iexplore.exe virus


  • This topic is locked
12 replies to this topic

#1 tonyf666 (Members)
Posted 17 November 2011 - 01:54 PM

Hi,
I am running Windows XP SP3 and IE8. The iexplore.exe process keeps starting by itself and playing audio ads without even popping up a browser window. I have a backup Ghost image of just the C partition (I keep my data on a separate D partition). I restored the primary C partition and the virus is still there! How is that possible? Is it hidden in some boot sector that doesn't get overwritten with a new image?
I tried renaming the Internet Explorer folder just to see what kind of information error messages I get for clues as to what's causing it. I checked my event log and saw this message:

Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}. The error:
"The system cannot find the file specified. "
Happened while starting this command:
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding

Also, it redirects any search result links I click on.

Anyway, I'm at a loss and need some serious help! I've tried SuperAntispyware, Malwarebytes, and Spybot.

Not sure if this helps but I am attaching logs from RSIT, HijackThis, DDS, and GMER.
Let me know what else I need to post.

Thanks!
Tony

Edited by tonyf666, 17 November 2011 - 08:31 PM.
Moved from XP to Malware Removal Logs.
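A note on the event-log entry in the post above, followed by an added example that is not part of the original post. The `-Embedding` switch is what COM appends when it launches an executable as an out-of-process server on behalf of some client, and {0002DF01-0000-0000-C000-000000000046} is the CLSID of the InternetExplorer.Application object. So the browser is not being started by a shortcut or a Run key; something is asking COM for an IE automation object, which is exactly how a hidden ad-player would drive IE without a visible window. The script below takes a process snapshot saved on the affected XP box with `wmic process get CommandLine,Name,ParentProcessId,ProcessId /format:list > procs.txt`, finds every iexplore.exe that carries `-Embedding`, and walks its parent chain. The embedded snapshot is constructed for the example (PIDs, command lines and the process set are invented), and the `/format:list` layout and UTF-16 file encoding are assumptions about wmic output, not something taken from the thread. The caveat a responder needs is in `classify()`: an out-of-process COM server is created by the RPCSS/DcomLaunch svchost.exe, so the parent PID proves COM activation but does not name the COM client; for that you need a process-creation trace (for example Process Monitor) taken while the ads are playing.

```python
"""Who launched the background iexplore.exe?  Added example for this thread.

Reads a snapshot saved on the affected machine with
    wmic process get CommandLine,Name,ParentProcessId,ProcessId /format:list > procs.txt
and walks the parent chain of every iexplore.exe started with -Embedding.
Assumptions: wmic /format:list layout (Key=Value lines, blank line between
records); a redirected wmic file is UTF-16 LE with a BOM (handled in load()).
"""
import re
import sys

# Constructed sample in wmic /format:list layout.  PIDs, command lines and
# the set of processes are invented for this example.
SAMPLE_WMIC_LIST = """

CommandLine=C:\\WINDOWS\\system32\\svchost.exe -k rpcss
Name=svchost.exe
ParentProcessId=680
ProcessId=904


CommandLine="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" -Embedding
Name=IEXPLORE.EXE
ParentProcessId=904
ProcessId=3344


CommandLine=C:\\WINDOWS\\Explorer.EXE
Name=explorer.exe
ParentProcessId=1012
ProcessId=1588


CommandLine="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" http://my.yahoo.com/
Name=IEXPLORE.EXE
ParentProcessId=1588
ProcessId=2200
"""

EMBEDDING_RE = re.compile(r"(?i)iexplore\.exe.*\s-embedding\b")


def load(path):
    """Read a redirected wmic file; cmd.exe writes it as UTF-16 LE with a BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")


def parse_wmic_list(text):
    """Return {pid: {Key: Value}} from wmic /format:list output."""
    procs, record = {}, {}
    for line in text.splitlines() + [""]:       # trailing "" flushes the last record
        line = line.strip()
        if not line:
            if record:
                procs[int(record["ProcessId"])] = record
                record = {}
            continue
        key, _, value = line.partition("=")
        record[key] = value
    return procs


def find_embedded_ie(procs):
    """PIDs of iexplore.exe instances that COM launched (-Embedding on the command line)."""
    return sorted(pid for pid, rec in procs.items()
                  if EMBEDDING_RE.search(rec.get("CommandLine", "")))


def parent_chain(procs, pid, limit=32):
    """[(pid, name), ...] from pid upward until a parent is no longer in the snapshot."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append((pid, procs[pid]["Name"]))
        pid = int(procs[pid]["ParentProcessId"])
    return chain


def classify(chain):
    """State what the parent chain does and does not tell you."""
    parents = [name.lower() for _, name in chain[1:]]
    if not parents:
        return "parent no longer running (launcher already exited)"
    if parents[0] == "svchost.exe":
        # Out-of-process COM servers are created by the RPCSS/DcomLaunch svchost,
        # so the PPID shows COM activation but not which client requested it.
        return "COM activation via svchost.exe (RPCSS); the requesting client is not visible from the PPID"
    return "started directly by " + parents[0]


def report(text):
    """One line per COM-launched iexplore.exe: the chain, then the interpretation."""
    procs = parse_wmic_list(text)
    lines = []
    for pid in find_embedded_ie(procs):
        chain = parent_chain(procs, pid)
        arrows = " <- ".join("%s(%d)" % (name, p) for p, name in chain)
        lines.append("%s : %s" % (arrows, classify(chain)))
    return lines


if __name__ == "__main__":
    snapshot = load(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WMIC_LIST
    for entry in report(snapshot):
        print(entry)
```

Run it with the path to procs.txt as the only argument; with no argument it uses the constructed snapshot. A chain ending at svchost.exe is the expected shape for the symptom in this thread and is the signal to move from a static snapshot to a live trace of COM activations.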



#2 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 19 November 2011 - 02:53 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 tonyf666 (Topic Starter)

Posted 21 November 2011 - 01:49 PM

Thank you for helping me, Gringo.
I have pasted the log from Combofix. It took about 20 mins to run and rebooted once during the process. It just finished so as far as how the computer is now, only time will tell, but right now it seems to be working fine. Does combofix actually remove any malware it finds, or does it just produce a report for you to review?

Tony

Here's the log from Combofix:

ComboFix 11-11-21.01 - tonyf 11/21/2011 12:21:54.1.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3063.2081 [GMT -5:00]
Running from: d:\downloads\admin tools\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\tonyf\Favorites\Thumbs.db
c:\windows\CSC\d6
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\pthreadGC2.dll
c:\windows\system32\PowerToyReadme.htm
d:\my documents\vpnclient-win-is-4.0.3.F-k9.ZIP
.
.
((((((((((((((((((((((((( Files Created from 2011-10-21 to 2011-11-21 )))))))))))))))))))))))))))))))
.
.
2011-11-21 18:18 . 2011-11-21 18:18 -------- d-----w- c:\windows\LastGood
2011-11-19 08:00 . 2011-11-20 00:00 -------- d-----w- C:\571c7d3444aaf04b751bc6e8b2ec7438
2011-11-18 22:36 . 2011-11-18 22:36 -------- d-----w- c:\program files\VMware
2011-11-17 22:43 . 2005-10-04 20:06 5120 ----a-w- c:\windows\system32\escprint.dll
2011-11-17 22:43 . 2005-08-25 19:41 160256 ----a-w- c:\windows\system32\exchmem.dll
2011-11-17 22:43 . 2005-08-25 19:09 14645760 ----a-w- c:\windows\system32\maildsmx.dll
2011-11-17 22:43 . 2005-08-25 18:33 16384 ----a-w- c:\windows\system32\pttrace.dll
2011-11-17 22:43 . 2005-08-25 18:30 23552 ----a-w- c:\windows\system32\glblname.dll
2011-11-17 22:43 . 2005-08-25 18:26 19968 ----a-w- c:\windows\system32\address.dll
2011-11-17 19:29 . 2011-11-17 19:29 -------- d-----w- c:\program files\Exchange SDK
2011-11-17 18:06 . 2011-11-17 18:06 -------- d-----w- c:\program files\Support Tools
2011-11-17 18:02 . 2011-11-17 18:02 -------- d-----w- c:\windows\cluster
2011-11-17 18:02 . 2011-11-17 18:02 -------- d-----w- c:\program files\CMAK
2011-11-17 18:00 . 2011-11-17 18:00 -------- d-----w- c:\program files\VirtualDub
2011-11-17 17:48 . 2011-11-17 17:48 -------- d-----w- c:\program files\RADVideo
2011-11-17 17:42 . 2011-11-21 18:20 -------- d-----w- c:\program files\PeerBlock
2011-11-17 17:37 . 2011-11-17 17:37 -------- d-----w- c:\program files\Paint.NET
2011-11-17 17:36 . 2011-11-17 17:36 -------- d-----w- c:\program files\OpenVPN
2011-11-17 17:30 . 2011-11-17 17:31 -------- d-----w- c:\program files\Notepad++
2011-11-17 17:14 . 2011-11-17 17:14 -------- d-----w- c:\program files\HandBrake
2011-11-17 17:12 . 2011-11-17 17:13 -------- d-----w- c:\program files\FrostWire
2011-11-17 17:11 . 2011-11-17 17:11 -------- d-----w- c:\program files\Freeware PDF Unlocker
2011-11-17 17:04 . 2011-11-17 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\ElectricSheep
2011-11-17 17:04 . 2011-11-17 17:04 -------- d-----w- c:\program files\Electricsheep Screensaver
2011-11-17 16:59 . 2011-11-17 16:59 -------- d-----w- c:\program files\ExperimentalScene
2011-11-17 16:53 . 2011-11-18 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2011-11-17 16:53 . 2011-11-17 16:52 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-11-17 16:53 . 2011-11-17 16:52 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-11-17 16:53 . 2011-11-17 16:52 179792 ----a-w- c:\windows\system32\guard32.dll
2011-11-17 16:53 . 2011-11-17 16:52 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2011-11-17 16:52 . 2011-11-17 16:52 -------- d-----w- c:\program files\COMODO
2011-11-17 16:35 . 2011-11-17 16:35 -------- d-----w- c:\program files\AnvSoft
2011-11-17 16:32 . 2011-11-17 16:32 -------- d-----w- c:\program files\Auction Sentry 4
2011-11-17 16:29 . 2011-11-17 16:29 -------- d-----w- c:\program files\AllToAVI
2011-11-16 23:25 . 2011-11-16 23:25 -------- d-----w- c:\program files\totalcmd
2011-11-16 23:25 . 2009-09-24 12:50 545 ----a-w- c:\windows\UC.PIF
2011-11-16 23:25 . 2009-09-24 12:50 545 ----a-w- c:\windows\RAR.PIF
2011-11-16 23:25 . 2009-09-24 12:50 545 ----a-w- c:\windows\NOCLOSE.PIF
2011-11-16 23:25 . 2009-09-24 12:50 545 ----a-w- c:\windows\LHA.PIF
2011-11-16 23:25 . 2009-09-24 12:50 545 ----a-w- c:\windows\ARJ.PIF
2011-11-16 23:21 . 2011-11-16 23:21 -------- d-----w- c:\program files\MP3ext
2011-11-16 23:19 . 2011-11-16 23:19 -------- d-----w- c:\program files\FileZilla FTP Client
2011-11-16 23:03 . 2011-11-16 23:03 -------- d-----w- c:\windows\Downloaded Installations
2011-11-16 23:02 . 2011-11-16 23:02 -------- d-----w- c:\program files\Audacity
2011-11-16 22:45 . 2011-11-16 22:45 -------- d-----w- c:\program files\AutoHotkey
2011-11-16 22:41 . 2011-11-16 22:41 -------- d-----w- c:\program files\FolderSize
2011-11-16 22:40 . 2011-11-16 22:40 -------- d-----w- c:\program files\Windows Resource Kits
2011-11-16 16:10 . 2011-11-16 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2011-11-16 15:53 . 2011-11-16 15:54 -------- d-----w- c:\program files\Common Files\LightScribe
2011-11-16 15:51 . 2011-11-16 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2011-11-16 15:48 . 2011-11-16 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2011-11-15 23:16 . 2011-11-18 17:55 -------- d-----w- C:\rsit
2011-11-15 23:16 . 2011-11-16 19:35 -------- d-----w- c:\program files\trend micro
2011-11-15 23:12 . 2011-11-15 23:12 -------- d-----w- c:\program files\WOT
2011-11-15 22:14 . 2011-11-15 22:14 -------- d-----w- c:\documents and settings\Administrator.WORKGROUP\Local Settings\Application Data\Apple Computer
2011-11-15 22:11 . 2011-11-15 22:11 -------- d-----w- c:\documents and settings\Administrator.WORKGROUP\Local Settings\Application Data\Identities
2011-11-15 22:11 . 2011-11-15 22:11 -------- d-----w- c:\documents and settings\Administrator.WORKGROUP\Application Data\Windows Desktop Search
2011-11-15 21:30 . 2011-11-17 14:42 -------- d-----w- c:\program files\Windows Desktop Search
2011-11-15 21:30 . 2011-11-15 21:30 -------- d-----w- c:\windows\system32\GroupPolicy
2011-11-15 21:26 . 2011-11-15 21:26 -------- d-----w- c:\program files\uTorrent
2011-11-15 21:25 . 2011-11-15 21:25 -------- d-----w- c:\program files\UltraVNC
2011-11-15 21:20 . 2011-11-21 17:58 -------- d-----w- c:\documents and settings\tonyf
2011-11-15 21:03 . 2008-04-14 05:16 25600 -c--a-w- c:\windows\system32\dllcache\hidbth.sys
2011-11-15 21:03 . 2008-04-14 05:16 25600 ----a-w- c:\windows\system32\drivers\hidbth.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-15 22:55 . 2011-05-17 13:19 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2009-06-16 20:53 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2008-04-14 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-03 06:01 . 2011-11-16 23:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-15 39408]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-21 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-21 137752]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-08-15 30003200]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-06-18 115560]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-03-18 30192]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-07 17421824]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2008-11-06 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2008-11-06 1970176]
"TurboV"="c:\program files\ASUS\TurboV\TurboV.exe" [2008-10-22 4040192]
"Six Engine"="c:\program files\ASUS\EPU-6 Engine\SixEngine.exe" [2008-11-14 5974528]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"WinSys2"="c:\windows\system32\winsys2.exe" [2008-01-18 208896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"UFWSRVMAN"="c:\program files\US Group\UltiPro for Windows\UFWSRVMan.exe" [2009-05-07 558080]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-03-17 570664]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-11-17 1799952]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Millennium Print Driver Server.lnk - c:\program files\Convergent EDM\Millennium 10\OmsPrntSvc.exe [2008-12-3 77824]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-220523388-1417001333-1108\Scripts\Logon\0\0]
"Script"=\\fileserver\nETLOGON\logon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-220523388-1417001333-1112\Scripts\Logon\0\0]
"Script"=\\fileserver\nETLOGON\logon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-220523388-1417001333-1379\Scripts\Logon\0\0]
"Script"=\\fileserver\nETLOGON\logon.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dell Remote Console Switch Software\\Dell Remote Console Switch Software.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [11/17/2011 11:53 AM 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [11/17/2011 11:53 AM 25160]
R2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe [7/27/2009 3:36 PM 86016]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [11/26/2008 9:36 AM 323584]
R2 OMSNSD;OMSNSD;c:\program files\Common Files\Convergent EDM\Millennium 10\omsnsd.sys [12/29/2006 1:30 PM 5173]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/19/2009 10:28 AM 101936]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [11/17/2011 12:42 PM 19056]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/15/2011 4:35 PM 136176]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [6/18/2009 3:36 PM 23888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/19/2009 5:46 PM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/15/2011 4:35 PM 136176]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [6/17/2009 11:02 AM 845184]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 5:17 AM 2805000]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PBFILTER
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 15:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-06 c:\windows\Tasks\Defrag C.job
- c:\windows\system32\defrag.exe [2008-04-14 12:00]
.
2011-11-06 c:\windows\Tasks\Defrag D.job
- c:\windows\system32\defrag.exe [2008-04-14 12:00]
.
2011-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-15 21:35]
.
2011-11-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-15 21:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: alcottgroup.com
Trusted Zone: citibank.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {38681FBD-D4CC-4A59-A527-B3136DB711D3} - hxxps://st2.aetna.com/html/vcst_eu.CAB
FF - ProfilePath - c:\documents and settings\tonyf\Application Data\Mozilla\Firefox\Profiles\6awhb0rn.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
------- File Associations -------
.
txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"
.txt=Notepad++_file
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
SafeBoot-Symantec Antvirus
AddRemove-KB955706_SQLTools9 - c:\windows\SQLTools9_KB955706_ENU\Hotfix.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-21 13:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4132)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-11-21 13:37:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-21 18:37
.
Pre-Run: 60,267,134,976 bytes free
Post-Run: 61,825,470,464 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 88385D36D97856ABC165DD7EF8DD9F83
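ComboFix only reports what it sees; reading a log like the one above is still manual work. As an added example (not a ComboFix feature and not part of the original post), the script below does the first pass a responder makes over such a log: autostart entries whose file was written close to the scan date, autostarts with an unqualified path (resolved by search order at logon), services whose binary is missing or lives outside the usual directories, Windows Firewall exceptions and globally open ports, remote-access tools such as VNC and the Visual Studio remote debugger, and a disabled AV or Security Center monitor. The sample input is a subset of lines excerpted from the log above; the tags, the 14-day window and the `REMOTE_TOOLS` list are this example's own heuristics. Two caveats: a recent file date only catches malware that does not backdate its timestamps, and everything flagged here still needs a human to decide whether it is expected on that machine (the open 3389 and the VNC exception may be deliberate on a work PC).

```python
"""First-pass triage of a ComboFix log.  Added example, not a ComboFix feature.

The tags and thresholds are this example's own heuristics: they point a
responder at the entries to read first, they do not decide anything.
"""
import re
from datetime import date, timedelta

# Lines excerpted from the ComboFix log posted in this thread (a subset, otherwise verbatim).
LOG_EXCERPT = r"""
ComboFix 11-11-21.01 - tonyf 11/21/2011 12:21:54.1.8 - x86
AV: Symantec Endpoint Protection *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-15 39408]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-06-18 115560]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-07 17421824]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-11-17 1799952]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [11/26/2008 9:36 AM 323584]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 5:17 AM 2805000]
"""

HEADER_RE = re.compile(r"^ComboFix \S+ - \S+ (\d{2})/(\d{2})/(\d{4}) ")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4})-(\d{2})-(\d{2}) (\d+)\]$')
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[([^\]]*)\]$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
FWAPP_RE = re.compile(r'^"(.+\.exe)"=$', re.IGNORECASE)

# Binaries that give someone a way back in; a legitimate install still needs explaining.
REMOTE_TOOLS = {"winvnc4.exe", "msvsmon.exe"}
USUAL_DIRS = ("c:\\windows\\", "c:\\program files\\")


def basename(path):
    """Lower-case file name; ComboFix doubles backslashes in firewall entries."""
    return path.replace("\\\\", "\\").lower().rsplit("\\", 1)[-1]


def triage(log_text, recent_days=14):
    """Return [(tag, log_line), ...] for the lines worth a second look."""
    findings, scan_date = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:                                   # scan date anchors the "recent" window
            mm, dd, yyyy = (int(x) for x in m.groups())
            scan_date = date(yyyy, mm, dd)
            continue
        if line.startswith("AV:") and "*Disabled" in line:
            findings.append(("av-disabled", line))
            continue
        m = RUN_RE.match(line)
        if m:
            _, path, y, mo, d, _ = m.groups()
            if "\\" not in path:                # bare name: resolved by search order at logon
                findings.append(("run-unqualified-path", line))
            elif scan_date and scan_date - date(int(y), int(mo), int(d)) <= timedelta(days=recent_days):
                findings.append(("run-recent-file", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _, _, _, path, info = m.groups()
            if info.strip() == "?":             # ComboFix could not find the binary
                findings.append(("service-missing-file", line))
            elif not path.lower().startswith(USUAL_DIRS):
                findings.append(("service-unusual-location", line))
            elif basename(path) in REMOTE_TOOLS:
                findings.append(("service-remote-access-tool", line))
            continue
        if PORT_RE.match(line):
            findings.append(("firewall-open-port", line))
            continue
        m = FWAPP_RE.match(line)
        if m:
            tag = "firewall-remote-access-tool" if basename(m.group(1)) in REMOTE_TOOLS else "firewall-allowed-app"
            findings.append((tag, line))
            continue
        if line == '"DisableMonitoring"=dword:00000001':   # Security Center key as ComboFix prints it
            findings.append(("security-center-monitoring-off", line))
    return findings


def summarize(findings):
    """{tag: count} for a quick overview before reading the lines."""
    counts = {}
    for tag, _ in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for tag, line in triage(LOG_EXCERPT):
        print("%-32s %s" % (tag, line))
```

On the excerpt this flags ten lines: the disabled AV, two Run entries written within two weeks of the scan, the unqualified `RTHDCPL.EXE` autostart, the Security Center monitor switched off, the VNC firewall exception, the globally open 3389/TCP, a service in `c:\asus.sys`, a service whose driver file is missing, and the remote-debugger service. None of that is a verdict; it is the reading order for the rest of the log.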

#4 tonyf666 (Topic Starter)

Posted 21 November 2011 - 02:01 PM

UPDATE

Google searches are still being redirected when I click on a search result link.

#5 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 21 November 2011 - 06:40 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#6 tonyf666 (Topic Starter)

Posted 22 November 2011 - 11:39 AM

I ran TDSSKiller about 2 hours ago, and so far so good! The Google search results are not being redirected. Keeping my fingers crossed! :)
Thanks for all your help Gringo!!

Here are the results from TDSSKiller:

10:28:20.0296 4684 TDSS rootkit removing tool 2.6.20.0 Nov 22 2011 12:05:55
10:28:20.0625 4684 ============================================================
10:28:20.0625 4684 Current date / time: 2011/11/22 10:28:20.0625
10:28:20.0625 4684 SystemInfo:
10:28:20.0625 4684
10:28:20.0625 4684 OS Version: 5.1.2600 ServicePack: 3.0
10:28:20.0625 4684 Product type: Workstation
10:28:20.0625 4684 ComputerName: B315
10:28:20.0625 4684 UserName: tonyf
10:28:20.0625 4684 Windows directory: C:\WINDOWS
10:28:20.0625 4684 System windows directory: C:\WINDOWS
10:28:20.0625 4684 Processor architecture: Intel x86
10:28:20.0625 4684 Number of processors: 8
10:28:20.0625 4684 Page size: 0x1000
10:28:20.0625 4684 Boot type: Normal boot
10:28:20.0625 4684 ============================================================
10:28:21.0250 4684 Initialize success
10:28:30.0750 6432 ============================================================
10:28:30.0750 6432 Scan started
10:28:30.0750 6432 Mode: Manual;
10:28:30.0750 6432 ============================================================
10:28:32.0406 6432 Abiosdsk - ok
10:28:32.0422 6432 abp480n5 - ok
10:28:32.0437 6432 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:28:32.0437 6432 ACPI - ok
10:28:32.0453 6432 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
10:28:32.0453 6432 ACPIEC - ok
10:28:32.0469 6432 adpu160m - ok
10:28:32.0484 6432 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:28:32.0484 6432 aec - ok
10:28:32.0516 6432 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
10:28:32.0516 6432 AFD - ok
10:28:32.0516 6432 Aha154x - ok
10:28:32.0516 6432 aic78u2 - ok
10:28:32.0531 6432 aic78xx - ok
10:28:32.0531 6432 AliIde - ok
10:28:32.0531 6432 amsint - ok
10:28:32.0562 6432 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
10:28:32.0562 6432 Arp1394 - ok
10:28:32.0562 6432 asc - ok
10:28:32.0562 6432 asc3350p - ok
10:28:32.0578 6432 asc3550 - ok
10:28:32.0594 6432 AsIO (2b4e66fac6503494a2c6f32bb6ab3826) C:\WINDOWS\system32\drivers\AsIO.sys
10:28:32.0594 6432 AsIO - ok
10:28:32.0609 6432 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:28:32.0609 6432 AsyncMac - ok
10:28:32.0625 6432 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:28:32.0625 6432 atapi - ok
10:28:32.0625 6432 Atdisk - ok
10:28:32.0641 6432 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:28:32.0641 6432 Atmarpc - ok
10:28:32.0656 6432 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:28:32.0656 6432 audstub - ok
10:28:32.0672 6432 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:28:32.0672 6432 Beep - ok
10:28:32.0687 6432 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
10:28:32.0687 6432 BthEnum - ok
10:28:32.0703 6432 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
10:28:32.0703 6432 BthPan - ok
10:28:32.0719 6432 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
10:28:32.0719 6432 BTHPORT - ok
10:28:32.0750 6432 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
10:28:32.0750 6432 BTHUSB - ok
10:28:32.0766 6432 catchme - ok
10:28:32.0766 6432 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:28:32.0766 6432 cbidf2k - ok
10:28:32.0781 6432 cd20xrnt - ok
10:28:32.0797 6432 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:28:32.0797 6432 Cdaudio - ok
10:28:32.0828 6432 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:28:32.0828 6432 Cdfs - ok
10:28:32.0844 6432 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:28:32.0844 6432 Cdrom - ok
10:28:32.0844 6432 Changer - ok
10:28:32.0875 6432 cmdGuard (6521d2814d6ac4442f44a4acc3e11d98) C:\WINDOWS\system32\DRIVERS\cmdguard.sys
10:28:32.0875 6432 cmdGuard - ok
10:28:32.0891 6432 cmdHlp (f4ab264678ce8ee1cd7621d48efa0531) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
10:28:32.0891 6432 cmdHlp - ok
10:28:32.0891 6432 CmdIde - ok
10:28:32.0906 6432 COH_Mon (86a22dff16e8ca67601044efe6825537) C:\WINDOWS\system32\Drivers\COH_Mon.sys
10:28:32.0906 6432 COH_Mon - ok
10:28:32.0922 6432 Cpqarray - ok
10:28:32.0922 6432 dac2w2k - ok
10:28:32.0922 6432 dac960nt - ok
10:28:32.0937 6432 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:28:32.0937 6432 Disk - ok
10:28:32.0953 6432 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:28:32.0984 6432 dmboot - ok
10:28:33.0000 6432 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
10:28:33.0000 6432 dmio - ok
10:28:33.0000 6432 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:28:33.0000 6432 dmload - ok
10:28:33.0016 6432 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:28:33.0016 6432 DMusic - ok
10:28:33.0031 6432 dpti2o - ok
10:28:33.0031 6432 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:28:33.0031 6432 drmkaud - ok
10:28:33.0094 6432 eeCtrl (70aeac5d481b2904b40f2173e280b1b5) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
10:28:33.0109 6432 eeCtrl - ok
10:28:33.0109 6432 EraserUtilRebootDrv (00bd6fc4a873d3341dcf9aef2d3c841e) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
10:28:33.0109 6432 EraserUtilRebootDrv - ok
10:28:33.0125 6432 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
10:28:33.0141 6432 Fastfat - ok
10:28:33.0141 6432 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
10:28:33.0141 6432 Fdc - ok
10:28:33.0156 6432 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
10:28:33.0156 6432 Fips - ok
10:28:33.0172 6432 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
10:28:33.0172 6432 Flpydisk - ok
10:28:33.0187 6432 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
10:28:33.0187 6432 FltMgr - ok
10:28:33.0187 6432 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:28:33.0187 6432 Fs_Rec - ok
10:28:33.0187 6432 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:28:33.0203 6432 Ftdisk - ok
10:28:33.0203 6432 GMSIPCI - ok
10:28:33.0219 6432 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:28:33.0219 6432 Gpc - ok
10:28:33.0234 6432 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
10:28:33.0234 6432 HDAudBus - ok
10:28:33.0266 6432 HidBth (7bd2de4c85eb4241eed57672b16a7d8d) C:\WINDOWS\system32\DRIVERS\hidbth.sys
10:28:33.0266 6432 HidBth - ok
10:28:33.0281 6432 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
10:28:33.0281 6432 HidUsb - ok
10:28:33.0281 6432 hpn - ok
10:28:33.0312 6432 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
10:28:33.0312 6432 HTTP - ok
10:28:33.0312 6432 i2omgmt - ok
10:28:33.0312 6432 i2omp - ok
10:28:33.0344 6432 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
10:28:33.0344 6432 i8042prt - ok
10:28:33.0437 6432 ialm (cd32607f1cc8ac67224334ae123f7b98) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
10:28:33.0516 6432 ialm - ok
10:28:33.0516 6432 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
10:28:33.0516 6432 Imapi - ok
10:28:33.0531 6432 ini910u - ok
10:28:33.0547 6432 Inspect (5aef815853af3c17d06e8778783b79b2) C:\WINDOWS\system32\DRIVERS\inspect.sys
10:28:33.0547 6432 Inspect - ok
10:28:33.0625 6432 IntcAzAudAddService (12e9a40d13edbb63a61f6b3196452f0d) C:\WINDOWS\system32\drivers\RtkHDAud.sys
10:28:33.0687 6432 IntcAzAudAddService - ok
10:28:33.0687 6432 IntelIde - ok
10:28:33.0703 6432 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
10:28:33.0703 6432 intelppm - ok
10:28:33.0750 6432 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
10:28:33.0750 6432 Ip6Fw - ok
10:28:33.0766 6432 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
10:28:33.0766 6432 IpFilterDriver - ok
10:28:33.0781 6432 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
10:28:33.0781 6432 IpInIp - ok
10:28:33.0797 6432 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:28:33.0797 6432 IpNat - ok
10:28:33.0812 6432 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:28:33.0812 6432 IPSec - ok
10:28:33.0828 6432 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:28:33.0828 6432 IRENUM - ok
10:28:33.0844 6432 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:28:33.0844 6432 isapnp - ok
10:28:33.0859 6432 JRAID (a324485106f133e751f4b7f47c4be3ea) C:\WINDOWS\system32\DRIVERS\jraid.sys
10:28:33.0859 6432 JRAID - ok
10:28:33.0875 6432 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:28:33.0875 6432 Kbdclass - ok
10:28:33.0891 6432 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
10:28:33.0891 6432 kbdhid - ok
10:28:33.0906 6432 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
10:28:33.0906 6432 kmixer - ok
10:28:33.0937 6432 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
10:28:33.0937 6432 KSecDD - ok
10:28:33.0953 6432 L1e (93e64bab9dee162ca0ca5258d132a047) C:\WINDOWS\system32\DRIVERS\l1e51x86.sys
10:28:33.0953 6432 L1e - ok
10:28:33.0953 6432 lbrtfdc - ok
10:28:33.0969 6432 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:28:33.0969 6432 mnmdd - ok
10:28:34.0000 6432 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:28:34.0000 6432 Modem - ok
10:28:34.0031 6432 monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\monfilt.sys
10:28:34.0062 6432 monfilt - ok
10:28:34.0062 6432 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:28:34.0062 6432 Mouclass - ok
10:28:34.0078 6432 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:28:34.0078 6432 mouhid - ok
10:28:34.0094 6432 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:28:34.0094 6432 MountMgr - ok
10:28:34.0094 6432 mraid35x - ok
10:28:34.0109 6432 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:28:34.0109 6432 MRxDAV - ok
10:28:34.0125 6432 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:28:34.0141 6432 MRxSmb - ok
10:28:34.0141 6432 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:28:34.0141 6432 Msfs - ok
10:28:34.0141 6432 MSICPL - ok
10:28:34.0172 6432 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:28:34.0172 6432 MSKSSRV - ok
10:28:34.0187 6432 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:28:34.0187 6432 MSPCLOCK - ok
10:28:34.0187 6432 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:28:34.0187 6432 MSPQM - ok
10:28:34.0219 6432 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:28:34.0219 6432 mssmbios - ok
10:28:34.0234 6432 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
10:28:34.0234 6432 MTsensor - ok
10:28:34.0250 6432 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
10:28:34.0250 6432 Mup - ok
10:28:34.0312 6432 NAVENG (7b87fe07b1b782efa931729fe3adb5ad) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090728.067\NAVENG.SYS
10:28:34.0312 6432 NAVENG - ok
10:28:34.0328 6432 NAVEX15 (b756abc1a20e951c89228970b7cad585) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090728.067\NAVEX15.SYS
10:28:34.0328 6432 NAVEX15 - ok
10:28:34.0359 6432 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:28:34.0359 6432 NDIS - ok
10:28:34.0375 6432 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:28:34.0375 6432 NdisTapi - ok
10:28:34.0406 6432 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:28:34.0406 6432 Ndisuio - ok
10:28:34.0406 6432 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:28:34.0406 6432 NdisWan - ok
10:28:34.0422 6432 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
10:28:34.0422 6432 NDProxy - ok
10:28:34.0422 6432 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:28:34.0422 6432 NetBIOS - ok
10:28:34.0453 6432 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:28:34.0453 6432 NetBT - ok
10:28:34.0484 6432 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
10:28:34.0484 6432 NIC1394 - ok
10:28:34.0500 6432 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:28:34.0500 6432 Npfs - ok
10:28:34.0500 6432 NTACCESS - ok
10:28:34.0516 6432 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:28:34.0531 6432 Ntfs - ok
10:28:34.0547 6432 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:28:34.0547 6432 Null - ok
10:28:34.0641 6432 nv (8e72e452b9cc1e455d19e3c9fa964d37) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
10:28:34.0734 6432 nv - ok
10:28:34.0766 6432 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:28:34.0766 6432 NwlnkFlt - ok
10:28:34.0766 6432 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:28:34.0766 6432 NwlnkFwd - ok
10:28:34.0781 6432 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
10:28:34.0781 6432 ohci1394 - ok
10:28:34.0812 6432 OMSNSD (e31f9b76a2b1734ee021dd3110f4cde0) C:\Program Files\Common Files\Convergent EDM\Millennium 10\omsnsd.sys
10:28:34.0812 6432 OMSNSD - ok
10:28:34.0844 6432 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
10:28:34.0844 6432 Parport - ok
10:28:34.0859 6432 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:28:34.0859 6432 PartMgr - ok
10:28:34.0875 6432 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:28:34.0875 6432 ParVdm - ok
10:28:34.0891 6432 pbfilter (61a5701e3f543861b21bbe0932c4cc03) C:\Program Files\PeerBlock\pbfilter.sys
10:28:34.0891 6432 pbfilter - ok
10:28:34.0906 6432 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:28:34.0906 6432 PCI - ok
10:28:34.0906 6432 PCIDump - ok
10:28:34.0906 6432 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:28:34.0906 6432 PCIIde - ok
10:28:34.0922 6432 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:28:34.0922 6432 Pcmcia - ok
10:28:34.0953 6432 PDCOMP - ok
10:28:34.0953 6432 PDFRAME - ok
10:28:34.0969 6432 PDRELI - ok
10:28:34.0984 6432 PDRFRAME - ok
10:28:34.0984 6432 perc2 - ok
10:28:34.0984 6432 perc2hib - ok
10:28:35.0000 6432 portio (ccf0d038e6d43bb5f5588d9b73a24016) C:\WINDOWS\system32\DRIVERS\memNT.sys
10:28:35.0000 6432 portio - ok
10:28:35.0016 6432 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:28:35.0016 6432 PptpMiniport - ok
10:28:35.0031 6432 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:28:35.0031 6432 PSched - ok
10:28:35.0031 6432 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:28:35.0031 6432 Ptilink - ok
10:28:35.0047 6432 ql1080 - ok
10:28:35.0047 6432 Ql10wnt - ok
10:28:35.0047 6432 ql12160 - ok
10:28:35.0047 6432 ql1240 - ok
10:28:35.0062 6432 ql1280 - ok
10:28:35.0062 6432 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:28:35.0062 6432 RasAcd - ok
10:28:35.0078 6432 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:28:35.0078 6432 Rasl2tp - ok
10:28:35.0094 6432 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:28:35.0094 6432 RasPppoe - ok
10:28:35.0094 6432 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:28:35.0094 6432 Raspti - ok
10:28:35.0109 6432 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:28:35.0109 6432 Rdbss - ok
10:28:35.0125 6432 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:28:35.0125 6432 RDPCDD - ok
10:28:35.0141 6432 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:28:35.0141 6432 rdpdr - ok
10:28:35.0156 6432 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
10:28:35.0156 6432 RDPWD - ok
10:28:35.0187 6432 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:28:35.0187 6432 redbook - ok
10:28:35.0203 6432 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
10:28:35.0203 6432 RFCOMM - ok
10:28:35.0234 6432 RTLE8023xp (f0a21c62b9b835e1c96268eaae31d239) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
10:28:35.0234 6432 RTLE8023xp - ok
10:28:35.0266 6432 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:28:35.0266 6432 Secdrv - ok
10:28:35.0297 6432 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:28:35.0297 6432 serenum - ok
10:28:35.0297 6432 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
10:28:35.0297 6432 Serial - ok
10:28:35.0312 6432 SetupNTGLM7X - ok
10:28:35.0328 6432 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:28:35.0328 6432 Sfloppy - ok
10:28:35.0344 6432 Simbad - ok
10:28:35.0359 6432 Sparrow - ok
10:28:35.0406 6432 SPBBCDrv (d7bb213566e16bca372e2cb517eda907) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
10:28:35.0406 6432 SPBBCDrv - ok
10:28:35.0437 6432 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:28:35.0437 6432 splitter - ok
10:28:35.0453 6432 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:28:35.0453 6432 sr - ok
10:28:35.0469 6432 SRTSP (522651a0e7dc6415e083317370b609cc) C:\WINDOWS\system32\Drivers\SRTSP.SYS
10:28:35.0469 6432 SRTSP - ok
10:28:35.0484 6432 SRTSPL (34e823b8d730099d032608fcccbc6a25) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
10:28:35.0500 6432 SRTSPL - ok
10:28:35.0500 6432 SRTSPX (469006e15f5b0fe8ae94184a18a81586) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
10:28:35.0500 6432 SRTSPX - ok
10:28:35.0531 6432 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
10:28:35.0531 6432 Srv - ok
10:28:35.0547 6432 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:28:35.0547 6432 swenum - ok
10:28:35.0562 6432 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
10:28:35.0562 6432 swmidi - ok
10:28:35.0578 6432 symc810 - ok
10:28:35.0578 6432 symc8xx - ok
10:28:35.0594 6432 SymEvent (e03ee3ef1037099554d17bed99545a5e) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
10:28:35.0594 6432 SymEvent - ok
10:28:35.0609 6432 SYMREDRV (be3c117150c055e50a4caf23e548c856) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
10:28:35.0609 6432 SYMREDRV - ok
10:28:35.0609 6432 SYMTDI (7b0af4e22b32f8c5bfba5a5d53522160) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
10:28:35.0609 6432 SYMTDI - ok
10:28:35.0625 6432 sym_hi - ok
10:28:35.0625 6432 sym_u3 - ok
10:28:35.0641 6432 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
10:28:35.0641 6432 sysaudio - ok
10:28:35.0672 6432 tap0901 (11d34fc869f5bda29949fe3858380894) C:\WINDOWS\system32\DRIVERS\tap0901.sys
10:28:35.0672 6432 tap0901 - ok
10:28:35.0687 6432 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:28:35.0687 6432 Tcpip - ok
10:28:35.0703 6432 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:28:35.0703 6432 TDPIPE - ok
10:28:35.0719 6432 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:28:35.0719 6432 TDTCP - ok
10:28:35.0719 6432 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:28:35.0719 6432 TermDD - ok
10:28:35.0734 6432 TosIde - ok
10:28:35.0766 6432 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:28:35.0766 6432 Udfs - ok
10:28:35.0781 6432 ultra - ok
10:28:35.0781 6432 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
10:28:35.0781 6432 Update - ok
10:28:35.0812 6432 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:28:35.0812 6432 usbccgp - ok
10:28:35.0828 6432 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:28:35.0828 6432 usbehci - ok
10:28:35.0844 6432 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:28:35.0844 6432 usbhub - ok
10:28:35.0859 6432 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:28:35.0859 6432 USBSTOR - ok
10:28:35.0875 6432 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:28:35.0875 6432 usbuhci - ok
10:28:35.0891 6432 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
10:28:35.0891 6432 VgaSave - ok
10:28:35.0922 6432 VIAHdAudAddService (51b24990850076f659d1d1daefbed6f1) C:\WINDOWS\system32\drivers\viahduaa.sys
10:28:35.0922 6432 VIAHdAudAddService - ok
10:28:35.0937 6432 ViaIde - ok
10:28:35.0953 6432 vmm (e41fef9e3056fe88c71e411f705be41e) C:\WINDOWS\system32\Drivers\vmm.sys
10:28:35.0953 6432 vmm - ok
10:28:35.0984 6432 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:28:35.0984 6432 VolSnap - ok
10:28:35.0984 6432 VPCNetS2 (f96a678debdccb0b4bb7f38cb2580589) C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
10:28:35.0984 6432 VPCNetS2 - ok
10:28:36.0000 6432 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:28:36.0000 6432 Wanarp - ok
10:28:36.0016 6432 WDICA - ok
10:28:36.0031 6432 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:28:36.0031 6432 wdmaud - ok
10:28:36.0078 6432 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:28:36.0078 6432 WudfPf - ok
10:28:36.0109 6432 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:28:36.0109 6432 WudfRd - ok
10:28:36.0125 6432 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
10:28:36.0125 6432 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - infected
10:28:36.0125 6432 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
10:28:36.0141 6432 Boot (0x1200) (8ca411e4dcf59f1abe8a7ba2feb8d0e8) \Device\Harddisk0\DR0\Partition0
10:28:36.0141 6432 \Device\Harddisk0\DR0\Partition0 - ok
10:28:36.0141 6432 Boot (0x1200) (bfa0275472c6fd1479172274251b522c) \Device\Harddisk0\DR0\Partition1
10:28:36.0141 6432 \Device\Harddisk0\DR0\Partition1 - ok
10:28:36.0141 6432 Boot (0x1200) (1acbe5b8bad6d49b7330c1abf5c31704) \Device\Harddisk0\DR0\Partition2
10:28:36.0156 6432 \Device\Harddisk0\DR0\Partition2 - ok
10:28:36.0156 6432 ============================================================
10:28:36.0156 6432 Scan finished
10:28:36.0156 6432 ============================================================
10:28:36.0156 1484 Detected object count: 1
10:28:36.0156 1484 Actual detected object count: 1
10:29:07.0188 1484 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - will be cured on reboot
10:29:07.0188 1484 \Device\Harddisk0\DR0 - ok
10:29:07.0188 1484 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.a ) - User select action: Cure
10:29:31.0767 4492 Deinitialize success

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:44 PM

Posted 22 November 2011 - 12:40 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 tonyf666

tonyf666
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Location:NY
  • Local time:08:44 PM

Posted 22 November 2011 - 12:58 PM

Here are the results of the ComboFix run:

ComboFix 11-11-21.01 - TonyF 11/22/2011 12:49:57.2.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3063.2114 [GMT -5:00]
Running from: c:\documents and settings\tonyf\Desktop\asdf234l.exe
Command switches used :: c:\documents and settings\tonyf\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\CSC\d6
.
.
((((((((((((((((((((((((( Files Created from 2011-10-22 to 2011-11-22 )))))))))))))))))))))))))))))))
.
.
2011-11-22 15:48 . 2011-11-22 15:48 -------- d-----w- c:\program files\Common Files\Java
2011-11-22 15:44 . 2011-11-22 15:45 -------- d-----w- C:\_AcroTemp
2011-11-22 15:32 . 2011-11-22 15:46 -------- d-----w- c:\windows\LastGood
2011-11-21 17:09 . 2011-11-22 17:47 -------- d-----w- C:\ComboFix
2011-11-19 08:00 . 2011-11-20 00:00 -------- d-----w- C:\571c7d3444aaf04b751bc6e8b2ec7438
2011-11-18 22:36 . 2011-11-18 22:36 -------- d-----w- c:\program files\VMware
2011-11-17 22:43 . 2005-10-04 20:06 5120 ----a-w- c:\windows\system32\escprint.dll
2011-11-17 22:43 . 2005-08-25 19:41 160256 ----a-w- c:\windows\system32\exchmem.dll
2011-11-17 22:43 . 2005-08-25 19:09 14645760 ----a-w- c:\windows\system32\maildsmx.dll
2011-11-17 22:43 . 2005-08-25 18:33 16384 ----a-w- c:\windows\system32\pttrace.dll
2011-11-17 22:43 . 2005-08-25 18:30 23552 ----a-w- c:\windows\system32\glblname.dll
2011-11-17 22:43 . 2005-08-25 18:26 19968 ----a-w- c:\windows\system32\address.dll
2011-11-17 19:29 . 2011-11-17 19:29 -------- d-----w- c:\program files\Exchange SDK
2011-11-17 18:06 . 2011-11-17 18:06 -------- d-----w- c:\program files\Support Tools
2011-11-17 18:02 . 2011-11-17 18:02 -------- d-----w- c:\windows\cluster
2011-11-17 18:02 . 2011-11-17 18:02 -------- d-----w- c:\program files\CMAK
2011-11-17 18:00 . 2011-11-17 18:00 -------- d-----w- c:\program files\VirtualDub
2011-11-17 17:48 . 2011-11-17 17:48 -------- d-----w- c:\program files\RADVideo
2011-11-17 17:42 . 2011-11-22 15:32 -------- d-----w- c:\program files\PeerBlock
2011-11-17 17:37 . 2011-11-17 17:37 -------- d-----w- c:\program files\Paint.NET
2011-11-17 17:36 . 2011-11-17 17:36 -------- d-----w- c:\program files\OpenVPN
2011-11-17 17:30 . 2011-11-17 17:31 -------- d-----w- c:\program files\Notepad++
2011-11-17 17:14 . 2011-11-17 17:14 -------- d-----w- c:\program files\HandBrake
2011-11-17 17:12 . 2011-11-17 17:13 -------- d-----w- c:\program files\FrostWire
2011-11-17 17:11 . 2011-11-17 17:11 -------- d-----w- c:\program files\Freeware PDF Unlocker
2011-11-17 17:04 . 2011-11-17 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\ElectricSheep
2011-11-17 17:04 . 2011-11-17 17:04 -------- d-----w- c:\program files\Electricsheep Screensaver
2011-11-17 16:59 . 2011-11-17 16:59 -------- d-----w- c:\program files\ExperimentalScene
2011-11-17 16:53 . 2011-11-18 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2011-11-17 16:53 . 2011-11-17 16:52 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-11-17 16:53 . 2011-11-17 16:52 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-11-17 16:53 . 2011-11-17 16:52 179792 ----a-w- c:\windows\system32\guard32.dll
2011-11-17 16:53 . 2011-11-17 16:52 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2011-11-17 16:52 . 2011-11-17 16:52 -------- d-----w- c:\program files\COMODO
2011-11-17 16:35 . 2011-11-17 16:35 -------- d-----w- c:\program files\AnvSoft
2011-11-17 16:32 . 2011-11-17 16:32 -------- d-----w- c:\program files\Auction Sentry 4
2011-11-17 16:29 . 2011-11-17 16:29 -------- d-----w- c:\program files\AllToAVI
2011-11-16 23:25 . 2011-11-16 23:25 -------- d-----w- c:\program files\totalcmd
2011-11-16 23:25 . 2009-09-24 12:50 545 ----a-w- c:\windows\UC.PIF
2011-11-16 23:25 . 2009-09-24 12:50 545 ----a-w- c:\windows\RAR.PIF
2011-11-16 23:25 . 2009-09-24 12:50 545 ----a-w- c:\windows\NOCLOSE.PIF
2011-11-16 23:25 . 2009-09-24 12:50 545 ----a-w- c:\windows\LHA.PIF
2011-11-16 23:25 . 2009-09-24 12:50 545 ----a-w- c:\windows\ARJ.PIF
2011-11-16 23:21 . 2011-11-16 23:21 -------- d-----w- c:\program files\MP3ext
2011-11-16 23:19 . 2011-11-16 23:19 -------- d-----w- c:\program files\FileZilla FTP Client
2011-11-16 23:03 . 2011-11-16 23:03 -------- d-----w- c:\windows\Downloaded Installations
2011-11-16 23:02 . 2011-11-16 23:02 -------- d-----w- c:\program files\Audacity
2011-11-16 22:45 . 2011-11-16 22:45 -------- d-----w- c:\program files\AutoHotkey
2011-11-16 22:41 . 2011-11-16 22:41 -------- d-----w- c:\program files\FolderSize
2011-11-16 22:40 . 2011-11-16 22:40 -------- d-----w- c:\program files\Windows Resource Kits
2011-11-16 16:10 . 2011-11-16 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2011-11-16 15:53 . 2011-11-16 15:54 -------- d-----w- c:\program files\Common Files\LightScribe
2011-11-16 15:51 . 2011-11-16 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2011-11-16 15:48 . 2011-11-16 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2011-11-15 23:16 . 2011-11-22 16:41 -------- d-----w- C:\rsit
2011-11-15 23:16 . 2011-11-16 19:35 -------- d-----w- c:\program files\trend micro
2011-11-15 23:12 . 2011-11-15 23:12 -------- d-----w- c:\program files\WOT
2011-11-15 22:14 . 2011-11-15 22:14 -------- d-----w- c:\documents and settings\Administrator.WORKGROUP\Local Settings\Application Data\Apple Computer
2011-11-15 22:11 . 2011-11-15 22:11 -------- d-----w- c:\documents and settings\Administrator.WORKGROUP\Local Settings\Application Data\Identities
2011-11-15 22:11 . 2011-11-15 22:11 -------- d-----w- c:\documents and settings\Administrator.WORKGROUP\Application Data\Windows Desktop Search
2011-11-15 21:30 . 2011-11-17 14:42 -------- d-----w- c:\program files\Windows Desktop Search
2011-11-15 21:30 . 2011-11-15 21:30 -------- d-----w- c:\windows\system32\GroupPolicy
2011-11-15 21:26 . 2011-11-15 21:26 -------- d-----w- c:\program files\uTorrent
2011-11-15 21:25 . 2011-11-15 21:25 -------- d-----w- c:\program files\UltraVNC
2011-11-15 21:20 . 2011-11-22 15:30 -------- d-----w- c:\documents and settings\tonyf
2011-11-15 21:03 . 2008-04-14 05:16 25600 -c--a-w- c:\windows\system32\dllcache\hidbth.sys
2011-11-15 21:03 . 2008-04-14 05:16 25600 ----a-w- c:\windows\system32\drivers\hidbth.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-15 22:55 . 2011-05-17 13:19 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2009-06-16 20:53 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06 . 2011-03-18 19:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37 . 2009-07-16 18:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2008-04-14 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-03 06:01 . 2011-11-16 23:18 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-21_18.21.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-22 15:48 . 2011-11-22 15:48 16384 c:\windows\Temp\Perflib_Perfdata_318.dat
+ 2011-11-22 16:19 . 2011-11-22 16:19 16384 c:\windows\Temp\Perflib_Perfdata_1c4.dat
+ 2011-11-22 15:32 . 2003-02-14 15:40 15388 c:\windows\LastGood\system32\DRIVERS\memNT.sys
+ 2011-11-22 15:46 . 2009-08-20 04:50 22872 c:\windows\LastGood\system32\AdobePDFUI.dll
+ 2011-11-22 15:46 . 2009-08-20 04:50 46928 c:\windows\LastGood\system32\AdobePDF.dll
+ 2011-11-21 17:01 . 2011-11-22 15:46 25214 c:\windows\Installer\{AC76BA86-1033-F400-BA7E-000000000004}\_SC_Distiller.exe
- 2011-11-21 17:01 . 2011-11-21 17:01 25214 c:\windows\Installer\{AC76BA86-1033-F400-BA7E-000000000004}\_SC_Distiller.exe
- 2011-11-21 17:01 . 2011-11-21 17:01 36294 c:\windows\Installer\{AC76BA86-1033-F400-BA7E-000000000004}\_SC_Acrobat_Standard.exe
+ 2011-11-21 17:01 . 2011-11-22 15:46 36294 c:\windows\Installer\{AC76BA86-1033-F400-BA7E-000000000004}\_SC_Acrobat_Standard.exe
- 2011-11-21 17:01 . 2011-11-21 17:01 38926 c:\windows\Installer\{AC76BA86-1033-F400-BA7E-000000000004}\_SC_Acrobat_3D.exe
+ 2011-11-21 17:01 . 2011-11-22 15:46 38926 c:\windows\Installer\{AC76BA86-1033-F400-BA7E-000000000004}\_SC_Acrobat_3D.exe
+ 2011-11-21 17:01 . 2011-11-22 15:46 38926 c:\windows\Installer\{AC76BA86-1033-F400-BA7E-000000000004}\_SC_Acrobat.exe
- 2011-11-21 17:01 . 2011-11-21 17:01 38926 c:\windows\Installer\{AC76BA86-1033-F400-BA7E-000000000004}\_SC_Acrobat.exe
+ 2011-11-21 17:01 . 2011-11-22 15:46 7278 c:\windows\Installer\{AC76BA86-1033-F400-BA7E-000000000004}\_SC_ELEMENTS_DT.exe
- 2011-11-21 17:01 . 2011-11-21 17:01 7278 c:\windows\Installer\{AC76BA86-1033-F400-BA7E-000000000004}\_SC_ELEMENTS_DT.exe
+ 2011-11-15 21:01 . 2011-11-22 15:30 3351 c:\windows\bthservsdp.dat
- 2011-11-15 21:01 . 2011-11-21 17:58 3351 c:\windows\bthservsdp.dat
+ 2008-04-14 12:00 . 2011-11-22 15:36 577130 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2011-11-21 18:21 577130 c:\windows\system32\perfh009.dat
+ 2008-04-14 12:00 . 2011-11-22 15:36 115642 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2011-11-21 18:21 115642 c:\windows\system32\perfc009.dat
- 2011-03-18 19:44 . 2011-05-04 08:52 157472 c:\windows\system32\javaws.exe
+ 2011-11-22 15:48 . 2011-10-03 10:06 157472 c:\windows\system32\javaws.exe
+ 2011-11-22 15:48 . 2011-10-03 10:06 145184 c:\windows\system32\javaw.exe
- 2011-03-18 19:44 . 2011-05-04 08:52 145184 c:\windows\system32\javaw.exe
+ 2011-11-22 15:48 . 2011-10-03 10:06 145184 c:\windows\system32\java.exe
- 2011-03-18 19:44 . 2011-05-04 08:52 145184 c:\windows\system32\java.exe
+ 2011-11-22 15:48 . 2011-11-22 15:48 203776 c:\windows\Installer\b53ca.msi
+ 2011-11-22 08:02 . 2011-11-22 08:02 814080 c:\windows\Installer\303dca5.msi
+ 2010-04-04 09:14 . 2010-04-04 09:14 92859904 c:\windows\Installer\b53ae.msp
+ 2010-06-20 09:30 . 2010-06-20 09:30 93828096 c:\windows\Installer\b53ad.msp
+ 2010-09-23 16:05 . 2010-09-23 16:05 96142848 c:\windows\Installer\b53ac.msp
+ 2011-02-17 14:06 . 2011-02-17 14:06 84427776 c:\windows\Installer\b53ab.msp
+ 2011-06-08 08:05 . 2011-06-08 08:05 70169088 c:\windows\Installer\b53aa.msp
+ 2011-09-08 03:05 . 2011-09-08 03:05 55057920 c:\windows\Installer\b53a9.msp
+ 2010-01-05 01:02 . 2010-01-05 01:02 183439360 c:\windows\Installer\b53af.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-15 39408]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-21 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-21 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-21 137752]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-08-15 30003200]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-06-18 115560]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-09-07 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-03-18 30192]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-07 17421824]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2008-11-06 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2008-11-06 1970176]
"TurboV"="c:\program files\ASUS\TurboV\TurboV.exe" [2008-10-22 4040192]
"Six Engine"="c:\program files\ASUS\EPU-6 Engine\SixEngine.exe" [2008-11-14 5974528]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"WinSys2"="c:\windows\system32\winsys2.exe" [2008-01-18 208896]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"UFWSRVMAN"="c:\program files\US Group\UltiPro for Windows\UFWSRVMan.exe" [2009-05-07 558080]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-03-17 570664]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-11-17 1799952]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Millennium Print Driver Server.lnk - c:\program files\Convergent EDM\Millennium 10\OmsPrntSvc.exe [2008-12-3 77824]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-220523388-1417001333-1108\Scripts\Logon\0\0]
"Script"=\\fileserver\nETLOGON\logon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-220523388-1417001333-1112\Scripts\Logon\0\0]
"Script"=\\fileserver\nETLOGON\logon.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-220523388-1417001333-1379\Scripts\Logon\0\0]
"Script"=\\fileserver\nETLOGON\logon.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dell Remote Console Switch Software\\Dell Remote Console Switch Software.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [11/17/2011 11:53 AM 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [11/17/2011 11:53 AM 25160]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [11/26/2008 9:36 AM 323584]
R2 OMSNSD;OMSNSD;c:\program files\Common Files\Convergent EDM\Millennium 10\omsnsd.sys [12/29/2006 1:30 PM 5173]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/19/2009 10:28 AM 101936]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [11/17/2011 12:42 PM 19056]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe [7/27/2009 3:36 PM 86016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/15/2011 4:35 PM 136176]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [6/18/2009 3:36 PM 23888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/19/2009 5:46 PM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/15/2011 4:35 PM 136176]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [6/17/2009 11:02 AM 845184]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 5:17 AM 2805000]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*NewlyCreated* - PBFILTER
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 15:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-06 c:\windows\Tasks\Defrag C.job
- c:\windows\system32\defrag.exe [2008-04-14 12:00]
.
2011-11-06 c:\windows\Tasks\Defrag D.job
- c:\windows\system32\defrag.exe [2008-04-14 12:00]
.
2011-11-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-15 21:35]
.
2011-11-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-15 21:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: alcottgroup.com
Trusted Zone: citibank.com
Trusted Zone: salesforce.com
Trusted Zone: ultimatesoftware.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {38681FBD-D4CC-4A59-A527-B3136DB711D3} - hxxps://st2.aetna.com/html/vcst_eu.CAB
FF - ProfilePath - c:\documents and settings\tonyf\Application Data\Mozilla\Firefox\Profiles\6awhb0rn.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-22 12:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4504)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-11-22 12:55:13
ComboFix-quarantined-files.txt 2011-11-22 17:55
.
Pre-Run: 60,125,900,800 bytes free
Post-Run: 60,580,073,472 bytes free
.
- - End Of File - - B0FA807C1464DB8340C3FC3A12EC0DA9

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 November 2011 - 01:17 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.



Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts


TFC(Temp File Cleaner):

  • Please download TFC to your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


If you have problems running Hijackthis.

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 tonyf666
  • Topic Starter
  • Members
  • 6 posts
  • Gender:Male
  • Location:NY

Posted 22 November 2011 - 02:28 PM

MBAM:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8218

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/22/2011 2:25:08 PM
mbam-log-2011-11-22 (14-25-08).txt

Scan type: Quick scan
Objects scanned: 215049
Time elapsed: 2 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------------------------------------------------------------------------------------
HiJackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:20:33 PM, on 11/22/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe
C:\ASUS.SYS\config\DVMExportService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\TurboV\TurboV.exe
C:\Program Files\ASUS\EPU-6 Engine\SixEngine.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\US Group\UltiPro for Windows\UFWSRVMan.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Convergent EDM\Millennium 10\OmsPrntSvc.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\trend micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUserRegSetup?clid=1033
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [TurboV] "C:\Program Files\ASUS\TurboV\TurboV.exe"
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\EPU-6 Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UFWSRVMAN] "C:\Program Files\US Group\UltiPro for Windows\UFWSRVMan.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Millennium Print Driver Server.lnk = C:\Program Files\Convergent EDM\Millennium 10\OmsPrntSvc.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.alcott-iwr.com
O15 - Trusted Zone: *.allstate.com
O15 - Trusted Zone: *.citibank.com
O15 - Trusted Zone: http://www.cleverdot.com
O15 - Trusted Zone: *.dell.com
O15 - Trusted Zone: *.intuit.com
O15 - Trusted Zone: *.meritline.com
O15 - Trusted Zone: *.myciti.com
O15 - Trusted Zone: *.salesforce.com
O15 - Trusted Zone: http://*.slickdeals.net
O15 - Trusted Zone: *.sourceforge.net
O15 - Trusted Zone: *.symantec.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: *.ultimatesoftware.com
O16 - DPF: {38681FBD-D4CC-4A59-A527-B3136DB711D3} (Tumbleweed SecureTransport FileTransfer English) - https://st2.aetna.com/html/vcst_eu.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245257525000
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alcottgroup.com
O17 - HKLM\Software\..\Telephony: DomainName = alcottgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alcottgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alcottgroup.com
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:\Program Files\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM - C:\ASUS.SYS\config\DVMExportService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 13297 bytes

No problems so far, computer is doing great!
Thanks!




#11 gringo_pr


Posted 22 November 2011 - 05:42 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to. Any of these programs you can start from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
      O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
      O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
      O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
      O4 - HKLM\..\Run: [TurboV] "C:\Program Files\ASUS\TurboV\TurboV.exe"
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
      O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
      O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • You may also find it here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
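The NOTE above says to research each O4 line by the name between the brackets. The following is an added example (not HijackThis code, and not part of the original post) that splits O4 lines of the shapes shown in the list above into their fields, separates the program from its arguments, and flags entries whose path has no directory or is unquoted with spaces; the regexes, the executable-suffix heuristic and the field names are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Added example, not HijackThis code: split O4 lines like those listed above into fields.
O4_REG = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
O4_FOLDER = re.compile(r'^O4 - (?P<folder>\w+ Startup): (?P<name>.+?)\s*=\s*(?P<cmd>.*)$')
EXE_EXT = (".exe", ".com", ".scr", ".bat", ".cmd")  # assumed executable suffixes

@dataclass
class StartupEntry:
    source: str   # "HKLM\Run", "HKCU\Run" or "Global Startup"
    name: str     # text between the brackets, the term the NOTE says to search for
    image: str    # program that actually starts
    args: str     # remaining command-line arguments
    quoted: bool  # path was quoted, so the loader cannot misparse it
    module: str   # for a rundll32 host, the DLL it loads; otherwise ""

def split_command(cmd):
    """Program vs. arguments: honour quotes; else grow the path word by word (as CreateProcess
    does) until it looks executable, a heuristic in place of the on-disk existence check."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip(), True
    words = cmd.split()
    for i in range(1, len(words) + 1):
        candidate = " ".join(words[:i])
        if candidate.lower().endswith(EXE_EXT):
            return candidate, " ".join(words[i:]), False
    return (words[0] if words else ""), " ".join(words[1:]), False

def parse_o4(line):
    """Return a StartupEntry for one O4 line, or None if the line is not one."""
    m = O4_REG.match(line.strip()) or O4_FOLDER.match(line.strip())
    if m is None:
        return None
    source = m['folder'] if 'folder' in m.groupdict() else f"{m['hive']}\\{m['key']}"
    image, args, quoted = split_command(m['cmd'])
    module = args.split(",", 1)[0].strip() if image.lower().endswith("rundll32.exe") else ""
    return StartupEntry(source, m['name'].strip(), image, args, quoted, module)

def needs_a_look(entry):
    """Flags: no directory (resolved by PATH search) or an unquoted path with spaces."""
    flags = ["unqualified"] if "\\" not in entry.image else []
    if " " in entry.image and not entry.quoted:
        flags.append("unquoted-spaces")
    return flags
```

Run over the O4 lines above, it reports the bare `nwiz.exe` and `RUNDLL32.EXE` entries as unqualified and the unquoted `HDeck.exe` path as ambiguous, while the rundll32 entries also expose the DLL that really loads.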

#12 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 November 2011 - 09:47 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!


#13 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 November 2011 - 01:26 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.