Persistent Redirect "Zero Access" rootkit


This topic is locked. 21 replies to this topic.

#1 Chili23 (Members, 11 posts)

Posted 07 May 2012 - 01:23 PM

My computer has been acting strange for the past few days. In IE, I open a webpage and then out of nowhere it would disappear and close. In Office and Word, I would be typing and "focus" would change so that only half of what I was typing got typed. I would have to re-click on the cell or paragraph to start typing again. I had a suspicion something was wrong so I ran several things, including Malwarebytes and Avast. They found several things and removed them.

I then downloaded Google Chrome so that I could have an alternative to IE. Now on about every 10th or so search, I get redirected to butterflysearch.net. From quick research, several sites said this was the "Zero Access" rootkit. I tried as best as possible to follow some instructions from other Bleeping Computer posts related to this, but the problem still persists. IE seems better, is not disappearing and closing anymore, and does not seem to get redirects. Word and Excel seem better. Google Chrome is still redirecting, though, after everything I threw at it (including Combofix, which said it found the Zero Access and was going to remove it).

Please help!

Best Regards,
Chili23

Attached file: Butterflysearch.net Redirect.jpg


"attach.txt" and the GMER "Ark.txt" are attached.

"dds.txt" log below:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by 6070 at 15:19:52 on 2012-05-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3057.2081 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Services\IPT\jhi_service.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SMART Technologies\Education Software\SMARTBoardService.exe
C:\Program Files\SMART Technologies\Education Software\UCService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Lenovo\Zoom\TPSCREX.EXE
C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Citrix\ICA Client\PNAMAIN.EXE
C:\Program Files\Citrix\ICA Client\WFCRUN32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://portal.corp.Company.com:7780/pls/portal
uInternet Settings,ProxyServer = 10.3.100.116:80
uInternet Settings,ProxyOverride = *.corp.Company.com;oscar;elmo.*;10.*;*.Company.ca;*.mro.aviation.ad;;<local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LenovoAutoScrollUtility] c:\program files\lenovo\virtscrl\virtscrl.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SMART Board Tools] "c:\program files\smart technologies\education software\SMARTBoardTools.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\6070\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\6070\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet for android\PdaNetPC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\online~1.lnk - c:\windows\installer\{0f1f7a90-e71b-4e45-a066-2891619f22e1}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: consentpromptbehavioradmin = 0 (0x0)
mPolicies-system: enableinstallerdetection = 0 (0x0)
mPolicies-system: enablesecureuiapaths = 0 (0x0)
mPolicies-system: MaxGPOScriptWait = 60 (0x3c)
mPolicies-system: enablelua = 0 (0x0)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/acpir.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1307759342812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://fp4-exostar.webex.com/client/T27L10NSP11EP14/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.3.100.100 10.1.100.100 10.4.100.100
TCP: Interfaces\{D4E40D96-CE21-41E3-B706-F83C18B7FBAC} : DhcpNameServer = 10.3.100.100 10.1.100.100 10.4.100.100
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2011-6-7 21504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2011-6-9 13680]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-11-15 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-11-15 108392]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-6-7 13336]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\intel\services\ipt\jhi_service.exe [2011-2-7 210896]
R2 Lenovo.micmute;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2011-6-9 45496]
R2 risdxc;risdxc;c:\windows\system32\drivers\risdxc86.sys [2011-6-7 75264]
R2 SMART Display Controller;SMART Display Controller;c:\program files\smart technologies\education software\UCService.exe [2011-7-13 311664]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-11-15 1832072]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\lenovo\hotkey\tphkload.exe [2011-6-9 99328]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2011-6-9 64440]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-6-7 2656280]
R3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [2011-6-7 132096]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\drivers\e1c5132.sys [2011-6-7 174248]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-10 106104]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-6-7 41088]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120507.002\NAVENG.SYS [2012-5-7 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120507.002\NAVEX15.SYS [2012-5-7 1576312]
R3 NETwNx32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [2011-6-7 7391104]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2011-6-7 62336]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2011-6-7 141440]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-6-9 118248]
R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [2011-11-2 13312]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 253088]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-11-15 23888]
S3 DraftSight API Service;DraftSight API Service;c:\program files\dassault systemes\draftsight\bin\dsHttpApiService.exe [2012-1-24 78336]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-8-15 30192]
.
=============== Created Last 30 ================
.
2012-05-04 18:34:07 -------- d-sha-r- C:\cmdcons
2012-05-04 18:26:47 256000 ----a-w- c:\windows\PEV.exe
2012-05-04 18:26:47 208896 ----a-w- c:\windows\MBR.exe
2012-05-04 18:26:46 98816 ----a-w- c:\windows\sed.exe
2012-05-04 18:26:46 518144 ----a-w- c:\windows\SWREG.exe
2012-05-04 16:17:08 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-04 16:10:05 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-02 22:00:59 -------- d-----w- c:\program files\ReliaSoft
2012-05-02 22:00:59 -------- d-----w- c:\program files\common files\ReliaSoft
2012-05-02 22:00:16 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-05-02 21:48:59 662288 ----a-w- c:\windows\system32\Mscomct2.ocx
2012-05-02 21:48:59 -------- d-----w- C:\BlockSim6
2012-05-02 20:11:06 -------- d-----w- C:\VundoFix Backups
2012-05-02 19:55:49 -------- d-----w- c:\documents and settings\6070\local settings\application data\{CE6B60A1-9490-11E1-826D-B8AC6F996F26}
2012-05-02 19:39:14 -------- d-----w- c:\windows\system32\NtmsData
2012-04-25 17:08:53 -------- d-----w- c:\documents and settings\6070\local settings\application data\WebEx
2012-04-20 19:52:35 -------- d-----w- c:\documents and settings\6070\local settings\application data\CrashRpt
2012-04-20 19:51:32 -------- d-----w- c:\documents and settings\6070\application data\DraftSight
2012-04-20 19:51:28 -------- d-----w- c:\documents and settings\all users\application data\Dassault Systemes
2012-04-20 19:51:19 -------- d-----w- c:\program files\Dassault Systemes
2012-04-18 20:12:51 -------- d-----w- c:\documents and settings\6070\.MOOS
.
==================== Find3M ====================
.
2012-05-04 16:09:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-04 16:09:54 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-19 14:24:35 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-19 14:24:35 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-04 20:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 15:20:13.76 ===============

Edited by gringo_pr, 21 May 2012 - 12:42 PM.
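The DDS and ComboFix logs above use a compact one-line-per-entry format, and a responder reads a handful of things off it first: the user-level proxy setting (a classic redirect mechanism), services or drivers whose binary no longer exists on disk (DDS prints `[?]` where the date and size would be), system files that fail ComboFix's signature check (the `[-]` lines under Sigcheck), and the `enablelua` policy. The script below is an added example written for this page, not a DDS, ComboFix or BleepingComputer tool; its sample input is a constructed excerpt copied from the logs posted in this thread, and the field layout it assumes is exactly the one visible above.

```python
"""Triage helper for the DDS / ComboFix log format shown in this thread.

Added example, not a DDS, ComboFix or BleepingComputer tool. It reads the
log text and pulls out what a responder checks first:
  * user-level proxy settings (a common redirect mechanism),
  * services/drivers whose binary is missing on disk (DDS prints "[?]"
    instead of "[date size]"),
  * system files that failed ComboFix's signature check ("[-]" lines),
  * the enablelua policy value.
"""
import re

# Constructed sample input: lines copied from the logs posted above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = 10.3.100.116:80
uInternet Settings,ProxyOverride = *.corp.Company.com;oscar;10.*;<local>
mPolicies-system: enablelua = 0 (0x0)
R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2011-6-7 21504]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-11-15 23888]
[-] 2010-02-22 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2010-02-22 18:28 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
"""

# "R2 name;display name;path [date size]"  (R = running, S = stopped,
# the digit is the start type). Names may contain spaces, hence [^;]+.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")

# "[-] date [time] . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[-\]\s+(?P<date>\S+)(?:\s+\d\d:\d\d)?\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+)$"
)


def parse_services(lines):
    """Return one dict per R*/S* service or driver line."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        # Everything after the last " [" is the "[date size]" or "[?]" stamp.
        path_part, _, stamp = m.group("rest").rpartition(" [")
        if "-->" in path_part:          # DDS shows "registry path --> resolved path"
            path_part = path_part.split("-->")[-1]
        out.append({
            "start": m.group("start"),
            "name": m.group("name").strip(),
            "display": m.group("display").strip(),
            "path": path_part.strip(),
            "file_missing": stamp.strip() == "?]",
        })
    return out


def parse_sigcheck_failures(lines):
    """Return the system files ComboFix flagged as unsigned ("[-]" lines)."""
    out = []
    for line in lines:
        m = SIGCHECK_RE.match(line)
        if m:
            out.append({"path": m.group("path").strip(), "md5": m.group("md5").upper(),
                        "size": int(m.group("size")), "version": m.group("ver")})
    return out


def parse_settings(lines):
    """Proxy and enablelua values from the Pseudo HJT section."""
    settings = {"proxy_server": None, "proxy_override": [], "enablelua": None}
    for line in lines:
        s = line.strip()
        if s.startswith("uInternet Settings,ProxyServer ="):
            settings["proxy_server"] = s.split("=", 1)[1].strip()
        elif s.startswith("uInternet Settings,ProxyOverride ="):
            settings["proxy_override"] = [p for p in s.split("=", 1)[1].strip().split(";") if p]
        elif s.startswith("mPolicies-system: enablelua ="):
            settings["enablelua"] = int(s.split("=", 1)[1].split()[0])
    return settings


def triage(text):
    """Parse a log and return the parsed data plus a list of human-readable findings."""
    lines = text.splitlines()
    services = parse_services(lines)
    settings = parse_settings(lines)
    findings = []
    for svc in services:
        if svc["file_missing"]:
            findings.append(f"service {svc['name']} ({svc['start']}) points at missing file {svc['path']}")
    for f in parse_sigcheck_failures(lines):
        findings.append(f"unsigned system file {f['path']} (version {f['version']}, md5 {f['md5']})")
    if settings["proxy_server"]:
        findings.append(f"user proxy set to {settings['proxy_server']}")
    if settings["enablelua"] == 0:
        findings.append("enablelua = 0 (meaningful only on Vista and later)")
    return {"services": services, "settings": settings, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Two caveats when reading the output against this thread. The proxy here is an RFC 1918 address and the override list names the same corporate domains as the logon scripts, so it is consistent with a managed machine rather than a hijack; a proxy finding only matters when the address is unexpected. The `enablelua` value is noise on Windows XP, which has no UAC, which is also why Security Check later reports "UAC is disabled!" on this box. The `[?]` service entry and the unsigned-file list are the items to actually verify against known-good copies.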


#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 08 May 2012 - 11:48 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Chili23 (Topic Starter, Members, 11 posts)

Posted 08 May 2012 - 02:59 PM

Hi Gringo,

Did as you instructed (Security Check, and ComboFix). Logs are below.

Reminder on my issue: Google Chrome occasionally redirects to "butterflysearch.net". I also ran ComboFix before asking for help on Bleeping Computer. It stated it found the "Zero Access" rootkit and then removed it, yet the redirecting still persisted. I ran ComboFix again as you requested (after running Security Check). This time it did not say anything about finding "Zero Access". Is something else causing the redirect?... I did several searches with positive results (no redirects), yet I am hesitant as ComboFix did not correct it the first time.

(Quick update after first posting this.) This is a work-provided computer, and while I have most admin rights, I am not able to disable Symantec Endpoint Protection. I had to leave it running when I ran ComboFix.
Your help much appreciated!

b/r,
Chili23

LOGS BELOW:

SECURITY CHECK LOG:

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86 (UAC is disabled!)
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Symantec Endpoint Protection
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 22
Java™ 6 Update 32
Java version out of date!
Adobe Reader 9 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````



COMBOFIX LOG:

ComboFix 12-05-08.02 - 6070 05/08/2012 13:08:52.3.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3057.2294 [GMT -5:00]
Running from: c:\documents and settings\6070\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-04-08 to 2012-05-08 )))))))))))))))))))))))))))))))
.
.
2012-05-04 16:17 . 2012-05-04 16:17 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-04 16:10 . 2012-05-04 16:10 -------- d-----w- c:\program files\Common Files\Java
2012-05-04 16:10 . 2012-05-04 16:09 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-02 22:00 . 2012-05-02 22:13 -------- d-----w- c:\program files\Common Files\ReliaSoft
2012-05-02 22:00 . 2012-05-02 22:00 -------- d-----w- c:\program files\ReliaSoft
2012-05-02 22:00 . 2012-05-02 22:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-05-02 21:48 . 2012-05-02 21:54 -------- d-----w- C:\BlockSim6
2012-05-02 21:48 . 2004-03-09 05:00 662288 ----a-w- c:\windows\system32\Mscomct2.ocx
2012-05-02 20:11 . 2012-05-02 20:11 -------- d-----w- C:\VundoFix Backups
2012-05-02 19:55 . 2012-05-02 19:55 -------- d-----w- c:\documents and settings\6070\Local Settings\Application Data\{CE6B60A1-9490-11E1-826D-B8AC6F996F26}
2012-05-02 19:39 . 2012-05-02 19:39 -------- d-----w- c:\windows\system32\NtmsData
2012-04-25 17:08 . 2012-05-02 19:39 -------- d-----w- c:\documents and settings\6070\Local Settings\Application Data\WebEx
2012-04-20 19:52 . 2012-04-20 19:52 -------- d-----w- c:\documents and settings\6070\Local Settings\Application Data\CrashRpt
2012-04-20 19:51 . 2012-04-20 19:52 -------- d-----w- c:\documents and settings\6070\Application Data\DraftSight
2012-04-20 19:51 . 2012-04-20 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Dassault Systemes
2012-04-20 19:51 . 2012-04-20 19:51 -------- d-----w- c:\program files\Dassault Systemes
2012-04-18 20:12 . 2012-04-18 20:19 -------- d-----w- c:\documents and settings\6070\.MOOS
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 16:09 . 2011-07-03 00:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-04 16:09 . 2011-07-03 00:57 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-19 14:24 . 2012-04-02 13:40 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-19 14:24 . 2011-07-03 01:14 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 20:56 . 2011-08-07 22:27 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-02-22 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2010-02-22 18:28 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
.
[-] 2010-02-23 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
.
[-] 2010-02-22 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
.
[-] 2010-02-22 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
[-] 2010-02-22 16:54 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-05-04_18.49.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-04 19:32 . 2012-05-04 19:32 16384 c:\windows\Temp\Perflib_Perfdata_940.dat
+ 2011-06-07 07:42 . 2012-05-04 18:53 66998 c:\windows\system32\perfc009.dat
- 2011-06-07 07:42 . 2012-05-04 18:44 66998 c:\windows\system32\perfc009.dat
- 2011-06-07 04:57 . 2012-04-30 19:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2011-06-07 04:57 . 2012-05-07 13:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2011-06-07 04:57 . 2012-04-30 19:43 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-06-07 04:57 . 2012-05-07 13:04 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-06-07 04:57 . 2012-04-30 19:43 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-05-07 13:04 . 2012-05-07 13:04 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-06-07 07:42 . 2012-05-04 18:53 430884 c:\windows\system32\perfh009.dat
- 2011-06-07 07:42 . 2012-05-04 18:44 430884 c:\windows\system32\perfh009.dat
+ 2011-06-09 22:43 . 2012-05-08 13:01 273429 c:\windows\system32\nvModes.dat
- 2011-06-09 22:43 . 2012-05-04 13:08 273429 c:\windows\system32\nvModes.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-04-01 2221352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-11-15 115560]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2011-01-17 112152]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-12 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-12 13879912]
"LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2010-04-01 43960]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-08-15 30192]
"SMART Board Tools"="c:\program files\SMART Technologies\Education Software\SMARTBoardTools.exe" [2011-06-23 9800560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2011-08-17 124928]
.
c:\documents and settings\6070\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2011-11-2 480880]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Online plug-in.lnk - c:\windows\Installer\{0F1F7A90-E71B-4E45-A066-2891619F22E1}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2011-6-6 77824]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2011-6-6 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 0 (0x0)
"enableinstallerdetection"= 0 (0x0)
"enablesecureuiapaths"= 0 (0x0)
"MaxGPOScriptWait"= 60 (0x3c)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667212664-418810546-4285426712-10116\Scripts\Logon\0\0]
"Script"=\\Corp.Company.com\NETLOGON\SAL\BgInfo\Bginfo.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667212664-418810546-4285426712-10116\Scripts\Logon\1\0]
"Script"=\\corp.Company.com\NETLOGON\VBscript\Repository\SATCitrixNeedToBoot.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667212664-418810546-4285426712-10116\Scripts\Logon\2\0]
"Script"=\\Corp.Company.com\NETLOGON\VBscript\Repository\cleancitrixlocalcache.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667212664-418810546-4285426712-10958\Scripts\Logon\0\0]
"Script"=\\Corp.Company.com\NETLOGON\SAL\BgInfo\Bginfo.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667212664-418810546-4285426712-10958\Scripts\Logon\1\0]
"Script"=\\Corp.Company.com\NETLOGON\VBscript\Repository\cleancitrixlocalcache.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667212664-418810546-4285426712-36640\Scripts\Logon\0\0]
"Script"=\\Corp.Company.com\NETLOGON\SAL\BgInfo\Bginfo.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667212664-418810546-4285426712-36640\Scripts\Logon\1\0]
"Script"=\\Corp.Company.com\NETLOGON\VBscript\Repository\cleancitrixlocalcache.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Documents and Settings\\6070\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
.
R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [6/7/2011 2:36 AM 21504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [6/9/2011 6:28 PM 13680]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [6/7/2011 10:12 AM 13336]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\Intel\Services\IPT\jhi_service.exe [2/7/2011 4:15 PM 210896]
R2 Lenovo.micmute;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [6/9/2011 6:28 PM 45496]
R2 risdxc;risdxc;c:\windows\system32\drivers\risdxc86.sys [6/7/2011 2:36 AM 75264]
R2 SMART Display Controller;SMART Display Controller;c:\program files\SMART Technologies\Education Software\UCService.exe [7/13/2011 10:14 PM 311664]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\Lenovo\HOTKEY\tphkload.exe [6/9/2011 6:28 PM 99328]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [6/9/2011 6:28 PM 64440]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [6/7/2011 9:52 AM 2656280]
R3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [6/7/2011 2:36 AM 132096]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\drivers\e1c5132.sys [6/7/2011 2:36 AM 174248]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/10/2012 9:18 AM 106104]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [6/7/2011 2:37 AM 41088]
R3 NETwNx32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [6/7/2011 2:35 AM 7391104]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [6/7/2011 2:36 AM 62336]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [6/7/2011 2:36 AM 141440]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [6/9/2011 5:39 PM 118248]
R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [11/2/2011 3:25 PM 13312]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/2/2012 8:40 AM 253088]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/15/2010 5:02 PM 23888]
S3 DraftSight API Service;DraftSight API Service;c:\program files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe [1/24/2012 11:25 AM 78336]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/15/2011 3:52 PM 30192]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 86644091
*NewlyCreated* - ASWMBR
*NewlyCreated* - FWLDQPOW
*Deregistered* - 86644091
*Deregistered* - aswMBR
*Deregistered* - fwldqpow
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 14:24]
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3667212664-418810546-4285426712-10958Core.job
- c:\documents and settings\6070\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-30 20:30]
.
2012-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3667212664-418810546-4285426712-10958UA.job
- c:\documents and settings\6070\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-30 20:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://portal.corp.Company.com:7780/pls/portal
uInternet Settings,ProxyServer = 10.3.100.116:80
uInternet Settings,ProxyOverride = *.corp.Company.com;oscar;elmo.*;10.*;*.Company.ca;*.mro.aviation.ad;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.3.100.100 10.1.100.100 10.4.100.100
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-08 13:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(4968)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2012-05-08 13:16:18
ComboFix-quarantined-files.txt 2012-05-08 18:16
ComboFix2.txt 2012-05-04 20:12
ComboFix3.txt 2012-05-04 18:52
.
Pre-Run: 450,388,721,664 bytes free
Post-Run: 450,401,820,672 bytes free
.
- - End Of File - - 2D8A428532DDA7C00E322AD75AB549B2

Edited by gringo_pr, 21 May 2012 - 12:43 PM.


#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 May 2012 - 03:18 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save Log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
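
The ComboFix log posted above and the TDSSKiller report gringo_pr asks for are both line-oriented, and the entries a responder reads first are the ones that are not "- ok" or whose binary is no longer on disk (the "SSPORT.sys --> ... [?]" form in the ComboFix service list above). The script below is an added example, not code from this thread, from ComboFix or from Kaspersky: it parses both layouts from constructed sample lines and returns those entries, with start type and running state for ComboFix services and the MD5/path TDSSKiller printed for each flagged object. The "detected ..." and "warning" verdict strings and the Rootkit.Boot.Example name in the sample are assumptions about TDSSKiller's output and are not taken from the page; the "- ok" and "(md5) path" lines mirror the real report.

```python
import re
import sys

# Constructed sample in ComboFix's service-listing layout ("R"/"S" = running/stopped,
# digit = start type, then name;display;path [date size]). Illustrative copies of the
# kinds of lines in the log above, not the page's data.
COMBOFIX_SAMPLE = """\
R0 stmtpm;STM TPM Service;c:\\windows\\system32\\drivers\\stm_tpm.sys [6/7/2011 2:36 AM 21504]
R3 pneteth;PdaNet Broadband;c:\\windows\\system32\\drivers\\pneteth.sys [11/2/2011 3:25 PM 13312]
S2 SSPORT;SSPORT;\\??\\c:\\windows\\system32\\Drivers\\SSPORT.sys --> c:\\windows\\system32\\Drivers\\SSPORT.sys [?]
S3 COH_Mon;COH_Mon;c:\\windows\\system32\\drivers\\COH_Mon.sys [11/15/2010 5:02 PM 23888]
"""

# Constructed sample in TDSSKiller's "<time> <pid> <object> ..." layout. The
# "(md5) path" and "- ok" lines mirror the real report; the "detected ..." and
# "warning" verdicts and the Rootkit.Boot.Example name are ASSUMED for illustration.
TDSSKILLER_SAMPLE = """\
15:22:05.0808 3156 Scan started
15:22:05.0808 3156 Mode: Manual;
15:22:06.0245 3156 5U877 (1875f492c399db858e77c1b29366d54b) C:\\WINDOWS\\system32\\DRIVERS\\5U877.sys
15:22:06.0245 3156 5U877 - ok
15:22:06.0245 3156 Abiosdsk - ok
15:22:07.0901 3156 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\\WINDOWS\\system32\\DRIVERS\\dne2000.sys
15:22:07.0901 3156 DNE - ok
15:22:30.0100 3156 \\Device\\Harddisk0\\DR0 - detected Rootkit.Boot.Example (0)
15:22:31.0200 3156 example.sys ( LockedFile.Multi.Generic ) - warning
"""

SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)\s+\[(.*)\]$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual"}

def parse_combofix_services(text):
    """Parse ComboFix R*/S* service lines into dicts and flag entries whose file is gone."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, path, meta = m.groups()
        rows.append({
            "name": name,
            "display": display,
            "running": state == "R",
            "start": START_TYPES.get(start, start),
            "path": path,
            # ComboFix prints "<path> --> <path> [?]" when it cannot stat the file.
            "file_missing": meta.strip() == "?" or " --> " in path,
        })
    return rows

def combofix_missing_files(text):
    """Names of registered services/drivers whose binary ComboFix could not find."""
    return [r["name"] for r in parse_combofix_services(text) if r["file_missing"]]

TDSS_LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(.*)$")
TDSS_HASH_RE = re.compile(r"^(.+?)\s+\(([0-9a-f]{32})\)\s+(.+)$")
TDSS_VERDICT_RE = re.compile(r"^(.+?)\s+-\s+(.+)$")

def parse_tdsskiller(text):
    """Return (hashes, verdicts) from the part of a TDSSKiller report after 'Scan started'.

    hashes maps object name -> (md5, path); verdicts is a list of (object, verdict).
    Header lines such as the drive geometry also contain " - ", so only the part of
    the report from the 'Scan started' marker onwards is read."""
    hashes, verdicts, in_scan = {}, [], False
    for raw in text.splitlines():
        m = TDSS_LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        if body == "Scan started":
            in_scan = True
            continue
        if not in_scan:
            continue
        h = TDSS_HASH_RE.match(body)
        if h:
            hashes[h.group(1)] = (h.group(2), h.group(3))
            continue
        v = TDSS_VERDICT_RE.match(body)
        if v:
            verdicts.append((v.group(1), v.group(2)))
    return hashes, verdicts

def tdsskiller_findings(text):
    """Every scanned object whose verdict is anything other than 'ok', with its md5/path."""
    hashes, verdicts = parse_tdsskiller(text)
    findings = []
    for obj, verdict in verdicts:
        if verdict == "ok":
            continue
        md5, path = hashes.get(obj, (None, None))
        findings.append({"object": obj, "verdict": verdict, "md5": md5, "path": path})
    return findings

if __name__ == "__main__":
    # Pass a saved TDSSKiller report path to triage a real log; otherwise the samples run.
    tdss_text = TDSSKILLER_SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            tdss_text = fh.read()
    print("ComboFix services with missing files:", combofix_missing_files(COMBOFIX_SAMPLE))
    for f in tdsskiller_findings(tdss_text):
        print(f"TDSSKiller: {f['object']!r} -> {f['verdict']} (md5={f['md5']}, path={f['path']})")
```

Run it with no arguments to see the sample output, or with the path of a saved TDSSKiller report to list only the non-"ok" objects from a real scan. A service whose file is missing is not by itself a sign of infection (SSPORT on this machine is a leftover printer-port driver entry), but it is the kind of entry worth checking before deciding a log is clean.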

#5 Chili23

  • Topic Starter
  • Members
  • 11 posts

Posted 08 May 2012 - 05:03 PM

Hi Gringo,

Requested logs below. Note: the Symantec Endpoint Protection gave aswMBR some problems towards the end of the scan (it blocked 2 files and then deleted them). The logs for this will follow the 2 logs you requested.

TDSSKILLER LOG:

15:21:38.0942 5324 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
15:21:40.0129 5324 ============================================================
15:21:40.0129 5324 Current date / time: 2012/05/08 15:21:40.0129
15:21:40.0129 5324 SystemInfo:
15:21:40.0129 5324
15:21:40.0129 5324 OS Version: 5.1.2600 ServicePack: 3.0
15:21:40.0129 5324 Product type: Workstation
15:21:40.0129 5324 ComputerName: K06636
15:21:40.0129 5324 UserName: 6070
15:21:40.0129 5324 Windows directory: C:\WINDOWS
15:21:40.0129 5324 System windows directory: C:\WINDOWS
15:21:40.0129 5324 Processor architecture: Intel x86
15:21:40.0129 5324 Number of processors: 8
15:21:40.0129 5324 Page size: 0x1000
15:21:40.0129 5324 Boot type: Normal boot
15:21:40.0129 5324 ============================================================
15:21:41.0269 5324 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
15:21:41.0269 5324 ============================================================
15:21:41.0269 5324 \Device\Harddisk0\DR0:
15:21:41.0269 5324 MBR partitions:
15:21:41.0269 5324 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3EC1, BlocksNum 0x3A380D80
15:21:41.0269 5324 ============================================================
15:21:41.0316 5324 C: <-> \Device\Harddisk0\DR0\Partition0
15:21:41.0316 5324 ============================================================
15:21:41.0316 5324 Initialize success
15:21:41.0316 5324 ============================================================
15:22:05.0808 3156 ============================================================
15:22:05.0808 3156 Scan started
15:22:05.0808 3156 Mode: Manual;
15:22:05.0808 3156 ============================================================
15:22:06.0245 3156 5U877 (1875f492c399db858e77c1b29366d54b) C:\WINDOWS\system32\DRIVERS\5U877.sys
15:22:06.0245 3156 5U877 - ok
15:22:06.0245 3156 Abiosdsk - ok
15:22:06.0245 3156 abp480n5 - ok
15:22:06.0292 3156 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:22:06.0292 3156 ACPI - ok
15:22:06.0323 3156 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
15:22:06.0323 3156 ACPIEC - ok
15:22:06.0370 3156 AdobeFlashPlayerUpdateSvc (459ac130c6ab892b1cd5d7544626efc5) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
15:22:06.0370 3156 AdobeFlashPlayerUpdateSvc - ok
15:22:06.0370 3156 adpu160m - ok
15:22:06.0402 3156 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
15:22:06.0417 3156 aec - ok
15:22:06.0464 3156 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
15:22:06.0464 3156 AFD - ok
15:22:06.0464 3156 Aha154x - ok
15:22:06.0464 3156 aic78u2 - ok
15:22:06.0464 3156 aic78xx - ok
15:22:06.0511 3156 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
15:22:06.0511 3156 Alerter - ok
15:22:06.0527 3156 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
15:22:06.0527 3156 ALG - ok
15:22:06.0527 3156 AliIde - ok
15:22:06.0527 3156 amsint - ok
15:22:06.0558 3156 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
15:22:06.0558 3156 AppMgmt - ok
15:22:06.0573 3156 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
15:22:06.0573 3156 Arp1394 - ok
15:22:06.0573 3156 asc - ok
15:22:06.0589 3156 asc3350p - ok
15:22:06.0589 3156 asc3550 - ok
15:22:06.0636 3156 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
15:22:06.0636 3156 aspnet_state - ok
15:22:06.0636 3156 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:22:06.0636 3156 AsyncMac - ok
15:22:06.0667 3156 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
15:22:06.0667 3156 atapi - ok
15:22:06.0667 3156 Atdisk - ok
15:22:06.0683 3156 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:22:06.0683 3156 Atmarpc - ok
15:22:06.0698 3156 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
15:22:06.0698 3156 AudioSrv - ok
15:22:06.0698 3156 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
15:22:06.0698 3156 audstub - ok
15:22:06.0714 3156 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
15:22:06.0714 3156 Beep - ok
15:22:06.0776 3156 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
15:22:06.0776 3156 BITS - ok
15:22:06.0792 3156 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
15:22:06.0792 3156 Browser - ok
15:22:06.0808 3156 BTWUSB (7696f6f2e63086eeedb76b71bb7bb455) C:\WINDOWS\system32\Drivers\btwusb.sys
15:22:06.0808 3156 BTWUSB - ok
15:22:06.0808 3156 catchme - ok
15:22:06.0839 3156 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
15:22:06.0839 3156 cbidf2k - ok
15:22:06.0855 3156 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
15:22:06.0855 3156 CCDECODE - ok
15:22:06.0933 3156 ccEvtMgr (5e68928ba2412e60ff1c61441313cf8d) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
15:22:06.0933 3156 ccEvtMgr - ok
15:22:06.0933 3156 ccSetMgr (5e68928ba2412e60ff1c61441313cf8d) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
15:22:06.0933 3156 ccSetMgr - ok
15:22:06.0933 3156 cd20xrnt - ok
15:22:06.0948 3156 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
15:22:06.0948 3156 Cdaudio - ok
15:22:06.0964 3156 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
15:22:06.0964 3156 Cdfs - ok
15:22:06.0995 3156 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
15:22:06.0995 3156 Cdrom - ok
15:22:06.0995 3156 Changer - ok
15:22:07.0011 3156 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
15:22:07.0011 3156 CiSvc - ok
15:22:07.0026 3156 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
15:22:07.0026 3156 ClipSrv - ok
15:22:07.0058 3156 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
15:22:07.0058 3156 clr_optimization_v2.0.50727_32 - ok
15:22:07.0073 3156 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
15:22:07.0073 3156 CmBatt - ok
15:22:07.0073 3156 CmdIde - ok
15:22:07.0167 3156 CnxtHdAudService (108d22ae4b97307668ae5f951aed72d1) C:\WINDOWS\system32\drivers\CHDRT32.sys
15:22:07.0183 3156 CnxtHdAudService - ok
15:22:07.0198 3156 COH_Mon (a02dc932f3806d29b39ef3114ce00405) C:\WINDOWS\system32\Drivers\COH_Mon.sys
15:22:07.0214 3156 COH_Mon - ok
15:22:07.0214 3156 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
15:22:07.0214 3156 Compbatt - ok
15:22:07.0214 3156 COMSysApp - ok
15:22:07.0214 3156 Cpqarray - ok
15:22:07.0261 3156 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
15:22:07.0261 3156 CryptSvc - ok
15:22:07.0308 3156 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
15:22:07.0308 3156 CVirtA - ok
15:22:07.0511 3156 CVPND (dad192d12dd0b4c92f6843203852829f) c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
15:22:07.0526 3156 CVPND - ok
15:22:07.0636 3156 CVPNDRVA (26deef07394624247d1f549bd94f0b15) c:\WINDOWS\system32\Drivers\CVPNDRVA.sys
15:22:07.0636 3156 CVPNDRVA - ok
15:22:07.0651 3156 dac2w2k - ok
15:22:07.0651 3156 dac960nt - ok
15:22:07.0714 3156 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
15:22:07.0714 3156 DcomLaunch - ok
15:22:07.0714 3156 DgiVecp - ok
15:22:07.0729 3156 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
15:22:07.0745 3156 Dhcp - ok
15:22:07.0745 3156 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
15:22:07.0745 3156 Disk - ok
15:22:07.0745 3156 dmadmin - ok
15:22:07.0823 3156 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
15:22:07.0823 3156 dmboot - ok
15:22:07.0839 3156 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
15:22:07.0839 3156 dmio - ok
15:22:07.0854 3156 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
15:22:07.0854 3156 dmload - ok
15:22:07.0854 3156 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
15:22:07.0854 3156 dmserver - ok
15:22:07.0885 3156 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
15:22:07.0885 3156 DMusic - ok
15:22:07.0901 3156 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\WINDOWS\system32\DRIVERS\dne2000.sys
15:22:07.0901 3156 DNE - ok
15:22:07.0917 3156 Dnscache (474b4dc3983173e4b4c9740b0dac98a6) C:\WINDOWS\System32\dnsrslvr.dll
15:22:07.0917 3156 Dnscache - ok
15:22:07.0932 3156 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
15:22:07.0948 3156 Dot3svc - ok
15:22:07.0948 3156 dpti2o - ok
15:22:08.0120 3156 DraftSight API Service (f4beee27acab429fb6fcaf8d29325a7d) C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe
15:22:08.0120 3156 DraftSight API Service - ok
15:22:08.0135 3156 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
15:22:08.0135 3156 drmkaud - ok
15:22:08.0198 3156 e1cexpress (f1ebf5b469f38379285e79b043527cfd) C:\WINDOWS\system32\DRIVERS\e1c5132.sys
15:22:08.0198 3156 e1cexpress - ok
15:22:08.0214 3156 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
15:22:08.0214 3156 EapHost - ok
15:22:08.0323 3156 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
15:22:08.0323 3156 eeCtrl - ok
15:22:08.0370 3156 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
15:22:08.0370 3156 EraserUtilRebootDrv - ok
15:22:08.0385 3156 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
15:22:08.0385 3156 ERSvc - ok
15:22:08.0432 3156 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
15:22:08.0432 3156 Eventlog - ok
15:22:08.0463 3156 EventSystem (f17f6226bdc0cd5f0bef0daf84d29bec) C:\WINDOWS\system32\es.dll
15:22:08.0463 3156 EventSystem - ok
15:22:08.0479 3156 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
15:22:08.0495 3156 Fastfat - ok
15:22:08.0542 3156 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
15:22:08.0542 3156 FastUserSwitchingCompatibility - ok
15:22:08.0573 3156 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
15:22:08.0573 3156 Fax - ok
15:22:08.0588 3156 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
15:22:08.0588 3156 Fdc - ok
15:22:08.0604 3156 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
15:22:08.0604 3156 Fips - ok
15:22:08.0604 3156 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
15:22:08.0604 3156 Flpydisk - ok
15:22:08.0651 3156 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
15:22:08.0666 3156 FltMgr - ok
15:22:08.0745 3156 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
15:22:08.0745 3156 FontCache3.0.0.0 - ok
15:22:08.0745 3156 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
15:22:08.0745 3156 Fs_Rec - ok
15:22:08.0760 3156 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
15:22:08.0776 3156 Ftdisk - ok
15:22:08.0885 3156 GoogleDesktopManager-051210-111108 (9f5f2f0fb0a7f5aa9f16b9a7b6dad89f) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
15:22:08.0885 3156 GoogleDesktopManager-051210-111108 - ok
15:22:08.0901 3156 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
15:22:08.0901 3156 Gpc - ok
15:22:08.0916 3156 hamachi (833051c6c6c42117191935f734cfbd97) C:\WINDOWS\system32\DRIVERS\hamachi.sys
15:22:08.0916 3156 hamachi - ok
15:22:08.0963 3156 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
15:22:08.0963 3156 HDAudBus - ok
15:22:09.0041 3156 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
15:22:09.0041 3156 helpsvc - ok
15:22:09.0057 3156 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
15:22:09.0057 3156 HidServ - ok
15:22:09.0088 3156 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
15:22:09.0088 3156 HidUsb - ok
15:22:09.0119 3156 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
15:22:09.0119 3156 hkmsvc - ok
15:22:09.0135 3156 hpn - ok
15:22:09.0166 3156 HSFHWAZL (0d13842210353435fc1fb35ca7807644) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
15:22:09.0182 3156 HSFHWAZL - ok
15:22:09.0244 3156 HSF_DPV (8bc605518b1052db7011e5c4cc8417bf) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
15:22:09.0260 3156 HSF_DPV - ok
15:22:09.0291 3156 HTTP (937031c085718c1c04a9c0864625ec6b) C:\WINDOWS\system32\Drivers\HTTP.sys
15:22:09.0291 3156 HTTP - ok
15:22:09.0338 3156 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
15:22:09.0338 3156 HTTPFilter - ok
15:22:09.0338 3156 i2omgmt - ok
15:22:09.0354 3156 i2omp - ok
15:22:09.0369 3156 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
15:22:09.0385 3156 i8042prt - ok
15:22:09.0447 3156 iaStor (f4037a3fedb92dd97c95f320766ea5c9) C:\WINDOWS\system32\drivers\iaStor.sys
15:22:09.0447 3156 iaStor - ok
15:22:09.0510 3156 IAStorDataMgrSvc (8fff9083252c16fe3960173722605e9e) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
15:22:09.0510 3156 IAStorDataMgrSvc - ok
15:22:09.0526 3156 IBMPMDRV (fa3d0a6da7bb7968efe5c5bc267f0e55) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
15:22:09.0526 3156 IBMPMDRV - ok
15:22:09.0541 3156 IBMPMSVC (495f184a29b80b51735bcee91d84fe8f) C:\WINDOWS\system32\ibmpmsvc.exe
15:22:09.0541 3156 IBMPMSVC - ok
15:22:09.0682 3156 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
15:22:09.0697 3156 idsvc - ok
15:22:09.0729 3156 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
15:22:09.0729 3156 Imapi - ok
15:22:09.0744 3156 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
15:22:09.0744 3156 ImapiService - ok
15:22:09.0744 3156 ini910u - ok
15:22:09.0760 3156 IntelIde - ok
15:22:09.0791 3156 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
15:22:09.0791 3156 intelppm - ok
15:22:09.0807 3156 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
15:22:09.0807 3156 Ip6Fw - ok
15:22:09.0822 3156 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
15:22:09.0822 3156 IpFilterDriver - ok
15:22:09.0822 3156 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
15:22:09.0822 3156 IpInIp - ok
15:22:09.0854 3156 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
15:22:09.0854 3156 IpNat - ok
15:22:09.0869 3156 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
15:22:09.0869 3156 IPSec - ok
15:22:09.0885 3156 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
15:22:09.0885 3156 IRENUM - ok
15:22:09.0932 3156 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
15:22:09.0932 3156 isapnp - ok
15:22:09.0994 3156 JavaQuickStarterService (a38441ed570f190cc041a7be49488fa7) C:\Program Files\Java\jre6\bin\jqs.exe
15:22:09.0994 3156 JavaQuickStarterService - ok
15:22:10.0041 3156 jhi_service (6faf199fdffdd2376973143c3e012765) C:\Program Files\Intel\Services\IPT\jhi_service.exe
15:22:10.0041 3156 jhi_service - ok
15:22:10.0072 3156 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
15:22:10.0072 3156 Kbdclass - ok
15:22:10.0104 3156 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
15:22:10.0104 3156 kbdhid - ok
15:22:10.0150 3156 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
15:22:10.0150 3156 kmixer - ok
15:22:10.0197 3156 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
15:22:10.0197 3156 KSecDD - ok
15:22:10.0228 3156 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
15:22:10.0228 3156 LanmanServer - ok
15:22:10.0260 3156 lanmanworkstation (3b9324d60dd321bab7bf6f77931d3fd1) C:\WINDOWS\System32\wkssvc.dll
15:22:10.0260 3156 lanmanworkstation - ok
15:22:10.0260 3156 lbrtfdc - ok
15:22:10.0307 3156 Lenovo.micmute (fce735941da27929dbfc1918f286ffd8) C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
15:22:10.0307 3156 Lenovo.micmute - ok
15:22:10.0322 3156 lenovo.smi (9aac267a225f3caebb9e633f7eb16e4b) C:\WINDOWS\system32\DRIVERS\smiif32.sys
15:22:10.0322 3156 lenovo.smi - ok
15:22:10.0510 3156 LiveUpdate (6105b28f5d03c4affa7197b228768849) C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
15:22:10.0541 3156 LiveUpdate - ok
15:22:10.0666 3156 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
15:22:10.0666 3156 LmHosts - ok
15:22:10.0744 3156 LMS (97f9eaac985a663394cd8f54dcd3e73a) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
15:22:10.0744 3156 LMS - ok
15:22:10.0806 3156 MDM (11f714f85530a2bd134074dc30e99fca) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
15:22:10.0806 3156 MDM - ok
15:22:10.0822 3156 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
15:22:10.0822 3156 mdmxsdk - ok
15:22:10.0853 3156 MEI (d86ac00883b9c98b570e7643aaf8e554) C:\WINDOWS\system32\DRIVERS\HECI.sys
15:22:10.0853 3156 MEI - ok
15:22:10.0885 3156 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
15:22:10.0885 3156 Messenger - ok
15:22:10.0916 3156 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
15:22:10.0916 3156 mnmdd - ok
15:22:10.0931 3156 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
15:22:10.0931 3156 mnmsrvc - ok
15:22:10.0947 3156 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
15:22:10.0947 3156 Modem - ok
15:22:10.0978 3156 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
15:22:10.0978 3156 Mouclass - ok
15:22:11.0009 3156 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
15:22:11.0009 3156 mouhid - ok
15:22:11.0025 3156 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
15:22:11.0025 3156 MountMgr - ok
15:22:11.0025 3156 mraid35x - ok
15:22:11.0041 3156 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
15:22:11.0041 3156 MRxDAV - ok
15:22:11.0134 3156 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
15:22:11.0134 3156 MRxSmb - ok
15:22:11.0181 3156 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
15:22:11.0181 3156 MSDTC - ok
15:22:11.0181 3156 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
15:22:11.0181 3156 Msfs - ok
15:22:11.0181 3156 MSIServer - ok
15:22:11.0197 3156 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
15:22:11.0197 3156 MSKSSRV - ok
15:22:11.0197 3156 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
15:22:11.0197 3156 MSPCLOCK - ok
15:22:11.0213 3156 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
15:22:11.0213 3156 MSPQM - ok
15:22:11.0228 3156 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
15:22:11.0228 3156 mssmbios - ok
15:22:11.0244 3156 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
15:22:11.0244 3156 MSTEE - ok
15:22:11.0275 3156 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
15:22:11.0275 3156 Mup - ok
15:22:11.0291 3156 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
15:22:11.0291 3156 NABTSFEC - ok
15:22:11.0322 3156 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
15:22:11.0338 3156 napagent - ok
15:22:11.0431 3156 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120507.038\NAVENG.SYS
15:22:11.0431 3156 NAVENG - ok
15:22:11.0587 3156 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120507.038\NAVEX15.SYS
15:22:11.0603 3156 NAVEX15 - ok
15:22:11.0775 3156 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
15:22:11.0775 3156 NDIS - ok
15:22:11.0790 3156 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
15:22:11.0790 3156 NdisIP - ok
15:22:11.0822 3156 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
15:22:11.0822 3156 NdisTapi - ok
15:22:11.0822 3156 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
15:22:11.0822 3156 Ndisuio - ok
15:22:11.0853 3156 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
15:22:11.0853 3156 NdisWan - ok
15:22:11.0869 3156 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
15:22:11.0884 3156 NDProxy - ok
15:22:11.0884 3156 Net Driver HPZ12 - ok
15:22:11.0884 3156 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
15:22:11.0884 3156 NetBIOS - ok
15:22:11.0915 3156 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
15:22:11.0915 3156 NetBT - ok
15:22:11.0931 3156 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
15:22:11.0947 3156 NetDDE - ok
15:22:11.0947 3156 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
15:22:11.0947 3156 NetDDEdsdm - ok
15:22:11.0978 3156 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
15:22:11.0978 3156 Netlogon - ok
15:22:11.0994 3156 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
15:22:11.0994 3156 Netman - ok
15:22:12.0087 3156 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
15:22:12.0087 3156 NetTcpPortSharing - ok
15:22:12.0478 3156 NETwNx32 (32e6902485c5add8e4c6cd21545d5133) C:\WINDOWS\system32\DRIVERS\NETwNx32.sys
15:22:12.0540 3156 NETwNx32 - ok
15:22:12.0681 3156 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
15:22:12.0681 3156 NIC1394 - ok
15:22:12.0728 3156 Nla (fcee5fcb99f7c724593365c706d28388) C:\WINDOWS\System32\mswsock.dll
15:22:12.0743 3156 Nla - ok
15:22:12.0743 3156 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
15:22:12.0759 3156 Npfs - ok
15:22:12.0790 3156 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
15:22:12.0806 3156 Ntfs - ok
15:22:12.0806 3156 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
15:22:12.0806 3156 NtLmSsp - ok
15:22:12.0868 3156 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
15:22:12.0868 3156 NtmsSvc - ok
15:22:12.0884 3156 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
15:22:12.0884 3156 Null - ok
15:22:12.0900 3156 nusb3hub (f0cbf252811bc5fc49e7ecca3ee9519f) C:\WINDOWS\system32\DRIVERS\nusb3hub.sys
15:22:12.0900 3156 nusb3hub - ok
15:22:12.0915 3156 nusb3xhc (bdc5ff9b669b5475e3a6e47e5608205c) C:\WINDOWS\system32\DRIVERS\nusb3xhc.sys
15:22:12.0931 3156 nusb3xhc - ok
15:22:13.0524 3156 nv (81d812cdb372980208df99870335da46) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
15:22:13.0681 3156 nv - ok
15:22:13.0821 3156 NVHDA (9e0247a333da2e89f67884fa2e5ff424) C:\WINDOWS\system32\drivers\nvhda32.sys
15:22:13.0821 3156 NVHDA - ok
15:22:13.0837 3156 nvsvc (c98332b7ada11b0f90e93d668c0d8847) C:\WINDOWS\system32\nvsvc32.exe
15:22:13.0852 3156 nvsvc - ok
15:22:13.0868 3156 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:22:13.0868 3156 NwlnkFlt - ok
15:22:13.0868 3156 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:22:13.0868 3156 NwlnkFwd - ok
15:22:13.0899 3156 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
15:22:13.0899 3156 ohci1394 - ok
15:22:13.0962 3156 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
15:22:13.0962 3156 ose - ok
15:22:14.0009 3156 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
15:22:14.0009 3156 Parport - ok
15:22:14.0009 3156 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
15:22:14.0009 3156 PartMgr - ok
15:22:14.0024 3156 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
15:22:14.0024 3156 ParVdm - ok
15:22:14.0040 3156 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
15:22:14.0055 3156 PCI - ok
15:22:14.0055 3156 PCIDump - ok
15:22:14.0055 3156 PCIIde - ok
15:22:14.0087 3156 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
15:22:14.0087 3156 Pcmcia - ok
15:22:14.0087 3156 PDCOMP - ok
15:22:14.0102 3156 PDFRAME - ok
15:22:14.0102 3156 PDRELI - ok
15:22:14.0102 3156 PDRFRAME - ok
15:22:14.0102 3156 perc2 - ok
15:22:14.0102 3156 perc2hib - ok
15:22:14.0149 3156 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
15:22:14.0149 3156 PlugPlay - ok
15:22:14.0149 3156 Pml Driver HPZ12 - ok
15:22:14.0196 3156 pneteth (28460e94ffdf40bb28efdb3d97e959e8) C:\WINDOWS\system32\DRIVERS\pneteth.sys
15:22:14.0196 3156 pneteth - ok
15:22:14.0196 3156 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
15:22:14.0196 3156 PolicyAgent - ok
15:22:14.0212 3156 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
15:22:14.0212 3156 PptpMiniport - ok
15:22:14.0227 3156 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
15:22:14.0227 3156 ProtectedStorage - ok
15:22:14.0227 3156 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
15:22:14.0227 3156 Ptilink - ok
15:22:14.0227 3156 ql1080 - ok
15:22:14.0227 3156 Ql10wnt - ok
15:22:14.0227 3156 ql12160 - ok
15:22:14.0243 3156 ql1240 - ok
15:22:14.0243 3156 ql1280 - ok
15:22:14.0243 3156 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
15:22:14.0243 3156 RasAcd - ok
15:22:14.0274 3156 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
15:22:14.0274 3156 RasAuto - ok
15:22:14.0305 3156 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
15:22:14.0305 3156 Rasl2tp - ok
15:22:14.0321 3156 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
15:22:14.0337 3156 RasMan - ok
15:22:14.0337 3156 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
15:22:14.0337 3156 RasPppoe - ok
15:22:14.0337 3156 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
15:22:14.0337 3156 Raspti - ok
15:22:14.0368 3156 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
15:22:14.0368 3156 Rdbss - ok
15:22:14.0383 3156 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
15:22:14.0383 3156 RDPCDD - ok
15:22:14.0415 3156 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
15:22:14.0415 3156 rdpdr - ok
15:22:14.0462 3156 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
15:22:14.0462 3156 RDPWD - ok
15:22:14.0508 3156 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
15:22:14.0508 3156 RDSessMgr - ok
15:22:14.0540 3156 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
15:22:14.0540 3156 redbook - ok
15:22:14.0586 3156 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
15:22:14.0586 3156 RemoteAccess - ok
15:22:14.0602 3156 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
15:22:14.0602 3156 RemoteRegistry - ok
15:22:14.0618 3156 risdxc (9ebc0f4b55ec20e91fe40ac83825836c) C:\WINDOWS\system32\DRIVERS\risdxc86.sys
15:22:14.0618 3156 risdxc - ok
15:22:14.0665 3156 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
15:22:14.0665 3156 RpcLocator - ok
15:22:14.0711 3156 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
15:22:14.0711 3156 RpcSs - ok
15:22:14.0758 3156 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
15:22:14.0758 3156 RSVP - ok
15:22:14.0774 3156 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
15:22:14.0774 3156 SamSs - ok
15:22:14.0805 3156 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
15:22:14.0805 3156 SCardSvr - ok
15:22:14.0852 3156 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
15:22:14.0852 3156 Schedule - ok
15:22:14.0868 3156 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
15:22:14.0868 3156 Secdrv - ok
15:22:14.0883 3156 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
15:22:14.0883 3156 seclogon - ok
15:22:14.0899 3156 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
15:22:14.0899 3156 SENS - ok
15:22:14.0914 3156 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
15:22:14.0914 3156 Serenum - ok
15:22:14.0914 3156 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
15:22:14.0914 3156 Serial - ok
15:22:14.0930 3156 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
15:22:14.0930 3156 Sfloppy - ok
15:22:14.0961 3156 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
15:22:14.0961 3156 SharedAccess - ok
15:22:15.0024 3156 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
15:22:15.0024 3156 ShellHWDetection - ok
15:22:15.0024 3156 Simbad - ok
15:22:15.0055 3156 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
15:22:15.0055 3156 SLIP - ok
15:22:15.0305 3156 SMART Board Service (29d8d391dcaee7a890cf2685d63aa005) C:\Program Files\SMART Technologies\Education Software\SMARTBoardService.exe
15:22:15.0321 3156 SMART Board Service - ok
15:22:15.0352 3156 SMART Display Controller (56c70f6aeb6c11cfeb324ced08541864) C:\Program Files\SMART Technologies\Education Software\UCService.exe
15:22:15.0352 3156 SMART Display Controller - ok
15:22:15.0571 3156 SmcService (a651bea60428fdd94fe21e2f5c0bbcac) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
15:22:15.0586 3156 SmcService - ok
15:22:15.0664 3156 SNAC (90aee34be6f53f83db9e78344d1eec47) C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
15:22:15.0680 3156 SNAC - ok
15:22:15.0774 3156 Sparrow - ok
15:22:15.0867 3156 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
15:22:15.0867 3156 SPBBCDrv - ok
15:22:15.0899 3156 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
15:22:15.0899 3156 splitter - ok
15:22:15.0945 3156 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
15:22:15.0945 3156 Spooler - ok
15:22:15.0992 3156 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
15:22:15.0992 3156 sr - ok
15:22:16.0024 3156 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
15:22:16.0024 3156 srservice - ok
15:22:16.0070 3156 SRTSP (5a293729e1f9fce3a2106d1f5dc5e98a) C:\WINDOWS\system32\Drivers\SRTSP.SYS
15:22:16.0070 3156 SRTSP - ok
15:22:16.0133 3156 SRTSPL (0ddb7fba32be09d8057063c0cee24137) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
15:22:16.0133 3156 SRTSPL - ok
15:22:16.0164 3156 SRTSPX (a99719dfb61b61aa5026341bbb733c0a) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
15:22:16.0164 3156 SRTSPX - ok
15:22:16.0195 3156 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
15:22:16.0211 3156 Srv - ok
15:22:16.0227 3156 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
15:22:16.0227 3156 SSDPSRV - ok
15:22:16.0242 3156 SSPORT - ok
15:22:16.0289 3156 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
15:22:16.0305 3156 stisvc - ok
15:22:16.0305 3156 stmtpm (8afa1b80366276f8345a6b61e0df2f3e) C:\WINDOWS\system32\DRIVERS\stm_tpm.sys
15:22:16.0305 3156 stmtpm - ok
15:22:16.0352 3156 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
15:22:16.0352 3156 streamip - ok
15:22:16.0383 3156 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
15:22:16.0383 3156 swenum - ok
15:22:16.0398 3156 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
15:22:16.0398 3156 swmidi - ok
15:22:16.0398 3156 SwPrv - ok
15:22:16.0680 3156 Symantec AntiVirus (d880fbd65b6f4885ac89628225b91398) C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
15:22:16.0695 3156 Symantec AntiVirus - ok
15:22:16.0758 3156 symc810 - ok
15:22:16.0758 3156 symc8xx - ok
15:22:16.0789 3156 SymEvent (e42a34e6f5ca71a84d4c2de620aad13d) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
15:22:16.0789 3156 SymEvent - ok
15:22:16.0820 3156 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
15:22:16.0820 3156 SYMREDRV - ok
15:22:16.0851 3156 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
15:22:16.0851 3156 SYMTDI - ok
15:22:16.0851 3156 sym_hi - ok
15:22:16.0851 3156 sym_u3 - ok
15:22:16.0976 3156 SynTP (2185cc5be9922562108cf87f42e4bbaf) C:\WINDOWS\system32\DRIVERS\SynTP.sys
15:22:16.0976 3156 SynTP - ok
15:22:17.0039 3156 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
15:22:17.0039 3156 sysaudio - ok
15:22:17.0070 3156 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
15:22:17.0070 3156 SysmonLog - ok
15:22:17.0101 3156 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
15:22:17.0101 3156 TapiSrv - ok
15:22:17.0148 3156 Tcpip (ad978a1b783b5719720cff204b666c8e) C:\WINDOWS\system32\DRIVERS\tcpip.sys
15:22:17.0164 3156 Tcpip - ok
15:22:17.0211 3156 TcUsb (58e3eb5a5c78740c5870eee6648ccc46) C:\WINDOWS\system32\Drivers\tcusb.sys
15:22:17.0211 3156 TcUsb - ok
15:22:17.0226 3156 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
15:22:17.0226 3156 TDPIPE - ok
15:22:17.0242 3156 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
15:22:17.0242 3156 TDTCP - ok
15:22:17.0242 3156 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
15:22:17.0257 3156 TermDD - ok
15:22:17.0289 3156 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
15:22:17.0289 3156 TermService - ok
15:22:17.0336 3156 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
15:22:17.0336 3156 Themes - ok
15:22:17.0367 3156 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
15:22:17.0367 3156 TlntSvr - ok
15:22:17.0367 3156 TosIde - ok
15:22:17.0367 3156 TPHKDRV (8aef2188630f5ecd79ad9abba630630b) C:\WINDOWS\system32\DRIVERS\TPHKDRV.sys
15:22:17.0367 3156 TPHKDRV - ok
15:22:17.0445 3156 TPHKLOAD (88d609bfdeb7e013e9e491434190ba43) C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
15:22:17.0445 3156 TPHKLOAD - ok
15:22:17.0445 3156 TPHKSVC (9e6e4a9789f76593cc5a6a5af8fc5929) C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
15:22:17.0461 3156 TPHKSVC - ok
15:22:17.0461 3156 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
15:22:17.0461 3156 TrkWks - ok
15:22:17.0492 3156 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
15:22:17.0492 3156 Udfs - ok
15:22:17.0492 3156 ultra - ok
15:22:17.0726 3156 UNS (a69cd6bdb82872999d2e46f9324ada83) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
15:22:17.0773 3156 UNS - ok
15:22:17.0929 3156 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
15:22:17.0929 3156 Update - ok
15:22:17.0960 3156 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
15:22:17.0976 3156 upnphost - ok
15:22:17.0976 3156 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
15:22:17.0992 3156 UPS - ok
15:22:18.0007 3156 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:22:18.0007 3156 usbccgp - ok
15:22:18.0054 3156 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:22:18.0054 3156 usbehci - ok
15:22:18.0054 3156 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:22:18.0054 3156 usbhub - ok
15:22:18.0085 3156 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:22:18.0085 3156 usbprint - ok
15:22:18.0117 3156 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
15:22:18.0117 3156 usbscan - ok
15:22:18.0117 3156 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:22:18.0117 3156 USBSTOR - ok
15:22:18.0148 3156 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
15:22:18.0148 3156 usbvideo - ok
15:22:18.0179 3156 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
15:22:18.0179 3156 VgaSave - ok
15:22:18.0179 3156 ViaIde - ok
15:22:18.0195 3156 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
15:22:18.0195 3156 VolSnap - ok
15:22:18.0304 3156 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
15:22:18.0304 3156 vsdatant - ok
15:22:18.0351 3156 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
15:22:18.0351 3156 VSS - ok
15:22:18.0382 3156 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
15:22:18.0382 3156 W32Time - ok
15:22:18.0398 3156 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:22:18.0398 3156 Wanarp - ok
15:22:18.0445 3156 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
15:22:18.0445 3156 Wdf01000 - ok
15:22:18.0445 3156 WDICA - ok
15:22:18.0460 3156 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
15:22:18.0476 3156 wdmaud - ok
15:22:18.0507 3156 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
15:22:18.0507 3156 WebClient - ok
15:22:18.0585 3156 winachsf (e08ca06bd56b66d6565123445adb37a6) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
15:22:18.0601 3156 winachsf - ok
15:22:18.0679 3156 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
15:22:18.0679 3156 winmgmt - ok
15:22:18.0726 3156 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
15:22:18.0726 3156 WinUSB - ok
15:22:18.0757 3156 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\mspmsnsv.dll
15:22:18.0757 3156 WmdmPmSN - ok
15:22:18.0819 3156 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
15:22:18.0835 3156 Wmi - ok
15:22:18.0835 3156 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
15:22:18.0835 3156 WmiAcpi - ok
15:22:18.0898 3156 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
15:22:18.0898 3156 WmiApSrv - ok
15:22:19.0023 3156 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
15:22:19.0023 3156 WMPNetworkSvc - ok
15:22:19.0054 3156 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
15:22:19.0054 3156 WS2IFSL - ok
15:22:19.0069 3156 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
15:22:19.0085 3156 wscsvc - ok
15:22:19.0101 3156 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
15:22:19.0101 3156 WSTCODEC - ok
15:22:19.0116 3156 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
15:22:19.0116 3156 wuauserv - ok
15:22:19.0148 3156 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
15:22:19.0163 3156 WudfPf - ok
15:22:19.0179 3156 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
15:22:19.0179 3156 WudfRd - ok
15:22:19.0194 3156 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
15:22:19.0194 3156 WudfSvc - ok
15:22:19.0241 3156 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
15:22:19.0257 3156 WZCSVC - ok
15:22:19.0304 3156 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
15:22:19.0304 3156 xmlprov - ok
15:22:19.0319 3156 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
15:22:19.0647 3156 \Device\Harddisk0\DR0 - ok
15:22:19.0647 3156 Boot (0x1200) (55a3895ac720c086cc59f062818f6568) \Device\Harddisk0\DR0\Partition0
15:22:19.0647 3156 \Device\Harddisk0\DR0\Partition0 - ok
15:22:19.0647 3156 ============================================================
15:22:19.0647 3156 Scan finished
15:22:19.0647 3156 ============================================================
15:22:19.0663 4300 Detected object count: 0
15:22:19.0663 4300 Actual detected object count: 0
15:26:22.0242 5768 Deinitialize success


ASWMBR LOG

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-08 15:55:03
-----------------------------
15:55:03.709 OS Version: Windows 5.1.2600 Service Pack 3
15:55:03.709 Number of processors: 8 586 0x2A07
15:55:03.709 ComputerName: K06636 UserName: 6070
15:55:05.771 Initialize success
15:55:13.532 AVAST engine defs: 12050801
15:55:30.490 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
15:55:30.490 Disk 0 Vendor: ST950042 0003 Size: 476940MB BusType: 3
15:55:30.506 Disk 0 MBR read successfully
15:55:30.506 Disk 0 MBR scan
15:55:30.553 Disk 0 Windows XP default MBR code
15:55:30.568 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 16065
15:55:30.584 Disk 0 scanning sectors +976768065
15:55:30.771 Disk 0 scanning C:\WINDOWS\system32\drivers
15:55:48.089 Service scanning
15:56:04.735 Modules scanning
15:56:21.631 Disk 0 trace - called modules:
15:56:21.647 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
15:56:21.647 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa80030]
15:56:21.647 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000086[0x8aa81b28]
15:56:21.647 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8aa82028]
15:56:28.471 AVAST engine scan C:\WINDOWS
15:56:51.613 AVAST engine scan C:\WINDOWS\system32
15:59:29.368 AVAST engine scan C:\WINDOWS\system32\drivers
15:59:53.814 AVAST engine scan C:\Documents and Settings\6070
16:08:08.595 AVAST engine scan C:\Documents and Settings\All Users
16:08:50.808 Scan finished successfully
16:51:51.040 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\6070\Desktop\MBR.dat"
16:51:51.040 The log file has been saved successfully to "C:\Documents and Settings\6070\Desktop\aswMBR.txt"


SYMANTEC ENDPOINT PROTECTION LOGS:

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Gen.2
File: C:\Documents and Settings\6070\Local Settings\temp\_avast4_\unp37997698.tmp
Location: C:\Documents and Settings\6070\Local Settings\temp\_avast4_
Computer: K06636
User: 6070
Action taken: Pending Side Effects Analysis : Access denied
Date found: Tuesday, May 08, 2012 3:56:35 PM


Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Trojan.Gen.2
File: C:\Documents and Settings\6070\Local Settings\temp\_avast4_\unp37997698.tmp
Location: Unknown Storage
Computer: K06636
User: 6070
Action taken: Delete succeeded : Access denied
Date found: Tuesday, May 08, 2012 3:56:45 PM


Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Gen.2
File: C:\Documents and Settings\6070\Local Settings\temp\_avast4_\unp64963355.tmp
Location: C:\Documents and Settings\6070\Local Settings\temp\_avast4_
Computer: K06636
User: 6070
Action taken: Pending Side Effects Analysis : Access denied
Date found: Tuesday, May 08, 2012 4:03:55 PM


Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Trojan.Gen.2
File: C:\Documents and Settings\6070\Local Settings\temp\_avast4_\unp64963355.tmp
Location: Unknown Storage
Computer: K06636
User: 6070
Action taken: Delete succeeded : Access denied
Date found: Tuesday, May 08, 2012 4:04:05 PM

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 08 May 2012 - 08:34 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 Chili23 (Topic Starter)

  • Members
  • 11 posts

Posted 09 May 2012 - 01:19 PM

Hi Gringo,

When I dragged CFScript.txt to ComboFix, ComboFix launched and informed me there was a newer version of ComboFix and asked if I would like to get it. I answered yes. It downloaded, installed and restarted itself and then ran. It appears (from Rt click, Properties, Version) that what I ran yesterday was Ver 12.5.8.2 and what was downloaded today was 12.5.9.1. After restarting and running, I was not sure if it still applied CFScript.txt, so I did it again to be sure. Results of this are posted below.

Have not had any more redirects in Google Chrome to butterflysearch.net (before and after today's ComboFix runs), but it is hard to know if it is gone for sure since it does not always redirect.

Thanks again,
Chili23

COMBOFIX LOG (Ver 12.5.9.1):

ComboFix 12-05-09.01 - 6070 05/09/2012 12:07:10.5.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3057.2063 [GMT -5:00]
Running from: c:\documents and settings\6070\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\6070\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-09 to 2012-05-09 )))))))))))))))))))))))))))))))
.
.
2012-05-04 16:17 . 2012-05-04 16:17 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-04 16:10 . 2012-05-04 16:10 -------- d-----w- c:\program files\Common Files\Java
2012-05-04 16:10 . 2012-05-04 16:09 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-02 22:00 . 2012-05-02 22:13 -------- d-----w- c:\program files\Common Files\ReliaSoft
2012-05-02 22:00 . 2012-05-02 22:00 -------- d-----w- c:\program files\ReliaSoft
2012-05-02 22:00 . 2012-05-02 22:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-05-02 21:48 . 2012-05-02 21:54 -------- d-----w- C:\BlockSim6
2012-05-02 21:48 . 2004-03-09 05:00 662288 ----a-w- c:\windows\system32\Mscomct2.ocx
2012-05-02 20:11 . 2012-05-02 20:11 -------- d-----w- C:\VundoFix Backups
2012-05-02 19:55 . 2012-05-02 19:55 -------- d-----w- c:\documents and settings\6070\Local Settings\Application Data\{CE6B60A1-9490-11E1-826D-B8AC6F996F26}
2012-05-02 19:39 . 2012-05-02 19:39 -------- d-----w- c:\windows\system32\NtmsData
2012-04-25 17:08 . 2012-05-02 19:39 -------- d-----w- c:\documents and settings\6070\Local Settings\Application Data\WebEx
2012-04-20 19:52 . 2012-04-20 19:52 -------- d-----w- c:\documents and settings\6070\Local Settings\Application Data\CrashRpt
2012-04-20 19:51 . 2012-04-20 19:52 -------- d-----w- c:\documents and settings\6070\Application Data\DraftSight
2012-04-20 19:51 . 2012-04-20 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Dassault Systemes
2012-04-20 19:51 . 2012-04-20 19:51 -------- d-----w- c:\program files\Dassault Systemes
2012-04-18 20:12 . 2012-04-18 20:19 -------- d-----w- c:\documents and settings\6070\.MOOS
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 16:09 . 2011-07-03 00:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-04 16:09 . 2011-07-03 00:57 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-19 14:24 . 2012-04-02 13:40 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-19 14:24 . 2011-07-03 01:14 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 20:56 . 2011-08-07 22:27 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-02-22 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2010-02-22 18:28 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
.
[-] 2010-02-23 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
.
[-] 2010-02-22 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
.
[-] 2010-02-22 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
[-] 2010-02-22 16:54 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-05-04_18.49.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-05-04 19:32 . 2012-05-04 19:32 16384 c:\windows\Temp\Perflib_Perfdata_940.dat
- 2011-06-07 07:42 . 2012-05-04 18:44 66998 c:\windows\system32\perfc009.dat
+ 2011-06-07 07:42 . 2012-05-04 18:53 66998 c:\windows\system32\perfc009.dat
+ 2011-06-07 04:57 . 2012-05-07 13:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2011-06-07 04:57 . 2012-04-30 19:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2011-06-07 04:57 . 2012-05-07 13:04 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-06-07 04:57 . 2012-04-30 19:43 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-06-07 07:42 . 2012-05-04 18:53 430884 c:\windows\system32\perfh009.dat
- 2011-06-07 07:42 . 2012-05-04 18:44 430884 c:\windows\system32\perfh009.dat
+ 2011-06-09 22:43 . 2012-05-09 14:46 273429 c:\windows\system32\nvModes.dat
- 2011-06-09 22:43 . 2012-05-04 13:08 273429 c:\windows\system32\nvModes.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-04-01 2221352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-11-15 115560]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2011-01-17 112152]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-12 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-12 13879912]
"LenovoAutoScrollUtility"="c:\program files\Lenovo\VIRTSCRL\virtscrl.exe" [2010-04-01 43960]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-08-15 30192]
"SMART Board Tools"="c:\program files\SMART Technologies\Education Software\SMARTBoardTools.exe" [2011-06-23 9800560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]
"_nltide_3"="advpack.dll" [2011-08-17 124928]
.
c:\documents and settings\6070\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2011-11-2 480880]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Online plug-in.lnk - c:\windows\Installer\{0F1F7A90-E71B-4E45-A066-2891619F22E1}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2011-6-6 77824]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2011-6-6 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 0 (0x0)
"enableinstallerdetection"= 0 (0x0)
"enablesecureuiapaths"= 0 (0x0)
"MaxGPOScriptWait"= 60 (0x3c)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667212664-418810546-4285426712-10116\Scripts\Logon\0\0]
"Script"=\\Corp.Company.com\NETLOGON\SAL\BgInfo\Bginfo.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667212664-418810546-4285426712-10116\Scripts\Logon\1\0]
"Script"=\\corp.Company.com\NETLOGON\VBscript\Repository\SATCitrixNeedToBoot.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667212664-418810546-4285426712-10116\Scripts\Logon\2\0]
"Script"=\\Corp.Company.com\NETLOGON\VBscript\Repository\cleancitrixlocalcache.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667212664-418810546-4285426712-10958\Scripts\Logon\0\0]
"Script"=\\Corp.Company.com\NETLOGON\SAL\BgInfo\Bginfo.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667212664-418810546-4285426712-10958\Scripts\Logon\1\0]
"Script"=\\Corp.Company.com\NETLOGON\VBscript\Repository\cleancitrixlocalcache.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667212664-418810546-4285426712-36640\Scripts\Logon\0\0]
"Script"=\\Corp.Company.com\NETLOGON\SAL\BgInfo\Bginfo.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3667212664-418810546-4285426712-36640\Scripts\Logon\1\0]
"Script"=\\Corp.Company.com\NETLOGON\VBscript\Repository\cleancitrixlocalcache.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Documents and Settings\\6070\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
.
R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [6/7/2011 2:36 AM 21504]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [6/9/2011 6:28 PM 13680]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [6/7/2011 10:12 AM 13336]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\Intel\Services\IPT\jhi_service.exe [2/7/2011 4:15 PM 210896]
R2 Lenovo.micmute;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [6/9/2011 6:28 PM 45496]
R2 risdxc;risdxc;c:\windows\system32\drivers\risdxc86.sys [6/7/2011 2:36 AM 75264]
R2 SMART Display Controller;SMART Display Controller;c:\program files\SMART Technologies\Education Software\UCService.exe [7/13/2011 10:14 PM 311664]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\Lenovo\HOTKEY\tphkload.exe [6/9/2011 6:28 PM 99328]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [6/9/2011 6:28 PM 64440]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [6/7/2011 9:52 AM 2656280]
R3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [6/7/2011 2:36 AM 132096]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\drivers\e1c5132.sys [6/7/2011 2:36 AM 174248]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/10/2012 9:18 AM 106104]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [6/7/2011 2:37 AM 41088]
R3 NETwNx32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [6/7/2011 2:35 AM 7391104]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [6/7/2011 2:36 AM 62336]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [6/7/2011 2:36 AM 141440]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [6/9/2011 5:39 PM 118248]
R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [11/2/2011 3:25 PM 13312]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/2/2012 8:40 AM 253088]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/15/2010 5:02 PM 23888]
S3 DraftSight API Service;DraftSight API Service;c:\program files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe [1/24/2012 11:25 AM 78336]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/15/2011 3:52 PM 30192]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 85560007
*NewlyCreated* - 86644091
*NewlyCreated* - ASWMBR
*NewlyCreated* - FWLDQPOW
*Deregistered* - 85560007
*Deregistered* - 86644091
*Deregistered* - aswMBR
*Deregistered* - fwldqpow
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 14:24]
.
2012-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3667212664-418810546-4285426712-10958Core.job
- c:\documents and settings\6070\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-30 20:30]
.
2012-05-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3667212664-418810546-4285426712-10958UA.job
- c:\documents and settings\6070\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-30 20:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://portal.corp.Company.com:7780/pls/portal
uInternet Settings,ProxyServer = 10.3.100.116:80
uInternet Settings,ProxyOverride = *.corp.Company.com;oscar;elmo.*;10.*;*.Company.ca;*.mro.aviation.ad;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.3.100.100 10.1.100.100 10.4.100.100
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-09 12:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(4420)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2012-05-09 12:10:37
ComboFix-quarantined-files.txt 2012-05-09 17:10
ComboFix2.txt 2012-05-09 16:58
ComboFix3.txt 2012-05-08 18:16
ComboFix4.txt 2012-05-04 20:12
ComboFix5.txt 2012-05-09 17:06
.
Pre-Run: 450,349,412,352 bytes free
Post-Run: 450,337,583,104 bytes free
.
- - End Of File - - 5BE7A12A1A664B52D53A10C49D0C5585

Edited by gringo_pr, 21 May 2012 - 12:44 PM.


#8 gringo_pr

Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 09 May 2012 - 03:10 PM

Greetings Chili23


You are doing a great job! But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a lot better job).

Programs to remove

Adobe Reader 9.2
Java™ 6 Update 22


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done, click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • Click on the Free Java Download button.
  • Click on Agree and start Free download.
  • Click on Run.
  • Click on Run again.
  • Click on Install.
  • When the install is complete, click on Close.

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 Chili23

  • Topic Starter
  • Members
  • 11 posts

Posted 10 May 2012 - 12:34 PM

Hi Gringo,

Completed your latest instructions with no issues. Uninstalled the apps you requested with Revo, installed Foxit Reader (instead of Adobe Reader) and the latest Java, and ran CCleaner with all the selections you specified (and a few others that were default settings). Then updated MBAM and ran it, followed by a HijackThis run. The 2 logs are posted below:

Keep checking Google Chrome and still no redirects since working with you. Hopefully gone...

Thank you,
Chili23

MBAM LOG:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.09.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
6070 :: K06636 [administrator]

5/9/2012 6:55:36 PM
mbam-log-2012-05-09 (18-55-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 260223
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:19:29 PM, on 5/9/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17103)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Services\IPT\jhi_service.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SMART Technologies\Education Software\SMARTBoardService.exe
C:\Program Files\SMART Technologies\Education Software\UCService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Lenovo\Zoom\TPSCREX.EXE
C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Citrix\ICA Client\WFCRUN32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.corp.Company.com:7780/pls/portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.3.100.116:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.corp.Company.com;oscar;elmo.*;10.*;*.Company.ca;*.mro.aviation.ad;<local>
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [IMSS] "C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LenovoAutoScrollUtility] C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SMART Board Tools] "C:\Program Files\SMART Technologies\Education Software\SMARTBoardTools.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_2_202_233_ActiveX.exe -update activex
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - S-1-5-18 Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Android\PdaNetPC.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
O4 - .DEFAULT Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Android\PdaNetPC.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Android\PdaNetPC.exe
O4 - Global Startup: Online plug-in.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://support.lenovo.com/Resources/Lenovo/AutoDetect/acpir.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1307759342812
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://fp4-exostar.webex.com/client/T27L10NSP11EP14/webex/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CORP.Company.COM
O17 - HKLM\Software\..\Telephony: DomainName = corp.Company.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CORP.Company.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CORP.Company.COM
O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DraftSight API Service - Dassault Systèmes - C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo. - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
O23 - Service: Intel® Identity Protection Technology Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files\Intel\Services\IPT\jhi_service.exe
O23 - Service: Lenovo Microphone Mute (Lenovo.micmute) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SMART Board Service - SMART Technologies - C:\Program Files\SMART Technologies\Education Software\SMARTBoardService.exe
O23 - Service: SMART Display Controller - SMART Technologies ULC - C:\Program Files\SMART Technologies\Education Software\UCService.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Lenovo Hotkey Client Loader (TPHKLOAD) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

--
End of file - 13037 bytes

Edited by gringo_pr, 21 May 2012 - 12:45 PM.


#10 gringo_pr

Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 10 May 2012 - 02:59 PM

Greetings

You are doing a great job, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can click on their icons (or start them from the Control Panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_2_202_233_ActiveX.exe -update activex
      O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
      O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
      O4 - S-1-5-18 Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
      O4 - S-1-5-18 Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Android\PdaNetPC.exe (User 'SYSTEM')
      O4 - .DEFAULT Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
      O4 - .DEFAULT Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Android\PdaNetPC.exe (User 'Default user')
      O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
      O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Android\PdaNetPC.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space, e.g. from
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select "Run as administrator".

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click the IE shortcut and run it as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on Copy to clipboard, or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
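A parser for the O4 line format used in the HijackThis list above, added here as an example; it is my own code, not HijackThis code or anything posted in this thread. It splits each entry into its registry hive and key (or Startup folder), the bracketed name that the note says to paste into the research box, the command, and the user context, and pulls out the program a command actually loads (the DLL handed to rundll32 rather than rundll32 itself). The sample lines are copied from the list above; the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# HijackThis O4 lines come in two shapes: a registry Run/RunOnce value ("O4 - HKLM\..\Run: [Name] command")
# and a Startup-folder shortcut ("O4 - Startup: Name.lnk = target"), each optionally suffixed "(User 'X')".
REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>[A-Za-z\\]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
FOLDER_RE = re.compile(
    r"^O4 - (?:(?P<owner>\S+) )?Startup: (?P<name>.+?) = (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$")

@dataclass
class StartupEntry:
    source: str          # "registry" or "startup_folder"
    location: str        # e.g. "HKLM\..\Run" or ".DEFAULT Startup"
    name: str            # the bracketed value name / shortcut name to research
    command: str
    user: Optional[str]  # "SYSTEM", "Default user", or None for the current user

def parse_o4(line: str) -> Optional[StartupEntry]:
    """Parse one O4 line; returns None for anything that is not an O4 entry."""
    m = REG_RE.match(line.strip())
    if m:
        return StartupEntry("registry", f"{m['hive']}\\..\\{m['key']}",
                            m["name"], m["cmd"], m["user"])
    m = FOLDER_RE.match(line.strip())
    if m:
        loc = f"{m['owner']} Startup" if m["owner"] else "Startup"
        return StartupEntry("startup_folder", loc, m["name"], m["cmd"], m["user"])
    return None

def parse_log(text: str) -> List[StartupEntry]:
    return [e for e in (parse_o4(l) for l in text.splitlines()) if e]

def executable_of(command: str) -> str:
    """Program a command actually loads; for rundll32 hosts, the DLL it is given."""
    if command.startswith('"'):
        end = command.find('"', 1)
        exe, rest = command[1:end], command[end + 1:].strip()
    else:
        exe, _, rest = command.partition(" ")
    if exe.lower() in ("rundll32", "rundll32.exe"):
        return rest.split(",", 1)[0]   # rundll32 foo.dll,Entry args -> foo.dll
    return exe

# Constructed sample: four lines copied from the O4 list gringo_pr posted above.
SAMPLE = r"""
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Android\PdaNetPC.exe
"""
```

Running `parse_log(SAMPLE)` and `executable_of` over each entry gives the per-user table that the research step works from.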

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:19 PM

Posted 12 May 2012 - 11:43 PM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.




Gringo

#12 Chili23

Chili23
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:19 PM

Posted 14 May 2012 - 07:59 AM

Hi Gringo,

Plan to finish next steps tomorrow and will reply when done.

Thanks,
Chili23

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:19 PM

Posted 14 May 2012 - 12:14 PM

OK thank you for letting me know


gringo

#14 Chili23

Chili23
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:19 PM

Posted 15 May 2012 - 03:01 PM

Hi Gringo,

Re-ran HijackThis and removed items you listed above.

Then ran Eset online scanner per your instructions. Found 11 items.

Log is below for your review.

Thanks!
Chili23


ESET LOG:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17103 (vista_gdr.110816-1000)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=4b471ce5787c5e428c2ebf27f1e5e6ba
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-05-15 07:51:24
# local_time=2012-05-15 02:51:24 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=61306
# found=11
# cleaned=0
# scan_time=7013
C:\Documents and Settings\6070\Desktop\Desk\KeyFinderInstaller Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\6070\Desktop\Desk\Bus Thumb Dump 2-9-2010\RootKit SmitFraud C Fix\2-SmitfraudFix.exe multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\6070\Desktop\Desk\Bus Thumb Dump 2-9-2010\RootKit SmitFraud C Fix\x-smitRem.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\6070\Desktop\Desk\Bus Thumb Dump 2-9-2010\RootKit SmitFraud C Fix\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\6070\Desktop\Desk\Bus Thumb Dump 2-9-2010\RootKit SmitFraud C Fix\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\6070\Desktop\Desk\Files\Freeware_PrimoPDF.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\6070\Desktop\Desk\Software\InternationalPrimoPDF.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\6070\Desktop\Software\cnet_InternationalPrimoPDF_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\6070\Desktop\Software\infrarecorder_964.exe a variant of Win32/InstallIQ application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\6070\My Documents\InternationalPrimoPDF.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\6070\My Documents\Downloads\KeyFinderInstaller.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:19 PM

Posted 15 May 2012 - 09:00 PM

Hello

There are some minor things in your online scan that should be removed.


Delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    rd /s /q "C:\Documents and Settings\6070\Desktop\Desk\KeyFinderInstaller\"
    del /f /s /q "C:\Documents and Settings\6070\Desktop\Desk\Bus Thumb Dump 2-9-2010\RootKit SmitFraud C Fix\2-SmitfraudFix.exe"
    del /f /s /q "C:\Documents and Settings\6070\Desktop\Desk\Bus Thumb Dump 2-9-2010\RootKit SmitFraud C Fix\x-smitRem.exe"
    del /f /s /q "C:\Documents and Settings\6070\Desktop\Desk\Bus Thumb Dump 2-9-2010\RootKit SmitFraud C Fix\SmitfraudFix\Process.exe"
    del /f /s /q "C:\Documents and Settings\6070\Desktop\Desk\Bus Thumb Dump 2-9-2010\RootKit SmitFraud C Fix\SmitfraudFix\restart.exe"
    del /f /s /q "C:\Documents and Settings\6070\Desktop\Desk\Files\Freeware_PrimoPDF.exe"
    del /f /s /q "C:\Documents and Settings\6070\Desktop\Desk\Software\InternationalPrimoPDF.exe"
    del /f /s /q "C:\Documents and Settings\6070\Desktop\Software\cnet_InternationalPrimoPDF_exe.exe"
    del /f /s /q "C:\Documents and Settings\6070\Desktop\Software\infrarecorder_964.exe"
    del /f /s /q "C:\Documents and Settings\6070\My Documents\InternationalPrimoPDF.exe"
    del /f /s /q "C:\Documents and Settings\6070\My Documents\Downloads\KeyFinderInstaller.exe"
    del %0

  • Save the Notepad file on your desktop as delfile.bat, with "Save as type" set to "All Files".
    It should look like this: [image] <-- XP  [image] <-- Vista
  • Double-click on delfile.bat to execute it.
    A black CMD window will flash, then disappear; this is normal.
  • The files and folders, if found, will have been deleted, and the "delfile.bat" file will also be deleted.


The rest of the online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\) and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.




Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful; if used incorrectly or at the wrong time, they can make the computer an expensive paperweight.
They are updated all the time, some of them more than once a day, so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup steps to remove these tools. They will also reset your System Restore by flushing out previous restore points and creating a new restore point, and remove all the backups our tools may have made.

:DeFogger:

Note** DeFogger only needs to be run if it was run when we first started. If you have not already run it, skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

  • Turn off all active protection software
  • Push the "Windows key" + "R" (the Windows key is between the "Ctrl" and "Alt" buttons)
  • Please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to the desktop. This tool will remove all the tools we used to clean your PC.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
  • If asked to restart the computer, please do so.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used are a good idea to keep and use often to help keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download; it works a lot better than Add/Remove in Windows and has saved me more than once from corrupted installs and uninstalls.

CCleaner - This is a good program to clean out temp files. I would use this once a week or before any malware scan to remove unwanted temp files. It has a built-in registry cleaner, but I would leave that alone and not use any registry cleaner.

Malwarebytes' Anti-Malware - The gold standard today in antimalware scanners.

:Security programs:

One of the questions I am asked all the time is "What programs do you use?" I have at this time 4 computers in my home and I have this setup on all 4 of them.

  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often. (I have upgraded to the paid version of MBAM and I am glad I did.)

    Note** If you decide to install MSE you will need to uninstall your present antivirus.

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again?" The short answer is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet.

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues.

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

Quoted from Tech Support Forum:

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days. If Anything Comes Up, Just Come Back And Let Me Know; after that time you will have to send me a PM.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo
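The ESET log Chili23 posted in #14 and the delfile.bat gringo_pr built from it by hand in #15 follow a mechanical pattern, so here is an added example (my own code, not ESET's and not from this thread) that parses the "# key=value" header and the result lines, checks that the header's found/cleaned counters agree with the log (remove_checked=false should leave cleaned=0), and writes a batch file in the same shape as the posted one. The folder-versus-file rule and the function names are assumptions; the sample is a constructed excerpt of the posted log.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A result line reads "<path> <threat> (<action>) <32 hex> <flag>". The path may contain
# spaces, so it is delimited by the threat grammar that follows it.
RESULT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?(?:\w+/|multiple threats).*?) "
    r"\((?P<action>[^)]*)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S)$")

@dataclass
class Finding:
    path: str
    threat: str
    action: str   # "unable to clean" is expected when remove_checked=false
    flag: str

def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Finding]]:
    """Split the log into its '# key=value' header and its per-file result lines."""
    header, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header.setdefault(key, value)   # first compatibility_mode line wins
        elif (m := RESULT_RE.match(line)):
            findings.append(Finding(m["path"], m["threat"], m["action"], m["flag"]))
    return header, findings

def consistent(header: Dict[str, str], findings: List[Finding]) -> bool:
    """Header counters must agree with the lines present; no auto-removal means cleaned=0."""
    return (int(header.get("found", -1)) == len(findings)
            and (header.get("remove_checked") != "false" or header.get("cleaned") == "0"))

def build_delfile(findings: List[Finding]) -> str:
    """Batch text like the delfile.bat above; assumes (heuristic, as was done by hand) that a path whose last component has no extension is a folder."""
    lines = ["@echo off"]
    for f in findings:
        leaf = f.path.rsplit("\\", 1)[-1]
        if "." in leaf:
            lines.append(f'del /f /q "{f.path}"')
        else:
            lines.append(f'rd /s /q "{f.path}\\"')
    lines.append("del %0")   # the script deletes itself, as the original does
    return "\r\n".join(lines) + "\r\n"

# Constructed sample: three header fields and three of the eleven result lines from the log above.
SAMPLE = r"""
# found=3
# cleaned=0
# remove_checked=false
C:\Documents and Settings\6070\Desktop\Desk\KeyFinderInstaller Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\6070\Desktop\Desk\Bus Thumb Dump 2-9-2010\RootKit SmitFraud C Fix\2-SmitfraudFix.exe multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\6070\Desktop\Software\cnet_InternationalPrimoPDF_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
"""
```

Read the generated list line by line before running it: the extension heuristic will misclassify a folder whose name contains a dot, and `del /f /q` on a path that turns out to be a folder silently removes the files inside it.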



