\Lenovo\OnekeyDM\OnekeyDM.exe
C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\msiexec.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://lenovo.live.com/
mStart Page = hxxp://lenovo.live.com/
mDefault_Page_URL = hxxp://www.lenovo.com/
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\PROGRA~2\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
mRun: [MDS_Menu] "C:\Program Files (x86)\Lenovo\MediaShow\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\MediaShow" UpdateWithCreateOnce "Software\CyberLink\MediaShow\4.1"
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [CarboniteSetupLite] "C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe" /preinstalled
mRun: [IdeaNotesUser] C:\Program Files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe
mRun: [Readycomm] "C:\Program Files (x86)\Lenovo\ReadyComm\ReadyComm.exe"
mRun: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
mRun: [OnekeyDM] C:\Program Files (x86)\Lenovo\OnekeyDM\OnekeyDM.exe
mRun: [VeriFaceManager] "C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe"
mRun: [UpdateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0"
mRun: [EnergyUtility] "C:\Program Files (x86)\Lenovo\Energy Management\utility.exe"
mRun: [Energy Management] "C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
dRun: [<NO NAME>]
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DESKTO~1.LNK - C:\Program Files (x86)\Lenovo\Lenovo Desktop Navigator\DesktopNavigator.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AAF8E5AF-190E-4005-95E1-983BE0EDF558} : DhcpNameServer = 192.168.1.1
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
BHO-X64: NCO 2.0 IE BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~2\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Windows Live Toolbar Helper: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
BHO-X64: 0x1 - No File
TB-X64: Show Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
TB-X64: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
mRun-x64: [MDS_Menu] "C:\Program Files (x86)\Lenovo\MediaShow\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\MediaShow" UpdateWithCreateOnce "Software\CyberLink\MediaShow\4.1"
mRun-x64: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun-x64: [CarboniteSetupLite] "C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe" /preinstalled
mRun-x64: [IdeaNotesUser] C:\Program Files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe
mRun-x64: [Readycomm] "C:\Program Files (x86)\Lenovo\ReadyComm\ReadyComm.exe"
mRun-x64: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
mRun-x64: [OnekeyDM] C:\Program Files (x86)\Lenovo\OnekeyDM\OnekeyDM.exe
mRun-x64: [VeriFaceManager] "C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe"
mRun-x64: [UpdateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0"
mRun-x64: [EnergyUtility] "C:\Program Files (x86)\Lenovo\Energy Management\utility.exe"
mRun-x64: [Energy Management] "C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Kerri\AppData\Roaming\Mozilla\Firefox\Profiles\2qtbnapd.default\
FF - component: C:\Program Files (x86)\Mozilla Firefox\components\coFFPlgn.dll
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.
============= SERVICES / DRIVERS ===============
.
R1 funfrm;funfrm;C:\Windows\system32\drivers\funfrm.sys --> C:\Windows\system32\drivers\funfrm.sys [?]
R1 IDSvia64;Symantec Intrusion Prevention Driver;C:\PROGRA~3\Symantec\DEFINI~1\SymcData\ipsdefs\20111103.001\IDSvia64.sys [2011-11-11 383096]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 DDNIMSGService;DDNIMSGService;C:\Program Files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [2008-10-6 185008]
R2 DDNIService;DDNIService;C:\Program Files (x86)\DDNI\DIBS\DDNIService.exe [2009-5-9 164528]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 IGRS;IGRS;C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [2008-2-14 32768]
R2 IncSvc;Network Configuration;C:\Windows\System32\IgrsSvcs.exe -k IgrsSvcs --> C:\Windows\System32\IgrsSvcs.exe -k IgrsSvcs [?]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files (x86)\Common Files\Symantec Shared\CCSVCHST.EXE [2008-2-6 149352]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-10-14 994360]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2011-10-14 399416]
R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [2009-5-9 434176]
R2 tvtumon;tvtumon;C:\Windows\system32\DRIVERS\tvtumon.sys --> C:\Windows\system32\DRIVERS\tvtumon.sys [?]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\Windows\system32\DRIVERS\AcpiVpc.sys --> C:\Windows\system32\DRIVERS\AcpiVpc.sys [?]
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
R3 enecirhid;ENE CIR HID Receiver;C:\Windows\system32\DRIVERS\enecirhid.sys --> C:\Windows\system32\DRIVERS\enecirhid.sys [?]
R3 enecirhidma;ENE CIR HIDmini Filter;C:\Windows\system32\DRIVERS\enecirhidma.sys --> C:\Windows\system32\DRIVERS\enecirhidma.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-11 138360]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw5v64.sys --> C:\Windows\system32\DRIVERS\NETw5v64.sys [?]
R3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
R3 Symantec Core LC;Symantec Core LC;C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2009-5-9 1245064]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS --> C:\Windows\system32\Drivers\SYMNDISV.SYS [?]
R3 usbsmi;Lenovo EasyCamera;C:\Windows\system32\DRIVERS\SMIksdrv.sys --> C:\Windows\system32\DRIVERS\SMIksdrv.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60a.sys --> C:\Windows\system32\DRIVERS\b57nd60a.sys [?]
S3 COH_Mon;COH_Mon;\??\C:\Windows\system32\Drivers\COH_Mon.sys --> C:\Windows\system32\Drivers\COH_Mon.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 WSVD;WSVD;\??\C:\Windows\system32\drivers\WSVD.sys --> C:\Windows\system32\drivers\WSVD.sys [?]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2011-11-11 89920]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-11-12 19:39:08 876032 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-11-12 19:39:08 1653760 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-11-12 19:25:47 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FB140620-FEAA-4FEE-8BEB-A79AC811092C}\offreg.dll
2011-11-12 18:32:02 -------- d-----w- C:\Windows\SysWow64\spool
2011-11-12 18:32:00 -------- d-----w- C:\Program Files (x86)\Windows Portable Devices
2011-11-12 18:31:58 -------- d-----w- C:\Program Files\Windows Portable Devices
2011-11-12 18:15:21 167424 ----a-w- C:\Program Files\Windows Portable Devices\sqmapi.dll
2011-11-12 17:53:08 92672 ----a-w- C:\Windows\SysWow64\UIAnimation.dll
2011-11-12 17:53:08 103424 ----a-w- C:\Windows\System32\UIAnimation.dll
2011-11-12 17:53:06 3815424 ----a-w- C:\Windows\System32\UIRibbon.dll
2011-11-12 17:53:06 3023360 ----a-w- C:\Windows\SysWow64\UIRibbon.dll
2011-11-12 17:53:06 1164800 ----a-w- C:\Windows\SysWow64\UIRibbonRes.dll
2011-11-12 17:53:06 1164800 ----a-w- C:\Windows\System32\UIRibbonRes.dll
2011-11-12 17:20:59 288768 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2011-11-12 17:20:58 479744 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-11-12 17:20:57 1555968 ----a-w- C:\Windows\System32\DWrite.dll
2011-11-12 17:20:57 1149440 ----a-w- C:\Windows\System32\FntCache.dll
2011-11-12 17:20:57 1068544 ----a-w- C:\Windows\SysWow64\DWrite.dll
2011-11-12 17:20:20 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-11-12 17:20:20 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-11-12 17:20:14 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2011-11-12 17:20:14 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
2011-11-12 17:20:12 893440 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-12 17:20:12 707584 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-12 17:20:12 50688 ----a-w- C:\Program Files\Windows Mail\wabimp.dll
2011-11-12 17:19:27 4699536 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-11-12 17:19:10 316928 ----a-w- C:\Windows\System32\msshsq.dll
2011-11-12 17:19:10 231424 ----a-w- C:\Windows\SysWow64\msshsq.dll
2011-11-12 17:19:03 451072 ----a-w- C:\Windows\System32\winsrv.dll
2011-11-12 17:19:01 6144 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2011-11-12 17:19:01 6144 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2011-11-12 17:11:17 73216 ----a-w- C:\Windows\System32\MSDvbNP.ax
2011-11-12 17:11:17 69632 ----a-w- C:\Windows\SysWow64\Mpeg2Data.ax
2011-11-12 17:11:17 57856 ----a-w- C:\Windows\SysWow64\MSDvbNP.ax
2011-11-12 17:11:17 375808 ----a-w- C:\Windows\System32\psisdecd.dll
2011-11-12 17:11:17 293376 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-11-12 17:11:17 289792 ----a-w- C:\Windows\System32\psisrndr.ax
2011-11-12 17:11:17 217088 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2011-11-12 17:11:17 100352 ----a-w- C:\Windows\System32\Mpeg2Data.ax
2011-11-12 14:50:53 -------- d-----w- C:\Windows\SysWow64\vi-VN
2011-11-12 14:50:53 -------- d-----w- C:\Windows\SysWow64\eu-ES
2011-11-12 14:50:53 -------- d-----w- C:\Windows\SysWow64\ca-ES
2011-11-12 14:50:52 -------- d-----w- C:\Windows\System32\eu-ES
2011-11-12 14:50:52 -------- d-----w- C:\Windows\System32\ca-ES
2011-11-12 14:50:49 -------- d-----w- C:\Windows\System32\vi-VN
2011-11-12 14:29:45 -------- d-----w- C:\Windows\System32\EventProviders
2011-11-12 04:29:07 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-12 04:15:23 -------- d-----w- C:\Users\Kerri\AppData\Local\WindowsUpdate
2011-11-12 03:57:25 -------- d-----w- C:\Users\Kerri\AppData\Local\Secunia PSI
2011-11-12 03:57:10 -------- d-----w- C:\Program Files (x86)\Secunia
2011-11-12 03:54:59 3108864 ----a-w- C:\Windows\System32\msi.dll
2011-11-12 03:53:59 1658368 ----a-w- C:\Windows\System32\CertEnroll.dll
2011-11-12 03:52:59 287744 ----a-w- C:\Windows\SysWow64\Wldap32.dll
2011-11-12 03:51:59 1548288 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2011-11-12 03:50:59 81408 ----a-w- C:\Windows\System32\fdWSD.dll
2011-11-12 03:49:48 218624 ----a-w- C:\Windows\SysWow64\wdscore.dll
2011-11-12 03:49:14 247808 ----a-w- C:\Windows\SysWow64\drvstore.dll
2011-11-12 03:49:08 83968 ----a-w- C:\Windows\SysWow64\wbem\wmiutils.dll
2011-11-12 03:49:07 614912 ----a-w- C:\Windows\SysWow64\wbem\fastprox.dll
2011-11-12 03:49:07 30208 ----a-w- C:\Windows\SysWow64\wbem\wbemprox.dll
2011-11-12 03:49:07 265728 ----a-w- C:\Windows\SysWow64\wbem\esscli.dll
2011-11-12 03:49:07 189440 ----a-w- C:\Windows\SysWow64\wbem\mofd.dll
2011-11-12 03:46:27 891392 ----a-w- C:\Windows\System32\wbem\fastprox.dll
2011-11-12 03:46:27 43520 ----a-w- C:\Windows\System32\wbem\wbemprox.dll
2011-11-12 03:46:27 1172992 ----a-w- C:\Windows\System32\wbem\wbemcore.dll
2011-11-12 03:46:21 936448 ----a-w- C:\Windows\System32\SmiEngine.dll
2011-11-12 03:46:12 293888 ----a-w- C:\Windows\System32\wdscore.dll
2011-11-12 03:46:12 138752 ----a-w- C:\Windows\System32\PkgMgr.exe
2011-11-12 03:45:46 315904 ----a-w- C:\Windows\System32\drvstore.dll
2011-11-12 03:43:43 28160 ----a-w- C:\Windows\System32\drivers\en-US\http.sys.mui
2011-11-12 03:43:15 442368 ----a-w- C:\Windows\System32\winhttp.dll
2011-11-12 03:43:15 377344 ----a-w- C:\Windows\SysWow64\winhttp.dll
2011-11-12 03:43:09 179712 ----a-w- C:\Windows\System32\srvsvc.dll
2011-11-12 03:43:08 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
2011-11-12 03:43:08 17920 ----a-w- C:\Windows\SysWow64\netevent.dll
2011-11-12 03:43:08 17920 ----a-w- C:\Windows\System32\netevent.dll
2011-11-12 03:43:08 12288 ----a-w- C:\Windows\System32\sscore.dll
2011-11-12 03:34:56 -------- d-----w- C:\Users\Kerri\AppData\Local\Adobe
2011-11-12 02:58:24 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll
2011-11-12 02:58:24 32256 ----a-w- C:\Windows\System32\Apphlpdm.dll
2011-11-12 02:58:24 28672 ----a-w- C:\Windows\SysWow64\Apphlpdm.dll
2011-11-12 02:58:23 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll
2011-11-12 02:18:24 -------- d-----w- C:\ProgramData\White Sky, Inc
2011-11-12 02:17:37 -------- d-----w- C:\Users\Kerri\AppData\Roaming\ID Vault
2011-11-12 02:13:19 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
2011-11-12 02:13:19 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
2011-11-12 02:13:19 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
2011-11-12 02:13:19 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
2011-11-12 02:13:18 48960 ----a-w- C:\Windows\System32\netfxperf.dll
2011-11-12 02:13:18 444752 ----a-w- C:\Windows\System32\mscoree.dll
2011-11-12 02:13:18 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
2011-11-12 02:13:18 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2011-11-12 02:13:18 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
2011-11-12 02:13:18 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
2011-11-12 01:14:43 -------- d-----w- C:\Users\Kerri\AppData\Local\Microsoft Games
2011-11-12 01:10:11 537088 ----a-w- C:\Program Files\Internet Explorer\pdm.dll
2011-11-12 01:10:11 358904 ----a-w- C:\Program Files\Internet Explorer\msdbg2.dll
2011-11-12 01:10:11 355832 ----a-w- C:\Program Files (x86)\Internet Explorer\pdm.dll
2011-11-12 01:10:11 265720 ----a-w- C:\Program Files (x86)\Internet Explorer\msdbg2.dll
2011-11-11 22:36:30 32768 ----a-w- C:\Windows\System32\nshhttp.dll
2011-11-11 22:36:30 24064 ----a-w- C:\Windows\SysWow64\nshhttp.dll
2011-11-11 22:36:27 620032 ----a-w- C:\Windows\System32\drivers\http.sys
2011-11-11 22:36:27 33792 ----a-w- C:\Windows\System32\httpapi.dll
2011-11-11 22:36:26 30720 ----a-w- C:\Windows\SysWow64\httpapi.dll
2011-11-11 22:30:09 2048 ----a-w- C:\Windows\SysWow64\winrsmgr.dll
2011-11-11 22:30:09 2048 ----a-w- C:\Windows\System32\winrsmgr.dll
2011-11-11 22:30:08 13312 ----a-w- C:\Windows\System32\wsmplpxy.dll
2011-11-11 22:30:08 13312 ----a-w- C:\Windows\System32\winrssrv.dll
2011-11-11 22:30:05 10240 ----a-w- C:\Windows\SysWow64\wsmplpxy.dll
2011-11-11 22:30:05 10240 ----a-w- C:\Windows\SysWow64\winrssrv.dll
2011-11-11 22:18:49 32256 ----a-w- C:\Windows\System32\NETSTAT.EXE
2011-11-11 22:17:50 372736 ----a-w- C:\Windows\System32\unregmp2.exe
2011-11-11 22:17:50 1486848 ----a-w- C:\Program Files\Windows Media Player\setup_wm.exe
2011-11-11 22:17:50 1418752 ----a-w- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
2011-11-11 22:17:49 310784 ----a-w- C:\Windows\SysWow64\unregmp2.exe
2011-11-11 22:17:07 60416 ----a-w- C:\Windows\System32\rrinstaller.exe
2011-11-11 22:17:07 53248 ----a-w- C:\Windows\SysWow64\rrinstaller.exe
2011-11-11 22:17:07 24576 ----a-w- C:\Windows\SysWow64\mfpmp.exe
2011-11-11 22:17:06 2048 ----a-w- C:\Windows\SysWow64\mferror.dll
2011-11-11 22:17:06 2048 ----a-w- C:\Windows\System32\mferror.dll
2011-11-11 22:17:03 1797120 ----a-w- C:\Windows\System32\msxml6.dll
2011-11-11 22:17:03 1401856 ----a-w- C:\Windows\SysWow64\msxml6.dll
2011-11-11 22:14:59 1689600 ----a-w- C:\Windows\System32\lsasrv.dll
2011-11-11 22:12:02 368128 ----a-w- C:\Windows\System32\wmpdxm.dll
2011-11-11 22:12:02 313344 ----a-w- C:\Windows\SysWow64\wmpdxm.dll
2011-11-11 22:11:58 43520 ----a-w- C:\Windows\SysWow64\msdxm.tlb
2011-11-11 22:11:58 43520 ----a-w- C:\Windows\System32\msdxm.tlb
2011-11-11 22:11:58 18432 ----a-w- C:\Windows\SysWow64\amcompat.tlb
2011-11-11 22:11:58 18432 ----a-w- C:\Windows\System32\amcompat.tlb
2011-11-11 21:58:34 855040 ----a-w- C:\Windows\System32\schedsvc.dll
2011-11-11 21:47:09 25424 ----a-w- C:\Windows\System32\drivers\COH_Mon.sys
2011-11-11 21:43:19 3765288 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-11-11 21:43:01 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FB140620-FEAA-4FEE-8BEB-A79AC811092C}\mpengine.dll
2011-11-11 21:42:55 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-11-11 21:40:46 36864 ----a-w- C:\Windows\System32\wuapp.exe
2011-11-11 21:40:46 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
2011-11-11 21:40:46 185416 ----a-w- C:\Windows\System32\wuwebv.dll
2011-11-11 21:40:46 171608 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2011-11-11 20:37:45 -------- d-----w- C:\Users\Kerri\AppData\Local\Mozilla
2011-11-11 20:37:42 713560 ----a-w- C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
2011-11-11 20:37:42 324976 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\coFFPlgn.dll
2011-11-11 20:34:58 -------- d-----w- C:\Users\Kerri\AppData\Local\White_Sky,_Inc
2011-11-11 20:34:25 -------- d-----w- C:\Users\Kerri\AppData\Local\ID Vault
2011-11-11 20:34:13 -------- d-----w- C:\Users\Kerri\AppData\Roaming\Symantec
2011-11-11 20:34:07 -------- d-----w- C:\Users\Kerri\AppData\Roaming\LenovoDesktopNavigator
2011-11-11 20:33:56 -------- d-----w- C:\Users\Kerri\AppData\Roaming\Lenovo
2011-11-11 20:33:24 -------- d-----w- C:\Users\Kerri\AppData\Local\VirtualStore
.
==================== Find3M ====================
.
2011-11-11 21:52:03 172080 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-09-20 21:06:18 1426304 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-09-06 13:56:50 2764288 ----a-w- C:\Windows\System32\win32k.sys
2011-08-25 16:20:38 735744 ----a-w- C:\Windows\System32\UIAutomationCore.dll
2011-08-25 16:19:32 847360 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-25 16:19:32 332288 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-25 16:15:04 555520 ----a-w- C:\Windows\SysWow64\UIAutomationCore.dll
2011-08-25 16:14:01 563712 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-25 16:14:01 238080 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-25 13:54:14 4096 ----a-w- C:\Windows\System32\oleaccrc.dll
2011-08-25 13:31:01 4096 ----a-w- C:\Windows\SysWow64\oleaccrc.dll
.
============= FINISH: 14:49:48.02 ===============

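As an added example that is not part of this thread and not code from the DDS tool: a small Python triage script for the log format posted above. It parses the BHO/TB and service/driver line shapes visible in the log and flags what a reviewer checks first (browser add-ons with no backing file, and service or driver binaries that DDS reported as `[?]`); the sample log embedded in it is constructed from lines of the same shapes.

```python
"""Triage helper for the DDS log sections posted in this thread.

Added example; not part of the original thread and not code from the DDS
tool.  It parses 'Pseudo HJT Report' BHO/TB lines and 'SERVICES / DRIVERS'
lines in the shapes visible in the posted log and flags what a log reviewer
looks at first: browser add-ons registered with no backing file, and services
or drivers whose binary DDS could not find (the '--> path [?]' form).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample using line shapes copied from the posted log.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - C:\Program Files (x86)\Windows Live Toolbar\msntb.dll
mWinlogon: Userinit=userinit.exe
.
============= SERVICES / DRIVERS ===============
.
R1 funfrm;funfrm;C:\Windows\system32\drivers\funfrm.sys --> C:\Windows\system32\drivers\funfrm.sys [?]
R2 IGRS;IGRS;C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [2008-2-14 32768]
S3 COH_Mon;COH_Mon;\??\C:\Windows\system32\Drivers\COH_Mon.sys --> C:\Windows\system32\Drivers\COH_Mon.sys [?]
.
============= FINISH: 14:49:48.02 ===============
""".strip("\n")

# BHO: <name>[: {CLSID}] - <path | No File>   (also BHO-X64, TB, TB-X64)
BHO_RE = re.compile(
    r"^(?P<kind>BHO|TB)(?:-X64)?: (?P<name>.*?)"
    r"(?:: (?P<clsid>\{[0-9A-Fa-f-]+\}))? - (?P<path>.+)$"
)
# <R|S><n> <service>;<display name>;<rest>
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# rest when DDS found the binary: <path> [<yyyy-m-d> <size>]
FOUND_RE = re.compile(r"^(?P<path>.*) \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")
# rest when DDS could not stat the binary: <path> --> <path> [?]
MISSING_RE = re.compile(r"^(?P<path>.*?) --> .* \[\?\]$")


@dataclass
class Finding:
    line: str
    reason: str


def parse_bho(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return kind/name/clsid/path for a BHO or TB line, else None."""
    m = BHO_RE.match(line)
    return m.groupdict() if m else None


def parse_service(line: str) -> Optional[Dict[str, object]]:
    """Return a record for a service/driver line; 'present' is False for '[?]'."""
    m = SVC_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    rec: Dict[str, object] = {
        "state": m.group("state"), "name": m.group("svc"),
        "display": m.group("display"), "present": True,
        "path": rest, "date": None, "size": None,
    }
    missing = MISSING_RE.match(rest)
    if missing:
        rec["path"], rec["present"] = missing.group("path"), False
        return rec
    found = FOUND_RE.match(rest)
    if found:
        rec["path"], rec["date"] = found.group("path"), found.group("date")
        rec["size"] = int(found.group("size"))
    return rec


def triage(lines: Iterable[str]) -> List[Finding]:
    """Flag add-ons with no backing file and binaries DDS could not find."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        bho = parse_bho(line)
        if bho is not None:
            if bho["path"] == "No File":
                findings.append(Finding(line, "browser add-on registered with no backing file"))
            continue
        svc = parse_service(line)
        if svc is not None and not svc["present"]:
            findings.append(Finding(line, "service/driver binary not found on disk ('[?]')"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.reason}: {f.line}")
```

Entries flagged this way are review prompts, not verdicts; many `[?]` drivers in the posted log are legitimate OEM components that DDS simply could not stat.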
#14 kkamy

kkamy
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 14 November 2011 - 09:05 AM

Just checking to see if you have had a chance to look over the latest DDS logs I posted. Thanks.

#15 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • OFFLINE
  • Gender:Male
  • Location:South East Asia
  • Local time:02:47 PM

Posted 14 November 2011 - 07:34 PM

Hello kkamy :),

Apologies for the delay. I was a bit tied up for the past few days. Things are looking good.

For your security setup, please disable Windows Defender to prevent conflict with your Norton package.

--------------------

Your Adobe Reader is outdated. Older versions have security vulnerabilities that can be exploited.

Please update your Adobe Reader to the latest.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

Adobe Reader 8.3.1

  • Go to the Adobe download page. Click here.
  • If your OS is not the same as stated, click on Do you have a different language or operating system? link.
    • Under the Select an operating system title, choose the OS that you have.
    • Change the language at the Select a language title.
    • Next, select the version of the reader at the Select a Version title.
    • Uncheck (untick) to opt out of Google Chrome installation.
    • Click the Download now button to proceed. Allow if prompted and save the file to a convenient location.
    • Run the downloaded file to continue with the installation.
  • If your OS is the same, uncheck (untick) to opt out of McAfee Security Scan Plus installation.
  • Click Download to proceed. Allow if prompted and save the file to a convenient location.
  • Run the downloaded file to continue with the installation.

Alternatively, you can try Foxit Reader Portable or Nuance PDF Reader.

--------------------

Some tips to help you stay clean and safe:

1. Keep your Windows up to date. Enable Automatic Updates for Windows Vista to always update the latest security patches from Microsoft, or you can download them from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malware.

2. Update your Antivirus program regularly; it is a must for constant protection against viruses. Please keep only one AV installed.

3. Install Malwarebytes' Anti-Malware if you haven't and use it occasionally. It is a new and powerful anti-malware tool, totally free but for real-time protection you will have to pay a small one-time fee.

4. Install WinPatrol, a great protection program that helps you monitor for unwanted files or applications.

5. Use a hosts file to block the access of bad sites from your computer. Get yourself a MVPS Hosts for this purpose.

6. Install Web of Trust (WOT). WOT keeps you away from dangerous websites with warnings and blocking.

7. Protect your computer from removable or USB drive infections with MCShield, an effective method to prevent malware from spreading.

8. Keep all your software updated. You have Secunia PSI, make full use of it.

9. Also look up:
Computer Security - a short guide to staying safer online
PC Safety and Security - What Do I Need? By Glaswegian
How to prevent malware: By miekiemoes
So how did I get infected in the first place? By Tony Klein
Microsoft Online Safety

Stay safe.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.




