
AV Protection 2011 infection


This topic is locked. 25 replies to this topic.

#1 censored (Members, 13 posts)

Posted 23 November 2011 - 09:12 PM

HP dv4-1365dx laptop
Windows Vista 64 bit

The original problem was an infection of AV Protection 2011, but the laptop owner tried to fix it himself and failed.

This machine will not boot normally nor in safe mode.
It will go into the "repair my computer" mode at which time it says it can't repair it.
I have tried the simple stuff like command prompt "bootrec /fixboot", but no joy.

Also, the owner of this machine had tried installing Norton without UNinstalling AVG first.
It was somewhere around this point that it failed to boot.
Instead of letting me fix a relatively easy but annoying malware infection, he tried to do it himself and effectively bricked his machine.
He handed it to me to get it fixed. I don't want to muck it up so I am asking for help.

Since it will not boot except to the repair options, the scans listed in the instructions are not directly available to me at this point.
I have an idea how to make them work, but at this point since it has already been "handled" by someone else, I don't want to risk further damage and would rather proceed with guided help.
I am in the process of backing up whatever the HP utility will save before proceeding.
Any help is greatly appreciated.


#2 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,076 posts, Location: Romania)

Posted 24 November 2011 - 02:19 AM

Do you have a Vista disk at hand?

Can you try safe mode? Does that appear to start normally, or does it hang/reboot?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 censored (Topic Starter, Members, 13 posts)

Posted 24 November 2011 - 11:35 AM

Do you have a Vista disk at hand?

Can you try safe mode? Does that appear to start normally, or does it hang/reboot?

It will start to boot in normal mode and show the progress indicator, then reboot.
In safe mode, basically the same thing, I see the long list of drivers being loaded, then it just stalls for a bit and then reboots.

Yes I have a Vista disk available but it is a different version. The laptop has Vista Home Premium and my disk is Vista Ultimate.

#4 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,076 posts, Location: Romania)

Posted 24 November 2011 - 11:39 AM

Let's first see if you get a blue screen message.

We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select "Disable Automatic Restart on System Failure", as shown here:
  • When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:
Please post me the error(s).

regards, Elise




#5 censored (Topic Starter, Members, 13 posts)

Posted 24 November 2011 - 08:56 PM

It has not been showing a blue screen, just stalls and reboots.

Following your last instruction to "Disable Automatic Restart on System Failure",
it did NOT show a blue screen.
It went through POST, showed the Windows Vista progress indicator,
then the screen went black and stayed that way but the machine did not power off.
I finally touched the power button to power it off after about 10 minutes of apparent inactivity.
*Edit*
After I posted this, I tried again to boot to "Disable Automatic Restart on System Failure" with the same result, no boot no blue screen; only this time I just left it on for several hours and still no blue screen.

Before I manually powered it off, I shined a flashlight all across the LCD to see if perhaps the backlight may be failing, but there is no evidence of any image where a Windows login image should be. And there is no light, as opposed to the backlight of the LCD being lit and showing an empty black screen. Screen appears to be off.
Also, the rudimentary HP hardware test shows the hard drive and memory are both good, but that is all it tests.

I should probably have mentioned this initially, but before asking for help, I had the hard drive out of this machine slaved into another machine (offline of course) and scanned it with Microsoft Security Essentials and Malwarebytes Anti-Malware, both free versions, fully updated.

The MSE scan cleaned:
Exploit:JS/Blacole.W
Rogue:Win32/FakeScanti
Backdoor:Win32/Cycbot.G
Trojan:Win32/Sirefef.Q
Adware:Win32/Hotbar
PWS:Win32/Fareit.gen!C
Backdoor:Win32/Cycbot.G
2011-11-23T01:43:58.968Z DETECTION Backdoor:Win32/Cycbot.G file:E:\Program Files (x86)\ED929\lvvm.exe->[Obfuscator.JM]->(UPX)
2011-11-23T02:06:13.281Z DETECTION Backdoor:Win32/Cycbot.G file:E:\Program Files (x86)\LP\218F\35A.exe->[Obfuscator.JM]->(UPX)
2011-11-23T02:06:16.671Z DETECTION PWS:Win32/Fareit.gen!C file:E:\Program Files (x86)\LP\218F\61BB.tmp
2011-11-23T02:08:23.984Z DETECTION Adware:Win32/Hotbar file:E:\Program Files (x86)\Mozilla Firefox\plugins\npclntax_HBLiteSA.dll
2011-11-23T02:40:17.468Z DETECTION Backdoor:Win32/Cycbot.G file:E:\Users\username\AppData\Local\Temp\dwme.exe->[Obfuscator.JM]->(UPX)
2011-11-23T02:40:39.375Z DETECTION Trojan:Win32/Sirefef.Q file:E:\Users\username\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\2696121a-2db43581
2011-11-23T02:41:00.125Z DETECTION Backdoor:Win32/Cycbot.G file:E:\Users\username\AppData\Roaming\dwme.exe->[Obfuscator.JM]->(UPX)
2011-11-23T02:43:52.453Z DETECTION Backdoor:Win32/Cycbot.G file:E:\Users\username\AppData\Roaming\F6BED\3AD21.exe->[Obfuscator.JM]->(UPX)
2011-11-23T02:45:19.812Z DETECTION Rogue:Win32/FakeScanti file:E:\Users\username\AppData\Roaming\V1iivvD2onF4\AV Protection 2011v121.exe->[Obfuscator.JM]->(UPX)
2011-11-23T02:46:31.859Z DETECTION Rogue:Win32/FakeScanti file:E:\Users\username\Documents\dvoh.exe->[Obfuscator.JM]->(UPX)
2011-11-23T03:20:18.265Z DETECTION Exploit:JS/Blacole.W file:E:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\main[1].htm

after that,
MBAM found:
e:\program files (x86)\mozilla firefox\plugins\npclntax_hblitesa.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
e:\$RECYCLE.BIN\s-1-5-21-3530880051-3625365798-890871634-1000\$RM27RYI.exe (Adware.OpenInstall) -> Quarantined and deleted successfully.

Both MSE & MBAM scans were run in safe mode on the "scanning machine" and were preceded with rkill, and tdsskiller, as per the instructions regarding the tutorial on this site for the AV Protection 2011 infection I was told the laptop had. The only edit to the log information above was to change the Windows username to "username" from the laptop owners actual name. The drive letter designation "E" is because the laptop's drive was slaved in a different computer.
The laptop still won't boot at all.

Thank you for your help and Happy Thanksgiving.

Edited by censored, 25 November 2011 - 08:22 AM.


#6 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,076 posts, Location: Romania)

Posted 25 November 2011 - 11:58 AM

Please start your computer and tap F8, when the Advanced Boot Options menu comes up, let me know if you see the option Repair Windows. If so, select that and let me know if the Recovery Environment loads. When loaded, select Startup Repair and let me know if that fixes the issue.

regards, Elise




#7 censored (Topic Starter, Members, 13 posts)

Posted 25 November 2011 - 01:09 PM

It will go into the "repair my computer" mode at which time it says it can't repair it.

I see the "Repair Windows" option,
and "Startup Repair" loads but still does not fix the problem.
And I have run it several times since you asked.

Problem signature:
Problem Event Name: StartupRepairV2
Problem Signature 01: AutoFailover
Problem Signature 02: 6.0.6001.18000.6.0.6001.18000
Problem Signature 03: 6
Problem Signature 04: 1441811
Problem Signature 05: NoRootCause
Problem Signature 06: NoRootCause
Problem Signature 07: 0
Problem Signature 08: 0
Problem Signature 09: unknown
Problem Signature 10: 1168
OS version: 6.0.6001.2.1.0.256.1
Locale ID: 1033

Edited by censored, 25 November 2011 - 01:36 PM.


#8 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,076 posts, Location: Romania)

Posted 25 November 2011 - 01:56 PM

Hi again,

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

regards, Elise




#9 censored (Topic Starter, Members, 13 posts)

Posted 25 November 2011 - 02:25 PM

FRST.txt log from infected laptop.
Bear with me, I didn't read it first and need to edit it slightly to remove the owner's name.

Okay, here is the FRST.txt with the owner's name replaced with the word username:

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.0
Ran by SYSTEM at 2011-11-25 13:16:47
Running from F:\
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe [441344 2008-09-11] (IDT, Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-08-25] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [415256 2010-08-25] (Intel Corporation)
HKLM-x32\...\Run: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [1316136 2008-12-25] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [189736 2008-12-25] (CyberLink)
HKLM-x32\...\Run: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam" [218408 2008-11-14] (CyberLink Corp.)
HKLM-x32\...\Run: [HP Mobile Broadband] c:\SWsetup\HPQWWAN\HPMobileBroadband.exe /TrayMode [455224 2009-01-09] (Hewlett-Packard Company)
HKLM-x32\...\Run: [coreworks] "C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\gbxapp.exe" runatstartup [780776 2009-01-30] (HP)
HKLM-x32\...\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start [206128 2008-10-10] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [432432 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [305440 2009-09-21] (Apple Inc.)
HKLM-x32\...\Run: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [206120 2009-02-09] (CyberLink Corp.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-09-08] (Apple Inc.)
HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [887976 2011-08-23] (Ask)
HKLM-x32\...\Run: [Z222obbF3pmGaQ6] C:\Users\username\AppData\Roaming\dwme.exe [x]
HKLM-x32\...\Run: [35A.exe] "C:\Program Files (x86)\LP\218F\35A.exe" [x]
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2008-01-20] (Microsoft Corporation)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [966656 2008-11-18] (Hewlett-Packard)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2008-01-20] (Microsoft Corporation)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [966656 2008-11-18] (Hewlett-Packard)
HKU\username\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2144088 2009-01-26] (Safer Networking Limited)
HKU\username\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\username\...\Run: [ooVoo.exe] C:\Program Files (x86)\ooVoo\oovoo.exe /minimized [21975120 2011-08-14] (ooVoo LLC)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.10.1
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_5730ce9f\AESTSr64.exe [89088 2008-06-27] (Andrea Electronics Corporation)
2 AgereModemAudio; C:\Windows\system32\agr64svc.exe [15872 2007-12-11] (Agere Systems)
2 Apple Mobile Device; "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" [144672 2009-08-28] (Apple Inc.)
3 DFSR; C:\Windows\System32\DFSR.exe [3432960 2008-01-20] (Microsoft Corporation)
2 Dhcp; C:\Windows\System32\dhcpcsvc.dll [268288 2008-01-20] (Microsoft Corporation)
2 ehstart; C:\Windows\ehome\ehstart.dll [15360 2006-11-02] (Microsoft Corporation)
2 EMDMgmt; C:\Windows\System32\emdmgmt.dll [399872 2009-02-22] (Microsoft Corporation)
3 GameConsoleService; "C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe" [165416 2008-05-05] (WildTangent, Inc.)
2 hpsrv; C:\Windows\System32\Hpservice.exe [23040 2008-03-18] (Hewlett-Packard Corporation)
2 mdvauthsrv; C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\mdvauthsrv.exe [399848 2009-01-30] (HP)
2 mdvsrv; C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\mdvsrv.exe [281064 2009-01-30] (HP)
3 p2pimsvc; C:\Windows\System32\p2psvc.dll [837632 2008-01-20] (Microsoft Corporation)
3 PNRPAutoReg; C:\Windows\System32\p2psvc.dll [837632 2008-01-20] (Microsoft Corporation)
3 PNRPsvc; C:\Windows\System32\p2psvc.dll [837632 2008-01-20] (Microsoft Corporation)
2 QDLService; C:\QUALCOMM\QDLService\QDLService.exe [345336 2009-01-14] (QUALCOMM, Inc.)
2 Recovery Service for Windows; C:\Program Files (x86)\SMINST\BLService.exe [365952 2008-12-17] ()
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [241734 2008-09-15] ()
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 slsvc; C:\Windows\System32\SLsvc.exe [2161664 2008-01-20] (Microsoft Corporation)
3 SLUINotify; C:\Windows\System32\SLUINotify.dll [71168 2008-01-20] (Microsoft Corporation)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_5730ce9f\STacSV64.exe [279040 2008-09-11] (IDT, Inc.)
2 Themes; C:\Windows\System32\shsvcs.dll [301568 2009-07-10] (Microsoft Corporation)
2 TVCapSvc; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe" [296320 2009-02-09] ()
2 TVSched; "C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe" [116096 2009-02-09] ()
3 WPFFontCache_v0400; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [1020768 2010-03-18] (Microsoft Corporation)
2 HP Health Check Service; "c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
2 NAV; "C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe" /s "NAV" /m "C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll" /prefetch:1 [x]

========================== Drivers (Whitelisted) =============

3 Accelerometer; C:\Windows\System32\DRIVERS\Accelerometer.sys [40296 2008-03-27] (Hewlett-Packard Corporation)
0 adpu160m; C:\Windows\System32\drivers\adpu160m.sys [126520 2008-01-20] (Adaptec, Inc.)
3 AgereSoftModem; C:\Windows\System32\DRIVERS\agrsm64.sys [1252352 2008-02-29] (Agere Systems)
0 Ecache; C:\Windows\System32\drivers\ecache.sys [157240 2008-01-20] (Microsoft Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [482936 2011-11-18] (Symantec Corporation)
3 enecir; C:\Windows\System32\DRIVERS\enecir.sys [64000 2008-09-04] (ENE TECHNOLOGY INC.)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138360 2011-11-18] (Symantec Corporation)
0 HpCISSs; C:\Windows\System32\drivers\hpcisss.sys [47672 2008-01-20] (Hewlett-Packard Company)
0 hpdskflt; C:\Windows\System32\DRIVERS\hpdskflt.sys [26984 2008-03-27] (Hewlett-Packard Corporation)
0 i2omp; C:\Windows\System32\drivers\i2omp.sys [35896 2008-01-20] (Microsoft Corporation)
0 iteatapi; C:\Windows\System32\drivers\iteatapi.sys [37480 2006-11-02] (Integrated Technology Express, Inc.)
0 iteraid; C:\Windows\System32\drivers\iteraid.sys [37480 2006-11-02] (Integrated Technology Express, Inc.)
3 JMCR; C:\Windows\System32\DRIVERS\jmcr.sys [145496 2008-07-21] (JMicron Technology Corporation)
0 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [39016 2006-11-02] (LSI Logic Corporation)
3 NETw3v64; C:\Windows\System32\DRIVERS\NETw3v64.sys [3154432 2008-01-20] (Intel Corporation)
3 RTL8169; C:\Windows\System32\DRIVERS\Rtlh64.sys [170496 2008-07-22] (Realtek Corporation )
0 SiSRaid2; C:\Windows\System32\drivers\sisraid2.sys [45624 2008-01-20] (Microsoft Corporation)
1 SRTSP; C:\Windows\System32\drivers\NAVx64\1205000.07D\SRTSP64.SYS [735864 2010-11-22] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\drivers\NAVx64\1206000.01D\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
0 Symc8xx; C:\Windows\System32\drivers\symc8xx.sys [49256 2006-11-02] (LSI Logic)
0 SymDS; C:\Windows\System32\drivers\NAVx64\1206000.01D\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-11-18] (Symantec Corporation)
1 SymIRON; C:\Windows\System32\drivers\NAVx64\1206000.01D\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
3 SYMTDIv; C:\Windows\System32\drivers\NAVx64\1205000.07D\SYMTDIV.SYS [432760 2010-11-30] (Symantec Corporation)
0 Sym_hi; C:\Windows\System32\drivers\sym_hi.sys [44648 2006-11-02] (LSI Logic)
0 Sym_u3; C:\Windows\System32\drivers\sym_u3.sys [48232 2006-11-02] (LSI Logic)
3 tunmp; C:\Windows\System32\DRIVERS\tunmp.sys [18432 2008-01-20] (Microsoft Corporation)
0 uliahci; C:\Windows\System32\drivers\uliahci.sys [284728 2008-01-20] (ULi Electronics Inc.)
0 UlSata; C:\Windows\System32\drivers\ulsata.sys [148072 2006-11-02] (Promise Technology, Inc.)
0 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [174696 2008-01-20] (Promise Technology, Inc.)
3 WpdUsb; C:\Windows\System32\DRIVERS\wpdusb.sys [46080 2008-01-20] (Microsoft Corporation)
3 yukonx64; C:\Windows\System32\DRIVERS\yk60x64.sys [273408 2006-10-03] (Marvell)
2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [146928 2008-11-28] (CyberLink Corp.)
1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\BASHDefs\20111114.002\BHDrvx64.sys [x]
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\IPSDefs\20111117.030\IDSvia64.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 msiserver; C:\Windows\System32\msiexec /V [x]
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\VirusDefs\20111118.004\ENG64.SYS [x]
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.5.0.125\Definitions\VirusDefs\20111118.004\EX64.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-11-23 17:20 - 2011-11-23 17:23 - 0000000 ____D C:\FRST
2011-11-23 14:53 - 2011-11-24 18:08 - 4193210368 __ASH C:\hiberfil.sys
2011-11-22 20:16 - 2011-11-22 20:16 - 0000000 ____D C:\New Folder
2011-11-18 12:25 - 2011-11-18 14:28 - 0174200 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2011-11-18 12:25 - 2011-11-18 14:28 - 0007488 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2011-11-18 12:25 - 2011-11-18 14:28 - 0000855 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.INF
2011-11-18 12:25 - 2011-11-18 12:25 - 0000000 ____D C:\Program Files\Common Files\Symantec Shared
2011-11-18 12:24 - 2011-11-18 14:27 - 0000000 ____D C:\Windows\System32\Drivers\NAVx64
2011-11-18 12:17 - 2011-11-18 12:18 - 0000000 ____D C:\Users\All Users\MFAData
2011-11-18 12:17 - 2011-11-18 12:18 - 0000000 ____D C:\Users\All Users\Application Data\MFAData
2011-11-18 12:17 - 2011-11-18 12:18 - 0000000 ____D C:\ProgramData\MFAData
2011-11-18 09:37 - 2011-11-23 13:39 - 5382542 ____A C:\Windows\ntbtlog.txt
2011-11-18 06:48 - 2011-11-18 06:48 - 0017869 ____A C:\Users\username\Desktop\AVG AntiVirus Pro 2012 v1808 (32 Bit) By Cool Release.zip[1337x.org].torrent
2011-11-17 21:14 - 2011-11-17 21:15 - 1333687 ____A C:\Users\username\Desktop\IMG_1049.JPG
2011-11-17 21:14 - 2011-11-17 21:15 - 1273730 ____A C:\Users\username\Desktop\IMG_1053.JPG
2011-11-17 15:27 - 2011-11-17 15:27 - 0001926 ____A C:\Users\username\Desktop\AV Protection 2011.lnk
2011-11-17 15:27 - 2011-11-17 15:27 - 0000000 ____D C:\Windows\system64
2011-11-13 07:07 - 2011-11-13 07:07 - 0002239 ____A C:\Users\username\Downloads\photo - Shortcut.lnk
2011-11-13 07:06 - 2011-11-13 07:09 - 0145224 ____A C:\Users\username\Downloads\photo(1).JPG

============ 3 Months Modified Files and Folders =============

2011-11-24 18:08 - 2011-11-23 14:53 - 4193210368 __ASH C:\hiberfil.sys
2011-11-23 17:23 - 2011-11-23 17:20 - 0000000 ____D C:\FRST
2011-11-23 14:29 - 1999-03-30 10:17 - 0000000 ___HD C:\System.sav
2011-11-23 13:39 - 2011-11-18 09:37 - 5382542 ____A C:\Windows\ntbtlog.txt
2011-11-22 20:16 - 2011-11-22 20:16 - 0000000 ____D C:\New Folder
2011-11-18 14:31 - 2009-10-07 13:29 - 2082835 ____A C:\Windows\WindowsUpdate.log
2011-11-18 14:31 - 2009-02-22 20:22 - 0000012 ____A C:\Windows\bthservsdp.dat
2011-11-18 14:31 - 2006-11-02 07:42 - 0032624 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-11-18 14:31 - 2006-11-02 07:42 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-11-18 14:31 - 2006-11-02 07:22 - 0003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2011-11-18 14:31 - 2006-11-02 07:22 - 0003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2011-11-18 14:30 - 2009-10-07 16:31 - 0000000 ____D C:\Users\username\My Documents\Azureus Downloads
2011-11-18 14:30 - 2009-10-07 16:31 - 0000000 ____D C:\Users\username\Documents\Azureus Downloads
2011-11-18 14:28 - 2011-11-18 12:25 - 0174200 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2011-11-18 14:28 - 2011-11-18 12:25 - 0007488 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2011-11-18 14:28 - 2011-11-18 12:25 - 0000855 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.INF
2011-11-18 14:27 - 2011-11-18 12:24 - 0000000 ____D C:\Windows\System32\Drivers\NAVx64
2011-11-18 13:43 - 2009-10-07 15:54 - 0021508 ____A C:\Users\All Users\HPWALog.txt
2011-11-18 13:43 - 2009-10-07 15:54 - 0021508 ____A C:\Users\All Users\Application Data\HPWALog.txt
2011-11-18 13:43 - 2009-10-07 15:54 - 0021508 ____A C:\ProgramData\HPWALog.txt
2011-11-18 13:29 - 2011-08-02 21:40 - 0000000 ____D C:\Program Files (x86)\Ask.com
2011-11-18 13:16 - 2010-07-14 22:07 - 0000000 ____D C:\Program Files (x86)\QuestDns
2011-11-18 12:42 - 2006-11-02 04:46 - 0703388 ____A C:\Windows\System32\PerfStringBackup.INI
2011-11-18 12:37 - 2009-10-24 18:54 - 0000000 ____D C:\Users\username\Application Data\LimeWire
2011-11-18 12:37 - 2009-10-24 18:54 - 0000000 ____D C:\Users\username\AppData\Roaming\LimeWire
2011-11-18 12:33 - 2009-10-07 16:29 - 0000000 ____D C:\Users\username\Application Data\Azureus
2011-11-18 12:33 - 2009-10-07 16:29 - 0000000 ____D C:\Users\username\AppData\Roaming\Azureus
2011-11-18 12:33 - 2009-10-07 16:26 - 0000000 ____D C:\Program Files (x86)\Vuze
2011-11-18 12:25 - 2011-11-18 12:25 - 0000000 ____D C:\Program Files\Common Files\Symantec Shared
2011-11-18 12:18 - 2011-11-18 12:17 - 0000000 ____D C:\Users\All Users\MFAData
2011-11-18 12:18 - 2011-11-18 12:17 - 0000000 ____D C:\Users\All Users\Application Data\MFAData
2011-11-18 12:18 - 2011-11-18 12:17 - 0000000 ____D C:\ProgramData\MFAData
2011-11-18 08:53 - 2010-07-29 19:16 - 0000052 ____A C:\Windows\SysWOW64\DOErrors.log
2011-11-18 06:48 - 2011-11-18 06:48 - 0017869 ____A C:\Users\username\Desktop\AVG AntiVirus Pro 2012 v1808 (32 Bit) By Cool Release.zip[1337x.org].torrent
2011-11-17 21:42 - 2010-07-11 12:15 - 0001336 ____A C:\Windows\setupact.log
2011-11-17 21:15 - 2011-11-17 21:14 - 1333687 ____A C:\Users\username\Desktop\IMG_1049.JPG
2011-11-17 21:15 - 2011-11-17 21:14 - 1273730 ____A C:\Users\username\Desktop\IMG_1053.JPG
2011-11-17 15:27 - 2011-11-17 15:27 - 0001926 ____A C:\Users\username\Desktop\AV Protection 2011.lnk
2011-11-17 15:27 - 2011-11-17 15:27 - 0000000 ____D C:\Windows\system64
2011-11-13 07:09 - 2011-11-13 07:06 - 0145224 ____A C:\Users\username\Downloads\photo(1).JPG
2011-11-13 07:07 - 2011-11-13 07:07 - 0002239 ____A C:\Users\username\Downloads\photo - Shortcut.lnk
2011-11-13 06:44 - 2009-10-08 12:09 - 0000000 ____D C:\Users\username\Desktop\College homework
2011-11-13 06:42 - 2009-10-10 15:23 - 0009002 ____A C:\Users\username\Application Data\wklnhst.dat
2011-11-13 06:42 - 2009-10-10 15:23 - 0009002 ____A C:\Users\username\AppData\Roaming\wklnhst.dat
2011-11-11 01:00 - 2006-11-02 04:35 - 52174280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2011-11-10 20:33 - 2010-01-11 12:16 - 0007052 ____A C:\Users\username\Local Settings\d3d9caps.dat
2011-11-10 20:33 - 2010-01-11 12:16 - 0007052 ____A C:\Users\username\Local Settings\Application Data\d3d9caps.dat
2011-11-10 20:33 - 2010-01-11 12:16 - 0007052 ____A C:\Users\username\AppData\Local\d3d9caps.dat
2011-11-10 20:33 - 2009-02-22 22:13 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2011-10-21 00:03 - 2009-02-22 21:51 - 0000000 ____D C:\Users\All Users\Microsoft Help
2011-10-21 00:03 - 2009-02-22 21:51 - 0000000 ____D C:\Users\All Users\Application Data\Microsoft Help
2011-10-21 00:03 - 2009-02-22 21:51 - 0000000 ____D C:\ProgramData\Microsoft Help
2011-10-20 20:46 - 2009-10-07 16:26 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2011-08-30 22:23 - 2009-10-24 13:08 - 0000000 ____D C:\Users\username\Desktop\Random pics
2011-08-30 22:15 - 2011-03-22 22:37 - 0000000 ____D C:\Users\username\My Documents\Webcam
2011-08-30 22:15 - 2011-03-22 22:37 - 0000000 ____D C:\Users\username\Documents\Webcam
2011-08-29 21:25 - 2011-08-29 21:25 - 0404640 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0406016 ____A (Microsoft Corporation) 856491FCED98093D824B9EB2892F564A

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 3998.02 MB
Available physical RAM: 3289.14 MB
Total Pagefile: 3755.5 MB
Available Pagefile: 3299.25 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:219.64 GB) (Free:153.63 GB) NTFS ==>[System with boot components]
2 Drive d: (RECOVERY) (Fixed) (Total:13.24 GB) (Free:2.01 GB) NTFS ==>[System with boot components]
4 Drive f: () (Removable) (Total:1.92 GB) (Free:1.38 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 1024 KB
Disk 1 Online 1967 MB 0 B

Partitions of Disk 0:

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 220 GB 1024 KB
Partition 2 Primary 13 GB 220 GB

Disk: 0
Partition 1
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 220 GB Healthy

==========================================================

Last Boot: 2011-11-18 12:40

======================= End Of Log ==========================


Edited by censored, 25 November 2011 - 02:40 PM.
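As an added example (not part of this thread and not FRST's own code), the following Python script parses Run-key and service lines in the FRST log format shown above and flags the same signals the helper acts on: entries whose file is gone (`[x]`), random-looking names, executables under user-writable paths, empty publisher info (`()`), and FRST's own `==> ZeroAccess` verdict. The sample lines are constructed from the log above and the heuristics are my own, so treat them as a triage aid rather than a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the FRST log posted above: a few Registry
# "Run" entries, the SubSystems line FRST tagged, and two service entries.
SAMPLE_FRST_LINES = r"""
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [305440 2009-09-21] (Apple Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Z222obbF3pmGaQ6] C:\Users\username\AppData\Roaming\dwme.exe [x]
HKLM-x32\...\Run: [35A.exe] "C:\Program Files (x86)\LP\218F\35A.exe" [x]
HKU\username\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
SubSystems: [Windows] ==> ZeroAccess
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [241734 2008-09-15] ()
2 NAV; "C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe" /s "NAV" [x]
""".strip("\n")

# Line shapes seen in the Registry and Services sections of the log.
RUN_RE = re.compile(r"^(?P<hive>HK.+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<rest>.*)$")
SERVICE_RE = re.compile(r"^(?P<start>[0-4]) (?P<name>[^;]+); (?P<rest>.*)$")
MARKER_RE = re.compile(r"^(?P<key>.+?) ==> (?P<marker>\S+)$")   # e.g. "==> ZeroAccess"
# The executable is either quoted, or runs up to the first " [" (size/date block).
TARGET_RE = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>.+?)(?= \[|$)')
PUBLISHER_RE = re.compile(r"\((?P<publisher>[^()]*)\)$")       # trailing "(Company)"

# Path fragments a standard user can write to; autoruns there deserve a look.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\$recycle.bin\\")


@dataclass
class Finding:
    line: str
    kind: str      # "run", "service" or "marker"
    name: str
    target: str
    reasons: list


def looks_random(name):
    """Heuristic: alphanumeric stem with several digits (e.g. Z222obbF3pmGaQ6, 35A)."""
    stem = re.sub(r"\.[A-Za-z0-9]{1,4}$", "", name)   # drop a trailing .exe etc.
    if not re.fullmatch(r"[A-Za-z0-9]{3,}", stem):
        return False
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= 2 and letters >= 1


def parse_target(body):
    m = TARGET_RE.match(body)
    if not m:
        return ""
    return m.group("quoted") or m.group("bare") or ""


def assess_entry(kind, name, rest):
    reasons = []
    missing = rest.endswith("[x]")            # FRST: no file found at that path
    body = rest[:-3].rstrip() if missing else rest
    target = parse_target(body)
    if missing:
        reasons.append("missing-file")
    if kind == "run" and name == "":
        reasons.append("empty-name")
    if looks_random(name):
        reasons.append("random-name")
    if any(frag in target.lower() for frag in USER_WRITABLE):
        reasons.append("user-writable-location")
    pub = PUBLISHER_RE.search(rest)
    if pub is not None and pub.group("publisher").strip() == "":
        reasons.append("no-publisher")         # "()" means no company in version info
    return target, reasons


def analyze(text):
    """Return one Finding per log line that carries at least one warning signal."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MARKER_RE.match(line)
        if m:   # FRST's own verdict, e.g. the hijacked SubSystems value
            findings.append(Finding(line, "marker", m.group("key"), "",
                                    ["flagged-by-frst:" + m.group("marker")]))
            continue
        kind, m = "run", RUN_RE.match(line)
        if m is None:
            kind, m = "service", SERVICE_RE.match(line)
        if m is None:
            continue
        target, reasons = assess_entry(kind, m.group("name"), m.group("rest"))
        if reasons:
            findings.append(Finding(line, kind, m.group("name"), target, reasons))
    return findings


def summarize(findings):
    """Count how often each reason fired, for a quick triage overview."""
    counts = {}
    for f in findings:
        for r in f.reasons:
            counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_FRST_LINES):
        print(f"{f.kind:7} {f.name!r:20} {', '.join(f.reasons)}")
    print(summarize(analyze(SAMPLE_FRST_LINES)))
```

Run it against the Registry and Services sections of a real FRST.txt to get the short list worth reading first; a legitimate entry can still trip the random-name or user-writable heuristics, so the flags narrow the search rather than decide it.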


#10 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,076 posts, Location: Romania)

Posted 25 November 2011 - 03:02 PM

Hi again, looks like you have a ZeroAccess rootkit infection.

On a working computer open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

SubSystems: [Windows] ==> ZeroAccess

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 censored

  • Topic Starter
  • Members
  • 13 posts
  • Local time:12:49 AM

Posted 25 November 2011 - 03:24 PM

Fixlog.txt file contents:

Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.3.0)
Ran by SYSTEM at 2011-11-25 14:19:17 R:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.

==== End of Fixlog ====


I let it reboot normally, and it booted fine.
Thanks.

#12 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,076 posts
  • Gender:Female
  • Location:Romania
  • Local time:09:49 AM

Posted 25 November 2011 - 03:32 PM

I'm glad to hear that. Now let's see what else needs fixing.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise




#13 censored

  • Topic Starter
  • Members
  • 13 posts
  • Local time:12:49 AM

Posted 25 November 2011 - 04:39 PM

dds scan result:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_18
Run by username at 15:24:39 on 2011-11-25
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3998.3176 [GMT -6:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuze.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuze.dll
BHO: ooVoo toolbar, powered by Ask.com: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuze.dll
TB: ooVoo toolbar, powered by Ask.com: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
mRun: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun: [HP Mobile Broadband] c:\SWsetup\HPQWWAN\HPMobileBroadband.exe /TrayMode
mRun: [coreworks] "C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\gbxapp.exe" runatstartup
mRun: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
mRun: [<NO NAME>]
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
LSP: mswsock.dll
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.10.1
TCP: Interfaces\{1F7C89F0-B650-4F61-B069-46099CCD2736} : DhcpNameServer = 192.168.10.1
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Winamp Toolbar Loader: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
BHO-X64: Winamp Toolbar Loader - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO-X64: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuze.dll
BHO-X64: ooVoo toolbar, powered by Ask.com: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Winamp Toolbar: {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
TB-X64: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuze.dll
TB-X64: ooVoo toolbar, powered by Ask.com: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun-x64: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun-x64: [HP Mobile Broadband] c:\SWsetup\HPQWWAN\HPMobileBroadband.exe /TrayMode
mRun-x64: [coreworks] "C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\gbxapp.exe" runatstartup
mRun-x64: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun-x64: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun-x64: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
mRun-x64: [(Default)]
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\b0d8j6po.default\
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npclntax_HBLiteSA.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NAVx64\1206000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\NAVx64\1206000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS --> C:\Windows\system32\drivers\NAVx64\1206000.01D\SYMEFA64.SYS [?]
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
S1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NAVx64\1206000.01D\Ironx64.SYS --> C:\Windows\system32\drivers\NAVx64\1206000.01D\Ironx64.SYS [?]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/10/07 14:46:08];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-28 146928]
S2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_5730ce9f\AESTSr64.exe --> C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_5730ce9f\AESTSr64.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 cpuz132;cpuz132;\??\C:\Windows\system32\drivers\cpuz132_x64.sys --> C:\Windows\system32\drivers\cpuz132_x64.sys [?]
S2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
S2 mdvauthsrv;HP Connectivity Authentication Service;C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\mdvauthsrv.exe [2009-1-30 399848]
S2 mdvsrv;HP Connection Manager Service;C:\Program Files (x86)\HPQ\HP Connection Manager 2\bin\mdvsrv.exe [2009-1-30 281064]
S2 NAV;Norton AntiVirus;"C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe" /s "NAV" /m "C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\diMaster.dll" /prefetch:1 --> C:\Program Files (x86)\Norton AntiVirus\Engine\18.6.0.29\ccSvcHst.exe [?]
S2 QDLService;Qualcomm Gobi Download Service;C:\QUALCOMM\QDLService\QDLService.exe [2009-1-14 345336]
S2 Recovery Service for Windows;Recovery Service for Windows;C:\Program Files (x86)\SMINST\BLService.exe [2009-2-23 365952]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-7-11 1153368]
S2 TVCapSvc;TV Background Capture Service (TVBCS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2009-2-9 296320]
S2 TVSched;TV Task Scheduler (TVTS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2009-2-9 116096]
S3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-2-22 222512]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-18 138360]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
S3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?]
S3 NETw3v64;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw3v64.sys --> C:\Windows\system32\DRIVERS\NETw3v64.sys [?]
S3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw5v64.sys --> C:\Windows\system32\DRIVERS\NETw5v64.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\Windows\system32\drivers\NAVx64\1205000.07D\SYMTDIV.SYS --> C:\Windows\system32\drivers\NAVx64\1205000.07D\SYMTDIV.SYS [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-10-10 93184]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-11-24 01:20:59 -------- d-----w- C:\FRST
2011-11-23 04:16:18 -------- d-----w- C:\New Folder
2011-11-18 22:28:01 912504 ----a-w- C:\Windows\System32\drivers\NAVx64\1206000.01D\symefa64.sys
2011-11-18 22:28:01 432760 ----a-w- C:\Windows\System32\drivers\NAVx64\1206000.01D\symtdiv.sys
2011-11-18 22:28:01 382584 ----a-w- C:\Windows\System32\drivers\NAVx64\1206000.01D\symnets.sys
2011-11-18 22:28:00 744568 ----a-w- C:\Windows\System32\drivers\NAVx64\1206000.01D\srtsp64.sys
2011-11-18 22:28:00 450680 ----a-w- C:\Windows\System32\drivers\NAVx64\1206000.01D\symds64.sys
2011-11-18 22:28:00 40568 ----a-w- C:\Windows\System32\drivers\NAVx64\1206000.01D\srtspx64.sys
2011-11-18 22:28:00 171128 ----a-w- C:\Windows\System32\drivers\NAVx64\1206000.01D\ironx64.sys
2011-11-18 22:27:39 -------- d-----w- C:\Windows\System32\drivers\NAVx64\1206000.01D
2011-11-18 20:25:12 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-11-18 20:25:11 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2011-11-18 20:24:44 432760 ----a-r- C:\Windows\System32\drivers\NAVx64\1205000.07D\symtdiv.sys
2011-11-18 20:24:43 802864 ----a-r- C:\Windows\System32\drivers\NAVx64\1205000.07D\SymEFA64.sys
2011-11-18 20:24:43 735864 ----a-r- C:\Windows\System32\drivers\NAVx64\1205000.07D\srtsp64.sys
2011-11-18 20:24:43 450608 ----a-r- C:\Windows\System32\drivers\NAVx64\1205000.07D\SymDS64.sys
2011-11-18 20:24:43 40568 ----a-r- C:\Windows\System32\drivers\NAVx64\1205000.07D\srtspx64.sys
2011-11-18 20:24:43 382072 ----a-r- C:\Windows\System32\drivers\NAVx64\1205000.07D\symnets.sys
2011-11-18 20:24:43 171128 ----a-r- C:\Windows\System32\drivers\NAVx64\1205000.07D\Ironx64.sys
2011-11-18 20:24:30 -------- d-----w- C:\Windows\System32\drivers\NAVx64\1205000.07D
2011-11-18 20:24:30 -------- d-----w- C:\Windows\System32\drivers\NAVx64
2011-11-18 20:18:32 -------- d--h--w- C:\ProgramData\Common Files
2011-11-18 20:17:27 -------- d-----w- C:\ProgramData\MFAData
2011-11-17 23:27:12 -------- d-----we C:\Windows\system64
2011-11-16 21:39:55 8570192 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{08FA96AD-F7DC-4EE2-B4D1-CB04FF9FFD92}\mpengine.dll
.
==================== Find3M ====================
.
2011-08-30 05:25:43 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
.
============= FINISH: 15:25:23.77 ===============


And the directions specifically said not to post the other scan unless asked specifically to do so.
So let me know if that other scan is required also.
Thanks

*Edit*
While waiting for your next instruction, I UNinstalled both Norton and AVG since they appeared to not be legitimate installations.
I am planning to hand it back to the owner with Microsoft Security Essentials installed.

Edited by censored, 25 November 2011 - 10:39 PM.
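
Reading a DDS "Pseudo HJT Report" for a few common trouble signs can be automated. As an added example, not part of the thread or of DDS itself, the Python script below scans report lines for a proxy pointed at the local machine (like the http=127.0.0.1:5577 entry in the log above), UAC disabled by policy (EnableLUA = 0) and hook, BHO or toolbar entries whose file is gone ("No File"), returning a list of findings with a severity. The severities are my choice, not a DDS feature, and the embedded sample lines are a constructed input copied from the post above.

```python
"""Triage a DDS "Pseudo HJT Report" section for a few common indicators.

Added example; not part of the forum thread or of the DDS tool.
"""
from typing import List, Optional, Tuple

# Constructed sample: lines taken from the DDS log posted above.
SAMPLE_LOG = r"""
uSearch Bar = Preserve
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: DhcpNameServer = 192.168.10.1
"""

Finding = Tuple[str, str]  # (severity, description)

# Hosts that mean "this machine": a proxy here is usually a local interceptor.
LOOPBACK_PREFIXES = ("127.", "localhost", "::1")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split a 'key = value' report line; return None for any other line."""
    if " = " not in line:
        return None
    key, value = line.split(" = ", 1)
    return key.strip(), value.strip()


def proxy_hosts(value: str) -> List[str]:
    """Extract host:port entries from a ProxyServer value.

    Handles the 'http=host:port' form (per-protocol selector) and the plain
    'host:port' form, with several entries separated by ';'.
    """
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:  # drop a leading 'http=' / 'https=' / 'socks=' selector
            entry = entry.split("=", 1)[1]
        hosts.append(entry)
    return hosts


def triage(log: str) -> List[Finding]:
    """Return (severity, description) findings for the indicators checked."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Hook/BHO/toolbar registration whose file no longer exists: leftover to clean.
        if line.endswith("- No File"):
            findings.append(("low", f"orphaned entry: {line}"))
            continue
        parsed = parse_line(line)
        if parsed is None:
            continue
        key, value = parsed
        if key.endswith("ProxyServer"):
            for host in proxy_hosts(value):
                severity = "high" if host.startswith(LOOPBACK_PREFIXES) else "medium"
                findings.append((severity, f"proxy configured: {host} ({key})"))
        elif key.endswith("EnableLUA") and value.startswith("0"):
            findings.append(("medium", f"UAC disabled by policy ({key})"))
    return findings


if __name__ == "__main__":
    for severity, description in triage(SAMPLE_LOG):
        print(f"[{severity}] {description}")
```

A loopback proxy is rated high because, when no legitimate local filtering software is installed, it means browser traffic is being routed through a program on the machine; confirm what listens on that port before removing the setting.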


#14 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,076 posts
  • Gender:Female
  • Location:Romania
  • Local time:09:49 AM

Posted 26 November 2011 - 04:29 AM

Please also post attach.txt :)

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise




#15 censored

  • Topic Starter
  • Members
  • 13 posts
  • Local time:12:49 AM

Posted 26 November 2011 - 09:28 AM

results of Combofix log:

ComboFix 11-11-26.01 - username 11/26/2011 7:59.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3998.2467 [GMT -6:00]
Running from: F:\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}
c:\program files (x86)\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\chrome.manifest
c:\program files (x86)\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\chrome\questdns.jar
c:\program files (x86)\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\defaults\preferences\prefs.js
c:\program files (x86)\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\install.rdf
c:\program files (x86)\QuestDns
.
.
((((((((((((((((((((((((( Files Created from 2011-10-26 to 2011-11-26 )))))))))))))))))))))))))))))))
.
.
2011-11-26 14:07 . 2011-11-26 14:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-26 03:11 . 2011-11-26 03:11 -------- d-----w- c:\programdata\NortonInstaller
2011-11-24 01:20 . 2011-11-25 21:17 -------- d-----w- C:\FRST
2011-11-23 04:16 . 2011-11-23 04:16 -------- d-----w- C:\New Folder
2011-11-18 20:25 . 2011-11-26 03:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-11-18 20:24 . 2011-11-18 22:27 -------- d-----w- c:\windows\system32\drivers\NAVx64
2011-11-18 20:18 . 2011-11-23 07:16 -------- d--h--w- c:\programdata\Common Files
2011-11-18 20:17 . 2011-11-18 20:18 -------- d-----w- c:\programdata\MFAData
2011-11-17 23:27 . 2011-11-17 23:27 -------- d-----we c:\windows\system64
2011-11-16 21:39 . 2011-10-07 04:16 8570192 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{08FA96AD-F7DC-4EE2-B4D1-CB04FF9FFD92}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-30 05:25 . 2011-08-30 05:25 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2010-05-20 20:35 2675296 ----a-w- c:\program files (x86)\Vuze_Remote\tbVuze.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-24 03:20 1515688 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files (x86)\Vuze_Remote\tbVuze.dll" [2010-05-20 2675296]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-12-25 1316136]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-12-25 189736]
"UCam_Menu"="c:\program files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2009-01-09 455224]
"coreworks"="c:\program files (x86)\HPQ\HP Connection Manager 2\bin\gbxapp.exe" [2009-01-30 780776]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-10-10 206128]
"WirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-12-08 432432]
"TVAgent"="c:\program files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" [2009-02-10 206120]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
R3 NETw3v64;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw3v64.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/10/07 14:46];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-29 01:04 146928]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_5730ce9f\AESTSr64.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 mdvauthsrv;HP Connectivity Authentication Service;c:\program files (x86)\HPQ\HP Connection Manager 2\bin\mdvauthsrv.exe [2009-01-30 399848]
S2 mdvsrv;HP Connection Manager Service;c:\program files (x86)\HPQ\HP Connection Manager 2\bin\mdvsrv.exe [2009-01-30 281064]
S2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [2009-01-14 345336]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files (x86)\SMINST\BLService.exe [2008-12-18 365952]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TVCapSvc;TV Background Capture Service (TVBCS);c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2009-02-10 296320]
S2 TVSched;TV Task Scheduler (TVTS);c:\program files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2009-02-10 116096]
S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-11-19 222512]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw5v64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 192.168.10.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\username\AppData\Roaming\Mozilla\Firefox\Profiles\b0d8j6po.default\
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-igfxcui - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SysTrayApp - c:\program files (x86)\IDT\WDM\sttray64.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
@="131473"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-11-26 08:10:17
ComboFix-quarantined-files.txt 2011-11-26 14:10
.
Pre-Run: 163,159,371,776 bytes free
Post-Run: 163,734,982,656 bytes free
.
- - End Of File - - C05AE5FE1849281A1121D0A59C613E37

Edited by censored, 26 November 2011 - 09:30 AM.