
Redirected from search engines


  • This topic is locked
53 replies to this topic

#1 Tom Jones

Tom Jones

  • Members
  • 39 posts
  • OFFLINE
  • Local time:02:15 AM

Posted 07 February 2012 - 08:36 PM

Hello,
Every time I search a term and click the result link on my Dell Studio Hybrid desktop running Windows Vista, I am redirected to ad or adult sites. Also, the Internet performance is extremely slow. I was told to re-post the issue in this forum after we tried to solve it here: http://www.bleepingcomputer.com/forums/topic439896.html/page__gopid__2588215#entry2588215

Enclosed are the aswMBR and DDS log. Attached are the Attach and ark files.

Your help is much appreciated,
Tom

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-07 08:58:23
-----------------------------
08:58:23.669 OS Version: Windows 6.0.6002 Service Pack 2
08:58:23.669 Number of processors: 2 586 0x170A
08:58:23.669 ComputerName: STUDIO_HYBRID UserName: Cate
08:58:28.115 Initialize success
09:00:50.390 AVAST engine defs: 12020701
09:03:21.407 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
09:03:21.407 Disk 0 Vendor: ST9160314AS 0003DEM1 Size: 152627MB BusType: 3
09:03:21.422 Disk 0 MBR read successfully
09:03:21.438 Disk 0 MBR scan
09:03:21.438 Disk 0 Windows VISTA default MBR code
09:03:21.453 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
09:03:21.469 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 112640
09:03:21.500 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 137211 MB offset 31569920
09:03:21.516 Disk 0 scanning sectors +312578048
09:03:21.594 Disk 0 scanning C:\Windows\system32\drivers
09:03:36.617 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Sirefef-JQ [Trj]
09:03:40.610 Disk 0 trace - called modules:
09:03:40.626 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x961e2fc0]<<
09:03:40.626 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8601d1e0]
09:03:40.626 3 CLASSPNP.SYS[8b5a98b3] -> nt!IofCallDriver -> [0x881d8208]
09:03:40.626 \Driver\00004358[0x87e4d920] -> IRP_MJ_CREATE -> 0x961e2fc0
09:03:42.014 AVAST engine scan C:\Windows
09:03:46.647 AVAST engine scan C:\Windows\system32
09:09:03.657 AVAST engine scan C:\Windows\system32\drivers
09:09:26.777 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Sirefef-JQ [Trj]
09:09:43.567 AVAST engine scan C:\Users\Cate
09:11:15.128 Disk 0 MBR has been saved successfully to "C:\Users\Cate\Desktop\MBR.dat"
09:11:15.130 The log file has been saved successfully to "C:\Users\Cate\Desktop\aswMBR.txt"




.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Cate at 11:17:59 on 2012-02-07
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3318.1665 [GMT -8:00]
.
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Norton 360\Norton 360\Engine\5.2.0.13\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Norton 360\Norton 360\Engine\5.2.0.13\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Cate\Downloads\Defogger.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie9
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie9
mURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\norton 360\engine\5.2.0.13\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\norton 360\engine\5.2.0.13\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\norton 360\engine\5.2.0.13\coIEPlg.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: DhcpNameServer = 24.205.192.61 24.205.224.36 68.116.46.115
TCP: Interfaces\{0972A33D-56EC-4688-B623-F40ABC103117} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2D6EA7C3-06B0-4627-9AE3-969CEF13E044} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{79D26457-8E01-4C8A-A269-2932571CF25C} : DhcpNameServer = 24.205.192.61 24.205.224.36 68.116.46.115
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [2010-6-18 52736]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502000.00d\symds.sys [2012-1-30 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502000.00d\symefa.sys [2012-1-30 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20120121.002\BHDrvx86.sys [2012-1-21 820344]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20120203.002\IDSvix86.sys [2012-2-3 368248]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2007-4-23 25896]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys [2012-1-30 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0502000.00d\symtdiv.sys [2012-1-30 331384]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 N360;Norton 360;c:\program files\norton 360\norton 360\engine\5.2.0.13\ccsvchst.exe [2012-1-30 130008]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2009-12-4 27648]
R3 DLXPDisplayName;DLXPDisplayName;c:\windows\system32\drivers\DLACPI.sys [2009-12-4 14392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-5 106104]
R3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2011-8-5 348160]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-31 20464]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
S4 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2009-12-4 73728]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-31 652360]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe --> c:\progra~1\mcafee\sitead~1\mcsacore.exe [?]
S4 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848]
.
=============== Created Last 30 ================
.
2012-02-07 02:59:45 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-06 15:46:43 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-01 05:20:39 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-31 05:17:54 331384 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symtdiv.sys
2012-01-31 05:17:54 299640 ----a-w- c:\windows\system32\drivers\n360\0502000.00d\symnets.sys
2012-01-31 05:17:53 744568 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\symefa.sys
2012-01-31 05:17:53 516216 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\srtsp.sys
2012-01-31 05:17:53 50168 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\srtspx.sys
2012-01-31 05:17:53 340088 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\symds.sys
2012-01-31 05:17:53 136312 ----a-r- c:\windows\system32\drivers\n360\0502000.00d\ironx86.sys
2012-01-31 05:16:59 -------- d-----w- c:\windows\system32\drivers\n360\0502000.00D
2012-01-31 01:16:07 -------- d-----w- c:\program files\Origin
2012-01-30 19:24:03 -------- d-----w- C:\OEMSettings
2012-01-30 00:47:53 -------- d-----w- c:\windows\CheckSur
2012-01-29 16:33:55 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-29 16:33:54 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-29 16:33:53 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-29 16:33:53 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-29 16:33:52 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-29 16:33:52 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-28 03:07:25 -------- d-----w- c:\windows\pss
2012-01-26 04:32:50 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-01-26 04:32:50 -------- d-----w- c:\program files\Symantec
2012-01-26 04:32:17 -------- d-----w- c:\windows\system32\drivers\N360
2012-01-26 04:32:11 -------- d-----w- c:\program files\NortonInstaller
2012-01-26 04:05:06 27888 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-01-26 02:59:27 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-26 02:59:27 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-26 02:59:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-26 02:56:25 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-26 02:56:20 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-26 02:56:05 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-01-26 02:56:05 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-26 02:36:32 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-01-17 04:31:27 -------- dc-h--w- c:\programdata\{0E5180DA-DACE-4845-8EA2-7A5331530348}
2012-01-17 00:06:47 -------- d-----w- C:\f45293cc1d35bfac7e3a970951lll
2012-01-16 20:39:26 -------- d-----w- C:\54f2922ee0f76b8dd66876777a
.
==================== Find3M ====================
.
2012-02-07 03:02:27 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-01-26 03:52:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-12-23 00:55:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 11:18:50.53 ===============



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:15 AM

Posted 08 February 2012 - 06:33 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:

  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Tom Jones

Tom Jones
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:02:15 AM

Posted 09 February 2012 - 01:51 PM

Hello Gringo and thank you for your help.

I downloaded the Combofix and followed the instructions on how to disable Norton 360. Still, Combofix said the real-time scanner was active and it just wouldn't run. So, I uninstalled Norton and, voila, Combofix ran; see log below. Now, however, I can't access the Web from the PC, although the network connection seems to be OK.

Thanks,
Tom


ComboFix 12-02-08.02 - SYSTEM 02/08/2012 21:10:40.4.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3318.2662 [GMT -8:00]
Running from: c:\users\Cate\Downloads\ComboFix.exe
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Shop to Win
c:\program files\Shop to Win\ShopToWin.exe
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\programdata\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setup.dll
c:\programdata\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll
c:\programdata\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\Setup.dat
c:\programdata\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\Setup.exe
c:\programdata\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\Setup.ico
c:\users\Cate\Documents\~WRL0226.tmp
c:\users\Cate\Documents\~WRL1358.tmp
c:\users\Emily\Documents\ShopToWin
c:\windows\$NtUninstallKB29227$\270230064\@
c:\windows\$NtUninstallKB29227$\270230064\cfg.ini
c:\windows\$NtUninstallKB29227$\270230064\Desktop.ini
c:\windows\$NtUninstallKB29227$\270230064\L\ogejidap
c:\windows\$NtUninstallKB29227$\4028648710
c:\windows\System32\FastUserSwitching.exe
c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
.
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-01-09 to 2012-02-09 )))))))))))))))))))))))))))))))
.
.
2012-02-09 05:23 . 2012-02-09 15:57 -------- d-----w- c:\users\Cate\AppData\Local\temp
2012-02-09 05:23 . 2012-02-09 05:23 -------- d-----w- c:\users\Ruby\AppData\Local\temp
2012-02-09 05:23 . 2012-02-09 05:23 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-02-09 05:23 . 2012-02-09 05:23 -------- d-----w- c:\users\Emily\AppData\Local\temp
2012-02-09 05:23 . 2012-02-09 05:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-09 05:23 . 2012-02-09 05:23 -------- d-----w- c:\users\Alf\AppData\Local\temp
2012-02-09 05:23 . 2011-04-21 13:28 273920 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-09 01:31 . 2012-02-09 01:31 -------- d-----w- c:\users\Cate\AppData\Roaming\Tific
2012-02-07 02:59 . 2012-02-07 02:59 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-06 15:46 . 2012-02-08 07:55 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-01 05:20 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-31 01:16 . 2012-01-31 01:16 -------- d-----w- c:\program files\Origin
2012-01-30 19:24 . 2012-01-30 19:24 -------- d-----w- C:\OEMSettings
2012-01-30 00:47 . 2012-01-30 00:47 -------- d-----w- c:\windows\CheckSur
2012-01-29 16:33 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-29 16:33 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-29 16:33 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-29 16:33 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-29 16:33 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-29 16:33 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-27 01:54 . 2012-01-27 01:54 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Logitech® Webcam Software
2012-01-26 04:05 . 2011-07-06 20:44 27888 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-01-26 03:20 . 2012-01-26 03:20 -------- d-----w- c:\users\Alf\AppData\Local\Origin
2012-01-26 02:59 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-26 02:59 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-26 02:59 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-26 02:56 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-26 02:56 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-26 02:56 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-26 02:56 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-01-26 02:36 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-01-24 22:00 . 2012-01-24 22:00 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\SanctionedMedia
2012-01-18 22:55 . 2012-01-18 22:57 -------- d-----w- c:\users\Administrator
2012-01-17 04:31 . 2012-01-17 04:31 -------- dc-h--w- c:\programdata\{0E5180DA-DACE-4845-8EA2-7A5331530348}
2012-01-17 00:06 . 2012-01-18 22:31 -------- d-----w- C:\f45293cc1d35bfac7e3a970951lll
2012-01-16 23:05 . 2012-01-16 23:05 -------- d-----w- c:\users\Alf\AppData\Local\Logitech® Webcam Software
2012-01-16 20:39 . 2012-01-16 20:39 -------- d-----w- C:\54f2922ee0f76b8dd66876777a
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-07 03:02 . 2009-12-13 15:30 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-01-26 03:52 . 2007-03-22 04:33 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-12-23 00:55 . 2011-05-14 02:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:37 . 2011-12-14 20:32 2043904 ----a-w- c:\windows\system32\win32k.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-04-11 04:45 . F8FA40F8E3B28B3C5AEFB0BD31CC3B46 . 72192 . . [------] . . c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys
[7] 2008-01-21 . D09276B1FAB033CE1D40DCBDF303D10F . 71680 . . [6.0.6001.18000] . . c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys
.
c:\windows\System32\drivers\tdx.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
c:\users\Ruby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\DELL\DellDock\DellDock.exe [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2009-11-6 2469888]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\DELL\DellDock\DellDock.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-12-04 17:50 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-12-15 00:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-06-03 19:46 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2011-10-03 23:54 137536 ----atw- c:\users\Emily\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-12 18:36 136176 ----atw- c:\users\Alf\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 18:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-07-14 01:25 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-09 00:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-07-14 01:25 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 22:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06 5915480 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-08-12 19:18 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 16:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2006-11-04 09:32 49152 ----a-w- c:\windows\System32\ICO.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-07-14 01:25 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-08-26 11:57 6246400 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 19:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:35 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-844312481-1219722352-42405095-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-844312481-1219722352-42405095-1001]
"EnableNotificationsRef"=dword:00000002
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-844312481-1219722352-42405095-1002]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-844312481-1219722352-42405095-1003]
"EnableNotificationsRef"=dword:00000002
.
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R4 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-08-26 73728]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ntsyslog
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1db92904-e0cd-11de-949d-806e6f6e6963}]
\shell\AutoRun\command - E:\Autorun.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2011-06-29 00:19 114176 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-07 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-844312481-1219722352-42405095-1001Core.job
- c:\users\Emily\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-03 23:54]
.
2012-02-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-844312481-1219722352-42405095-1001UA.job
- c:\users\Emily\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-03 23:54]
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-844312481-1219722352-42405095-1000Core.job
- c:\users\Alf\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-12 18:36]
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-844312481-1219722352-42405095-1000UA.job
- c:\users\Alf\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-12 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie9
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
LSP: mswsock.dll
TCP: DhcpNameServer = 24.205.192.61 24.205.224.36 68.116.46.115
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-32181590.sys
SafeBoot-klmd23.sys
MSConfigStartUp-DellOSD - c:\windows\System32\FastUserSwitching.exe
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
MSConfigStartUp-IAAnotif - c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe
MSConfigStartUp-Norton Download Manager{N360S_prod_1.6.18_5.1.0 - c:\users\Public\Downloads\Norton\{N360S_prod_1.6.18_5.1.0.29}\N360Downloader.exe
MSConfigStartUp-Shop To Win - c:\program files\Shop To Win\ShopToWin.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-VirtualCloneDrive - c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\progra~2\TARMAI~1\{889DF~1\Setup.exe
AddRemove-{C71C8FA8-806B-47F0-A095-9C30D9C8AD13}_is1 - c:\program files\Shop To Win\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-09 07:57
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB29227$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Completion time: 2012-02-09 07:59:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-09 15:59
.
Pre-Run: 28,340,973,568 bytes free
Post-Run: 28,635,176,960 bytes free
.
- - End Of File - - 5E49257BA8B08A8B333531D19C52BC30

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 09 February 2012 - 11:45 PM

Hello

Let's check your internet connection.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure all the boxes are checked
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Tom Jones
  • Topic Starter
  • Members
  • 39 posts

Posted 10 February 2012 - 04:21 PM

Here's the FSS log, Gringo.
Thanks,
Tom


Farbar Service Scanner Version: 10-02-2012
Ran by Cate (administrator) on 10-02-2012 at 13:18:05
Running from "C:\Users\Cate\Desktop"
Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Defender:
=============
WinDefend Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open WinDefend registry key. The service key does not exist.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-02-08 21:23] - [2011-04-21 05:28] - 0273920 ____A (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B

Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2008-01-20 18:33] - [2008-01-20 18:33] - 0272952 ____A (Microsoft Corporation) 4575AA12561C5648483403541D0D7F2B

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
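The FSS log above reports, for each networking and firewall component, whether the service is running, then checks its start type, ImagePath and ServiceDll against the registry, dumps the FirewallPolicy EnableFirewall values and checks the driver files. As an added example that is not part of the thread and is not Farbar's tool, the following PowerShell script re-creates those checks so a responder can re-run them after each repair step and see whether a finding has cleared. The service names, registry paths and driver file names are the ones FSS printed above (BFE and wscsvc are added because their DLLs appear in the same File Check list); it assumes Windows PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example, not code from the thread or from Farbar Service Scanner (FSS).
# Re-creates the checks FSS printed above: service state, start type, ImagePath and
# ServiceDll from the registry, the FirewallPolicy EnableFirewall values and the
# presence of the networking drivers. Assumes Windows PowerShell 3.0+, run elevated.

# Names taken from the FSS log above (BFE and wscsvc added; their DLLs are in the File Check list).
$services   = 'Dnscache', 'Dhcp', 'tdx', 'mpsdrv', 'MpsSvc', 'BFE', 'WinDefend', 'wscsvc'
$fwProfiles = 'DomainProfile', 'StandardProfile', 'PublicProfile'
$drivers    = 'tdx.sys', 'tcpip.sys', 'afd.sys', 'netbt.sys', 'mpsdrv.sys', 'nsiproxy.sys'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$findings   = New-Object System.Collections.Generic.List[string]

foreach ($name in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path -Path $key)) {
        # Same condition FSS reports as "Unable to open <name> registry key. The service key does not exist."
        $findings.Add("$name : service key does not exist")
        continue
    }
    $cfg = Get-ItemProperty -Path $key

    # Type 1/2 = kernel or file-system driver (tdx, mpsdrv); 0x10/0x20 = Win32 service.
    # Drivers are not visible to Get-Service, so query the matching WMI class instead.
    $class = if ($cfg.Type -band 0x3) { 'Win32_SystemDriver' } else { 'Win32_Service' }
    $inst  = Get-CimInstance -ClassName $class -Filter "Name='$name'"
    $state = if ($inst) { $inst.State } else { 'NotFound' }
    $start = $startNames[[int]$cfg.Start]

    $line = "$name : state=$state start=$start ImagePath=$($cfg.ImagePath)"

    # svchost-hosted services keep their code in Parameters\ServiceDll; confirm the DLL exists.
    $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
    if ($params -and $params.ServiceDll) {
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        $line += " ServiceDll=$dll"
        if (-not (Test-Path -Path $dll)) { $findings.Add("$name : ServiceDll $dll is missing") }
    }
    # FSS lists every stopped service as a finding; judge it against the start type shown.
    if ($state -ne 'Running') { $findings.Add("$name : not running (start type $start)") }
    Write-Output $line
}

# "Firewall Disabled Policy": EnableFirewall=0 under any profile, as in the log above.
foreach ($p in $fwProfiles) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$p"
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableFirewall
    if ($val -eq 0) { $findings.Add("$p : EnableFirewall=0") }
}

# "File Check": the log flagged tdx.sys as missing from System32\Drivers.
foreach ($drv in $drivers) {
    $path = Join-Path $env:SystemRoot "System32\drivers\$drv"
    if (-not (Test-Path -Path $path)) { $findings.Add("$drv : missing from System32\drivers") }
}

if ($findings.Count -gt 0) {
    Write-Output "`nFindings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output " - $_" }
} else {
    Write-Output 'No findings.'
}
```

Run against the state the log shows, the findings list would carry the stopped Dnscache, Dhcp and tdx entries, the missing MpsSvc and WinDefend keys, the three EnableFirewall=0 profiles and the missing tdx.sys; after a repair, re-running it shows which of those remain. Unlike FSS, the script does not compare file hashes against a known-good database, so a present file is only shown as present.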

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 10 February 2012 - 04:42 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
tdx.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#7 Tom Jones
  • Topic Starter
  • Members
  • 39 posts

Posted 10 February 2012 - 06:32 PM

Here's the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 15:27 on 10/02/2012 by Cate
Administrator - Elevation successful

========== filefind ==========

Searching for "tdx.sys"
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --a---- 71680 bytes [02:34 21/01/2008] [02:34 21/01/2008] D09276B1FAB033CE1D40DCBDF303D10F
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys --a---- 72192 bytes [15:30 13/12/2009] [04:45 11/04/2009] F8FA40F8E3B28B3C5AEFB0BD31CC3B46

-= EOF =-

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 10 February 2012 - 06:41 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

FCopy::
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys | C:\Windows\system32\Drivers\tdx.sys

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • report from ComboFix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

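The SystemLook filefind above located two copies of tdx.sys under WinSxS, and the CFScript copies one of them back to System32\Drivers. As an added example that is not part of the thread and is not SystemLook or ComboFix, the following PowerShell function enumerates such candidate copies for any driver name, in WinSxS and in the DriverStore FileRepository (the location ComboFix later in this thread restores cdrom.sys from), and reports version, size, MD5, signature status and whether the file version matches the installed OS build, so the copy to restore can be chosen deliberately rather than by taking the first hit. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) run elevated; the function name Get-DriverRestoreCandidates is mine.

```powershell
# Added example, not code from the thread, SystemLook or ComboFix.
# Lists the copies of a driver that Windows keeps under WinSxS and the DriverStore,
# with version, size, MD5, signature status and a flag for whether the file version
# matches the installed OS build. Assumes Windows PowerShell 4.0+ (Get-FileHash), elevated.

function Get-DriverRestoreCandidates {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DriverName                      # e.g. 'tdx.sys'
    )

    $live = Join-Path $env:SystemRoot "System32\drivers\$DriverName"
    # Win32_OperatingSystem.Version is '6.0.6002' on the Vista SP2 system in this thread.
    $osVer = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $buildPrefix = '{0}.{1}.{2}.*' -f $osVer.Major, $osVer.Minor, $osVer.Build
    Write-Host ("Installed build {0}; live file {1} present: {2}" -f $osVer, $live, (Test-Path -Path $live))

    # Both stores are one directory deep: WinSxS\<component>\<file> and
    # DriverStore\FileRepository\<inf>_<hash>\<file>, so a single-level wildcard is enough.
    $patterns = @(
        (Join-Path $env:SystemRoot "WinSxS\*\$DriverName"),
        (Join-Path $env:SystemRoot "System32\DriverStore\FileRepository\*\$DriverName")
    )

    foreach ($pattern in $patterns) {
        Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue | ForEach-Object {
            # Microsoft drivers are normally catalog-signed rather than embedded-signed, so
            # this check can report NotSigned for a genuine file on older Windows; treat
            # version, size and hash as the primary evidence and the signature as a bonus.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path         = $_.FullName
                FileVersion  = $_.VersionInfo.FileVersion
                Company      = $_.VersionInfo.CompanyName
                Size         = $_.Length
                MD5          = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
                Signature    = $sig.Status
                MatchesBuild = ($_.VersionInfo.FileVersion -like $buildPrefix)
            }
        }
    }
}

# Usage: the driver FSS reported missing and the CFScript above restores.
Get-DriverRestoreCandidates -DriverName 'tdx.sys' | Format-List
```

The SystemLook output lists both a 6.0.6001.18000 and a 6.0.6002.18005 component; on the 6.0.6002 (Service Pack 2) system in this thread, MatchesBuild marks the latter. Comparing the MD5 of the live file, once restored, against the chosen candidate's MD5 is a quick way to confirm the copy landed intact.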

#9 Tom Jones
  • Topic Starter
  • Members
  • 39 posts

Posted 11 February 2012 - 01:04 AM

Two interesting things happened:
1) During the ComboFix process, the PC rebooted a couple of times. But when I logged on, the PC immediately rebooted again.
2) While ComboFix ran, it displayed a prompt saying "The Recycle Bin on C:\ is corrupt. Do you want to empty the Recycle Bin for this drive." First time I said No, when the prompt reappeared a few minutes later, I said Yes. It didn't appear again.

The Internet connection works now, but I am still being redirected. Actually, when I surf to a site, like ESPN.com, the browser automatically opens another window with some scam site.


Here's the ComboFix log:


ComboFix 12-02-08.02 - Cate 02/10/2012 18:01:15.5.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3318.2628 [GMT -8:00]
Running from: c:\users\Cate\Desktop\ComboFix.exe
Command switches used :: c:\users\Cate\Desktop\CFScript.txt
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB29227$\270230064\@
c:\windows\$NtUninstallKB29227$\270230064\cfg.ini
c:\windows\$NtUninstallKB29227$\270230064\Desktop.ini
c:\windows\$NtUninstallKB29227$\270230064\L\ogejidap
c:\windows\$NtUninstallKB29227$\502284692
c:\windows\system32\config\systemprofile\AppData\Roaming\64dlls.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\intel64.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\Kernel32.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\localsys64.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\ntos.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\oembios.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\sdra64.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\sdra73.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\swin32.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\twex.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\twext.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\wsnpoema.exe
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_c949a5b6\cdrom.sys
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --> c:\windows\system32\Drivers\tdx.sys
.
((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))
.
.
2012-02-11 02:10 . 2012-02-11 02:14 -------- d-----w- c:\users\Cate\AppData\Local\temp
2012-02-11 02:10 . 2012-02-11 02:10 -------- d-----w- c:\users\Ruby\AppData\Local\temp
2012-02-11 02:10 . 2012-02-11 02:10 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-02-11 02:10 . 2012-02-11 02:10 -------- d-----w- c:\users\Emily\AppData\Local\temp
2012-02-11 02:10 . 2012-02-11 02:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-11 02:10 . 2012-02-11 02:10 -------- d-----w- c:\users\Alf\AppData\Local\temp
2012-02-11 02:10 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-11 02:10 . 2008-01-21 02:34 184320 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-11 02:01 . 2008-01-21 02:34 71680 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-02-09 05:23 . 2011-04-21 13:28 273920 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-09 01:31 . 2012-02-09 01:31 -------- d-----w- c:\users\Cate\AppData\Roaming\Tific
2012-02-07 02:59 . 2012-02-07 02:59 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-06 15:46 . 2012-02-08 07:55 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-01 05:20 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-31 01:16 . 2012-01-31 01:16 -------- d-----w- c:\program files\Origin
2012-01-30 19:24 . 2012-01-30 19:24 -------- d-----w- C:\OEMSettings
2012-01-30 00:47 . 2012-01-30 00:47 -------- d-----w- c:\windows\CheckSur
2012-01-29 16:33 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-29 16:33 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-29 16:33 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-29 16:33 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-29 16:33 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-29 16:33 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-27 01:54 . 2012-01-27 01:54 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Logitech® Webcam Software
2012-01-26 04:05 . 2011-07-06 20:44 27888 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-01-26 03:20 . 2012-01-26 03:20 -------- d-----w- c:\users\Alf\AppData\Local\Origin
2012-01-26 02:59 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-26 02:59 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-26 02:59 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-26 02:56 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-26 02:56 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-26 02:56 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-26 02:56 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-01-26 02:36 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-01-24 22:00 . 2012-01-24 22:00 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\SanctionedMedia
2012-01-18 22:55 . 2012-01-18 22:57 -------- d-----w- c:\users\Administrator
2012-01-17 04:31 . 2012-01-17 04:31 -------- dc-h--w- c:\programdata\{0E5180DA-DACE-4845-8EA2-7A5331530348}
2012-01-17 00:06 . 2012-01-18 22:31 -------- d-----w- C:\f45293cc1d35bfac7e3a970951lll
2012-01-16 23:05 . 2012-01-16 23:05 -------- d-----w- c:\users\Alf\AppData\Local\Logitech® Webcam Software
2012-01-16 20:39 . 2012-01-16 20:39 -------- d-----w- C:\54f2922ee0f76b8dd66876777a
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-26 03:52 . 2007-03-22 04:33 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-12-23 00:55 . 2011-05-14 02:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:37 . 2011-12-14 20:32 2043904 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
c:\users\Ruby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\DELL\DellDock\DellDock.exe [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2009-11-6 2469888]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\DELL\DellDock\DellDock.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-12-04 17:50 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-12-15 00:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-06-03 19:46 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2011-10-03 23:54 137536 ----atw- c:\users\Emily\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-12 18:36 136176 ----atw- c:\users\Alf\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 18:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-07-14 01:25 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-09 00:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-07-14 01:25 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 22:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06 5915480 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-08-12 19:18 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 16:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2006-11-04 09:32 49152 ----a-w- c:\windows\System32\ICO.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-07-14 01:25 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-08-26 11:57 6246400 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 19:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:35 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-844312481-1219722352-42405095-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-844312481-1219722352-42405095-1001]
"EnableNotificationsRef"=dword:00000002
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-844312481-1219722352-42405095-1002]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-844312481-1219722352-42405095-1003]
"EnableNotificationsRef"=dword:00000002
.
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R4 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-08-26 73728]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ntsyslog
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2011-06-29 00:19 114176 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-844312481-1219722352-42405095-1001Core.job
- c:\users\Emily\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-03 23:54]
.
2012-02-11 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-844312481-1219722352-42405095-1001UA.job
- c:\users\Emily\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-03 23:54]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-844312481-1219722352-42405095-1000Core.job
- c:\users\Alf\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-12 18:36]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-844312481-1219722352-42405095-1000UA.job
- c:\users\Alf\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-12 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie9
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
LSP: mswsock.dll
TCP: DhcpNameServer = 24.205.192.61 24.205.224.36 68.116.46.115
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WUDFHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-02-10 18:21:14 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-11 02:21
ComboFix2.txt 2012-02-09 15:59
.
Pre-Run: 28,010,692,608 bytes free
Post-Run: 27,955,163,136 bytes free
.
- - End Of File - - A875060ECEA7E3953EF03C8E1045247C

Edited by Tom Jones, 11 February 2012 - 01:05 AM.


#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 11 February 2012 - 01:34 AM

Greetings

I want you to run these next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#11 Tom Jones
  • Topic Starter
  • Members
  • 39 posts

Posted 11 February 2012 - 04:17 PM

Hi Gringo,
About to run TDSSKiller and aswMBR. However, I wanted you to know that the network connection is out again. Will post logs in a few minutes.
Thanks,
Tom

#12 Tom Jones
  • Topic Starter
  • Members
  • 39 posts

Posted 11 February 2012 - 04:45 PM

OK, ran TDSSKiller and found a threat, which subsequently was cured. It then told me to reboot, which I did. However, when I logged on again, I got a message saying that "Windows Services failed to connect to User Profile Services." All desktop icons were gone and I couldn't open any programs. Nor could I find the TDSSKiller report.

For good measure, I rebooted, only to be greeted by two messages: 1) "Windows Mail could not be started because MSOE.DLL could not be initialized," although I don't use MS Mail, and 2) "Don't have permission to access this folder," although I haven't tried to open one.

There are four user accounts on the PC, and they all act the same way when I try to log on.

Rather than run aswMBR, I followed your advice and came back to let you know.

Thanks,
Tom

Edited by Tom Jones, 11 February 2012 - 05:27 PM.


#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 February 2012 - 02:51 AM

For 32-bit (x86) systems, download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#14 Tom Jones
  • Topic Starter
  • Members
  • 39 posts

Posted 12 February 2012 - 02:37 PM

Hello,
I think I am back, but not by the prescribed way: I tried to use Advanced Boot Options, but got a single login icon called Other Users, which I couldn't access with any combination of UN and PW. So, I tried the installation disc, but never got the option to select Command Prompt. Instead, I was first asked if I wanted to go back to an earlier restore point, which I denied, then the repair process kept spinning for a few minutes before asking me to reboot. When I logged on again, everything seemed OK. The Internet connection speed is back to normal and there are no redirections, although you never know.

What do I do now? Run TDSSKiller and aswMBR again?

Thanks,
Tom

#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 February 2012 - 04:18 PM

Hello

Run TDSSKiller and aswMBR again?
Yes, run them again.



