
Rootkit.ZeroAccess .. Can't access the Internet


  • This topic is locked
3 replies to this topic

#1 Horace White

Horace White

  • Members
  • 18 posts

Posted 11 February 2012 - 07:35 AM

I believe I am infected with Rootkit.ZeroAccess.
I can't access the internet.
I have tried Restore, Malwarebytes, Rkill.
Nothing has worked so far.

Need help badly.

Here is 1 of the 2 DDS logs...
Let me know if you need the second one.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run by Horace at 22:26:27 on 2012-02-11
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1014.258 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\Windows\system32\NLSSRV32.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\igfxpers.exe
C:\Program Files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} -
EB: {CFCD3FD2-49BD-11DE-95B8-42D256D89593} - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{4A498C08-744B-431F-B1A7-31AC9F0B8CAA}\34E4D2541676C65637 : DhcpNameServer = 10.9.0.18 10.9.2.18
TCP: Interfaces\{4A498C08-744B-431F-B1A7-31AC9F0B8CAA}\74575637470294E6475627E65647 : DhcpNameServer = 10.75.0.9 10.75.0.127
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
Hosts: 109.163.226.208 www.google-analytics.com.
Hosts: 109.163.226.208 ad-emea.doubleclick.net.
Hosts: 109.163.226.208 www.statcounter.com.
Hosts: 67.215.245.19 www.google-analytics.com.
Hosts: 67.215.245.19 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\horace\appdata\roaming\mozilla\firefox\profiles\46xr2u6m.default\
FF - prefs.js: browser.search.selectedEngine - Facemoods Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2010-9-30 196912]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011-11-2 68896]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2010-10-27 1483072]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-10-7 10064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 TeamViewer6;TeamViewer 6;c:\users\horace\temp\teamviewer\version6\TeamViewer_Service.exe [2011-8-28 2358656]
S3 B-Service;B-Service;c:\users\horace\appdata\roaming\mikogo\B-Service.exe [2011-5-19 185640]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-5 52224]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-14 1343400]
.
=============== Created Last 30 ================
.
2012-02-11 23:42:07 -------- d-----w- c:\program files\Runtime Software
2012-02-11 12:39:51 -------- d-----w- c:\users\horace\appdata\roaming\SUPERAntiSpyware.com
2012-02-11 12:39:51 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-11 12:39:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-10 20:55:26 -------- d-sh--w- C:\$RECYCLE.BIN
2012-02-10 20:55:19 -------- d-----w- c:\users\horace\appdata\local\temp
2012-02-09 16:46:47 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-09 16:46:43 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-08 15:44:07 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-07 14:28:00 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2012-02-06 16:27:51 -------- d-----w- c:\users\horace\appdata\roaming\com.blueprintcentral.keywordblaze
2012-02-03 05:13:39 -------- d-----w- c:\users\horace\appdata\roaming\Free Audio Recorder
2012-01-29 17:41:11 -------- d-----w- c:\windows\system32\CallBurner
2012-01-29 17:41:11 -------- d-----w- c:\program files\CallBurner
2012-01-29 17:19:40 -------- d-----w- c:\program files\Athtek
2012-01-22 05:22:48 6600192 ----a-w- c:\windows\system32\LicProtector310.exe
2012-01-22 05:22:43 -------- d-----w- c:\users\horace\appdata\local\PackageAware
2012-01-22 05:22:23 -------- d-----w- c:\program files\ChicaLogic
2012-01-14 15:23:16 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-14 15:23:16 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-14 15:23:16 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-14 15:23:16 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-14 15:23:16 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-14 15:23:16 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-14 15:23:16 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-14 15:23:16 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-14 15:23:15 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-14 15:23:15 15872 ----a-w- c:\windows\system32\sspisrv.dll
.
==================== Find3M ====================
.
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-27 01:06:02 59 ----a-w- c:\windows\wpd99.drv
2011-11-27 01:02:59 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2011-11-27 01:02:59 249856 ----a-w- c:\windows\system32\pdfmona.dll
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:01:00 67072 ----a-w- c:\windows\system32\packager.dll
2011-11-17 05:38:39 1288472 ----a-w- c:\windows\system32\ntdll.dll
.
============= FINISH: 22:27:35.39 ===============

EDIT: Topics and posts merged ~Budapest

Edited by Budapest, 13 February 2012 - 05:04 PM.
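The most telling lines in the DDS log above are the five `Hosts:` entries, which point analytics and ad domains at two routable addresses instead of the loopback address a legitimate ad-blocking hosts file would use. The following is an added triage helper, not code from the thread or from DDS; it parses those `Hosts:` lines out of DDS output, strips the trailing dot DDS prints after each hostname, and groups every entry whose target is neither loopback nor unspecified by the address it redirects to. The sample input is copied from the posted log; the function names are mine.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: a slice of the DDS log posted above. "Hosts:" is DDS's own
# marker for entries it read from the system hosts file.
SAMPLE_DDS_LINES = """\
uStart Page = hxxp://www.google.com/
Notify: igfxcui - igfxdev.dll
Hosts: 109.163.226.208 www.google-analytics.com.
Hosts: 109.163.226.208 ad-emea.doubleclick.net.
Hosts: 109.163.226.208 www.statcounter.com.
Hosts: 67.215.245.19 www.google-analytics.com.
Hosts: 67.215.245.19 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
"""

# One DDS hosts line: the marker, an address, then a hostname (DDS appends a dot).
HOSTS_LINE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)\s*$")


def parse_dds_hosts(log_text):
    """Return (address, hostname) pairs from the 'Hosts:' lines of a DDS log.

    The trailing dot DDS prints is removed and names are lower-cased so that
    the same hostname from two different logs compares equal.
    """
    entries = []
    for line in log_text.splitlines():
        match = HOSTS_LINE.match(line.strip())
        if match:
            host = match.group("host").rstrip(".").lower()
            entries.append((match.group("ip"), host))
    return entries


def is_benign_target(ip_text):
    """Loopback and unspecified addresses are what legitimate ad-blocking
    hosts files use; anything else sends the browser to a real host."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # A malformed address is not something to wave through as benign.
        return False
    return ip.is_loopback or ip.is_unspecified


def suspicious_redirects(entries):
    """Group hostnames that are redirected to a routable address, by address.

    Grouping by destination is the useful view for triage: several unrelated
    domains all landing on the same address is the signature of a hijack,
    whereas a single stray entry may just be a leftover from a blocklist.
    """
    by_ip = defaultdict(list)
    for ip, host in entries:
        if not is_benign_target(ip):
            by_ip[ip].append(host)
    return dict(by_ip)


def triage(log_text):
    """Summarise the hosts-file findings of one DDS log."""
    entries = parse_dds_hosts(log_text)
    redirects = suspicious_redirects(entries)
    hijacked = sorted({host for hosts in redirects.values() for host in hosts})
    return {"total": len(entries), "redirects": redirects, "hosts_hijacked": hijacked}


if __name__ == "__main__":
    result = triage(SAMPLE_DDS_LINES)
    print(f"{result['total']} hosts entries parsed")
    for ip, hosts in result["redirects"].items():
        print(f"  {ip} <- {', '.join(hosts)}")
```

Running it against the posted log reports five entries, all of them redirects, split across the two addresses. The benign check deliberately accepts both `127.0.0.1` and `0.0.0.0` (and their IPv6 forms) so that a hosts file written by an ad blocker does not show up as a finding.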




#2 Horace White

Horace White
  • Topic Starter

  • Members
  • 18 posts

Posted 12 February 2012 - 03:32 AM

Here is the "Combofix" log...

ComboFix 12-02-11.03 - Horace 02/12/2012 2:18.8.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1014.412 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB22595$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-01-12 to 2012-02-12 )))))))))))))))))))))))))))))))
.
.
2012-02-12 08:12 . 2012-02-12 08:12 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B25BD74F-8BC3-422C-9195-EE637F860E7C}\offreg.dll
2012-02-12 08:11 . 2012-02-12 08:13 -------- d-----w- c:\users\Horace\AppData\Local\temp
2012-02-12 08:11 . 2012-02-12 08:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-11 23:42 . 2012-02-11 23:42 -------- d-----w- c:\program files\Runtime Software
2012-02-11 12:39 . 2012-02-11 12:39 -------- d-----w- c:\users\Horace\AppData\Roaming\SUPERAntiSpyware.com
2012-02-11 12:39 . 2012-02-11 12:39 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-11 12:39 . 2012-02-11 12:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-09 16:46 . 2010-11-20 08:38 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-09 16:46 . 2009-07-13 23:12 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-08 15:44 . 2012-02-09 12:47 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-07 14:28 . 2012-02-08 16:20 -------- d-----w- c:\users\Horace\AppData\Roaming\Audacity
2012-02-07 14:28 . 2012-02-07 14:28 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2012-02-06 16:27 . 2012-02-06 16:27 -------- d-----w- c:\users\Horace\AppData\Roaming\com.blueprintcentral.keywordblaze
2012-02-03 05:13 . 2012-02-03 05:20 -------- d-----w- c:\users\Horace\AppData\Roaming\Free Audio Recorder
2012-01-29 17:41 . 2012-01-29 17:41 -------- d-----w- c:\windows\system32\CallBurner
2012-01-29 17:41 . 2012-01-29 17:41 -------- d-----w- c:\program files\CallBurner
2012-01-29 17:19 . 2012-01-29 17:19 -------- d-----w- c:\program files\Athtek
2012-01-22 05:22 . 2011-12-30 20:32 6600192 ----a-w- c:\windows\system32\LicProtector310.exe
2012-01-22 05:22 . 2012-01-22 05:22 -------- d-----w- c:\users\Horace\AppData\Local\PackageAware
2012-01-22 05:22 . 2012-01-22 05:22 -------- d-----w- c:\program files\ChicaLogic
2012-01-14 15:23 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-14 15:23 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-14 15:23 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-14 15:23 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-14 15:23 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-14 15:23 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-14 15:23 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-14 15:23 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-14 15:23 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-14 15:23 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 20:24 . 2011-06-29 20:51 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-27 01:02 . 2011-11-27 01:02 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2011-11-27 01:02 . 2011-11-27 01:02 249856 ----a-w- c:\windows\system32\pdfmona.dll
2011-11-26 05:38 . 2011-11-26 05:38 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-11-26 05:38 . 2011-11-26 05:38 161792 ----a-w- c:\windows\system32\msls31.dll
2011-11-26 05:38 . 2011-11-26 05:38 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-11-26 05:38 . 2011-11-26 05:38 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-11-26 05:38 . 2011-11-26 05:38 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-11-26 05:38 . 2011-11-26 05:38 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-11-26 05:38 . 2011-11-26 05:38 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-11-26 05:38 . 2011-11-26 05:38 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-11-26 05:38 . 2011-11-26 05:38 367104 ----a-w- c:\windows\system32\html.iec
2011-11-26 05:38 . 2011-11-26 05:38 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-26 05:38 . 2011-11-26 05:38 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-11-26 05:38 . 2011-11-26 05:38 152064 ----a-w- c:\windows\system32\wextract.exe
2011-11-26 05:38 . 2011-11-26 05:38 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-11-26 05:38 . 2011-11-26 05:38 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-11-26 05:38 . 2011-11-26 05:38 11776 ----a-w- c:\windows\system32\mshta.exe
2011-11-26 05:38 . 2011-11-26 05:38 101888 ----a-w- c:\windows\system32\admparse.dll
2011-11-26 05:38 . 2011-11-26 05:38 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-11-24 04:25 . 2011-12-15 03:04 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2011-12-23 14:17 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B25BD74F-8BC3-422C-9195-EE637F860E7C}\mpengine.dll
2011-11-19 14:01 . 2012-01-11 20:26 67072 ----a-w- c:\windows\system32\packager.dll
2011-11-17 05:38 . 2012-01-11 20:26 1288472 ----a-w- c:\windows\system32\ntdll.dll
2011-11-21 04:04 . 2012-02-10 20:13 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AppCallBurner"=c:\program files\CallBurner\callburner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 TeamViewer6;TeamViewer 6;c:\users\Horace\temp\TeamViewer\Version6\TeamViewer_Service.exe [2011-08-17 2358656]
R3 B-Service;B-Service;c:\users\Horace\AppData\Roaming\Mikogo\B-Service.exe [2011-05-19 185640]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-14 1343400]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe [2010-09-30 196912]
S2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011-11-02 68896]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [2010-10-27 1483072]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [2010-10-07 10064]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
rpcapd
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
FF - ProfilePath - c:\users\Horace\AppData\Roaming\Mozilla\Firefox\Profiles\46xr2u6m.default\
FF - prefs.js: browser.search.selectedEngine - Facemoods Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-02-12 03:17:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-12 08:17
.
Pre-Run: 82,577,080,320 bytes free
Post-Run: 82,495,066,112 bytes free
.
- - End Of File - - 475863A1049E007F23B799524F0AD90D

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • Gender:Female
  • Location:Romania

Posted 15 February 2012 - 10:01 AM

Hello and welcome to BleepingComputer!

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • Gender:Female
  • Location:Romania

Posted 25 February 2012 - 11:42 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise




