
Really Infected - Help a newbie


This topic is locked
48 replies to this topic

#1 badlands23

badlands23

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 14 February 2012 - 07:21 PM

Attached is a link from my original post, in the wrong forum.

http://www.bleepingcomputer.com/forums/topic442619.html

I'm running Windows 7. Originally, I was infected by a W32 worm Blaster virus, or so I thought. Might have been a rogue security virus.

Now, I think I'm infected with the Google redirect virus. I also think I have the Search Milk virus. On top of that, Google asks for a captcha every time I try to search it! Aagh!

Any help would be great. Thanks in advance.

Per the instructions from the other forum, I'm going to post my DDS log and the others that I can.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_27
Run by Paul at 19:11:12 on 2012-02-14
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1015.426 [GMT -5:00]
.
AV: Trend Micro Titanium *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Windows\system32\conhost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\lxdxcoms.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Fisher-Price\iXL\iXL.Middleware.exe
C:\Program Files\Software Informer\softinfo.exe
C:\Program Files\Eye-Fi\Helper\EyeFiHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uSearch Page =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll
BHO: Microsoft.Search.HRSToolBar.InitToolbarBHO: {1d970ed5-3eda-438d-bffd-715931e2775d} - mscoree.dll
BHO: XBTB06823 Class: {38b3626f-b4f0-4964-9b7e-6bc5060c0f5a} - c:\progra~1\grabal~1\graball.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GR469A~1.DLL
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Bing HRS Toolbar: {c9a6357b-25cc-4bcf-96c1-78736985d414} - mscoree.dll
uRun: [Software Informer] "c:\program files\software informer\softinfo.exe" -autorun
uRun: [fsm]
uRun: [Eye-Fi] "c:\program files\eye-fi\helper\EyeFiHelper.exe"
uRun: [Google Update] "c:\users\paul\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Trend Micro Titanium] "c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe" -set Silent "1" SplashURL ""
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [iXL_MiddleWare] c:\program files\fisher-price\ixl\iXL.Middleware.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 167.206.254.1 167.206.254.2
TCP: Interfaces\{0E6ABB93-D5A8-4CE7-854E-D955A309114F} : DhcpNameServer = 167.206.254.1 167.206.254.2
TCP: Interfaces\{0E6ABB93-D5A8-4CE7-854E-D955A309114F}\D41686F6E6569784F6D656 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0E6ABB93-D5A8-4CE7-854E-D955A309114F}\F4365616E63796465602C4962627162797022364 : DhcpNameServer = 10.10.10.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GRA32A~1.DLL
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GR469A~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 94.63.147.22 www.google.com
Hosts: 94.63.147.23 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\paul\appdata\roaming\mozilla\firefox\profiles\3oq0kbv3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\firefoxextension\components\TmFFEx6.dll
FF - component: c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\firefoxextension\components\TmFFExt.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\users\paul\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\firefoxextension
.
============= SERVICES / DRIVERS ===============
.
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2009-6-29 13120]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2010-11-1 188272]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-11-1 64080]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [2012-2-7 94208]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-4 1343400]
.
=============== Created Last 30 ================
.
2012-02-11 20:55:01 102400 ----a-w- c:\windows\RegBootClean.exe
2012-02-11 05:06:52 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-02-11 04:38:41 -------- d-----w- C:\92deb1927c148fb436a928
2012-02-11 04:23:11 -------- d-----w- C:\2b707b739930a477a70760b0
2012-02-11 04:08:54 -------- d-----w- C:\46f0cd5c53c22edfc0004d69a28442
2012-02-11 04:08:01 -------- d-----w- C:\344291c8b259daf1bdaba2886a
2012-02-11 04:07:51 -------- d-----w- c:\programdata\SUPERSetup
2012-02-11 04:05:42 -------- d-----w- C:\96d90f0377e8111dd3da2fdc4085f9
2012-02-11 04:04:38 -------- d-----w- C:\76eacb6da3a39423b8f3c3cb2ef349
2012-02-11 04:04:19 -------- d-----w- C:\fd70a6f3e26c2f1c17348fdb1231
2012-02-11 03:48:19 56312 --sh--w- c:\users\paul\appdata\local\dplayx.dll
2012-02-07 22:18:26 -------- d-----w- c:\program files\Lexmark 3600-4600 Series
2012-02-07 22:17:28 147968 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\lxdxdrpp.dll
2012-02-07 22:14:34 81920 ----a-w- c:\windows\system32\lxdxcaps.dll
2012-02-07 22:14:34 782336 ----a-w- c:\windows\system32\lxdxdrs.dll
2012-02-07 22:14:34 77906 ----a-w- c:\windows\system32\lxdxcfg.dll
2012-02-07 22:14:33 69632 ----a-w- c:\windows\system32\lxdxcnv4.dll
2012-01-17 18:43:37 1735816 ----a-w- c:\programdata\SPL7151.tmp
.
==================== Find3M ====================
.
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-29 22:12:15 52988 ----a-w- c:\programdata\SPL7A5.tmp
2011-11-24 04:23:31 2340352 ----a-w- c:\windows\system32\win32k.sys
2007-09-17 14:10:42 24576 ----a-w- c:\program files\Lexmark 3500-4500 Series
.
============= FINISH: 19:12:44.74 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-14 20:17:03
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHW2080BH_PL rev.0040001D
Running: GMER.exe; Driver: C:\Users\Paul\AppData\Local\Temp\pxdirpod.sys


---- System - GMER 1.0.15 ----

SSDT A6CD4B00 ZwCreateKey
SSDT A6D14A60 ZwCreateMutant
SSDT A6CD3600 ZwCreateProcess
SSDT A6CD3900 ZwCreateProcessEx
SSDT A6D14E20 ZwCreateSymbolicLinkObject
SSDT A6D143A0 ZwCreateThread
SSDT A6D14580 ZwCreateThreadEx
SSDT A6CD3C00 ZwCreateUserProcess
SSDT A6CD5100 ZwDeleteKey
SSDT A6CD5A00 ZwDeleteValueKey
SSDT A6D15000 ZwDuplicateObject
SSDT A6D14760 ZwLoadDriver
SSDT A6CD3F00 ZwOpenProcess
SSDT A6D14020 ZwOpenSection
SSDT A6CD4200 ZwOpenThread
SSDT A6CD5400 ZwRenameKey
SSDT A6CD5700 ZwRestoreKey
SSDT A6D14C40 ZwSetSystemInformation
SSDT A6CD4E00 ZwSetValueKey
SSDT A6CD4500 ZwTerminateProcess
SSDT A6CD4800 ZwTerminateThread
SSDT A6D141C0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 82C8B8A9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82CAB2F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 147F 82CB264C 4 Bytes [00, 4B, CD, A6] {ADD [EBX-0x33], CL; CMPSB }
.text ntoskrnl.exe!KeRemoveQueueEx + 148F 82CB265C 4 Bytes [60, 4A, D1, A6]
.text ntoskrnl.exe!KeRemoveQueueEx + 14A3 82CB2670 8 Bytes [00, 36, CD, A6, 00, 39, CD, ...] {ADD [ESI], DH; INT 0xa6; ADD [ECX], BH; INT 0xa6}
.text ntoskrnl.exe!KeRemoveQueueEx + 14BF 82CB268C 12 Bytes [20, 4E, D1, A6, A0, 43, D1, ...]
.text ntoskrnl.exe!KeRemoveQueueEx + 14DB 82CB26A8 4 Bytes [00, 3C, CD, A6]
.text ...
? C:\Users\Paul\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[4416] USER32.dll!CreateWindowExW 76650E51 5 Bytes JMP 695C810F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4416] USER32.dll!DialogBoxIndirectParamW 76674AA7 5 Bytes JMP 696F00C8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4416] USER32.dll!DialogBoxParamW 7667564A 5 Bytes JMP 694E4B87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4416] USER32.dll!DialogBoxParamA 7668CF6A 5 Bytes JMP 696F0065 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4416] USER32.dll!DialogBoxIndirectParamA 7668D29C 5 Bytes JMP 696F012B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4416] USER32.dll!MessageBoxIndirectA 7669E8C9 5 Bytes JMP 696EFFFA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4416] USER32.dll!MessageBoxIndirectW 7669E9C3 5 Bytes JMP 696EFF8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4416] USER32.dll!MessageBoxExA 7669EA29 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[4416] USER32.dll!MessageBoxExA 7669EA29 5 Bytes JMP 696EFF2D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4416] USER32.dll!MessageBoxExW 7669EA4D 5 Bytes JMP 696EFECB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!CreateDialogParamW 76649BFF 5 Bytes JMP 6951C590 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!EnableWindow 7664A72E 5 Bytes JMP 6951C50B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!GetAsyncKeyState 7664C09A 5 Bytes JMP 694DD6D1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!UnhookWindowsHookEx 7664CC7B 5 Bytes JMP 695D8345 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!CallNextHookEx 7664CC8F 5 Bytes JMP 695B9D1C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!CreateWindowExW 76650E51 5 Bytes JMP 695C810F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!SetWindowsHookExW 7665210A 5 Bytes JMP 6957460B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!GetKeyState 76654FDA 5 Bytes JMP 6951D782 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!IsDialogMessageW 76656F06 5 Bytes JMP 694E4264 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!CreateDialogParamA 76663E79 5 Bytes JMP 696F0CBE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!IsDialogMessage 7666407A 5 Bytes JMP 696F055F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!CreateDialogIndirectParamA 76669110 5 Bytes JMP 696F0CF5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!CreateDialogIndirectParamW 766708AD 5 Bytes JMP 696F0D2C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!DialogBoxIndirectParamW 76674AA7 5 Bytes JMP 696F00C8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!EndDialog 7667555C 5 Bytes JMP 694E5AC9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!DialogBoxParamW 7667564A 5 Bytes JMP 694E4B87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!SetKeyboardState 76676B52 5 Bytes JMP 696F08C4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!SendInput 76677055 5 Bytes JMP 696F1488 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!SetCursorPos 7668C1D8 5 Bytes JMP 696F14E0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!DialogBoxParamA 7668CF6A 5 Bytes JMP 696F0065 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!DialogBoxIndirectParamA 7668D29C 5 Bytes JMP 696F012B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!MessageBoxIndirectA 7669E8C9 5 Bytes JMP 696EFFFA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!MessageBoxIndirectW 7669E9C3 5 Bytes JMP 696EFF8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!MessageBoxExA 7669EA29 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!MessageBoxExA 7669EA29 5 Bytes JMP 696EFF2D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!MessageBoxExW 7669EA4D 5 Bytes JMP 696EFECB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] USER32.dll!keybd_event 7669EC9B 5 Bytes JMP 696F1813 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] SHELL32.dll!SHChangeNotification_Lock + 45BA 7545B3D8 4 Bytes [11, 36, 07, 6A]
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] SHELL32.dll!SHChangeNotification_Lock + 45C2 7545B3E0 8 Bytes [5F, 35, 07, 6A, D0, 73, 06, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] ole32.dll!OleLoadFromStream 76765BF6 5 Bytes JMP 696F041B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4480] ole32.dll!CoCreateInstance 767B590C 5 Bytes JMP 695C8BFD C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\00000720 \GLOBAL??\a3c2b903 8566D880

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB6849$\1957996993 0 bytes
File C:\Windows\$NtUninstallKB6849$\2747447555 0 bytes
File C:\Windows\$NtUninstallKB6849$\2747447555\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB6849$\2747447555\L 0 bytes
File C:\Windows\$NtUninstallKB6849$\2747447555\U 0 bytes

---- EOF - GMER 1.0.15 ----

Edited by boopme, 15 February 2012 - 08:13 PM.
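As an added example (not part of badlands23's post, and not code from DDS, GMER or any other tool in this thread), the two things a helper would pull out of the DDS log above can be checked automatically: the hosts-file entries pinning www.google.com and www.bing.com to 94.63.147.22/.23, which is what makes search "redirect" without any DNS query, and dplayx.dll created under AppData with the system+hidden attributes (`--sh--w-`). The script parses a constructed excerpt modelled on the log; the line formats and the rule thresholds are my assumptions.

```python
import ipaddress
import re

# Constructed excerpt modelled on the "Pseudo HJT Report" and "Created Last 30"
# sections of the DDS log in the post above; sample input, not the full log.
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 167.206.254.1 167.206.254.2
Hosts: 94.63.147.22 www.google.com
Hosts: 94.63.147.23 www.bing.com
Hosts: 127.0.0.1 localhost
2012-02-11 03:48:19 56312 --sh--w- c:\\users\\paul\\appdata\\local\\dplayx.dll
2012-02-11 20:55:01 102400 ----a-w- c:\\windows\\RegBootClean.exe
2012-02-11 04:38:41 -------- d-----w- C:\\92deb1927c148fb436a928
"""

# "Hosts: <ip> <hostname>" is how DDS prints hosts-file entries (assumed format).
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)\s*$")
# "<timestamp> <size|--------> <attrs> <path>" for created files; the 8-character
# attribute field uses letters such as d (dir), s (system), h (hidden), a (archive).
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)

# Names that legitimately sit in the hosts file pointing at loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def is_sinkhole(ip: str) -> bool:
    """True for loopback (127.x, ::1) or 0.0.0.0; ad-blocking hosts files use these.

    A malformed address counts as not a sinkhole, so it still gets flagged.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def check_hosts_line(line: str):
    """Flag a hosts-file entry that maps a real hostname to a routable address.

    Pinning www.google.com to an arbitrary IP is the redirect seen in the thread:
    the browser resolves the name locally and never asks DNS at all.
    """
    m = HOSTS_RE.match(line)
    if not m:
        return None
    ip, host = m.group("ip"), m.group("host").lower()
    if host in LOOPBACK_NAMES or is_sinkhole(ip):
        return None
    return {"rule": "hosts-redirect", "severity": "high",
            "detail": f"{host} is pinned to {ip} by the hosts file"}


def check_file_line(line: str):
    """Flag a newly created non-directory with system+hidden attributes in a user profile.

    A DLL under AppData marked system and hidden (DDS shows --sh--w-) is not what a
    normal installer leaves behind; dplayx.dll in the log above is a typical hit.
    """
    m = FILE_RE.match(line)
    if not m:
        return None
    attrs, path = m.group("attrs"), m.group("path")
    if attrs.startswith("d"):
        return None  # directories would need their own, noisier rules
    in_profile = "\\users\\" in path.lower()
    if in_profile and "s" in attrs and "h" in attrs:
        return {"rule": "hidden-system-file", "severity": "medium",
                "detail": f"{path} created with attributes {attrs}"}
    return None


def triage(text: str) -> list:
    """Run every check over each line of a DDS log and collect findings in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for check in (check_hosts_line, check_file_line):
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['severity']}] {f['rule']}: {f['detail']}")
```

Running it on the excerpt reports the two hosts redirects and the hidden DLL and stays quiet on the localhost entry, RegBootClean.exe and the directory line.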



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:45 PM

Posted 17 February 2012 - 01:28 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:45 PM

Posted 19 February 2012 - 11:37 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:45 PM

Posted 24 February 2012 - 12:28 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:45 PM

Posted 25 February 2012 - 09:19 AM

Re opened per PM..
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:45 PM

Posted 25 February 2012 - 12:56 PM

Thanks boopme


I will be waiting for the reports when they are ready


gringo

#7 badlands23

badlands23
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 25 February 2012 - 04:07 PM

Gringo,

Thank you for letting me post my logs. I can't shut off my Trend Micro security. I try to right-click it and select Exit, but nothing happens. I have a yellow sign with an exclamation point in it and I can't use Google to figure out how to get rid of that, as I think I have the Search Milk virus.

I also tried the suggestion of going to the uninstaller and stopping the components via their instructions, but nothing happened after I double-clicked the uninstaller and answered yes to letting the computer make changes to it.

A lot of my files/folders are "locked" with padlocks on them as well. It's driving me nuts.

I'm running Combofix anyway. I will post the log ASAP.

#8 badlands23

badlands23
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 25 February 2012 - 04:10 PM

I didn't run Combofix. Still trying to figure out how to remove Trend Micro.

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:45 PM

Posted 25 February 2012 - 06:09 PM

Go ahead and run Combofix for now.

gringo

#10 badlands23

badlands23
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 25 February 2012 - 07:34 PM

I can't even uninstall Trend Micro. I will run Combofix and post the log.

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:45 PM

Posted 25 February 2012 - 09:07 PM

OK I will be waiting


Gringo

#12 badlands23 (Topic Starter)

Posted 26 February 2012 - 11:43 AM

Gringo,

I ran combofix this morning. It just finished up. It detected Rootkit.ZeroAccess. Said it was inserted into the TCP/IP stack.

This is the log:

ComboFix 12-02-25.02 - Paul 02/26/2012 11:07:57.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1015.433 [GMT -5:00]
Running from: c:\users\Paul\Desktop\ComboFix.exe
AV: Trend Micro Titanium *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\SPL7151.tmp
c:\programdata\SPL7A5.tmp
c:\users\Paul\AppData\Local\dplayx.dll
c:\users\Paul\GoToAssistDownloadHelper.exe
c:\windows\$NtUninstallKB6849$\1957996993
c:\windows\$NtUninstallKB6849$\2747447555\Desktop.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-01-26 to 2012-02-26 )))))))))))))))))))))))))))))))
.
.
2012-02-26 16:30 . 2012-02-26 16:32 -------- d-----w- c:\users\Paul\AppData\Local\temp
2012-02-26 16:30 . 2012-02-26 16:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-11 20:55 . 2012-02-18 23:36 102400 ----a-w- c:\windows\RegBootClean.exe
2012-02-11 05:06 . 2012-02-11 21:40 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-02-11 04:38 . 2012-02-11 04:38 -------- d-----w- C:\92deb1927c148fb436a928
2012-02-11 04:23 . 2012-02-11 04:23 -------- d-----w- C:\2b707b739930a477a70760b0
2012-02-11 04:08 . 2012-02-11 04:08 -------- d-----w- C:\46f0cd5c53c22edfc0004d69a28442
2012-02-11 04:08 . 2012-02-11 04:08 -------- d-----w- C:\344291c8b259daf1bdaba2886a
2012-02-11 04:07 . 2012-02-13 03:54 -------- d-----w- c:\programdata\SUPERSetup
2012-02-11 04:05 . 2012-02-11 04:05 -------- d-----w- C:\96d90f0377e8111dd3da2fdc4085f9
2012-02-11 04:04 . 2012-02-11 04:04 -------- d-----w- C:\76eacb6da3a39423b8f3c3cb2ef349
2012-02-11 04:04 . 2012-02-11 04:04 -------- d-----w- C:\fd70a6f3e26c2f1c17348fdb1231
2012-02-07 22:18 . 2012-02-07 22:18 -------- d-----w- c:\program files\Lexmark 3600-4600 Series
2012-02-07 22:17 . 2009-10-16 23:12 147968 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxdxdrpp.dll
2012-02-07 22:14 . 2009-08-19 19:06 81920 ----a-w- c:\windows\system32\lxdxcaps.dll
2012-02-07 22:14 . 2009-08-19 19:06 782336 ----a-w- c:\windows\system32\lxdxdrs.dll
2012-02-07 22:14 . 2009-08-19 19:00 77906 ----a-w- c:\windows\system32\lxdxcfg.dll
2012-02-07 22:14 . 2009-08-19 19:00 69632 ----a-w- c:\windows\system32\lxdxcnv4.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 20:24 . 2011-12-12 00:37 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2007-09-17 14:10 . 2011-11-16 21:25 24576 ----a-w- c:\program files\Lexmark 3500-4500 Series
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1d970ed5-3eda-438d-bffd-715931e2775d}]
2009-11-25 16:47 297808 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{38B3626F-B4F0-4964-9B7E-6BC5060C0F5A}]
2005-04-15 20:19 524288 ----a-w- c:\progra~1\GRABAL~1\graball.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{c9a6357b-25cc-4bcf-96c1-78736985d414}"= "mscoree.dll" [2009-11-25 297808]
.
[HKEY_CLASSES_ROOT\clsid\{c9a6357b-25cc-4bcf-96c1-78736985d414}]
[HKEY_CLASSES_ROOT\Microsoft.Search.HRSToolBar.HRSToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Software Informer"="c:\program files\Software Informer\softinfo.exe" [2009-11-25 2011205]
"Eye-Fi"="c:\program files\Eye-Fi\Helper\EyeFiHelper.exe" [2011-12-22 3961464]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-02-11 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-01-13 981680]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"iXL_MiddleWare"="c:\program files\Fisher-Price\iXL\iXL.Middleware.exe" [2011-08-04 56376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2008-03-20 06:22 320168 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-04 02:48 136176 ----atw- c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-23 23:30 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-23 23:30 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iXL_MiddleWare]
2011-08-04 14:57 56376 ----a-w- c:\program files\Fisher-Price\iXL\iXL.Middleware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-10-29 20:06 5915480 ----a-w- c:\program files\Logitech\Vid HD\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 18:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-23 23:30 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdxserv.exe [2009-10-16 94208]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-03 1343400]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-29 13120]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [2009-10-16 589824]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2010-11-01 64080]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1226900711-2234508270-3871277346-1001Core.job
- c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-04 02:48]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1226900711-2234508270-3871277346-1001UA.job
- c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-04 02:48]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 167.206.254.1 167.206.254.2
FF - ProfilePath - c:\users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\3oq0kbv3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - c:\program files\Trend Micro\AMSP\Module\20004\1.5.1504\6.6.1088\firefoxextension
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKCU-Run-fsm - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WUDFHost.exe
c:\program files\Trend Micro\AMSP\coreServiceShell.exe
c:\windows\system32\conhost.exe
c:\program files\Trend Micro\AMSP\coreFrameworkHost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2012-02-26 11:38:59 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-26 16:38
.
Pre-Run: 14,390,222,848 bytes free
Post-Run: 17,115,205,632 bytes free
.
- - End Of File - - F2BAD01B1CCA97E7E3845A8F461C0154
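A triage helper for a log like the one above, added here as an example (it is not ComboFix's code and was not posted in this thread). It parses the Run-key values and the R*/S* service lines of the "Reg Loading Points" section and lists the services whose image file ComboFix could not find, which, as I read the format, it marks with a trailing "[x]" instead of a date and size. The sample lines are copied from the log above; the names Entry, parse_loading_points and triage are my own.

```python
"""Pull autostart entries out of a ComboFix-style log and flag services with no image file.

Added example, not ComboFix's own code. Assumption: a trailing "[x]" on a service line
means ComboFix did not find the file at the recorded path.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the lines below are copied from the ComboFix log posted above.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Software Informer"="c:\program files\Software Informer\softinfo.exe" [2009-11-25 2011205]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-02-11 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdxserv.exe [2009-10-16 94208]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2010-11-01 64080]
'''

# [HKEY_...\Run] section header
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$', re.IGNORECASE)
# "Value name"="image path" [YYYY-MM-DD size]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
# R2 name;display name;image path [YYYY-MM-DD size]   or   ... [x]
SVC_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.+?) \[(x|\d{4}-\d{2}-\d{2} \d+)\]$')


@dataclass
class Entry:
    kind: str           # "run" (registry Run value) or "service" (service/driver line)
    location: str       # registry key for run entries, start type (R2, S3, ...) for services
    name: str
    image: str
    file_present: bool  # False when the line ends in [x]


def parse_loading_points(text: str) -> List[Entry]:
    """Parse Run values and service lines; other lines (headers, '.', notes) are ignored."""
    entries: List[Entry] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = RUN_RE.match(line)
        if m and current_key:
            entries.append(Entry('run', current_key, m.group(1), m.group(2), True))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(Entry('service', m.group(1), m.group(2), m.group(4), m.group(5) != 'x'))
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Summarise a log: every Run value, every service, and the services with no file on disk."""
    entries = parse_loading_points(text)
    return {
        'run_entries': [e.name for e in entries if e.kind == 'run'],
        'services': [e.name for e in entries if e.kind == 'service'],
        'missing_image': [e.name for e in entries if e.kind == 'service' and not e.file_present],
    }


if __name__ == '__main__':
    summary = triage(SAMPLE_LOG)
    print('Run values   :', ', '.join(summary['run_entries']))
    print('Services     :', ', '.join(summary['services']))
    print('No image file:', ', '.join(summary['missing_image']))
```

On the sample lines the two services without an image file are esgiguard (a SpyHunter driver) and Amsp (the Trend Micro service), which fits the poster's later report that Trend Micro is no longer working after ComboFix; the helper only surfaces such entries for a human to check, it does not decide what is malicious.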

#13 badlands23 (Topic Starter)

Posted 26 February 2012 - 11:54 AM

Quick question. Since I ran combofix, I don't think I have trend micro working. Do I re-install?

Thanks

#14 badlands23 (Topic Starter)

Posted 26 February 2012 - 11:56 AM

Also a little concerned that if I type something in url I can't go to it. I typed in hotmail.com and it never went anywhere. No progress, nothing. Just stayed in same spot.

#15 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 26 February 2012 - 01:04 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo



