Rootkit ? after clean reinstall


  • This topic is locked
18 replies to this topic

#1 bwrighttwo

  • Members
  • 717 posts
  • Gender:Male

Posted 14 March 2012 - 10:33 PM

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by william at 23:17:38 on 2012-03-14
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3764.1972 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
[attachment=120597:Attach.zip]
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Users\william\SASCORE64.EXE
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Acer\Registration\GregHSRW.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\ccSvcHst.exe
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\william\Desktop\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\aswMBR.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5740&r=273603125116l0408z125t54n1d54o
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5740&r=273603125116l0408z125t54n1d54o
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5740&r=273603125116l0408z125t54n1d54o
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\IPS\IPSBHO.DLL
BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - C:\ProgramData\Partner\Partner.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\coIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\william\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{079E895E-A34A-44CA-AB30-B5385D4D0B79} : DhcpNameServer = 192.168.0.4
TCP: Interfaces\{88F20015-ADFB-4ECC-9DD4-655240790053} : DhcpNameServer = 192.168.1.1
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\coIEPlg.dll
BHO-X64: Norton Identity Protection - No File
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\IPS\IPSBHO.DLL
BHO-X64: Norton Vulnerability Protection - No File
BHO-X64: Partner BHO Class: {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\coIEPlg.dll
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0601010.008\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0601010.008\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0601010.008\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0601010.008\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\BASHDefs\20120302.001\BHDrvx64.sys [2012-3-2 1157240]
R1 ccSet_N360;Norton 360 Settings Manager;C:\Windows\system32\drivers\N360x64\0601010.008\ccSetx64.sys --> C:\Windows\system32\drivers\N360x64\0601010.008\ccSetx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\IPSDefs\20120313.001\IDSviA64.sys [2012-3-13 488568]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Users\william\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Users\william\saskutil64.sys [2011-7-12 12368]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0601010.008\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0601010.008\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\N360x64\0601010.008\SYMNETS.SYS --> C:\Windows\system32\Drivers\N360x64\0601010.008\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Users\william\SASCore64.exe [2011-8-11 140672]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2012-3-11 844320]
R2 Greg_Service;GRegService;C:\Program Files (x86)\Acer\Registration\GregHSRW.exe [2009-8-28 1150496]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\ccsvchst.exe [2012-3-11 138232]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2009-9-24 62720]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-6-17 144640]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-11-4 2320920]
R2 Updater Service;Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2009-11-4 240160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-3-11 138360]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe --> c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [?]
S3 AmUStor;AM USB Stroage Driver;C:\Windows\system32\drivers\AmUStor.SYS --> C:\Windows\system32\drivers\AmUStor.SYS [?]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-6-17 50432]
S3 Partner Service;Partner Service;C:\ProgramData\Partner\Partner.exe [2009-11-4 332272]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-03-15 02:15:11 -------- d-----w- C:\Windows\SysWow64\BestPractices
2012-03-15 02:15:09 -------- d-----w- C:\Windows\System32\BestPractices
2012-03-15 02:15:04 -------- d-----w- C:\inetpub
2012-03-15 01:29:10 -------- d-----w- C:\Users\william\AppData\Local\Adobe
2012-03-14 02:31:06 -------- d-----w- C:\Users\william\AppData\Roaming\SUPERAntiSpyware.com
2012-03-14 02:30:52 -------- d-----w- C:\Users\william\Plugins
2012-03-14 02:30:52 -------- d-----w- C:\Users\william\Language
2012-03-14 02:30:49 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-03-14 02:12:21 3143168 ----a-w- C:\Windows\System32\win32k.sys
2012-03-14 02:12:17 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2012-03-14 02:12:16 320512 ----a-w- C:\Windows\System32\d3d10_1core.dll
2012-03-14 02:12:16 218624 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2012-03-14 02:12:16 197120 ----a-w- C:\Windows\System32\d3d10_1.dll
2012-03-14 02:12:16 1837568 ----a-w- C:\Windows\System32\d3d10warp.dll
2012-03-14 02:12:16 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2012-03-14 02:12:16 1541120 ----a-w- C:\Windows\System32\DWrite.dll
2012-03-14 02:12:16 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-14 02:12:15 902656 ----a-w- C:\Windows\System32\d2d1.dll
2012-03-14 02:12:15 1170944 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2012-03-14 01:26:58 8643640 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3C868D07-2816-4FD6-96DC-C85A6A030CF1}\mpengine.dll
2012-03-14 01:20:51 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-14 01:20:51 76288 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-14 01:20:51 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-14 01:20:50 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-03-14 01:20:49 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-14 01:20:49 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-14 01:20:49 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-13 04:02:32 -------- d-----w- C:\Users\william\AppData\Roaming\GetRightToGo
2012-03-13 02:24:32 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2012-03-13 01:36:00 -------- d-----w- C:\Users\william\AppData\Local\Apps
2012-03-13 00:58:48 -------- d-----w- C:\Windows\SysWow64\Wat
2012-03-13 00:58:48 -------- d-----w- C:\Windows\System32\Wat
2012-03-13 00:00:36 80384 ----a-w- C:\Windows\System32\drivers\BTHUSB.SYS
2012-03-13 00:00:36 552448 ----a-w- C:\Windows\System32\drivers\bthport.sys
2012-03-12 23:53:31 8643640 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-12 23:53:10 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1B3AD571-A1CD-4C35-8B74-A6AB80949408}\gapaengine.dll
2012-03-12 23:52:35 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-03-12 23:48:05 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-03-12 23:47:26 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-03-12 23:47:10 374664 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-03-12 23:21:58 -------- d-----w- C:\Users\william\AppData\Local\ElevatedDiagnostics
2012-03-12 22:49:33 -------- d-----w- C:\Users\william\AppData\Local\NPE
2012-03-12 03:50:30 -------- d-----w- C:\Windows\NAPP_Dism_Log
2012-03-12 03:49:46 -------- d-----w- C:\AcerSW
2012-03-12 03:47:05 311808 ----a-w- C:\Windows\System32\msv1_0.dll
2012-03-12 03:47:05 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2012-03-12 03:46:57 46592 ----a-w- C:\Windows\System32\msasn1.dll
2012-03-12 03:46:57 34816 ----a-w- C:\Windows\SysWow64\msasn1.dll
2012-03-12 03:46:25 1975296 ----a-w- C:\Windows\System32\CertEnroll.dll
2012-03-12 03:46:25 1320960 ----a-w- C:\Windows\SysWow64\CertEnroll.dll
2012-03-12 03:45:31 396072 ----a-w- C:\Windows\System32\SynCOM.dll
2012-03-12 03:45:31 292912 ----a-w- C:\Windows\System32\drivers\SynTP.sys
2012-03-12 03:45:31 263464 ----a-w- C:\Windows\System32\SynCtrl.dll
2012-03-12 03:45:31 206120 ----a-w- C:\Windows\SysWow64\SynCtrl.dll
2012-03-12 03:45:31 205608 ----a-w- C:\Windows\System32\SynTPAPI.dll
2012-03-12 03:45:31 1721576 ----a-w- C:\Windows\System32\WdfCoInstaller01009.dll
2012-03-12 03:45:31 169256 ----a-w- C:\Windows\SysWow64\SynCOM.dll
2012-03-12 03:45:31 147752 ----a-w- C:\Windows\System32\SynTPCo4.dll
2012-03-12 03:45:31 107816 ----a-w- C:\Windows\SysWow64\SynTPCOM.dll
2012-03-12 03:45:26 348680 ----a-w- C:\Windows\UNINST32.EXE
2012-03-12 03:45:26 25608 ----a-w- C:\Windows\SysWow64\drivers\DKbFltr.sys
2012-03-12 03:43:58 484128 ----a-w- C:\Windows\WisMvImg.exe
2012-03-12 03:43:58 274 ----a-w- C:\Windows\LAUNAPP.REG
2012-03-12 03:43:58 249856 ----a-w- C:\Windows\Wisi2Bat.exe
2012-03-12 03:43:58 176416 ----a-w- C:\Windows\PatchFul.exe
2012-03-12 03:43:56 388384 ----a-w- C:\Windows\WisGAPasx64.exe
2012-03-12 03:43:56 335872 ----a-w- C:\Windows\ParseModule_X64.exe
2012-03-12 03:43:55 326432 ----a-w- C:\Windows\WisGAPas.exe
2012-03-12 03:43:55 225280 ----a-w- C:\Windows\ParseModule_X86.exe
2012-03-12 02:56:55 -------- d-----w- C:\Program Files\LSI SoftModem
2012-03-12 02:56:52 -------- d-----w- C:\Program Files\Common Files\Intel
2012-03-12 02:56:52 -------- d-----w- C:\Program Files (x86)\Common Files\Intel
2012-03-12 02:40:27 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
2012-03-12 02:40:27 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
2012-03-12 02:40:27 48960 ----a-w- C:\Windows\System32\netfxperf.dll
2012-03-12 02:40:27 444752 ----a-w- C:\Windows\System32\mscoree.dll
2012-03-12 02:40:27 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
2012-03-12 02:40:27 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
2012-03-12 02:40:27 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
2012-03-12 02:40:27 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2012-03-12 02:40:27 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
2012-03-12 02:40:27 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
2012-03-12 02:37:18 -------- d-----w- C:\Users\william\AppData\Local\Microsoft Help
2012-03-12 02:27:59 43640 ----a-r- C:\Windows\System32\drivers\SymIMV.sys
2012-03-12 02:22:59 633856 ----a-w- C:\Windows\System32\comctl32.dll
2012-03-12 02:21:11 422400 ----a-w- C:\Windows\System32\KernelBase.dll
2012-03-12 02:20:57 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-03-12 02:20:57 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-03-12 02:20:44 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll
2012-03-12 02:20:44 954288 ----a-w- C:\Windows\SysWow64\mfc40u.dll
2012-03-12 02:20:09 640896 ----a-w- C:\Windows\System32\winload.efi
2012-03-12 02:20:09 603976 ----a-w- C:\Windows\System32\winload.exe
2012-03-12 02:20:09 556928 ----a-w- C:\Windows\System32\winresume.efi
2012-03-12 02:20:09 518160 ----a-w- C:\Windows\System32\winresume.exe
2012-03-12 02:20:09 20352 ----a-w- C:\Windows\System32\kdusb.dll
2012-03-12 02:20:09 19328 ----a-w- C:\Windows\System32\kd1394.dll
2012-03-12 02:20:09 17792 ----a-w- C:\Windows\System32\kdcom.dll
2012-03-12 02:19:52 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2012-03-12 02:19:52 720896 ----a-w- C:\Windows\System32\odbc32.dll
2012-03-12 02:19:52 573440 ----a-w- C:\Windows\SysWow64\odbc32.dll
2012-03-12 02:19:52 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
2012-03-12 02:19:52 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
2012-03-12 02:19:52 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll
2012-03-12 02:19:52 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
2012-03-12 02:19:52 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
2012-03-12 02:19:52 208896 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll
2012-03-12 02:19:52 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2012-03-12 02:19:11 1739160 ----a-w- C:\Windows\System32\ntdll.dll
2012-03-12 02:19:11 1292592 ----a-w- C:\Windows\SysWow64\ntdll.dll
2012-03-12 02:18:48 499200 ----a-w- C:\Windows\System32\drivers\afd.sys
2012-03-12 02:18:29 3138048 ----a-w- C:\Windows\System32\mstscax.dll
2012-03-12 02:18:29 2690560 ----a-w- C:\Windows\SysWow64\mstscax.dll
2012-03-12 02:18:29 1034240 ----a-w- C:\Windows\SysWow64\mstsc.exe
2012-03-12 02:18:28 1097216 ----a-w- C:\Windows\System32\mstsc.exe
2012-03-12 02:16:58 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
2012-03-12 02:16:56 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2012-03-12 02:16:56 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2012-03-12 02:16:54 77312 ----a-w- C:\Windows\System32\packager.dll
2012-03-12 02:16:54 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-03-12 02:16:52 112000 ----a-w- C:\Windows\System32\consent.exe
2012-03-12 02:16:14 -------- d-----w- C:\ProgramData\OEM_E471269A730D
2012-03-12 02:16:06 -------- d-----w- C:\Program Files (x86)\OEM
2012-03-12 01:58:28 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2012-03-12 01:56:51 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
2012-03-12 01:56:51 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
2012-03-12 01:56:36 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-03-12 01:55:39 -------- d-----w- C:\Program Files (x86)\Microsoft
2012-03-12 01:55:02 -------- d-----w- C:\Program Files (x86)\Windows Live SkyDrive
2012-03-12 01:54:28 738936 ----a-r- C:\Windows\System32\drivers\N360x64\0601010.008\srtsp64.sys
2012-03-12 01:54:28 451192 ----a-r- C:\Windows\System32\drivers\N360x64\0601010.008\symds64.sys
2012-03-12 01:54:28 405624 ----a-r- C:\Windows\System32\drivers\N360x64\0601010.008\symnets.sys
2012-03-12 01:54:28 37496 ----a-r- C:\Windows\System32\drivers\N360x64\0601010.008\srtspx64.sys
2012-03-12 01:54:28 190072 ----a-r- C:\Windows\System32\drivers\N360x64\0601010.008\ironx64.sys
2012-03-12 01:54:28 167048 ----a-r- C:\Windows\System32\drivers\N360x64\0601010.008\ccsetx64.sys
2012-03-12 01:54:28 1092728 ----a-r- C:\Windows\System32\drivers\N360x64\0601010.008\symefa64.sys
2012-03-12 01:54:22 -------- d-----w- C:\Windows\System32\drivers\N360x64\0601010.008
2012-03-12 01:53:43 74520 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\f4731e8e1ccfff2\DSETUP.dll
2012-03-12 01:53:43 484632 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\f4731e8e1ccfff2\DXSETUP.exe
2012-03-12 01:53:43 1670936 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\f4731e8e1ccfff2\dsetup32.dll
2012-03-12 01:52:39 141402440 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\wlcAAF0.tmp
2012-03-12 01:52:22 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2012-03-12 01:52:12 175736 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2012-03-12 01:52:12 -------- d-----w- C:\Program Files\Symantec
2012-03-12 01:52:12 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2012-03-12 01:51:20 -------- d-----w- C:\Windows\System32\drivers\N360x64
2012-03-12 01:51:17 -------- d-----w- C:\Program Files (x86)\Norton 360
2012-03-12 01:47:44 -------- d-----w- C:\BOOK
2012-03-12 01:46:42 -------- d-----w- C:\ProgramData\NortonInstaller
2012-03-12 01:46:42 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2012-03-12 01:45:26 -------- d-----w- C:\Program Files\Synaptics
2012-03-12 01:44:38 -------- d-----w- C:\Program Files (x86)\Launch Manager
2012-03-12 01:44:21 -------- d-----w- C:\ProgramData\Norton
2012-03-12 01:43:58 200704 ----a-w- C:\Windows\PLFSetI.exe
2012-03-12 01:43:57 106496 ----a-w- C:\Windows\FixUVC.exe
2012-03-12 01:42:29 -------- d-----w- C:\Program Files\WIDCOMM
2012-03-12 01:42:21 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-03-12 01:42:21 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-03-12 01:42:20 139264 ----a-w- C:\Windows\System32\cabview.dll
2012-03-12 01:42:20 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2012-03-12 01:41:06 -------- d-----w- C:\Users\william\AppData\Local\Google
2012-03-07 21:28:08 4785536 ----a-w- C:\Users\william\SUPERAntiSpyware.exe
.
==================== Find3M ====================
.
2012-03-13 02:24:32 265088 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2012-03-12 03:46:00 347648 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2012-03-12 03:46:00 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2012-01-11 23:04:14 455552 ----a-w- C:\Users\william\SSUpdate64.exe
2011-12-16 08:42:13 634368 ----a-w- C:\Windows\System32\msvcrt.dll
2011-12-16 07:59:17 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
.
============= FINISH: 23:18:25.43 ===============


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-14 22:37:25
-----------------------------
22:37:25.804 OS Version: Windows x64 6.1.7600
22:37:25.805 Number of processors: 4 586 0x2502
22:37:25.806 ComputerName: WILLIAM-PC UserName: william
22:37:27.461 Initialize success
22:39:17.977 AVAST engine defs: 12031401
22:39:23.609 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:39:23.609 Disk 0 Vendor: Hitachi_ PB3O Size: 305245MB BusType: 3
22:39:23.718 Disk 0 MBR read successfully
22:39:23.733 Disk 0 MBR scan
22:39:23.733 Disk 0 Windows 7 default MBR code
22:39:23.796 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13000 MB offset 2048
22:39:23.843 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 26626048
22:39:23.889 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 292143 MB offset 26830848
22:39:23.967 Disk 0 scanning C:\Windows\system32\drivers
22:39:35.293 Service scanning
22:40:19.379 Modules scanning
22:40:19.394 Disk 0 trace - called modules:
22:40:19.426 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
22:40:19.940 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a40060]
22:40:19.940 3 CLASSPNP.SYS[fffff880017a643f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800495c050]
22:40:21.251 AVAST engine scan C:\Windows
22:40:29.768 AVAST engine scan C:\Windows\system32
22:45:12.426 AVAST engine scan C:\Windows\system32\drivers
22:45:35.208 AVAST engine scan C:\Users\william
22:46:48.814 AVAST engine scan C:\ProgramData
22:47:37.316 Scan finished successfully
22:47:52.385 Disk 0 MBR has been saved successfully to "C:\Users\william\Desktop\MBR.dat"
22:47:52.385 The log file has been saved successfully to "C:\Users\william\Desktop\aswMBR.txt"
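A small triage script, added here as an example and not part of the original post or of DDS itself: it parses service/driver and BHO lines in the format the DDS log above uses and flags images loading from user-writable locations (C:\Users, C:\ProgramData) or registrations that point at no file. A hit is a prompt to verify the file's publisher signature and hash, not a verdict; the SUPERAntiSpyware driver the log shows in the user profile trips it and would be verified the same way.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log in this thread, one per
# pattern the script handles (driver/service entries and BHO registrations).
SAMPLE_DDS = r"""
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0601010.008\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0601010.008\SYMDS64.SYS [?]
R1 SASDIFSV;SASDIFSV;C:\Users\william\sasdifsv64.sys [2011-7-22 14928]
R2 !SASCORE;SAS Core Service;C:\Users\william\SASCore64.exe [2011-8-11 140672]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S3 Partner Service;Partner Service;C:\ProgramData\Partner\Partner.exe [2009-11-4 332272]
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - C:\ProgramData\Partner\Partner.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton 360\Engine\6.1.1.8\coIEPlg.dll
"""

# DDS service/driver line: "<state> <name>;<display name>;<image path> [...]"
SERVICE_RE = re.compile(r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# DDS browser helper object / toolbar line: "BHO: <desc>: {CLSID} - <dll or 'No File'>"
BHO_RE = re.compile(r"^(?P<kind>BHO(?:-X64)?|TB(?:-X64)?):\s+(?P<body>.+)$")
# Locations a standard user can write to; code loading from here deserves a second look.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(?:Users|Documents and Settings|ProgramData)\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    reason: str
    line: str


def image_path(rest: str) -> str:
    """Strip DDS decorations: ' --> <path> [?]' for unverified files, ' [date size]' otherwise."""
    path = rest.split(" --> ", 1)[0]
    return re.sub(r"\s+\[[^\]]*\]$", "", path).strip()


def triage(log_text: str) -> list:
    """Return findings for entries that load from user-writable paths or point at no file."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            path = image_path(svc["rest"])
            # R0/R1 are boot/system-start drivers; a .sys anywhere is kernel code too.
            kernel = svc["state"] in ("R0", "R1") or path.lower().endswith(".sys")
            if USER_WRITABLE.match(path):
                kind = "kernel driver" if kernel else "service"
                findings.append(Finding("high" if kernel else "medium",
                                        f"{kind} {svc['name']} loads from a user-writable path: {path}", line))
            continue
        bho = BHO_RE.match(line)
        if bho:
            target = bho["body"].rsplit(" - ", 1)[-1].strip()
            if target == "No File":
                findings.append(Finding("low", f"{bho['kind']} registration with no backing file (orphan entry)", line))
            elif USER_WRITABLE.match(target):
                findings.append(Finding("medium", f"{bho['kind']} loads from a user-writable path: {target}", line))
    return findings


def severity_counts(findings: list) -> dict:
    """Summarise findings as {severity: count}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.reason}")
```

Run it over a full DDS log by passing the file contents to `triage()`; the "Running Processes" and "Created Last 30" sections are ignored, so only startup registrations are scored.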


#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,680 posts
  • Gender:Male
  • Location:California

Posted 15 March 2012 - 08:06 PM

Hi bwrighttwo and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you!


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Please allow me some time to review the information you have provided. I will post back as soon as possible.

Please describe your current symptoms and also what you experienced prior to the clean reinstall.

Edited by Oh My, 15 March 2012 - 08:13 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 bwrighttwo

  • Topic Starter
  • Members
  • 717 posts
  • Gender:Male

Posted 15 March 2012 - 10:36 PM

Hello, No symptoms right now. There is something hidden though. Originally one of my networks was compromised. This allowed them to place a lot of things. I now have the network secure I believe. It only lets two MAC addresses through. My one at work is another story. I have not used it since the last install. I noticed at the end of the install there was a small blue window with several processes like cleanup and I do not remember but there were about 30 different jobs it did. I finally beat this process by getting an antivirus in before it finished. There are still a lot of files whose permissions have been set and zipped files that can't be opened. I do not have any symptoms right now. I have had problems with eBay discussion board moderators in the past and I think they are probably the culprit. I have had jscript problems. The other comp. that has been compromised is being looked at by boopme as we speak. Thanks for your help, Buck

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,680 posts
  • Gender:Male
  • Location:California
  • Local time:02:16 AM

Posted 16 March 2012 - 07:52 AM

Greetings bwrighttwo,


There are a couple of things I would like to do in this first step. One is to have you delete one of the two antivirus programs installed on your computer (explained below) and the other is to take a deeper look at your master boot record.

Please perform the following for me, if you would.


===================================================


Multiple Antivirus Programs

-------------------

I do not recommend that you have more than one anti virus product installed on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Microsoft Security Essentials or Norton 360.


===================================================


Panda USB Vaccine

--------------------

From a clean computer, please download and use Panda USB Vaccine.

Alternate download link 1
Alternate download link 2

  • Double-click on USBVaccineSetup.exe to install the program to C:\Program Files\Panda USB Vaccine.
  • Read and accept the license agreement, then click Next.
  • When setup completes, make sure "Launch Panda USB Vaccine" is checked and click Finish to open the program.
  • Click the Vaccinate computer button. It should now show a green checkmark and confirm Computer vaccinated.
  • Hold down the Shift key and insert your USB flash drive.
  • When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
  • Exit the program when done
Note: Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.


===================================================


xPUD MBR Report

--------------------

Start this from a clean computer. You will need a USB drive with no less than 64 MB of space.

  • Insert your USB drive. Caution: The next step will remove all information from your USB device.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded.
  • Press Run then OK. Note: If you receive the message "You must select a distribution to load" just follow the instructions/image below
  • Select the Diskimage Option then click the Browse Button located on the right side of the textbox field.

  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Right click this dumpit link, select "save link/target as", and save the file directly to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive). If it is not there remove the USB device for 5 seconds then reinsert.
  • Double click on the Dumpit file
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

===================================================


Things I would like to see in your next reply. :thumbsup2:

  • Were you able to uninstall one of the two antivirus programs?
  • mbr.zip

Gary
 

#5 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • Gender:Male
  • Local time:04:16 AM

Posted 16 March 2012 - 07:07 PM

I will not have access to a clean pc until tomorrow. I will do it then. Thanks so much, Buck

#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,680 posts
  • Gender:Male
  • Location:California
  • Local time:02:16 AM

Posted 17 March 2012 - 05:28 PM

Greetings bwrighttwo,

Please perform the following for me.


===================================================


Run Combofix

--------------------

  • Please download ComboFix from one of these locations:

    BleepingComputer

    ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • ComboFix.txt
  • How is your machine running?

Gary
 

#7 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • Gender:Male
  • Local time:04:16 AM

Posted 17 March 2012 - 06:28 PM

Hi, I followed the instructions you gave in your first post and here is what is happening.
First my F12 was disabled and I enabled it through the F2 at startup. When I rebooted with the USB in, it first had a list of languages and a countdown to start. As soon as the list disappeared it immediately reappeared with some text and disappeared again. Could not tell what the text was as it was there for 1/10 of a second. Then just a blank screen with a flash pulsing slowly.

#8 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • Gender:Male
  • Local time:04:16 AM

Posted 17 March 2012 - 06:51 PM

Ok, I did the ComboFix but before I post the log I think my network may be compromised again. When I tried to save ComboFix to the desktop it seemed to be like normal, except when I looked at the desktop nothing was there. I did save the log to the desktop though. I noticed that I have 3 Nortons in my log and only one was disabled. Why would that happen?

ComboFix 12-03-17.01 - william 03/17/2012 19:33:05.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3764.2411 [GMT -4:00]
Running from: c:\users\william\Desktop\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\william\SUPERAntiSpyware.exe
c:\users\william\Uninstall.exe
c:\windows\Temp\log.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-02-17 to 2012-03-17 )))))))))))))))))))))))))))))))
.
.
2012-03-17 23:38 . 2012-03-17 23:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-17 00:24 . 2012-02-08 03:14 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AA8744BB-720C-4ADB-8001-11E3C138B747}\mpengine.dll
2012-03-16 01:17 . 2012-03-16 01:17 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-15 04:18 . 2012-03-15 04:18 -------- d-----w- c:\programdata\Malwarebytes
2012-03-15 04:18 . 2012-03-15 04:18 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-15 04:18 . 2011-12-10 19:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-15 02:53 . 2012-03-15 02:53 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-03-15 02:15 . 2012-03-15 02:15 -------- d-----w- c:\windows\SysWow64\BestPractices
2012-03-15 02:15 . 2012-03-15 02:15 -------- d-----w- c:\windows\system32\BestPractices
2012-03-15 02:15 . 2012-03-15 02:15 -------- d-----w- C:\inetpub
2012-03-14 03:59 . 2012-03-14 03:59 -------- d-----w- c:\windows\system32\Macromed
2012-03-14 02:30 . 2012-03-14 02:30 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-14 02:12 . 2012-02-03 04:16 3143168 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 02:12 . 2012-02-10 05:41 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-03-14 02:12 . 2012-02-10 06:18 1541120 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 02:12 . 2012-02-10 06:17 1837568 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-14 02:12 . 2012-02-10 06:17 320512 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-14 02:12 . 2012-02-10 06:17 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-14 02:12 . 2012-02-10 05:41 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-14 02:12 . 2012-02-10 05:41 218624 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2012-03-14 02:12 . 2012-02-10 05:41 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2012-03-14 02:12 . 2012-02-10 06:17 902656 ----a-w- c:\windows\system32\d2d1.dll
2012-03-14 02:12 . 2012-02-10 05:41 1170944 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2012-03-14 01:20 . 2012-01-25 06:27 76288 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-14 01:20 . 2012-01-25 06:27 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-14 01:20 . 2012-01-25 06:20 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-14 01:20 . 2012-02-15 06:27 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-14 01:20 . 2012-02-15 05:44 826368 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-14 01:20 . 2012-02-15 04:47 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 01:20 . 2012-02-15 04:46 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-13 02:24 . 2012-03-13 02:24 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2012-03-13 00:58 . 2012-03-13 00:58 -------- d-----w- c:\windows\SysWow64\Wat
2012-03-13 00:58 . 2012-03-13 00:58 -------- d-----w- c:\windows\system32\Wat
2012-03-13 00:00 . 2011-04-28 03:58 552448 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-03-13 00:00 . 2011-04-28 03:58 80384 ----a-w- c:\windows\system32\drivers\BTHUSB.SYS
2012-03-12 23:53 . 2012-02-08 03:14 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-12 23:53 . 2012-03-12 23:52 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1B3AD571-A1CD-4C35-8B74-A6AB80949408}\gapaengine.dll
2012-03-12 23:52 . 2012-01-31 12:44 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-03-12 23:48 . 2012-03-12 23:48 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-03-12 23:47 . 2012-03-12 23:48 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-12 23:47 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2012-03-12 03:50 . 2012-03-12 03:50 -------- d-----w- c:\windows\NAPP_Dism_Log
2012-03-12 03:49 . 2012-03-12 03:49 -------- d-----w- C:\AcerSW
2012-03-12 03:47 . 2012-03-12 03:47 311808 ----a-w- c:\windows\system32\msv1_0.dll
2012-03-12 03:47 . 2012-03-12 03:47 257024 ----a-w- c:\windows\SysWow64\msv1_0.dll
2012-03-12 03:46 . 2012-03-12 03:46 46592 ----a-w- c:\windows\system32\msasn1.dll
2012-03-12 03:46 . 2012-03-12 03:46 34816 ----a-w- c:\windows\SysWow64\msasn1.dll
2012-03-12 03:46 . 2012-03-12 03:46 1975296 ----a-w- c:\windows\system32\CertEnroll.dll
2012-03-12 03:46 . 2012-03-12 03:46 1320960 ----a-w- c:\windows\SysWow64\CertEnroll.dll
2012-03-12 03:45 . 2009-09-18 04:12 292912 ----a-w- c:\windows\system32\drivers\SynTP.sys
2012-03-12 03:45 . 2009-09-18 04:09 107816 ----a-w- c:\windows\SysWow64\SynTPCOM.dll
2012-03-12 03:45 . 2009-09-18 04:09 205608 ----a-w- c:\windows\system32\SynTPAPI.dll
2012-03-12 03:45 . 2009-09-18 04:09 147752 ----a-w- c:\windows\system32\SynTPCo4.dll
2012-03-12 03:45 . 2009-09-18 04:09 263464 ----a-w- c:\windows\system32\SynCtrl.dll
2012-03-12 03:45 . 2009-09-18 04:09 206120 ----a-w- c:\windows\SysWow64\SynCtrl.dll
2012-03-12 03:45 . 2009-09-18 04:09 169256 ----a-w- c:\windows\SysWow64\SynCOM.dll
2012-03-12 03:45 . 2009-09-18 04:09 396072 ----a-w- c:\windows\system32\SynCOM.dll
2012-03-12 03:45 . 2009-08-07 17:49 1721576 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2012-03-12 03:45 . 2009-09-09 22:41 348680 ----a-w- c:\windows\UNINST32.EXE
2012-03-12 03:45 . 2009-03-26 19:16 25608 ----a-w- c:\windows\SysWow64\drivers\DKbFltr.sys
2012-03-12 03:43 . 2009-11-04 12:25 484128 ----a-w- c:\windows\WisMvImg.exe
2012-03-12 03:43 . 2009-10-09 02:00 176416 ----a-w- c:\windows\PatchFul.exe
2012-03-12 03:43 . 2009-02-13 08:33 249856 ----a-w- c:\windows\Wisi2Bat.exe
2012-03-12 03:43 . 2006-11-02 06:21 274 ----a-w- c:\windows\LAUNAPP.REG
2012-03-12 03:43 . 2009-10-09 18:21 388384 ----a-w- c:\windows\WisGAPasx64.exe
2012-03-12 03:43 . 2009-05-25 18:27 335872 ----a-w- c:\windows\ParseModule_X64.exe
2012-03-12 03:43 . 2009-10-09 18:08 326432 ----a-w- c:\windows\WisGAPas.exe
2012-03-12 03:43 . 2009-05-25 18:27 225280 ----a-w- c:\windows\ParseModule_X86.exe
2012-03-12 02:56 . 2012-03-12 02:56 -------- d-----w- c:\program files\LSI SoftModem
2012-03-12 02:56 . 2012-03-12 02:56 -------- d-----w- c:\program files\Common Files\Intel
2012-03-12 02:56 . 2012-03-12 02:56 -------- d-----w- c:\program files (x86)\Common Files\Intel
2012-03-12 02:40 . 2009-11-25 16:47 99176 ----a-w- c:\windows\SysWow64\PresentationHostProxy.dll
2012-03-12 02:40 . 2009-11-25 16:47 49472 ----a-w- c:\windows\SysWow64\netfxperf.dll
2012-03-12 02:40 . 2009-11-25 16:47 48960 ----a-w- c:\windows\system32\netfxperf.dll
2012-03-12 02:40 . 2009-11-25 16:47 297808 ----a-w- c:\windows\SysWow64\mscoree.dll
2012-03-12 02:40 . 2009-11-25 16:47 295264 ----a-w- c:\windows\SysWow64\PresentationHost.exe
2012-03-12 02:40 . 2009-11-25 16:47 1130824 ----a-w- c:\windows\SysWow64\dfshim.dll
2012-03-12 02:40 . 2009-11-25 16:47 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2012-03-12 02:40 . 2009-11-25 16:47 444752 ----a-w- c:\windows\system32\mscoree.dll
2012-03-12 02:40 . 2009-11-25 16:47 320352 ----a-w- c:\windows\system32\PresentationHost.exe
2012-03-12 02:40 . 2009-11-25 16:47 1942856 ----a-w- c:\windows\system32\dfshim.dll
2012-03-12 02:27 . 2011-11-24 02:23 43640 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2012-03-12 02:22 . 2010-08-21 06:31 633856 ----a-w- c:\windows\system32\comctl32.dll
2012-03-12 02:21 . 2011-07-16 05:26 362496 ----a-w- c:\windows\system32\wow64win.dll
2012-03-12 02:20 . 2011-11-05 05:17 2048 ----a-w- c:\windows\system32\tzres.dll
2012-03-12 02:20 . 2011-11-05 04:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-03-12 02:20 . 2010-08-31 04:32 954752 ----a-w- c:\windows\SysWow64\mfc40.dll
2012-03-12 02:20 . 2010-08-31 04:32 954288 ----a-w- c:\windows\SysWow64\mfc40u.dll
2012-03-12 02:20 . 2011-02-05 12:41 556928 ----a-w- c:\windows\system32\winresume.efi
2012-03-12 02:20 . 2011-02-05 12:41 640896 ----a-w- c:\windows\system32\winload.efi
2012-03-12 02:20 . 2011-02-05 12:41 20352 ----a-w- c:\windows\system32\kdusb.dll
2012-03-12 02:20 . 2011-02-05 12:41 19328 ----a-w- c:\windows\system32\kd1394.dll
2012-03-12 02:20 . 2011-02-05 12:41 17792 ----a-w- c:\windows\system32\kdcom.dll
2012-03-12 02:20 . 2011-02-05 12:39 603976 ----a-w- c:\windows\system32\winload.exe
2012-03-12 02:20 . 2011-02-05 12:39 518160 ----a-w- c:\windows\system32\winresume.exe
2012-03-12 02:19 . 2010-10-16 05:17 720896 ----a-w- c:\windows\system32\odbc32.dll
2012-03-12 02:19 . 2010-10-16 05:16 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-03-12 02:19 . 2010-10-16 05:16 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2012-03-12 02:19 . 2010-10-16 05:16 1425408 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-03-12 02:19 . 2010-10-16 05:16 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2012-03-12 02:19 . 2010-10-16 04:34 573440 ----a-w- c:\windows\SysWow64\odbc32.dll
2012-03-12 02:19 . 2010-10-16 04:33 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll
2012-03-12 02:19 . 2010-10-16 04:33 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
2012-03-12 02:19 . 2010-10-16 04:33 987136 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2012-03-12 02:19 . 2010-10-16 04:33 208896 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll
2012-03-12 02:19 . 2011-11-17 07:14 1739160 ----a-w- c:\windows\system32\ntdll.dll
2012-03-12 02:19 . 2011-11-17 05:41 1292592 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-03-12 02:18 . 2011-12-28 03:59 499200 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-12 02:18 . 2010-12-18 06:12 3138048 ----a-w- c:\windows\system32\mstscax.dll
2012-03-12 02:18 . 2010-12-18 05:30 2690560 ----a-w- c:\windows\SysWow64\mstscax.dll
2012-03-12 02:18 . 2010-12-18 05:26 1034240 ----a-w- c:\windows\SysWow64\mstsc.exe
2012-03-12 02:18 . 2010-12-18 06:08 1097216 ----a-w- c:\windows\system32\mstsc.exe
2012-03-12 02:16 . 2011-02-23 05:15 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
2012-03-12 02:16 . 2011-05-03 05:21 976896 ----a-w- c:\windows\system32\inetcomm.dll
2012-03-12 02:16 . 2011-05-03 04:50 740864 ----a-w- c:\windows\SysWow64\inetcomm.dll
2012-03-12 02:16 . 2011-11-19 15:07 77312 ----a-w- c:\windows\system32\packager.dll
2012-03-12 02:16 . 2011-11-19 14:06 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-03-12 02:16 . 2010-10-16 05:23 112000 ----a-w- c:\windows\system32\consent.exe
2012-03-12 02:16 . 2012-03-12 02:16 -------- d-----w- c:\programdata\OEM_E471269A730D
2012-03-12 02:16 . 2012-03-12 02:16 -------- d-----w- c:\program files (x86)\OEM
2012-03-12 01:58 . 2012-03-12 01:58 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2012-03-12 01:56 . 2006-11-29 17:06 4398360 ----a-w- c:\windows\system32\d3dx9_32.dll
2012-03-12 01:56 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\SysWow64\d3dx9_32.dll
2012-03-12 01:56 . 2012-03-12 01:56 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2012-03-12 01:55 . 2012-03-12 01:55 -------- d-----w- c:\program files (x86)\Microsoft
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-12 03:46 . 2012-03-12 03:46 347648 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2012-03-12 03:46 . 2012-03-12 03:46 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2012-01-11 23:04 . 2012-01-11 23:04 455552 ----a-w- c:\users\william\SSUpdate64.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2009-11-05 00:49 433648 ----a-w- c:\programdata\Partner\Partner.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2009-09-24 261888]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-25 588648]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\william\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~2\mcafee\SITEAD~1\mcsacore.exe [x]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-06-18 50432]
R3 Partner Service;Partner Service;c:\programdata\Partner\Partner.exe [2009-11-05 332272]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0601010.008\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0601010.008\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\BASHDefs\20120302.001\BHDrvx64.sys [2012-03-02 1157240]
S1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360x64\0601010.008\ccSetx64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\IPSDefs\20120316.005\IDSvia64.sys [2012-03-09 488568]
S1 SASDIFSV;SASDIFSV;c:\users\william\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\users\william\SASKUTIL64.SYS [2011-07-12 12368]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0601010.008\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0601010.008\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\users\william\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2009-09-30 844320]
S2 Greg_Service;GRegService;c:\program files (x86)\Acer\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\6.1.1.8\ccSvcHst.exe [2012-01-17 138232]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2009-09-24 62720]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-06-18 144640]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-10-01 2320920]
S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2009-07-04 240160]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-03-09 138360]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2009-07-14 01:14 301568 ----a-w- c:\windows\System32\cmd.exe
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2009-11-05 00:49 750064 ----a-w- c:\programdata\Partner\Partner64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2009-07-22 323072]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-24 410136]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-29 8312352]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-09-30 823840]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Unattend0000000001{A8125975-BD0D-4F01-8D64-0910B5C74BEE}"="c:\windows\system32\oem\ConfigAp.cmd" [2009-03-05 242]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5740&r=273603125116l0408z125t54n1d54o
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
Toolbar-Locked - (no file)
HKLM-Run-mwlDaemon - c:\program files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\6.1.1.8\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\6.1.1.8\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-17 19:41:33
ComboFix-quarantined-files.txt 2012-03-17 23:41
.
Pre-Run: 262,765,432,832 bytes free
Post-Run: 263,320,612,864 bytes free
.
- - End Of File - - 0D8C56F0A93B2607B386CFB65C463934

#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:16 AM

Posted 18 March 2012 - 05:17 PM

Greetings bwrighttwo,


Were you able to uninstall one of the Antivirus programs? If not, I need you to do that before taking any further steps.

The one Norton program that was disabled is what we wanted, the antivirus portion.

Sometimes there are oddities with Combofix. Usually they are resolved upon reboot. If you are still missing icons please let me know and we will address that.

I am going to have you try a different program instead of xPUD.


===================================================


Farbar's Recovery Scan Tool

--------------------

I would like you to run Farbar's Recovery Scan Tool to check your MBR. For this you will need a USB flash drive.

For 64-bit systems, download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC and we will enter the System Recovery Options one of the two following ways:

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the 64-bit version, type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Did you uninstall an Antivirus program?
  • FRST.txt
  • How is your machine running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
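The post above has the user run FRST from the recovery environment to "check the MBR". As an added illustration of what such a check involves (this is example code written for this page, not FRST's own logic or output, and the "baseline hash" idea is an assumption about how a generic check is done), the Python below parses a 512-byte MBR, validates the 0x55AA boot signature, hashes the boot-code region, and sanity-checks the partition table. The two sample MBRs are constructed inline so the script runs offline; `read_mbr()` shows the Windows raw-device path you would read on a real machine (elevated).

```python
"""Minimal MBR sanity check (added example, not part of the original thread or of FRST)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 boot code, 440..443 disk signature, 444..445 reserved
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a physical disk. Windows raw-device path shown; needs an elevated prompt."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def bootcode_hash(mbr):
    """SHA-256 of the boot-code region only (disk signature and partition table excluded)."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr):
    """Decode the four 16-byte partition entries: status, type, LBA start, sector count."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        parts.append({"index": i, "status": status, "type": ptype, "lba": lba, "sectors": count})
    return parts


def check_mbr(mbr, baseline_hash=None):
    """Return a list of findings; an empty list means nothing suspicious was seen.

    baseline_hash is assumed to be bootcode_hash() taken from a known-clean disk of the
    same Windows version; without it only structural checks are done.
    """
    if len(mbr) != SECTOR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if baseline_hash and bootcode_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline (possible bootkit or non-standard MBR)")
    parts = [p for p in parse_partitions(mbr) if p["type"] != 0]
    if len([p for p in parts if p["status"] == 0x80]) > 1:
        findings.append("more than one active partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["sectors"] == 0:
            findings.append(f"entry {p['index']}: zero-length partition")
    for a in parts:
        for b in parts:
            if a["index"] < b["index"]:
                a_end, b_end = a["lba"] + a["sectors"], b["lba"] + b["sectors"]
                if a["lba"] < b_end and b["lba"] < a_end:
                    findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings


def build_sample_mbr(bootcode, entries):
    """Construct a 512-byte MBR for testing. Sample data only, not a real disk image."""
    code = bootcode.ljust(BOOT_CODE_LEN, b"\x90")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
        for status, ptype, lba, count in entries
    ).ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + b"\x12\x34\x56\x78" + b"\x00\x00" + table + BOOT_SIGNATURE


# Constructed samples: a "clean" MBR, and one with patched boot code plus an overlapping partition.
CLEAN_MBR = build_sample_mbr(
    b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c",
    [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 409600)],
)
CLEAN_HASH = bootcode_hash(CLEAN_MBR)
TAMPERED_MBR = build_sample_mbr(
    b"\xeb\x58\x90" + b"\x00" * 16,
    [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 100000, 409600)],
)

if __name__ == "__main__":
    # On a real machine: check_mbr(read_mbr(), baseline_hash=<hash taken from a known-clean disk>)
    print("clean sample:   ", check_mbr(CLEAN_MBR, CLEAN_HASH))
    print("tampered sample:", check_mbr(TAMPERED_MBR, CLEAN_HASH))
```

Reading sector 0 from inside the running OS is only trustworthy if nothing is filtering disk I/O; a bootkit that hooks the disk stack can hand back a clean-looking sector to every reader. That is the reason the instructions above run the scan from the System Recovery Options command prompt rather than from the booted Windows.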

#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:16 AM

Posted 21 March 2012 - 06:17 PM

===================================================

72 Hour Bump

It has been more than 72 hours since my last post.

  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary
 

#11 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:16 AM

Posted 24 March 2012 - 09:23 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:16 AM

Posted 25 March 2012 - 02:14 PM

Re-opened per PM request.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:16 AM

Posted 25 March 2012 - 02:17 PM

Greetings bwrighttwo,

Welcome back.

Once you have posted the information requested here we will continue trying to make progress with your computer.
Gary
 

#14 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:16 AM

Posted 25 March 2012 - 07:25 PM

Hello. Sorry for the delay. I had to reinstall again. Here is what I believe is going on. Someone has gained complete access through a remote server they built in a Vista 64-bit config I think. I think they used Microsoft Visual to do it. I could be wrong as usual though. Tell me what you need. I am in safe mode at the present. Thanks, Buck

#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,680 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:16 AM

Posted 25 March 2012 - 08:01 PM

Please complete the steps in Post #9

Did you reformat the hard drive before you reinstalled?

Edited by Oh My, 25 March 2012 - 08:13 PM.

Gary
 



