
Infected with AV Protection 2011, possible rootkit


  • This topic is locked
15 replies to this topic

#1 ambchop

ambchop

  • Members
  • 7 posts

Posted 23 November 2011 - 01:53 PM

Was infected with AV Protection 2011, which was causing false 'infection' (firefox.exe is infected and running of application is impossible) messages and prompting me to purchase a virus protection program. Have run RKill, MalwareBytes and Webroot. All were unsuccessful. Left the computer off overnight and upon reboot in Normal Mode this morning was not able to run any applications at all except IE, which was 'not responding' after the window opened. Rebooted in Safe Mode and was able to complete the steps in the Preparation Guide. Followed all instructions in the guide, ran into problems with the GMER (not sure if I have 64bit, but very likely): the Rootkit/Malware tab does not let me select anything except Services, Registry, files, c:\ and ADS. When the scan completed it says "GMER hasn't found any system modifications".
.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by IvieSeale at 11:40:41 on 2011-11-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5992.4889 [GMT -6:00]
.
AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spyware Doctor *Enabled/Outdated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\windows\system32\DllHost.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://lenovo.msn.com
mStart Page = hxxp://lenovo.msn.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: jZip Toolbar: {1e48c56f-08cd-43aa-a6ef-c1ec891551ab} - C:\PROGRA~2\WIF0E7~1\Datamngr\ToolBar\jzipdtx.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: UrlHelper Class: {41c4aa37-1ddd-4345-b8dc-734e4b38414d} - C:\PROGRA~2\WIF0E7~1\Datamngr\IEBHO.dll
BHO: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {8dcb7100-df86-4384-8842-8fa844297b3f} - No File
TB: jZip Toolbar: {1e48c56f-08cd-43aa-a6ef-c1ec891551ab} - C:\PROGRA~2\WIF0E7~1\Datamngr\ToolBar\jzipdtx.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll
uRun: [Best Buy pc app] "C:\Users\IvieSeale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms"
mRun: [jmekey] "C:\Program Files (x86)\jmesoft\hotkey.exe"
mRun: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun: [WebrootTrayApp] "C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe"
mRun: [DATAMNGR] "C:\PROGRA~2\WIF0E7~1\Datamngr\DATAMN~1.EXE"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun: [Nikon Transfer Monitor] "C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRun: [zLL9VONNt0uc1bo8234A] C:\windows\system32\AV Protection 2011v121.exe
mRun: [VsEYwBN1v2om56E] C:\Users\IvieSeale\AppData\Roaming\dwme.exe
mRun: [LgTqYCekIVzOtAu8234A] "C:\Users\IvieSeale\AppData\Roaming\trzzONyxAuvSi\AV Protection 2011v121.exe"
mRun: [DiiD3on4HsJ] C:\Users\IvieSeale\AppData\Roaming\dwme.exe
mRun: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~4\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
LSP: C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{4DF2A46B-AB71-4315-9D7D-53E6AB8F5EE5} : DhcpNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: c:\progra~2\wif0e7~1\datamngr\datamngr.dll c:\progra~2\wif0e7~1\datamngr\iebho.dll
BHO-X64: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: jZip Toolbar: {1e48c56f-08cd-43aa-a6ef-c1ec891551ab} - C:\PROGRA~2\WIF0E7~1\Datamngr\ToolBar\jzipdtx.dll
BHO-X64: jZip Toolbar - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: UrlHelper Class: {41C4AA37-1DDD-4345-B8DC-734E4B38414D} - C:\PROGRA~2\WIF0E7~1\Datamngr\IEBHO.dll
BHO-X64: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO-X64: Search Helper - No File
BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Lexmark Printable Web: {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {8dcb7100-df86-4384-8842-8fa844297b3f} - No File
TB-X64: jZip Toolbar: {1e48c56f-08cd-43aa-a6ef-c1ec891551ab} - C:\PROGRA~2\WIF0E7~1\Datamngr\ToolBar\jzipdtx.dll
TB-X64: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
mRun-x64: [jmekey] "C:\Program Files (x86)\jmesoft\hotkey.exe"
mRun-x64: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun-x64: [WebrootTrayApp] "C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe"
mRun-x64: [DATAMNGR] "C:\PROGRA~2\WIF0E7~1\Datamngr\DATAMN~1.EXE"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun-x64: [Nikon Transfer Monitor] "C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRun-x64: [zLL9VONNt0uc1bo8234A] C:\windows\system32\AV Protection 2011v121.exe
mRun-x64: [VsEYwBN1v2om56E] C:\Users\IvieSeale\AppData\Roaming\dwme.exe
mRun-x64: [LgTqYCekIVzOtAu8234A] "C:\Users\IvieSeale\AppData\Roaming\trzzONyxAuvSi\AV Protection 2011v121.exe"
mRun-x64: [DiiD3on4HsJ] C:\Users\IvieSeale\AppData\Roaming\dwme.exe
mRun-x64: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI
AppInit_DLLs-X64: c:\progra~2\wif0e7~1\datamngr\datamngr.dll c:\progra~2\wif0e7~1\datamngr\iebho.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\IvieSeale\AppData\Roaming\Mozilla\Firefox\Profiles\hdf331cb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://bt.etree.org/?searchss=phish&cat=0|http://www.google.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&q=
FF - component: C:\Program Files (x86)\Windows jZip Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF3.dll
FF - component: C:\Users\IvieSeale\AppData\Roaming\Mozilla\Firefox\Profiles\hdf331cb.default\extensions\{1e48c56f-08cd-43aa-a6ef-c1ec891551ab}\components\dtTransparency.dll
FF - component: C:\Users\IvieSeale\AppData\Roaming\Mozilla\Firefox\Profiles\hdf331cb.default\extensions\{1e48c56f-08cd-43aa-a6ef-c1ec891551ab}\components\dtTransparency3.5.dll
FF - component: C:\Users\IvieSeale\AppData\Roaming\Mozilla\Firefox\Profiles\hdf331cb.default\extensions\{1e48c56f-08cd-43aa-a6ef-c1ec891551ab}\components\dtTransparency3.6.dll
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Logitech\Harmony Remote Driver\NprtHarmonyPlugin.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;C:\windows\system32\drivers\PCTCore64.sys --> C:\windows\system32\drivers\PCTCore64.sys [?]
R0 pctDS;PC Tools Data Store;C:\windows\system32\drivers\pctDS64.sys --> C:\windows\system32\drivers\pctDS64.sys [?]
R0 pctEFA;PC Tools Extended File Attributes;C:\windows\system32\drivers\pctEFA64.sys --> C:\windows\system32\drivers\pctEFA64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;C:\Program Files (x86)\Webroot\Security\Current\plugins\antimalware\AEI.exe [2011-7-17 3997912]
R2 WRConsumerService;Webroot Client Service;C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe [2011-11-10 3386840]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;C:\windows\system32\DRIVERS\e1c62x64.sys --> C:\windows\system32\DRIVERS\e1c62x64.sys [?]
R3 GeneStor;Genesys Logic Storage Driver;C:\windows\system32\DRIVERS\GeneStor.sys --> C:\windows\system32\DRIVERS\GeneStor.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;C:\windows\system32\DRIVERS\RTL8192su.sys --> C:\windows\system32\DRIVERS\RTL8192su.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-24 136176]
S2 lxea_device;lxea_device;C:\windows\system32\lxeacoms.exe -service --> C:\windows\system32\lxeacoms.exe -service [?]
S2 sdAuxService;PC Tools Auxiliary Service;C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe [2011-11-22 366840]
S2 sdCoreService;PC Tools Security Service;C:\Program Files (x86)\PC Tools Security\pctsSvc.exe [2011-11-22 1150936]
S2 ssfmonm;ssfmonm;C:\windows\system32\DRIVERS\ssfmonm.sys --> C:\windows\system32\DRIVERS\ssfmonm.sys [?]
S2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-5-6 2655768]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-24 136176]
S3 IntcDAud;Intel® Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S3 wsvd;wsvd;C:\windows\system32\DRIVERS\wsvd.sys --> C:\windows\system32\DRIVERS\wsvd.sys [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-11-23 17:19:18 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7A890BC8-5995-4F72-B96F-491BA904F5B9}\offreg.dll
2011-11-23 00:40:17 816016 ----a-w- C:\windows\System32\drivers\pctEFA64.sys
2011-11-23 00:40:17 452872 ----a-w- C:\windows\System32\drivers\pctDS64.sys
2011-11-23 00:40:16 331368 ----a-w- C:\windows\System32\drivers\pctgntdi64.sys
2011-11-23 00:40:16 136168 ----a-w- C:\windows\System32\drivers\pctwfpfilter64.sys
2011-11-23 00:40:09 257232 ----a-w- C:\windows\System32\drivers\PCTCore64.sys
2011-11-23 00:40:01 92896 ----a-w- C:\windows\System32\drivers\pctplsg64.sys
2011-11-23 00:39:50 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\PC Tools
2011-11-23 00:39:50 -------- d-----w- C:\Program Files (x86)\PC Tools Security
2011-11-23 00:39:50 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2011-11-23 00:36:21 -------- d-----w- C:\ProgramData\PC Tools
2011-11-23 00:36:19 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\TestApp
2011-11-23 00:32:57 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\Vb3n4m6W7EgqCkV
2011-11-23 00:32:56 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\ijjwIrOtPu
2011-11-23 00:32:42 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\HLgZjwIrOx0
2011-11-23 00:32:40 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\trzzONyxAuvSi
2011-11-23 00:32:40 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\sFFF3mm5aQJ
2011-11-23 00:32:28 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\Ivnm5JdLgRqYwVB
2011-11-22 10:42:38 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7A890BC8-5995-4F72-B96F-491BA904F5B9}\mpengine.dll
2011-11-14 22:20:06 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
2011-11-14 22:19:32 -------- d-----w- C:\Program Files\DivX
2011-11-14 22:19:26 -------- d-----w- C:\Program Files (x86)\Common Files\DivX Shared
2011-11-14 22:18:47 -------- d-----w- C:\Program Files (x86)\DivX
2011-11-14 22:17:32 -------- d-----w- C:\ProgramData\DivX
2011-11-09 14:51:57 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-09 14:51:57 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-09 14:51:55 1923952 ----a-w- C:\windows\System32\drivers\tcpip.sys
2011-11-09 14:51:54 3144704 ----a-w- C:\windows\System32\win32k.sys
2011-10-26 14:17:17 6144 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2011-10-26 14:17:17 6144 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
.
==================== Find3M ====================
.
2011-11-20 16:59:05 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-20 23:26:22 94208 ----a-w- C:\windows\SysWow64\dpl100.dll
2011-10-01 03:25:37 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2011-10-01 02:42:56 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
2011-09-28 06:28:20 106496 ----a-w- C:\windows\SysWow64\ATL71.DLL
2011-08-31 23:00:50 25416 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-08-27 05:37:49 861696 ----a-w- C:\windows\System32\oleaut32.dll
2011-08-27 05:37:48 331776 ----a-w- C:\windows\System32\oleacc.dll
2011-08-27 04:26:27 571904 ----a-w- C:\windows\SysWow64\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- C:\windows\SysWow64\oleacc.dll
.
============= FINISH: 11:41:22.37 ===============


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 28 November 2011 - 04:18 AM

Hi,

If help is still needed, re-run DDS. Make sure that Notepad has word wrap disabled to get the logs in a readable format, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 ambchop

ambchop
  • Topic Starter

  • Members
  • 7 posts

Posted 28 November 2011 - 11:00 AM

Yes, help is still needed... will re-run.

#4 ambchop

ambchop
  • Topic Starter

  • Members
  • 7 posts

Posted 28 November 2011 - 11:06 AM

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by IvieSeale at 10:02:42 on 2011-11-28
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5992.4971 [GMT -6:00]
.
AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spyware Doctor *Enabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\windows\system32\DllHost.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://lenovo.msn.com
mStart Page = hxxp://lenovo.msn.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: jZip Toolbar: {1e48c56f-08cd-43aa-a6ef-c1ec891551ab} - C:\PROGRA~2\WIF0E7~1\Datamngr\ToolBar\jzipdtx.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: UrlHelper Class: {41c4aa37-1ddd-4345-b8dc-734e4b38414d} - C:\PROGRA~2\WIF0E7~1\Datamngr\IEBHO.dll
BHO: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {8dcb7100-df86-4384-8842-8fa844297b3f} - No File
TB: jZip Toolbar: {1e48c56f-08cd-43aa-a6ef-c1ec891551ab} - C:\PROGRA~2\WIF0E7~1\Datamngr\ToolBar\jzipdtx.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll
uRun: [Best Buy pc app] "C:\Users\IvieSeale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms"
mRun: [jmekey] "C:\Program Files (x86)\jmesoft\hotkey.exe"
mRun: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun: [WebrootTrayApp] "C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe"
mRun: [DATAMNGR] "C:\PROGRA~2\WIF0E7~1\Datamngr\DATAMN~1.EXE"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun: [Nikon Transfer Monitor] "C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRun: [zLL9VONNt0uc1bo8234A] C:\windows\system32\AV Protection 2011v121.exe
mRun: [VsEYwBN1v2om56E] C:\Users\IvieSeale\AppData\Roaming\dwme.exe
mRun: [LgTqYCekIVzOtAu8234A] "C:\Users\IvieSeale\AppData\Roaming\trzzONyxAuvSi\AV Protection 2011v121.exe"
mRun: [DiiD3on4HsJ] C:\Users\IvieSeale\AppData\Roaming\dwme.exe
mRun: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI
mRunOnce: [GrpConv] "grpconv" -o
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~4\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
LSP: C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{4DF2A46B-AB71-4315-9D7D-53E6AB8F5EE5} : DhcpNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: c:\progra~2\wif0e7~1\datamngr\datamngr.dll c:\progra~2\wif0e7~1\datamngr\iebho.dll
BHO-X64: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: jZip Toolbar: {1e48c56f-08cd-43aa-a6ef-c1ec891551ab} - C:\PROGRA~2\WIF0E7~1\Datamngr\ToolBar\jzipdtx.dll
BHO-X64: jZip Toolbar - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: UrlHelper Class: {41C4AA37-1DDD-4345-B8DC-734E4B38414D} - C:\PROGRA~2\WIF0E7~1\Datamngr\IEBHO.dll
BHO-X64: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO-X64: Search Helper - No File
BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Lexmark Printable Web: {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {8dcb7100-df86-4384-8842-8fa844297b3f} - No File
TB-X64: jZip Toolbar: {1e48c56f-08cd-43aa-a6ef-c1ec891551ab} - C:\PROGRA~2\WIF0E7~1\Datamngr\ToolBar\jzipdtx.dll
TB-X64: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
mRun-x64: [jmekey] "C:\Program Files (x86)\jmesoft\hotkey.exe"
mRun-x64: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun-x64: [WebrootTrayApp] "C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe"
mRun-x64: [DATAMNGR] "C:\PROGRA~2\WIF0E7~1\Datamngr\DATAMN~1.EXE"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun-x64: [Nikon Transfer Monitor] "C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRun-x64: [zLL9VONNt0uc1bo8234A] C:\windows\system32\AV Protection 2011v121.exe
mRun-x64: [VsEYwBN1v2om56E] C:\Users\IvieSeale\AppData\Roaming\dwme.exe
mRun-x64: [LgTqYCekIVzOtAu8234A] "C:\Users\IvieSeale\AppData\Roaming\trzzONyxAuvSi\AV Protection 2011v121.exe"
mRun-x64: [DiiD3on4HsJ] C:\Users\IvieSeale\AppData\Roaming\dwme.exe
mRun-x64: [ISTray] "C:\Program Files (x86)\PC Tools Security\pctsGui.exe" /hideGUI
mRunOnce-x64: [GrpConv] "grpconv" -o
AppInit_DLLs-X64: c:\progra~2\wif0e7~1\datamngr\datamngr.dll c:\progra~2\wif0e7~1\datamngr\iebho.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\IvieSeale\AppData\Roaming\Mozilla\Firefox\Profiles\hdf331cb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://bt.etree.org/?searchss=phish&cat=0|http://www.google.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&q=
FF - component: C:\Program Files (x86)\Windows jZip Toolbar\Datamngr\FirefoxExtension\components\DataMngrHlpFF3.dll
FF - component: C:\Users\IvieSeale\AppData\Roaming\Mozilla\Firefox\Profiles\hdf331cb.default\extensions\{1e48c56f-08cd-43aa-a6ef-c1ec891551ab}\components\dtTransparency.dll
FF - component: C:\Users\IvieSeale\AppData\Roaming\Mozilla\Firefox\Profiles\hdf331cb.default\extensions\{1e48c56f-08cd-43aa-a6ef-c1ec891551ab}\components\dtTransparency3.5.dll
FF - component: C:\Users\IvieSeale\AppData\Roaming\Mozilla\Firefox\Profiles\hdf331cb.default\extensions\{1e48c56f-08cd-43aa-a6ef-c1ec891551ab}\components\dtTransparency3.6.dll
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Logitech\Harmony Remote Driver\NprtHarmonyPlugin.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;C:\windows\system32\drivers\PCTCore64.sys --> C:\windows\system32\drivers\PCTCore64.sys [?]
R0 pctDS;PC Tools Data Store;C:\windows\system32\drivers\pctDS64.sys --> C:\windows\system32\drivers\pctDS64.sys [?]
R0 pctEFA;PC Tools Extended File Attributes;C:\windows\system32\drivers\pctEFA64.sys --> C:\windows\system32\drivers\pctEFA64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;C:\Program Files (x86)\Webroot\Security\Current\plugins\antimalware\AEI.exe [2011-7-17 3997912]
R2 WRConsumerService;Webroot Client Service;C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe [2011-11-10 3386840]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;C:\windows\system32\DRIVERS\e1c62x64.sys --> C:\windows\system32\DRIVERS\e1c62x64.sys [?]
R3 GeneStor;Genesys Logic Storage Driver;C:\windows\system32\DRIVERS\GeneStor.sys --> C:\windows\system32\DRIVERS\GeneStor.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;C:\windows\system32\DRIVERS\RTL8192su.sys --> C:\windows\system32\DRIVERS\RTL8192su.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-24 136176]
S2 lxea_device;lxea_device;C:\windows\system32\lxeacoms.exe -service --> C:\windows\system32\lxeacoms.exe -service [?]
S2 sdAuxService;PC Tools Auxiliary Service;C:\Program Files (x86)\PC Tools Security\pctsAuxs.exe [2011-11-22 366840]
S2 sdCoreService;PC Tools Security Service;C:\Program Files (x86)\PC Tools Security\pctsSvc.exe [2011-11-22 1150936]
S2 ssfmonm;ssfmonm;C:\windows\system32\DRIVERS\ssfmonm.sys --> C:\windows\system32\DRIVERS\ssfmonm.sys [?]
S2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-5-6 2655768]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-24 136176]
S3 IntcDAud;Intel® Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S3 wsvd;wsvd;C:\windows\system32\DRIVERS\wsvd.sys --> C:\windows\system32\DRIVERS\wsvd.sys [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-11-28 15:56:32 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7A890BC8-5995-4F72-B96F-491BA904F5B9}\offreg.dll
2011-11-23 00:40:17 816016 ----a-w- C:\windows\System32\drivers\pctEFA64.sys
2011-11-23 00:40:17 452872 ----a-w- C:\windows\System32\drivers\pctDS64.sys
2011-11-23 00:40:16 331368 ----a-w- C:\windows\System32\drivers\pctgntdi64.sys
2011-11-23 00:40:16 136168 ----a-w- C:\windows\System32\drivers\pctwfpfilter64.sys
2011-11-23 00:40:09 257232 ----a-w- C:\windows\System32\drivers\PCTCore64.sys
2011-11-23 00:40:01 92896 ----a-w- C:\windows\System32\drivers\pctplsg64.sys
2011-11-23 00:39:50 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\PC Tools
2011-11-23 00:39:50 -------- d-----w- C:\Program Files (x86)\PC Tools Security
2011-11-23 00:39:50 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2011-11-23 00:36:21 -------- d-----w- C:\ProgramData\PC Tools
2011-11-23 00:36:19 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\TestApp
2011-11-23 00:32:57 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\Vb3n4m6W7EgqCkV
2011-11-23 00:32:56 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\ijjwIrOtPu
2011-11-23 00:32:42 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\HLgZjwIrOx0
2011-11-23 00:32:40 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\trzzONyxAuvSi
2011-11-23 00:32:40 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\sFFF3mm5aQJ
2011-11-23 00:32:28 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\Ivnm5JdLgRqYwVB
2011-11-22 10:42:38 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7A890BC8-5995-4F72-B96F-491BA904F5B9}\mpengine.dll
2011-11-14 22:20:06 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
2011-11-14 22:19:32 -------- d-----w- C:\Program Files\DivX
2011-11-14 22:19:26 -------- d-----w- C:\Program Files (x86)\Common Files\DivX Shared
2011-11-14 22:18:47 -------- d-----w- C:\Program Files (x86)\DivX
2011-11-14 22:17:32 -------- d-----w- C:\ProgramData\DivX
2011-11-09 14:51:57 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-09 14:51:57 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-09 14:51:55 1923952 ----a-w- C:\windows\System32\drivers\tcpip.sys
2011-11-09 14:51:54 3144704 ----a-w- C:\windows\System32\win32k.sys
.
==================== Find3M ====================
.
2011-11-20 16:59:05 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-20 23:26:22 94208 ----a-w- C:\windows\SysWow64\dpl100.dll
2011-10-01 03:25:37 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2011-10-01 02:42:56 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
2011-09-28 06:28:20 106496 ----a-w- C:\windows\SysWow64\ATL71.DLL
2011-08-31 23:00:50 25416 ----a-w- C:\windows\System32\drivers\mbam.sys
.
============= FINISH: 10:03:25.24 ===============

#5 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 28 November 2011 - 11:51 AM

Hi,

BitTornado

The above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and others if present) P2P file sharing programs.



Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#6 ambchop
  • Topic Starter
  • Members
  • 7 posts

Posted 28 November 2011 - 01:58 PM

Okay, ComboFix has been run - the report is attached.

DDS Attach.txt is also attached.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by IvieSeale at 12:51:03 on 2011-11-28
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5992.4609 [GMT -6:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\windows\system32\lxeacoms.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\taskhost.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\System32\rundll32.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\SysWOW64\UMonit.exe
C:\Program Files (x86)\Lexmark S300-S400 Series\lxeamon.exe
C:\Program Files (x86)\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files (x86)\jmesoft\hotkey.exe
C:\Program Files (x86)\Windows jZip Toolbar\Datamngr\datamngrUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\DllHost.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\windows\system32\sppsvc.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://lenovo.msn.com
mStart Page = hxxp://lenovo.msn.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {8dcb7100-df86-4384-8842-8fa844297b3f} - No File
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll
mRun: [jmekey] "C:\Program Files (x86)\jmesoft\hotkey.exe"
mRun: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun: [DATAMNGR] "C:\PROGRA~2\WIF0E7~1\Datamngr\DATAMN~1.EXE"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun: [Nikon Transfer Monitor] "C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRun: [LgTqYCekIVzOtAu8234A] "C:\Users\IvieSeale\AppData\Roaming\trzzONyxAuvSi\AV Protection 2011v121.exe"
mRunOnce: [GrpConv] "grpconv" -o
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~4\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{4DF2A46B-AB71-4315-9D7D-53E6AB8F5EE5} : DhcpNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: c:\PROGRA~2\WIF0E7~1\Datamngr\datamngr.dll c:\PROGRA~2\WIF0E7~1\Datamngr\IEBHO.dll
BHO-X64: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO-X64: Search Helper - No File
BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Lexmark Printable Web: {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {8dcb7100-df86-4384-8842-8fa844297b3f} - No File
TB-X64: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
mRun-x64: [jmekey] "C:\Program Files (x86)\jmesoft\hotkey.exe"
mRun-x64: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun-x64: [DATAMNGR] "C:\PROGRA~2\WIF0E7~1\Datamngr\DATAMN~1.EXE"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun-x64: [Nikon Transfer Monitor] "C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRun-x64: [LgTqYCekIVzOtAu8234A] "C:\Users\IvieSeale\AppData\Roaming\trzzONyxAuvSi\AV Protection 2011v121.exe"
mRunOnce-x64: [GrpConv] "grpconv" -o
AppInit_DLLs-X64: c:\PROGRA~2\WIF0E7~1\Datamngr\datamngr.dll c:\PROGRA~2\WIF0E7~1\Datamngr\IEBHO.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\IvieSeale\AppData\Roaming\Mozilla\Firefox\Profiles\hdf331cb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://bt.etree.org/?searchss=phish&cat=0|http://www.google.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&q=
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Logitech\Harmony Remote Driver\NprtHarmonyPlugin.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 lxea_device;lxea_device;C:\windows\system32\lxeacoms.exe -service --> C:\windows\system32\lxeacoms.exe -service [?]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-5-6 2655768]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;C:\windows\system32\DRIVERS\e1c62x64.sys --> C:\windows\system32\DRIVERS\e1c62x64.sys [?]
R3 GeneStor;Genesys Logic Storage Driver;C:\windows\system32\DRIVERS\GeneStor.sys --> C:\windows\system32\DRIVERS\GeneStor.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;C:\windows\system32\DRIVERS\RTL8192su.sys --> C:\windows\system32\DRIVERS\RTL8192su.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-24 136176]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-24 136176]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S3 wsvd;wsvd;C:\windows\system32\DRIVERS\wsvd.sys --> C:\windows\system32\DRIVERS\wsvd.sys [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-11-28 18:50:33 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6E86AC9C-0C83-4DAD-AA99-A98B96B42BF5}\offreg.dll
2011-11-28 18:39:46 -------- d-sh--w- C:\$RECYCLE.BIN
2011-11-28 18:30:01 -------- d-----w- C:\Users\IvieSeale\AppData\Local\temp
2011-11-28 18:20:23 98816 ----a-w- C:\windows\sed.exe
2011-11-28 18:20:23 518144 ----a-w- C:\windows\SWREG.exe
2011-11-28 18:20:23 256000 ----a-w- C:\windows\PEV.exe
2011-11-28 18:20:23 208896 ----a-w- C:\windows\MBR.exe
2011-11-28 17:09:21 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6E86AC9C-0C83-4DAD-AA99-A98B96B42BF5}\mpengine.dll
2011-11-23 00:36:21 -------- d-----w- C:\ProgramData\PC Tools
2011-11-23 00:36:19 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\TestApp
2011-11-23 00:32:57 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\Vb3n4m6W7EgqCkV
2011-11-23 00:32:56 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\ijjwIrOtPu
2011-11-23 00:32:42 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\HLgZjwIrOx0
2011-11-23 00:32:40 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\trzzONyxAuvSi
2011-11-23 00:32:40 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\sFFF3mm5aQJ
2011-11-23 00:32:28 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\Ivnm5JdLgRqYwVB
2011-11-14 22:20:06 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
2011-11-14 22:19:32 -------- d-----w- C:\Program Files\DivX
2011-11-14 22:19:26 -------- d-----w- C:\Program Files (x86)\Common Files\DivX Shared
2011-11-14 22:18:47 -------- d-----w- C:\Program Files (x86)\DivX
2011-11-14 22:17:32 -------- d-----w- C:\ProgramData\DivX
2011-11-09 14:51:57 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-09 14:51:57 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-09 14:51:55 1923952 ----a-w- C:\windows\System32\drivers\tcpip.sys
2011-11-09 14:51:54 3144704 ----a-w- C:\windows\System32\win32k.sys
.
==================== Find3M ====================
.
2011-11-20 16:59:05 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-20 23:26:22 94208 ----a-w- C:\windows\SysWow64\dpl100.dll
2011-10-01 03:25:37 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2011-10-01 02:42:56 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
2011-09-28 06:28:20 106496 ----a-w- C:\windows\SysWow64\ATL71.DLL
2011-08-31 23:00:50 25416 ----a-w- C:\windows\System32\drivers\mbam.sys
.
============= FINISH: 12:51:52.14 ===============
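The autostart (`mRun`/`mRun-x64`) lines in the DDS log above are what the helper reads to pick out the rogue entries. As an added example that is not part of this thread and not code from the DDS or ComboFix tools, the Python below parses those lines and applies three heuristics of my own: a long value name with several digits in it (a generated name), an image located in a user-writable directory, and an unquoted image path containing spaces. The sample lines are copied from the log above, plus one BHO line to show that non-Run entries are skipped.

```python
import re
from dataclasses import dataclass, field

# Sample input: autostart lines copied from the DDS log in this thread, plus
# one BHO line to show that the parser ignores entries that are not Run keys.
SAMPLE_DDS_LINES = r"""
mRun: [jmekey] "C:\Program Files (x86)\jmesoft\hotkey.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [DATAMNGR] "C:\PROGRA~2\WIF0E7~1\Datamngr\DATAMN~1.EXE"
mRun-x64: [zLL9VONNt0uc1bo8234A] C:\windows\system32\AV Protection 2011v121.exe
mRun-x64: [VsEYwBN1v2om56E] C:\Users\IvieSeale\AppData\Roaming\dwme.exe
mRun-x64: [LgTqYCekIVzOtAu8234A] "C:\Users\IvieSeale\AppData\Roaming\trzzONyxAuvSi\AV Protection 2011v121.exe"
mRunOnce-x64: [GrpConv] "grpconv" -o
BHO-X64: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
"""

# DDS prints Run-key entries as "<key>: [<value name>] <command line>".
RUN_LINE = re.compile(
    r"^(?P<key>[um]Run(?:Once)?(?:-x64)?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)

# Directories an ordinary user can write to; software installed for all users
# normally lives under Program Files or Windows instead (heuristic, my own).
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    key: str
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)


def extract_path(cmd: str) -> tuple[str, bool]:
    """Return (image path, was_quoted) for a Run-key command line.

    A quoted command takes the text between the first pair of quotes; an
    unquoted one takes everything up to the first ' /' or ' -' switch.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], True
    m = re.match(r"^(.*?)(?=\s+[/-]|$)", cmd)
    return (m.group(1) if m else cmd), False


def looks_random(name: str) -> bool:
    """Heuristic (mine, not a DDS rule): installers name Run values after the
    product, so a long value name with several digits mixed in is suspicious."""
    digits = sum(ch.isdigit() for ch in name)
    return len(name) >= 12 and digits >= 3


def triage(dds_text: str) -> list[Finding]:
    """Parse Run-key lines from DDS output and return the entries that trip
    at least one heuristic, with the reasons attached."""
    findings: list[Finding] = []
    for line in dds_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        key, name, cmd = m.group("key", "name", "cmd")
        path, quoted = extract_path(cmd)
        reasons: list[str] = []
        if looks_random(name):
            reasons.append("random-looking value name")
        if any(marker in path.lower() for marker in USER_WRITABLE_DIRS):
            reasons.append("image in user-writable directory")
        if not quoted and " " in path:
            reasons.append("unquoted image path containing spaces")
        if reasons:
            findings.append(Finding(key, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LINES):
        print(f"{f.key} [{f.name}] {f.path}\n    " + "; ".join(f.reasons))
```

Run against the sample, the three entries the helper later lists under `DDS::` for removal are flagged (two for both a generated name and a Roaming-profile location, one for a generated name and an unquoted path with spaces), while `jmekey`, `SunJavaUpdateSched` and `GrpConv` pass. The `DATAMNGR` entry, which the helper also removes, is not flagged: it is a toolbar component under a normal Program Files path, and these heuristics judge names and locations, not reputation, so a triage like this narrows the list to look at rather than replacing a lookup of each image.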

#7 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 28 November 2011 - 03:44 PM

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

DDS::
BHO: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
TB: {8dcb7100-df86-4384-8842-8fa844297b3f} - No File
mRun: [DATAMNGR] "C:\PROGRA~2\WIF0E7~1\Datamngr\DATAMN~1.EXE"
mRun: [LgTqYCekIVzOtAu8234A] "C:\Users\IvieSeale\AppData\Roaming\trzzONyxAuvSi\AV Protection 2011v121.exe"
AppInit_DLLs: c:\PROGRA~2\WIF0E7~1\Datamngr\datamngr.dll c:\PROGRA~2\WIF0E7~1\Datamngr\IEBHO.dll
BHO-X64: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
TB-X64: {8dcb7100-df86-4384-8842-8fa844297b3f} - No File
mRun-x64: [DATAMNGR] "C:\PROGRA~2\WIF0E7~1\Datamngr\DATAMN~1.EXE"
mRun-x64: [LgTqYCekIVzOtAu8234A] "C:\Users\IvieSeale\AppData\Roaming\trzzONyxAuvSi\AV Protection 2011v121.exe"
AppInit_DLLs-X64: c:\PROGRA~2\WIF0E7~1\Datamngr\datamngr.dll c:\PROGRA~2\WIF0E7~1\Datamngr\IEBHO.dll
Folder::
c:\users\Ambchop\AppData\Roaming\vjYYCwkIVlONx0c
c:\users\Ambchop\AppData\Roaming\CG44aQH6sK7fLgZ
c:\users\IvieSeale\AppData\Roaming\Vb3n4m6W7EgqCkV
c:\users\IvieSeale\AppData\Roaming\ijjwIrOtPu
c:\users\IvieSeale\AppData\Roaming\HLgZjwIrOx0
c:\users\IvieSeale\AppData\Roaming\trzzONyxAuvSi
c:\users\IvieSeale\AppData\Roaming\sFFF3mm5aQJ
c:\users\IvieSeale\AppData\Roaming\Ivnm5JdLgRqYwVB
c:\users\Ambchop\AppData\Roaming\NyxAAuuv2ib3pG
c:\users\Ambchop\AppData\Roaming\LaQHHddW7fR9TXj
c:\users\Ambchop\AppData\Roaming\ugTTXqqYCekVzNx
c:\users\Ambchop\AppData\Roaming\kA0uuSSibD3n4QH
c:\users\Ambchop\AppData\Roaming\o2iibD3pn4aQ6W7
c:\users\Ambchop\AppData\Roaming\mqqjYCwkIVlOtPu
c:\users\Ambchop\AppData\Roaming\qgRRZqhYXkUVlBz
c:\users\Ambchop\AppData\Roaming\mD33onF4aH5sJdL
c:\users\Ambchop\AppData\Roaming\D04A7
c:\users\Ambchop\AppData\Roaming\1E9D0
c:\users\Ambchop\AppData\Roaming\jJJ77dEEK8RZ9
c:\users\Ambchop\AppData\Roaming\eiiivDD2onFpmHs
c:\users\Ambchop\AppData\Roaming\C3oF44amH5sW7dL
c:\users\Ambchop\AppData\Roaming\BJJJ7ffL8gTqhCw
c:\users\Ambchop\AppData\Roaming\UOONNtxxPucS1b3


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1 and separate 10.1.1 update for it) here or get Foxit Reader here. Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check free readers introduced here.


Uninstall vulnerable Flash versions by following instructions here. Fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 7 Update 1.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u1-windows-i586.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
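The entries in the CFScript above were picked out of the DDS "Pseudo HJT Report" by a person reading the log: BHO/toolbar CLSIDs with "No File", a Run value with a random-looking name that launches an EXE from a random-named folder under AppData\Roaming, and an AppInit_DLLs value. The script below is an added example, not part of this thread and not a feature of DDS or ComboFix, that applies the same checks mechanically to DDS lines and drafts the DDS::/Folder:: sections in the layout used above, for a human to review. The sample lines are constructed from entries quoted in this thread; the case-flip threshold for "random-looking", the list of expected search hosts and the rule that any AppInit_DLLs value deserves a look are assumptions of this example. Note what it would not catch: the DATAMNGR entries in the script above came from the helper's knowledge of that component, not from any path or name heuristic, so a tool like this narrows the list but does not replace the reviewer.

```python
"""Triage DDS 'Pseudo HJT Report' lines the way a malware-removal helper reads
them, and draft the DDS::/Folder:: sections of a CFScript for human review.
Added example: the heuristics and thresholds are assumptions, not features of
DDS or ComboFix."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample modelled on lines quoted in this thread (DDS writes
# hxxp for http). Real input would be a saved dds.txt.
SAMPLE_DDS = r"""
uStart Page = hxxp://lenovo.msn.com
BHO: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
TB: {8dcb7100-df86-4384-8842-8fa844297b3f} - No File
mRun: [DATAMNGR] "C:\PROGRA~2\WIF0E7~1\Datamngr\DATAMN~1.EXE"
mRun: [LgTqYCekIVzOtAu8234A] "C:\Users\IvieSeale\AppData\Roaming\trzzONyxAuvSi\AV Protection 2011v121.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
AppInit_DLLs: c:\PROGRA~2\WIF0E7~1\Datamngr\datamngr.dll c:\PROGRA~2\WIF0E7~1\Datamngr\IEBHO.dll
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&q=
"""

# Hosts accepted as a Firefox keyword-search target (assumption of this example).
KNOWN_SEARCH_HOSTS = {"www.google.com", "google.com", "www.bing.com", "search.yahoo.com"}
# Line kinds the thread's CFScript lists verbatim under DDS::.
DDS_SECTION_KINDS = ("BHO", "TB", "mRun", "AppInit_DLLs")

_RUN_NAME = re.compile(r"^mRun(?:-x64)?:\s*\[([^\]]+)\]")
_QUOTED_PATH = re.compile(r'"([^"]+)"')
_HOST = re.compile(r"hxxps?://([^/?\s]+)", re.I)


@dataclass
class Finding:
    line: str    # the DDS line, verbatim
    reason: str  # why it was flagged


def looks_random(name: str, threshold: float = 0.5) -> bool:
    """Heuristic: letters flip case on at least `threshold` of adjacent pairs,
    as in LgTqYCekIVzOtAu8234A; ordinary names (iTunesHelper) flip rarely."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8:
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return flips / (len(letters) - 1) >= threshold


def under_user_profile(path: str) -> bool:
    """True for paths below C:\\Users\\<name>\\AppData\\..., where installers
    rarely put autorun targets but rogue AV families commonly do."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return "users" in parts and "appdata" in parts


def triage(dds_text: str) -> list[Finding]:
    """Apply the reviewer's checks to every DDS line and return what was flagged."""
    findings: list[Finding] = []
    for line in dds_text.splitlines():
        line = line.rstrip()
        if line.startswith(("BHO", "TB")) and line.endswith("- No File"):
            findings.append(Finding(line, "orphan BHO/toolbar CLSID (no file on disk)"))
        elif line.startswith("mRun"):
            m, q = _RUN_NAME.match(line), _QUOTED_PATH.search(line)
            name = m.group(1) if m else ""
            path = q.group(1) if q else ""
            reasons = []
            if path and under_user_profile(path):
                reasons.append("autorun target under user profile")
            if looks_random(name):
                reasons.append("random-looking Run value name")
            if reasons:
                findings.append(Finding(line, "; ".join(reasons)))
        elif line.startswith("AppInit_DLLs"):
            findings.append(Finding(line, "AppInit_DLLs set: DLLs loaded into every user32 process"))
        elif "keyword.URL" in line:
            h = _HOST.search(line)
            host = h.group(1).lower() if h else "?"
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(Finding(line, f"Firefox keyword search sent to {host}"))
    return findings


def draft_cfscript(findings: list[Finding]) -> str:
    """DDS:: lines verbatim, then Folder:: for the profile folders they run
    from, in the layout of the script in this thread. Review before use."""
    dds = [f.line for f in findings if f.line.startswith(DDS_SECTION_KINDS)]
    folders: list[str] = []
    for line in dds:
        q = _QUOTED_PATH.search(line)
        if q and under_user_profile(q.group(1)):
            folder = str(PureWindowsPath(q.group(1)).parent)
            if folder not in folders:
                folders.append(folder)
    out = ["DDS::", *dds]
    if folders:
        out += ["Folder::", *folders]
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python triage_dds.py dds.txt   (no argument: run on the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DDS
    found = triage(text)
    for f in found:
        print(f"{f.reason:55} {f.line}")
    print("\n" + draft_cfscript(found))
```

On the sample it flags the two "No File" CLSIDs, the Run value launching from AppData\Roaming, the AppInit_DLLs value and the Firefox keyword.URL redirect, leaves iTunesHelper and the DATAMNGR Run entry alone, and drafts a DDS:: section plus a Folder:: line for C:\Users\IvieSeale\AppData\Roaming\trzzONyxAuvSi. The keyword.URL hit is reported but kept out of the draft, since the thread's script only lists BHO/TB/mRun/AppInit_DLLs lines there.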


#8 ambchop (Topic Starter)

Posted 29 November 2011 - 04:50 PM

The Combofix keeps stalling out.

#9 Blade81 (Malware Response Team)

Posted 30 November 2011 - 12:39 AM

Hi,

Give it a try in safe mode if possible and make sure antivirus protection is turned off.



#10 ambchop (Topic Starter)

Posted 30 November 2011 - 03:10 PM

Combofix Ran, restarted the computer yet there was no resultant log

#11 Blade81 (Malware Response Team)

Posted 30 November 2011 - 03:45 PM

Hi,

Please post fresh dds.txt log. Also, run ComboFix again by just double clicking its icon (let it update itself if prompted) and post back its log.



#12 ambchop (Topic Starter)

Posted 30 November 2011 - 04:30 PM

Hello, let me explain exactly what happens, as again after 3 failed attempts I still do not have a ComboFix report to provide. FYI, I am going to run the scan again, as I believe that it is either corrupted or corrupting my computer further. Thanks.
Open ComboFix
ComboFix Runs
ComboFix Restarts Computer
I select my user icon to log into the desktop
ComboFix runs and runs and runs, opening and closing several windows per second without ceasing.
I restart computer
No Log

I ran the ESET scan, which reported No Errors during its scan.

Here is the DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by IvieSeale at 15:24:49 on 2011-11-30
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5992.4683 [GMT -6:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://lenovo.msn.com
mStart Page = hxxp://lenovo.msn.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll
mRun: [jmekey] "C:\Program Files (x86)\jmesoft\hotkey.exe"
mRun: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun: [Nikon Transfer Monitor] "C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~4\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{4DF2A46B-AB71-4315-9D7D-53E6AB8F5EE5} : DhcpNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Lexmark Printable Web: {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Lexmark Toolbar: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
mRun-x64: [jmekey] "C:\Program Files (x86)\jmesoft\hotkey.exe"
mRun-x64: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun-x64: [Nikon Transfer Monitor] "C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\IvieSeale\AppData\Roaming\Mozilla\Firefox\Profiles\hdf331cb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://bt.etree.org/?searchss=phish&cat=0|http://www.google.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&q=
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Logitech\Harmony Remote Driver\NprtHarmonyPlugin.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;C:\windows\system32\DRIVERS\e1c62x64.sys --> C:\windows\system32\DRIVERS\e1c62x64.sys [?]
R3 GeneStor;Genesys Logic Storage Driver;C:\windows\system32\DRIVERS\GeneStor.sys --> C:\windows\system32\DRIVERS\GeneStor.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;C:\windows\system32\DRIVERS\RTL8192su.sys --> C:\windows\system32\DRIVERS\RTL8192su.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-24 136176]
S2 lxea_device;lxea_device;C:\windows\system32\lxeacoms.exe -service --> C:\windows\system32\lxeacoms.exe -service [?]
S2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-5-6 2655768]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-24 136176]
S3 IntcDAud;Intel® Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S3 wsvd;wsvd;C:\windows\system32\DRIVERS\wsvd.sys --> C:\windows\system32\DRIVERS\wsvd.sys [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys --> C:\windows\system32\DRIVERS\yk62x64.sys [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== File Associations ===============
.
inffile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
VBEFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
VBSFile=%SystemRoot%\SysWow64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-11-30 21:23:49 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3CEC9A57-CC79-4BF6-8E13-DDE468D13681}\offreg.dll
2011-11-30 20:55:22 -------- d-----w- C:\Users\IvieSeale\AppData\Local\temp
2011-11-30 20:52:25 -------- d-s---w- C:\ComboFix
2011-11-29 18:38:49 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3CEC9A57-CC79-4BF6-8E13-DDE468D13681}\mpengine.dll
2011-11-28 19:10:29 -------- dc-h--w- C:\ProgramData\{13B9F5E8-C08A-4A36-853C-E98B1B218525}
2011-11-28 19:09:27 -------- d-----w- C:\ProgramData\Webroot
2011-11-28 18:39:46 -------- d-sh--w- C:\$RECYCLE.BIN
2011-11-28 18:20:23 98816 ----a-w- C:\windows\sed.exe
2011-11-28 18:20:23 518144 ----a-w- C:\windows\SWREG.exe
2011-11-28 18:20:23 256000 ----a-w- C:\windows\PEV.exe
2011-11-28 18:20:23 208896 ----a-w- C:\windows\MBR.exe
2011-11-23 00:36:21 -------- d-----w- C:\ProgramData\PC Tools
2011-11-23 00:36:19 -------- d-----w- C:\Users\IvieSeale\AppData\Roaming\TestApp
2011-11-14 22:20:06 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
2011-11-14 22:19:32 -------- d-----w- C:\Program Files\DivX
2011-11-14 22:19:26 -------- d-----w- C:\Program Files (x86)\Common Files\DivX Shared
2011-11-14 22:18:47 -------- d-----w- C:\Program Files (x86)\DivX
2011-11-14 22:17:32 -------- d-----w- C:\ProgramData\DivX
2011-11-09 14:51:57 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-09 14:51:57 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-09 14:51:55 1923952 ----a-w- C:\windows\System32\drivers\tcpip.sys
2011-11-09 14:51:54 3144704 ----a-w- C:\windows\System32\win32k.sys
.
==================== Find3M ====================
.
2011-11-20 16:59:05 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-20 23:26:22 94208 ----a-w- C:\windows\SysWow64\dpl100.dll
2011-10-01 03:25:37 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2011-10-01 02:42:56 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
2011-09-28 06:28:20 106496 ----a-w- C:\windows\SysWow64\ATL71.DLL
.
============= FINISH: 15:25:25.07 ===============

#13 Blade81 (Malware Response Team)

Posted 01 December 2011 - 12:54 AM

Ok. We'll see if it runs better this time. Run also ESET scanner and do updating for those vulnerable programs.



#14 Blade81 (Malware Response Team)

Posted 12 December 2011 - 11:55 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



#15 Blade81 (Malware Response Team)

Posted 15 December 2011 - 01:09 PM

This topic has been re-opened at the request of the person who originally posted.





