Google Redirect - Happili then Rocketnews.com


  • This topic is locked
17 replies to this topic

#1 xgoodyx


  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:57 AM

Posted 13 May 2012 - 10:10 AM

I am suffering from a Google Redirect that is affecting IE9, Firefox 12, and Google Chrome. It started with a redirect to happili, and now it is directing all Google searches through rocketnews.com. I have run multiple anti-malware/antivirus programs and all of them are coming up clean. Any help would be appreciated.



#2 B-boy/StyLe/


    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:12:57 PM

Posted 13 May 2012 - 10:22 AM

Hello,

Please follow this topic. => Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Regards,
Georgi



#3 xgoodyx

  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:57 AM

Posted 13 May 2012 - 12:44 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1
Run by Brett.Goodman at 11:45:43 on 2012-05-13
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2985.1159 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\Dell\KACE\AMPAgent.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Windows\system32\DRIVERS\o2flash.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Windows\System32\vds.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\brett.goodman\Desktop\gmer.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://connect.wolterskluwer.com/sites/proj-reso-CandG/default.aspx
uInternet Settings,ProxyOverride = <local>
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [FreeFallProtection] c:\program files\stmicroelectronics\accelerometerp11\FF_Protection.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [WKPopup] "c:\program files\wkinvtool\wkpopup.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
uPolicies-explorer: ForceRunOnStartMenu = 1 (0x1)
mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: bighammer.com\homedepot
Trusted Zone: wolterskluwer.com\connect
Trusted Zone: wolterskluwer.com\connect
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E52F4028-CAC4-4723-A16E-1D987F8B8B94} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E52F4028-CAC4-4723-A16E-1D987F8B8B94}\4646D2772747 : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\nvinit.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
mASetup: {AC76BA86-7AD7-1033-7B44-A94000000001} - "c:\program files\adobe\reader 9.0\reader\copy.bat"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\brett.goodman\appdata\roaming\mozilla\firefox\profiles\no5xqwte.default\
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 nvpciflt;nvpciflt;c:\windows\system32\drivers\nvpciflt.sys [2012-3-19 20328]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [2012-3-19 17904]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2012-3-19 81920]
R2 AMPAgent;Dell KACE Agent;c:\program files\dell\kace\AMPAgent.exe [2012-1-16 2772072]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-8-23 1831024]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\accelern.sys [2012-3-19 44144]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2012-3-19 45352]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2012-3-19 39656]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\drivers\e1c6232.sys [2011-7-20 268968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-3-19 106104]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-5-13 40776]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2012-3-19 7434240]
R3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\o2mdfw7.sys [2012-3-19 60904]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjw7.sys [2012-3-19 63976]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]
S3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM52x32.sys [2011-8-23 264464]
S3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP52x32.sys [2011-8-23 57616]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-8-23 41088]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-12 129976]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2012-3-19 139368]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7.sys [2012-3-19 62440]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2011-4-11 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2011-4-11 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2011-4-11 112640]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-8-23 1343400]
.
=============== Created Last 30 ================
.
2012-05-13 15:44:11 -------- d-----w- c:\windows\system32\appmgmt
2012-05-13 15:02:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-05-13 15:02:20 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-13 15:02:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-12 15:05:12 -------- d-----w- c:\users\brett.goodman\appdata\local\ElevatedDiagnostics
2012-05-12 14:32:34 -------- d-----w- c:\users\brett.goodman\appdata\local\temp
2012-05-12 14:28:47 -------- d-sh--w- C:\$RECYCLE.BIN
2012-05-12 14:23:25 -------- d-----w- C:\ComboFix
2012-05-12 14:20:32 9096 ----a-w- c:\windows\system32\drivers\DasBootI.SYS
2012-05-12 14:20:32 9096 ----a-w- c:\windows\system32\drivers\DasBootE.SYS
2012-05-12 14:20:32 59272 ----a-w- c:\windows\system32\drivers\DasBootF.SYS
2012-05-12 14:20:32 3072 ----a-w- c:\windows\system32\drivers\DasBootD.SYS
2012-05-12 14:20:32 27528 ----a-w- c:\windows\system32\drivers\DasBootK.SYS
2012-05-12 14:20:32 225664 ----a-w- c:\windows\system32\drivers\DasBootS.SYS
2012-05-12 14:20:32 20744 ----a-w- c:\windows\system32\drivers\DasBoot.SYS
2012-05-12 12:51:30 -------- d-----w- C:\ARK
2012-05-11 22:04:42 -------- d-----w- c:\program files\Trend Micro
2012-05-11 22:03:51 -------- d-----w- c:\program files\Oracle
2012-05-11 22:03:48 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-10 00:49:20 1666978 ----a-w- C:\MGtools.exe
2012-05-10 00:48:06 -------- d-----w- C:\MGtools
2012-05-09 23:21:24 -------- d-----w- C:\sh4ldr
2012-05-09 23:21:24 -------- d-----w- c:\program files\Enigma Software Group
2012-05-09 23:21:14 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-05-09 23:21:11 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-05-02 13:25:25 -------- d-----w- c:\windows\system32\DBBK
2012-04-27 21:37:59 406896 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
2012-04-27 21:37:59 361840 ----a-w- c:\windows\system32\dsNcCredProv.dll
2012-04-27 21:37:25 -------- d-----w- c:\program files\Juniper Networks
2012-04-27 21:15:32 -------- d-----w- c:\users\brett.goodman\appdata\local\LogMeIn Rescue Applet
2012-04-20 21:28:49 -------- d-----w- c:\users\brett.goodman\appdata\local\Mozilla
.
==================== Find3M ====================
.
2012-03-30 11:35:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-24 01:51:25 133632 --sha-r- c:\windows\system32\cfgmgr32U.dll
2012-03-23 12:28:03 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-03-01 05:46:57 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 05:37:41 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 05:33:23 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 05:29:16 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-24 14:36:44 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-02-17 05:34:22 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-14 16:09:44 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
.
============= FINISH: 11:46:42.38 ===============
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1
Run by Brett.Goodman at 11:45:43 on 2012-05-13
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2985.1159 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\Dell\KACE\AMPAgent.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Windows\system32\DRIVERS\o2flash.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Windows\System32\vds.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\brett.goodman\Desktop\gmer.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://connect.wolterskluwer.com/sites/proj-reso-CandG/default.aspx
uInternet Settings,ProxyOverride = <local>
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [FreeFallProtection] c:\program files\stmicroelectronics\accelerometerp11\FF_Protection.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [WKPopup] "c:\program files\wkinvtool\wkpopup.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
uPolicies-explorer: ForceRunOnStartMenu = 1 (0x1)
mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: bighammer.com\homedepot
Trusted Zone: wolterskluwer.com\connect
Trusted Zone: wolterskluwer.com\connect
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E52F4028-CAC4-4723-A16E-1D987F8B8B94} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E52F4028-CAC4-4723-A16E-1D987F8B8B94}\4646D2772747 : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\nvinit.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
mASetup: {AC76BA86-7AD7-1033-7B44-A94000000001} - "c:\program files\adobe\reader 9.0\reader\copy.bat"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\brett.goodman\appdata\roaming\mozilla\firefox\profiles\no5xqwte.default\
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 nvpciflt;nvpciflt;c:\windows\system32\drivers\nvpciflt.sys [2012-3-19 20328]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [2012-3-19 17904]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2012-3-19 81920]
R2 AMPAgent;Dell KACE Agent;c:\program files\dell\kace\AMPAgent.exe [2012-1-16 2772072]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-8-23 1831024]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\accelern.sys [2012-3-19 44144]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2012-3-19 45352]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2012-3-19 39656]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\drivers\e1c6232.sys [2011-7-20 268968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-3-19 106104]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-5-13 40776]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2012-3-19 7434240]
R3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\o2mdfw7.sys [2012-3-19 60904]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjw7.sys [2012-3-19 63976]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]
S3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM52x32.sys [2011-8-23 264464]
S3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP52x32.sys [2011-8-23 57616]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-8-23 41088]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-12 129976]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2012-3-19 139368]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7.sys [2012-3-19 62440]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2011-4-11 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2011-4-11 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2011-4-11 112640]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-8-23 1343400]
.
=============== Created Last 30 ================
.
2012-05-13 15:44:11 -------- d-----w- c:\windows\system32\appmgmt
2012-05-13 15:02:27 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-05-13 15:02:20 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-13 15:02:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-12 15:05:12 -------- d-----w- c:\users\brett.goodman\appdata\local\ElevatedDiagnostics
2012-05-12 14:32:34 -------- d-----w- c:\users\brett.goodman\appdata\local\temp
2012-05-12 14:28:47 -------- d-sh--w- C:\$RECYCLE.BIN
2012-05-12 14:23:25 -------- d-----w- C:\ComboFix
2012-05-12 14:20:32 9096 ----a-w- c:\windows\system32\drivers\DasBootI.SYS
2012-05-12 14:20:32 9096 ----a-w- c:\windows\system32\drivers\DasBootE.SYS
2012-05-12 14:20:32 59272 ----a-w- c:\windows\system32\drivers\DasBootF.SYS
2012-05-12 14:20:32 3072 ----a-w- c:\windows\system32\drivers\DasBootD.SYS
2012-05-12 14:20:32 27528 ----a-w- c:\windows\system32\drivers\DasBootK.SYS
2012-05-12 14:20:32 225664 ----a-w- c:\windows\system32\drivers\DasBootS.SYS
2012-05-12 14:20:32 20744 ----a-w- c:\windows\system32\drivers\DasBoot.SYS
2012-05-12 12:51:30 -------- d-----w- C:\ARK
2012-05-11 22:04:42 -------- d-----w- c:\program files\Trend Micro
2012-05-11 22:03:51 -------- d-----w- c:\program files\Oracle
2012-05-11 22:03:48 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-10 00:49:20 1666978 ----a-w- C:\MGtools.exe
2012-05-10 00:48:06 -------- d-----w- C:\MGtools
2012-05-09 23:21:24 -------- d-----w- C:\sh4ldr
2012-05-09 23:21:24 -------- d-----w- c:\program files\Enigma Software Group
2012-05-09 23:21:14 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-05-09 23:21:11 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-05-02 13:25:25 -------- d-----w- c:\windows\system32\DBBK
2012-04-27 21:37:59 406896 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
2012-04-27 21:37:59 361840 ----a-w- c:\windows\system32\dsNcCredProv.dll
2012-04-27 21:37:25 -------- d-----w- c:\program files\Juniper Networks
2012-04-27 21:15:32 -------- d-----w- c:\users\brett.goodman\appdata\local\LogMeIn Rescue Applet
2012-04-20 21:28:49 -------- d-----w- c:\users\brett.goodman\appdata\local\Mozilla
.
==================== Find3M ====================
.
2012-03-30 11:35:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-24 01:51:25 133632 --sha-r- c:\windows\system32\cfgmgr32U.dll
2012-03-23 12:28:03 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-03-01 05:46:57 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 05:37:41 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 05:33:23 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 05:29:16 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-24 14:36:44 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-02-17 05:34:22 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-14 16:09:44 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
.
============= FINISH: 11:46:42.38 ===============
.
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-13 13:40:54
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.MH00
Running: gmer.exe; Driver: C:\Users\BRETT~1.GOO\AppData\Local\Temp\kxliraob.sys


---- System - GMER 1.0.15 ----

SSDT 8843ECA8 ZwAlertResumeThread
SSDT 8843ED88 ZwAlertThread
SSDT 8843E3C0 ZwAllocateVirtualMemory
SSDT 8843E9F8 ZwCreateMutant
SSDT 88438658 ZwCreateThread
SSDT 8843E208 ZwFreeVirtualMemory
SSDT 8843EAE8 ZwImpersonateAnonymousToken
SSDT 8843EBC8 ZwImpersonateThread
SSDT 8843E128 ZwMapViewOfSection
SSDT 88444F08 ZwOpenEvent
SSDT 8843E490 ZwOpenProcessToken
SSDT 88442448 ZwOpenThreadToken
SSDT \??\C:\Windows\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory [0x8FDD78B0]
SSDT 8843F250 ZwResumeThread
SSDT 88442368 ZwSetContextThread
SSDT 88442538 ZwSetInformationProcess
SSDT 88442278 ZwSetInformationThread
SSDT 88444E28 ZwSuspendProcess
SSDT 8843EED0 ZwSuspendThread
SSDT 88438738 ZwTerminateProcess
SSDT 8843EF90 ZwTerminateThread
SSDT 8843E068 ZwUnmapViewOfSection
SSDT 8843E2F0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 82A8B3D9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AC4D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!ObfDereferenceObject 82AC5CC3 8 Bytes [B8, 36, 2F, DA, 8A, FF, E0, ...] {MOV EAX, 0x8ada2f36; JMP EAX; NOP }
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 82ACBDD0 8 Bytes [A8, EC, 43, 88, 88, ED, 43, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82ACBDE8 4 Bytes [C0, E3, 43, 88]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82ACBEC4 4 Bytes [F8, E9, 43, 88]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 82ACBEF8 4 Bytes [58, 86, 43, 88] {POP EAX; XCHG [EBX-0x78], AL}
.text ntkrnlpa.exe!KeRemoveQueueEx + 12B3 82ACBFA8 4 Bytes [08, E2, 43, 88]
.text ...
PAGE ntkrnlpa.exe!IoConnectInterrupt 82BD42FF 8 Bytes [B8, 0C, 5F, DA, 8A, FF, E0, ...] {MOV EAX, 0x8ada5f0c; JMP EAX; NOP }
PAGE ntkrnlpa.exe!IoConnectInterruptEx 82C04912 8 Bytes [B8, EC, 5F, DA, 8A, FF, E0, ...] {MOV EAX, 0x8ada5fec; JMP EAX; NOP }
PAGE ntkrnlpa.exe!ObInsertObject + 27 82C71250 8 Bytes [B8, 98, 2D, DA, 8A, FF, E0, ...] {MOV EAX, 0x8ada2d98; JMP EAX; NOP }
PAGE ntkrnlpa.exe!ObCreateObject 82C722E3 8 Bytes [B8, F8, 1D, DA, 8A, FF, E0, ...] {MOV EAX, 0x8ada1df8; JMP EAX; NOP }
PAGE ntkrnlpa.exe!NtDuplicateObject 82C7F61A 8 Bytes JMP E0FF8AD9
PAGE ntkrnlpa.exe!ObOpenObjectByPointer 82C997A2 5 Bytes [B8, 7C, E9, D9, 8A] {MOV EAX, 0x8ad9e97c}
PAGE ntkrnlpa.exe!ObOpenObjectByPointer + 6 82C997A8 2 Bytes [E0, 90] {LOOPNZ 0xffffffffffffff92}
PAGE ntkrnlpa.exe!ZwSetSystemInformation 82C9C22C 8 Bytes [B8, 04, 30, DA, 8A, FF, E0, ...] {MOV EAX, 0x8ada3004; JMP EAX; NOP }
? C:\Users\BRETT~1.GOO\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2884] kernel32.dll!CreateThread 76F0DCC2 5 Bytes JMP 6D2672FB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!EnableWindow 75FB8D02 5 Bytes JMP 6D2A9A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!CallNextHookEx 75FBABE1 5 Bytes JMP 6D2C7BB7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!UnhookWindowsHookEx 75FBADF9 5 Bytes JMP 6D2EEB10 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!DefWindowProcA 75FBBB1C 7 Bytes JMP 6D269525 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!CreateWindowExA 75FBBF40 5 Bytes JMP 6D27335B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!SetWindowsHookExW 75FBE30C 5 Bytes JMP 6D2A2194 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!CreateWindowExW 75FBEC7C 5 Bytes JMP 6D2CFF8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!DefWindowProcW 75FC507D 7 Bytes JMP 6D2C7C1A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!DialogBoxParamW 75FD3B9B 5 Bytes JMP 6D20170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!DialogBoxIndirectParamW 75FE3B7F 5 Bytes JMP 6D3F640E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!DialogBoxParamA 75FFCF42 5 Bytes JMP 6D3F63A9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!DialogBoxIndirectParamA 75FFD274 5 Bytes JMP 6D3F6473 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!MessageBoxIndirectA 7600E869 5 Bytes JMP 6D3F6330 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!MessageBoxIndirectW 7600E963 5 Bytes JMP 6D3F62B7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!MessageBoxExA 7600E9C9 5 Bytes JMP 6D3F6253 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] USER32.dll!MessageBoxExW 7600E9ED 5 Bytes JMP 6D3F61EF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2884] ole32.dll!OleLoadFromStream 75B26143 5 Bytes JMP 6D3F6BE7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6056] USER32.dll!EnableWindow 75FB8D02 5 Bytes JMP 6D2A9A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6056] USER32.dll!DialogBoxParamW 75FD3B9B 5 Bytes JMP 6D20170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6056] USER32.dll!DialogBoxIndirectParamW 75FE3B7F 5 Bytes JMP 6D3F640E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6056] USER32.dll!DialogBoxParamA 75FFCF42 5 Bytes JMP 6D3F63A9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6056] USER32.dll!DialogBoxIndirectParamA 75FFD274 5 Bytes JMP 6D3F6473 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6056] USER32.dll!MessageBoxIndirectA 7600E869 5 Bytes JMP 6D3F6330 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6056] USER32.dll!MessageBoxIndirectW 7600E963 5 Bytes JMP 6D3F62B7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6056] USER32.dll!MessageBoxExA 7600E9C9 5 Bytes JMP 6D3F6253 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6056] USER32.dll!MessageBoxExW 7600E9ED 5 Bytes JMP 6D3F61EF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp wpsdrvnt.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\BTHUSB \Device\00000085 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000005b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp wpsdrvnt.sys

---- EOF - GMER 1.0.15 ----

Attached Files

  • ark.txt (12.73KB)
  • DDS.txt (14.99KB)


#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:12:57 PM

Posted 13 May 2012 - 09:42 PM

Hello,



Please download ComboFix from the link below:

Combofix

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.
  • If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • When finished, it will produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
  • Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.
  • If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier.



-- Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.




Regards,
Georgi



#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:12:57 PM

Posted 13 May 2012 - 09:45 PM

Also it seems that you used Combofix on your own, without being instructed, correct?

2012-05-12 14:23:25 -------- d-----w- C:\ComboFix


Copy the contents of both logs (the newest and the earliest) & post them in your next reply.



Regards,
Georgi



#6 xgoodyx

xgoodyx
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:57 AM

Posted 14 May 2012 - 09:02 AM

Yes, I had run ComboFix before; however, I can't find any of the logs from the previous run. Here is the most recent. Also, the way that my work set this computer up, I cannot fully disable Symantec even when I stop the processes.

ComboFix 12-05-14.02 - Brett.Goodman 05/14/2012 8:56.3.4 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2985.2087 [GMT -4:00]
Running from: c:\users\brett.goodman\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-04-14 to 2012-05-14 )))))))))))))))))))))))))))))))
.
.
2012-05-14 13:09 . 2012-05-14 13:09 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-05-14 13:09 . 2012-05-14 13:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-14 13:09 . 2012-05-14 13:09 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-05-12 15:05 . 2012-05-12 15:05 -------- d-----w- c:\users\brett.goodman\AppData\Local\ElevatedDiagnostics
2012-05-12 14:32 . 2012-05-14 13:09 -------- d-----w- c:\users\brett.goodman\AppData\Local\temp
2012-05-12 14:20 . 2012-03-22 16:17 225664 ----a-w- c:\windows\system32\drivers\DasBootS.SYS
2012-05-12 14:20 . 2012-01-17 20:55 9096 ----a-w- c:\windows\system32\drivers\DasBootI.SYS
2012-05-12 14:20 . 2012-01-17 20:55 27528 ----a-w- c:\windows\system32\drivers\DasBootK.SYS
2012-05-12 14:20 . 2012-01-17 20:55 9096 ----a-w- c:\windows\system32\drivers\DasBootE.SYS
2012-05-12 14:20 . 2012-01-17 20:55 59272 ----a-w- c:\windows\system32\drivers\DasBootF.SYS
2012-05-12 14:20 . 2012-01-17 20:55 20744 ----a-w- c:\windows\system32\drivers\DasBoot.SYS
2012-05-12 14:20 . 2010-05-04 01:37 3072 ----a-w- c:\windows\system32\drivers\DasBootD.SYS
2012-05-12 12:51 . 2012-05-12 12:52 -------- d-----w- C:\ARK
2012-05-12 12:39 . 2012-05-12 12:39 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-11 22:04 . 2012-05-11 22:04 -------- d-----w- c:\program files\Trend Micro
2012-05-11 22:04 . 2012-05-11 22:04 -------- d-----w- c:\program files\Common Files\Java
2012-05-11 22:03 . 2012-05-11 22:03 -------- d-----w- c:\program files\Oracle
2012-05-11 22:03 . 2012-04-04 22:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-10 00:48 . 2012-05-13 14:29 -------- d-----w- C:\MGtools
2012-05-09 23:21 . 2012-05-09 23:34 -------- d-----w- C:\sh4ldr
2012-05-09 23:21 . 2012-05-09 23:21 -------- d-----w- c:\program files\Enigma Software Group
2012-05-09 23:21 . 2012-05-09 23:34 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-05-09 23:21 . 2012-05-09 23:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-05-02 13:25 . 2012-05-14 13:00 -------- d-----w- c:\windows\system32\DBBK
2012-04-27 21:37 . 2012-04-27 21:37 -------- d-----w- c:\users\Public\Juniper Networks
2012-04-27 21:37 . 2011-04-12 20:41 406896 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
2012-04-27 21:37 . 2011-04-12 20:41 361840 ----a-w- c:\windows\system32\dsNcCredProv.dll
2012-04-27 21:37 . 2012-04-27 21:37 -------- d-----w- c:\program files\Juniper Networks
2012-04-27 21:15 . 2012-04-29 22:44 -------- d-----w- c:\users\brett.goodman\AppData\Local\LogMeIn Rescue Applet
2012-04-22 19:39 . 2012-04-22 19:39 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2012-04-20 21:28 . 2012-04-20 21:28 -------- d-----w- c:\users\brett.goodman\AppData\Local\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-13 14:29 . 2012-05-10 00:48 907184 ----a-w- C:\MGlogs.zip
2012-03-30 11:35 . 2012-03-30 11:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-28 00:29 . 2012-03-28 00:29 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-03-28 00:29 . 2012-03-28 00:29 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-03-28 00:29 . 2012-03-28 00:29 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-03-28 00:29 . 2012-03-28 00:29 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-03-28 00:29 . 2012-03-28 00:29 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-03-28 00:29 . 2012-03-28 00:29 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-03-28 00:29 . 2012-03-28 00:29 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-03-28 00:29 . 2012-03-28 00:29 367104 ----a-w- c:\windows\system32\html.iec
2012-03-28 00:29 . 2012-03-28 00:29 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-03-28 00:29 . 2012-03-28 00:29 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-28 00:29 . 2012-03-28 00:29 161792 ----a-w- c:\windows\system32\msls31.dll
2012-03-28 00:29 . 2012-03-28 00:29 152064 ----a-w- c:\windows\system32\wextract.exe
2012-03-28 00:29 . 2012-03-28 00:29 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-03-28 00:29 . 2012-03-28 00:29 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-03-28 00:29 . 2012-03-28 00:29 11776 ----a-w- c:\windows\system32\mshta.exe
2012-03-28 00:29 . 2012-03-28 00:29 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-03-28 00:29 . 2012-03-28 00:29 101888 ----a-w- c:\windows\system32\admparse.dll
2012-03-23 12:28 . 2011-08-23 21:54 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-02-24 14:36 . 2012-03-28 00:44 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-02-17 05:34 . 2012-03-29 11:19 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-02-17 05:34 . 2012-03-29 11:19 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-29 11:19 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-29 11:19 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-14 16:09 . 2012-02-14 16:09 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-04-21 01:19 . 2012-05-12 12:39 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-08-23 115560]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-11-11 505720]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-11-11 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-11-11 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-11-11 176408]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2011-11-11 536668]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-06-05 288872]
"FreeFallProtection"="c:\program files\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2011-07-25 686704]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"WKPopup"="c:\program files\wkinvtool\wkpopup.exe" [2011-03-07 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000003}\_SC_Acrobat.exe [2012-3-19 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoOnlinePrintsWizard"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceRunOnStartMenu"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-151547\Scripts\Logon\0\0]
"Script"=windowsz.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-151547\Scripts\Logon\1\0]
"Script"=tuner.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-99018\Scripts\Logon\0\0]
"Script"=windowsz.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-99018\Scripts\Logon\1\0]
"Script"=tuner.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM52x32.sys [2010-08-13 264464]
R3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP52X32.sys [2010-08-13 57616]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2010-10-19 41088]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-21 129976]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-11-11 139368]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7.sys [2011-11-11 62440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-23 1343400]
S0 DasBoot;Panda AntiMalware Support;c:\windows\\SystemRoot\system32\drivers\DasBoot.SYS [x]
S0 DasBootF;Panda AntiMalware Support MF;c:\windows\\SystemRoot\system32\drivers\DasBootF.SYS [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [2011-11-11 20328]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2011-07-16 17904]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2011-11-11 81920]
S2 AMPAgent;Dell KACE Agent;c:\program files\Dell\KACE\AMPAgent.exe [2012-01-16 2772072]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\accelern.sys [2011-11-11 44144]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2011-11-11 45352]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2011-11-11 39656]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c6232.sys [2011-07-20 268968]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-03-19 106104]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-11-11 7434240]
S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\DRIVERS\O2MDFw7.sys [2011-11-11 60904]
S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7.sys [2011-11-11 63976]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AC76BA86-7AD7-1033-7B44-A94000000001}]
2011-01-05 22:14 1537 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\copy.bat
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-14 c:\windows\Tasks\Wcbraecs.job
- c:\windows\system32\cfgmgr32U.dll [2012-03-24 01:51]
.
.
------- Supplementary Scan -------
.
uStart Page = https://connect.wolterskluwer.com/sites/proj-reso-CandG/default.aspx
uInternet Settings,ProxyOverride = <local>
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: bighammer.com\homedepot
Trusted Zone: wolterskluwer.com\connect
Trusted Zone: wolterskluwer.com\connect
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\brett.goodman\AppData\Roaming\Mozilla\Firefox\Profiles\no5xqwte.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-05-14 09:40:29
ComboFix-quarantined-files.txt 2012-05-14 13:40
ComboFix2.txt 2012-05-12 14:32
ComboFix3.txt 2012-05-11 00:02
ComboFix4.txt 2012-05-09 23:08
ComboFix5.txt 2012-05-14 12:17
.
Pre-Run: 288,494,530,560 bytes free
Post-Run: 288,481,918,976 bytes free
.
- - End Of File - - 4341307545F6137281D509204F0CBECC




#7 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 14 May 2012 - 01:21 PM

Hello,



I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove either Symantec Endpoint Protection or Microsoft Security Essentials.





We need to execute a CFScript to clean some remnants.


Please do this:


1. Open Notepad => navigate to Format and make sure that Word Wrap is unchecked. <--- important !!!

2. Copy/paste the text in the codebox below into it: (include the link as well).

http://www.bleepingcomputer.com/forums/topic453481.html

Collect::
c:\windows\Tasks\Wcbraecs.job
c:\windows\system32\cfgmgr32U.dll
Registry::
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-151547\Scripts\Logon\0\0]
"Script"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-151547\Scripts\Logon\1\0]
"Script"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-99018\Scripts\Logon\0\0]
"Script"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-99018\Scripts\Logon\1\0]
"Script"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000

Save this as CFScript.txt, in the same location as ComboFix.exe

3. Close any open browsers.

4. Referring to the picture below, drag CFScript into ComboFix.exe

Posted Image

5. When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Successful".

**NOTE**
  • IF for some reason Combofix fails to upload anything you will see that message:
    Posted Image
  • Please double-click this file: C:\CF-Submit.htm and follow the instructions there to upload that zipped file.


6. When ComboFix has finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Regards,
Georgi


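Added example (not code from the thread or from ComboFix): a small Python triage helper that applies the reasoning behind the CFScript above to a ComboFix log. It flags the entry classes that script collects or resets (a scheduled task whose target imitates a system DLL, as Wcbraecs.job loading cfgmgr32U.dll does; group-policy logon scripts; NoAutoUpdate; DisableMonitoring) and renders the matching Collect::/Registry:: lines in the same format. The sample log lines are constructed from entries quoted in this thread, and the list of well-known DLL stems is an assumed, illustrative list.

```python
"""Triage a ComboFix log for the entry classes the CFScript above targets.
Added example (not code from the thread or from ComboFix); the sample log
lines are constructed from entries quoted earlier in this thread."""
import re
from collections import namedtuple

SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-702074188-2833732907-241959117-151547\Scripts\Logon\0\0]
"Script"=windowsz.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-14 c:\windows\Tasks\Wcbraecs.job
- c:\windows\system32\cfgmgr32U.dll [2012-03-24 01:51]
"""

# Illustrative, non-exhaustive list (an assumption): legitimate Windows DLL stems
# that a dropped file may imitate by appending a character (cfgmgr32U vs cfgmgr32).
KNOWN_SYSTEM_DLLS = {"cfgmgr32", "kernel32", "user32", "advapi32", "ntdll", "shell32"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>\S+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)(?:\s+\[[^\]]*\])?$")
# kind, registry key (or .job path), value name ("" for a task), raw value (or task target)
Finding = namedtuple("Finding", "kind key name value")


def parse_registry_blocks(text):
    """Yield (key, [(name, raw_value), ...]) per REGEDIT-style block; a '.' line ends a block."""
    key, values = None, []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := KEY_RE.match(line):
            key, values = m.group(1), []
        elif key is not None and line == ".":
            yield key, values
            key = None
        elif key is not None and (m := VALUE_RE.match(line)):
            values.append((m.group(1), m.group(2)))


def value_as_int(raw):
    """Decode ComboFix's two integer renderings: 'dword:00000001' and '1 (0x1)'."""
    m = re.match(r"^dword:([0-9a-f]{8})$|^(\d+)\s*\(0x[0-9a-f]+\)$", raw.strip(), re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def parse_scheduled_tasks(text):
    """Return [(job_path, target_path)] from the 'Scheduled Tasks' folder listing."""
    lines = [ln.strip() for ln in text.splitlines()] + [""]  # sentinel for the last line
    tasks = []
    for i, line in enumerate(lines[:-1]):
        if m := TASK_RE.match(line):
            t = TARGET_RE.match(lines[i + 1])  # the target sits on the next '- ...' line
            tasks.append((m.group("job"), t.group("target") if t else None))
    return tasks


def lookalike_of(path):
    """Return the legitimate DLL a file name imitates (cfgmgr32U.dll -> cfgmgr32.dll), else None."""
    stem = re.split(r"[\\/]", path)[-1].lower().rsplit(".", 1)[0]
    for known in KNOWN_SYSTEM_DLLS:
        if stem != known and stem.startswith(known):
            return known + ".dll"
    return None


def triage(log_text):
    """Flag: Windows Update disabled by policy, AV hidden from Security Center, GPO logon
    scripts, and scheduled tasks whose target imitates a system DLL."""
    findings = []
    for key, values in parse_registry_blocks(log_text):
        lk = key.lower()
        for name, raw in values:
            val = value_as_int(raw)
            if lk.endswith("\\windowsupdate\\au") and name == "NoAutoUpdate" and val == 1:
                findings.append(Finding("update-disabled", key, name, raw))
            elif "\\security center\\monitoring\\" in lk and name == "DisableMonitoring" and val == 1:
                findings.append(Finding("av-monitoring-disabled", key, name, raw))
            elif "\\scripts\\logon\\" in lk and name == "Script":
                findings.append(Finding("gpo-logon-script", key, name, raw))
    for job, target in parse_scheduled_tasks(log_text):
        if target and lookalike_of(target):
            findings.append(Finding("lookalike-task-target", job, "", target))
    return findings


def cfscript_fix(findings):
    """Render Collect:: and Registry:: sections in the format of the CFScript above."""
    collect, registry = [], []
    for f in findings:
        if f.kind == "lookalike-task-target":
            collect += [f.key, f.value]
        elif f.kind == "gpo-logon-script":
            registry += [f"[{f.key}]", f'"{f.name}"=-']  # '=-' deletes the value
        else:
            registry += [f"[{f.key}]", f'"{f.name}"=dword:00000000']  # reset to 0
    out = (["Collect::"] + collect if collect else []) + (["Registry::"] + registry if registry else [])
    return "\n".join(out)
```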

#8 xgoodyx
  • Topic Starter

  • Members
  • 8 posts

Posted 14 May 2012 - 02:20 PM

ComboFix 12-05-14.03 - Brett.Goodman 05/14/2012 14:32:38.4.4 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2985.1813 [GMT -4:00]
Running from: c:\users\brett.goodman\Desktop\ComboFix.exe
Command switches used :: c:\users\brett.goodman\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
file zipped: c:\windows\system32\cfgmgr32U.dll
file zipped: c:\windows\Tasks\Wcbraecs.job
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\cfgmgr32U.dll
c:\windows\Tasks\Wcbraecs.job
.
.
((((((((((((((((((((((((( Files Created from 2012-04-14 to 2012-05-14 )))))))))))))))))))))))))))))))
.
.
2012-05-14 19:11 . 2012-05-14 19:13 -------- d-----w- c:\users\brett.goodman\AppData\Local\temp
2012-05-14 19:11 . 2012-05-14 19:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-05-14 19:11 . 2012-05-14 19:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-14 19:11 . 2012-05-14 19:11 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-05-12 15:05 . 2012-05-12 15:05 -------- d-----w- c:\users\brett.goodman\AppData\Local\ElevatedDiagnostics
2012-05-12 14:20 . 2012-03-22 16:17 225664 ----a-w- c:\windows\system32\drivers\DasBootS.SYS
2012-05-12 14:20 . 2012-01-17 20:55 9096 ----a-w- c:\windows\system32\drivers\DasBootI.SYS
2012-05-12 14:20 . 2012-01-17 20:55 27528 ----a-w- c:\windows\system32\drivers\DasBootK.SYS
2012-05-12 14:20 . 2012-01-17 20:55 9096 ----a-w- c:\windows\system32\drivers\DasBootE.SYS
2012-05-12 14:20 . 2012-01-17 20:55 59272 ----a-w- c:\windows\system32\drivers\DasBootF.SYS
2012-05-12 14:20 . 2012-01-17 20:55 20744 ----a-w- c:\windows\system32\drivers\DasBoot.SYS
2012-05-12 14:20 . 2010-05-04 01:37 3072 ----a-w- c:\windows\system32\drivers\DasBootD.SYS
2012-05-12 12:51 . 2012-05-12 12:52 -------- d-----w- C:\ARK
2012-05-12 12:39 . 2012-05-12 12:39 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-11 22:04 . 2012-05-11 22:04 -------- d-----w- c:\program files\Trend Micro
2012-05-11 22:04 . 2012-05-11 22:04 -------- d-----w- c:\program files\Common Files\Java
2012-05-11 22:03 . 2012-05-11 22:03 -------- d-----w- c:\program files\Oracle
2012-05-11 22:03 . 2012-04-04 22:47 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-10 00:48 . 2012-05-13 14:29 -------- d-----w- C:\MGtools
2012-05-09 23:21 . 2012-05-09 23:34 -------- d-----w- C:\sh4ldr
2012-05-09 23:21 . 2012-05-09 23:21 -------- d-----w- c:\program files\Enigma Software Group
2012-05-09 23:21 . 2012-05-09 23:34 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-05-09 23:21 . 2012-05-09 23:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-05-02 13:25 . 2012-05-14 19:11 -------- d-----w- c:\windows\system32\DBBK
2012-04-27 21:37 . 2012-04-27 21:37 -------- d-----w- c:\users\Public\Juniper Networks
2012-04-27 21:37 . 2011-04-12 20:41 406896 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
2012-04-27 21:37 . 2011-04-12 20:41 361840 ----a-w- c:\windows\system32\dsNcCredProv.dll
2012-04-27 21:37 . 2012-04-27 21:37 -------- d-----w- c:\program files\Juniper Networks
2012-04-27 21:15 . 2012-04-29 22:44 -------- d-----w- c:\users\brett.goodman\AppData\Local\LogMeIn Rescue Applet
2012-04-22 19:39 . 2012-04-22 19:39 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2012-04-20 21:28 . 2012-04-20 21:28 -------- d-----w- c:\users\brett.goodman\AppData\Local\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-13 14:29 . 2012-05-10 00:48 907184 ----a-w- C:\MGlogs.zip
2012-03-30 11:35 . 2012-03-30 11:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-28 00:29 . 2012-03-28 00:29 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-03-28 00:29 . 2012-03-28 00:29 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-03-28 00:29 . 2012-03-28 00:29 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-03-28 00:29 . 2012-03-28 00:29 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-03-28 00:29 . 2012-03-28 00:29 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-03-28 00:29 . 2012-03-28 00:29 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-03-28 00:29 . 2012-03-28 00:29 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-03-28 00:29 . 2012-03-28 00:29 367104 ----a-w- c:\windows\system32\html.iec
2012-03-28 00:29 . 2012-03-28 00:29 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-03-28 00:29 . 2012-03-28 00:29 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-28 00:29 . 2012-03-28 00:29 161792 ----a-w- c:\windows\system32\msls31.dll
2012-03-28 00:29 . 2012-03-28 00:29 152064 ----a-w- c:\windows\system32\wextract.exe
2012-03-28 00:29 . 2012-03-28 00:29 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-03-28 00:29 . 2012-03-28 00:29 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-03-28 00:29 . 2012-03-28 00:29 11776 ----a-w- c:\windows\system32\mshta.exe
2012-03-28 00:29 . 2012-03-28 00:29 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-03-28 00:29 . 2012-03-28 00:29 101888 ----a-w- c:\windows\system32\admparse.dll
2012-03-23 12:28 . 2011-08-23 21:54 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-02-24 14:36 . 2012-03-28 00:44 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-02-17 05:34 . 2012-03-29 11:19 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-02-17 05:34 . 2012-03-29 11:19 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-29 11:19 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-29 11:19 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-04-21 01:19 . 2012-05-12 12:39 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-08-23 115560]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-11-11 505720]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-11-11 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-11-11 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-11-11 176408]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2011-11-11 536668]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-06-05 288872]
"FreeFallProtection"="c:\program files\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2011-07-25 686704]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"WKPopup"="c:\program files\wkinvtool\wkpopup.exe" [2011-03-07 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000003}\_SC_Acrobat.exe [2012-3-19 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoOnlinePrintsWizard"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceRunOnStartMenu"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
R3 CFcatchme;CFcatchme;c:\users\BRETT~1.GOO\AppData\Local\Temp\CFcatchme.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM52x32.sys [2010-08-13 264464]
R3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP52X32.sys [2010-08-13 57616]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2010-10-19 41088]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-21 129976]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-11-11 139368]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7.sys [2011-11-11 62440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-23 1343400]
S0 DasBoot;Panda AntiMalware Support;c:\windows\\SystemRoot\system32\drivers\DasBoot.SYS [x]
S0 DasBootF;Panda AntiMalware Support MF;c:\windows\\SystemRoot\system32\drivers\DasBootF.SYS [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [2011-11-11 20328]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2011-07-16 17904]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2011-11-11 81920]
S2 AMPAgent;Dell KACE Agent;c:\program files\Dell\KACE\AMPAgent.exe [2012-01-16 2772072]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\accelern.sys [2011-11-11 44144]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2011-11-11 45352]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2011-11-11 39656]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c6232.sys [2011-07-20 268968]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-03-19 106104]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-11-11 7434240]
S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\DRIVERS\O2MDFw7.sys [2011-11-11 60904]
S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7.sys [2011-11-11 63976]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AC76BA86-7AD7-1033-7B44-A94000000001}]
2011-01-05 22:14 1537 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\copy.bat
.
.
------- Supplementary Scan -------
.
uStart Page = https://connect.wolterskluwer.com/sites/proj-reso-CandG/default.aspx
uInternet Settings,ProxyOverride = <local>
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: bighammer.com\homedepot
Trusted Zone: wolterskluwer.com\connect
Trusted Zone: wolterskluwer.com\connect
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\brett.goodman\AppData\Roaming\Mozilla\Firefox\Profiles\no5xqwte.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\IDT\WDM\STacSV.exe
c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\rundll32.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\conhost.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2012-05-14 15:17:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-14 19:17
ComboFix2.txt 2012-05-14 13:40
ComboFix3.txt 2012-05-12 14:32
ComboFix4.txt 2012-05-11 00:02
ComboFix5.txt 2012-05-14 18:31
.
Pre-Run: 288,572,874,752 bytes free
Post-Run: 288,526,344,192 bytes free
.
- - End Of File - - DC168DAE8FBE70075BDF025D53AED13C
Upload was successful




#9 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 14 May 2012 - 04:23 PM

Hi,



Did you read my warning about using two antivirus programs together? :)
If this is just an orphan:

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}


please let me know so we can repair the WMI cache.



Can you please go to C:\qoobox, right-click the quarantine folder and select Send to > Compressed (zipped) folder; that will make a zipped copy of the quarantine folder.
Then please upload that to http://www.bleepingcomputer.com/submit-malware.php?channel=122 so we can examine the files and submit them to antivirus companies if needed.



Now let's do a few more checks just to make sure:



STEP 1


  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on Scan All Users checkbox given at the top. Posted Image
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  • Copy and Paste the following code into the Posted Image textbox.
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    "%WinDir%\$NtUninstallKB*$." /30
    C:\Program Files\Common Files\ComObjects\*.* /s
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\AppData\Local\*.*
    %USERPROFILE%\AppData\Roaming\*.*
    %ProgramData%\*.*
    %CommonProgramFiles%\*.*
    %PROGRAMFILES%\*.*
    %systemroot%\system32\config\systemprofile\AppData\Local\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Local\*.*
    %windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.*
    %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.*
    %windir%\temp\*.*
    %windir%\system32\*. 
    %windir%\sysnative\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\DBBK\*.* /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\syswow64\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\syswow64\drivers\*.sys /90
    %systemroot%\syswow64\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC_32\*.* /S /MD5
    %systemroot%\assembly\GAC_64\*.* /S /MD5
    %SystemRoot%\assembly\GAC_MSIL\*.* /S /MD5
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath /s
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    consrv.dll
    explorer.exe
    lsass.exe
    svchost.exe
    wininit.exe
    winlogon.exe
    userinit.exe
    atapi.sys
    iaStor.sys
    serial.sys
    volsnap.sys
    disk.sys
    redbook.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    csc.sys
    tcpip.sys
    dfsc.sys
    hlp.dat
    /md5stop
    
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



STEP 2



Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Posted Image

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



STEP 3



Please download aswMBR.exe to your desktop.



  • Double click the aswMBR.exe icon to run it.
  • The program will offer to download the latest antivirus definitions from Avast servers. Click YES to agree.
  • When it's done, in the AV Scan drop-down options choose C:\
    Posted Image
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
Note - do NOT attempt any Fix or FixMBR yet.



How are things now? Still getting redirects?



Regards,
Georgi



#10 xgoodyx (Topic Starter, Members, 8 posts)

Posted 14 May 2012 - 07:06 PM

The Microsoft Security Essentials program doesn't appear to even exist on my Computer anymore.

Problem.

Using the OTL I keep getting an error that reads "Cannot create file C:\Users\brett.goodman\Desktop\cmd.bat".

I'll wait for instruction before moving forward.

#11 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Location: Bulgaria)

Posted 14 May 2012 - 07:44 PM

Hello,



Click OK and see what happens.
If nothing happens, restart the computer, disable your AV program and try OTL again.



Regards,
Georgi



#12 xgoodyx (Topic Starter, Members, 8 posts)

Posted 15 May 2012 - 07:20 AM

NO MORE REDIRECTS!!! All logs attached; it kept telling me the post was too long, and I zipped the OTL log because it was too big.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-14 21:10:09
-----------------------------
21:10:09.125 OS Version: Windows 6.1.7601 Service Pack 1
21:10:09.125 Number of processors: 4 586 0x2A07
21:10:09.126 ComputerName: NY11LP508774 UserName:
21:10:10.113 Initialize success
21:10:41.105 AVAST engine defs: 12051401
21:10:51.516 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:10:51.517 Disk 0 Vendor: TOSHIBA_ MH00 Size: 305245MB BusType: 8
21:10:51.549 Disk 0 MBR read successfully
21:10:51.550 Disk 0 MBR scan
21:10:51.565 Disk 0 Windows 7 default MBR code
21:10:51.566 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305243 MB offset 2048
21:10:51.570 Disk 0 scanning sectors +625139712
21:10:51.650 Disk 0 scanning C:\Windows\system32\drivers
21:11:02.895 Service scanning
21:11:22.410 Service Teefer2 C:\Windows\system32\DRIVERS\teefer2.sys **LOCKED** 32
21:11:25.727 Service WPS C:\Windows\system32\drivers\wpsdrvnt.sys **LOCKED** 32
21:11:25.768 Service WpsHelper C:\Windows\system32\drivers\WpsHelper.sys **LOCKED** 32
21:11:27.027 Modules scanning
21:11:27.653 Module: C:\Windows\system32\drivers\DasBootD.SYS **SUSPICIOUS**
21:11:35.889 Disk 0 trace - called modules:
21:11:35.904 ntkrnlpa.exe CLASSPNP.SYS disk.sys stdcfltn.sys iaStor.sys halmacpi.dll
21:11:35.906 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88258030]
21:11:35.909 3 CLASSPNP.SYS[8b59259e] -> nt!IofCallDriver -> [0x88257648]
21:11:35.911 5 stdcfltn.sys[8b7dc854] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x86ad8028]
21:11:36.987 AVAST engine scan C:\
21:18:05.602 File: C:\Qoobox\Quarantine\C\Windows\System32\cfgmgr32U.dll.vir **INFECTED** Win32:Diller-DK [Trj]
21:19:15.689 Disk 0 MBR has been saved successfully to "C:\Users\brett.goodman\Desktop\MBR.dat"
21:19:15.694 The log file has been saved successfully to "C:\Users\brett.goodman\Desktop\aswMBR.txt"
21:36:33.929 File: C:\Windows\System32\DBBK\CC06E7D16CF6C9F850F7EE55B07AEAE5 **INFECTED** Win32:Diller-DK [Trj]
00:33:05.942 Scan finished successfully
08:19:20.252 Disk 0 MBR has been saved successfully to "C:\Users\brett.goodman\Desktop\MBR.dat"
08:19:20.272 The log file has been saved successfully to "C:\Users\brett.goodman\Desktop\aswMBR.txt"

Attached Files



#13 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Location: Bulgaria)

Posted 15 May 2012 - 05:23 PM

Hello,

Great work. We are almost done here! :)



We need to run an OTL Fix



  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"
    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\BRETT~1.GOO\AppData\Local\Temp\CFcatchme.sys -- (CFcatchme)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\BRETT~1.GOO\AppData\Local\Temp\catchme.sys -- (catchme)
    O3 - HKU\S-1-5-21-702074188-2833732907-241959117-99018\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    :files
    C:\Windows\System32\DBBK\CC06E7D16CF6C9F850F7EE55B07AEAE5
    dir /s /a "C:\Windows\Q824146Wrapper" /c
    :commands
    [emptytemp]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
  • If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  • Copy/paste the content of the log back here in your next post.




Also, you forgot to attach the TDSSKiller log file?
Please run TDSSKiller as described above and post the log in your next reply.
In addition, please do this:



Run Scan with Malwarebytes


  • I see you have Malwarebytes' Anti-Malware installed on your computer.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.



I'd like us to scan your machine with ESET OnlineScan


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Regards,
Georgi



#14 xgoodyx (Topic Starter, Members, 8 posts)

Posted 15 May 2012 - 07:12 PM

All processes killed
========== OTL ==========
Service CFcatchme stopped successfully!
Service CFcatchme deleted successfully!
File C:\Users\BRETT~1.GOO\AppData\Local\Temp\CFcatchme.sys not found.
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\Users\BRETT~1.GOO\AppData\Local\Temp\catchme.sys not found.
Registry value HKEY_USERS\S-1-5-21-702074188-2833732907-241959117-99018\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.
ADS C:\ProgramData\TEMP:430C6D84 deleted successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
========== FILES ==========
C:\Windows\System32\DBBK\CC06E7D16CF6C9F850F7EE55B07AEAE5 moved successfully.
< dir /s /a "C:\Windows\Q824146Wrapper" /c >
Volume in drive C is OSDisk
Volume Serial Number is 9A56-C7DD
Directory of C:\Windows
03/23/2012 08:38 AM 1,724 Q824146Wrapper
1 File(s) 1,724 bytes
Total Files Listed:
1 File(s) 1,724 bytes
0 Dir(s) 287,981,457,408 bytes free
C:\Users\brett.goodman\Desktop\cmd.bat deleted successfully.
C:\Users\brett.goodman\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 470 bytes

User: All Users

User: brett.goodman
->Temp folder emptied: 61436261 bytes
->Temporary Internet Files folder emptied: 921834 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 215120965 bytes
->Flash cache emptied: 1818 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1459951 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 41276 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 7163318 bytes

Total Files Cleaned = 273.00 mb


OTL by OldTimer - Version 3.2.43.0 log created on 05152012_184344

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

ESET
C:\MGtools\Process.exe Win32/PrcView application
C:\Qoobox\Quarantine.zip a variant of Win32/Ponmocup.BM trojan
C:\Qoobox\Quarantine\[4]-Submit_2012-05-14_14.32.25.zip a variant of Win32/Ponmocup.BM trojan
C:\Qoobox\Quarantine\C\Windows\System32\cfgmgr32U.dll.vir a variant of Win32/Ponmocup.BM trojan
C:\_OTL\MovedFiles\05152012_184344\C_Windows\System32\DBBK\CC06E7D16CF6C9F850F7EE55B07AEAE5 a variant of Win32/Ponmocup.BM trojan

Results of screen317's Security Check version 0.99.32
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
Symantec Endpoint Protection
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

JavaFX 2.1.0
Java™ 6 Update 24
Java™ 7 Update 4
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (12.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````

Attached Files
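The aswMBR log posted in #12 and the ESET results in #14 both mix live findings with hits on files that earlier tools had already quarantined (C:\Qoobox\Quarantine, C:\_OTL\MovedFiles). The following parser is an added example, not part of this thread or of aswMBR; it reads the aswMBR line format (timestamp, record kind, path, **FLAG**, optional detection name) from constructed sample lines modelled on the posted log and separates infections still in place from quarantine leftovers. The quarantine folder names are an assumption taken from the paths in this thread.

```python
import re
from dataclasses import dataclass
# Constructed sample lines modelled on the aswMBR log format posted above
# (timestamp, record kind, path, then a **FLAG** marker and optional detail).
SAMPLE_LOG = """\
21:10:51.565 Disk 0 Windows 7 default MBR code
21:11:22.410 Service Teefer2 C:\\Windows\\system32\\DRIVERS\\teefer2.sys **LOCKED** 32
21:11:27.653 Module: C:\\Windows\\system32\\drivers\\DasBootD.SYS **SUSPICIOUS**
21:18:05.602 File: C:\\Qoobox\\Quarantine\\C\\Windows\\System32\\cfgmgr32U.dll.vir **INFECTED** Win32:Diller-DK [Trj]
21:36:33.929 File: C:\\Windows\\System32\\DBBK\\CC06E7D16CF6C9F850F7EE55B07AEAE5 **INFECTED** Win32:Diller-DK [Trj]
00:33:05.942 Scan finished successfully
"""
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{3}) "
    r"(?P<kind>Service|Module:|File:) "
    r"(?:(?P<name>\S+) )?"            # service name, present only on Service records
    r"(?P<path>[A-Za-z]:\\\S+) "
    r"\*\*(?P<flag>[A-Z]+)\*\*"
    r"(?: (?P<detail>.*))?$"
)
# Assumed quarantine folders, taken from the paths seen in this thread: other
# cleanup tools park neutralised files here, so a hit inside is a leftover.
QUARANTINE_DIRS = ("\\qoobox\\quarantine\\", "\\_otl\\movedfiles\\")

@dataclass(frozen=True)
class Finding:
    time: str
    kind: str    # Service, Module or File
    path: str
    flag: str    # LOCKED, SUSPICIOUS or INFECTED
    detail: str  # detection name for INFECTED, "32" for LOCKED, "" otherwise
    def quarantined(self) -> bool:
        return any(d in self.path.lower() for d in QUARANTINE_DIRS)

def parse_aswmbr(text: str) -> list[Finding]:
    """Return one Finding for every line aswMBR marked with a **FLAG**."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            findings.append(Finding(m["time"], m["kind"].rstrip(":"), m["path"],
                                    m["flag"], (m["detail"] or "").strip()))
    return findings

def active_infections(text: str) -> list[str]:
    """Paths flagged INFECTED that are not already sitting in a quarantine folder."""
    return [f.path for f in parse_aswmbr(text)
            if f.flag == "INFECTED" and not f.quarantined()]
```

LOCKED services are reported for drivers the scanner could not open (here the Symantec firewall drivers) and SUSPICIOUS modules need a manual look; only the unquarantined INFECTED entries point at files still on the live system.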



#15 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Location: Bulgaria)

Posted 16 May 2012 - 10:17 AM

Hello,



We need to run an OTL Fix



  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"
    :files
    C:\Windows\\Q824146Wrapper
    :commands
    [reboot]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
  • If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  • Copy/paste the content of the log back here in your next post.



Also, since you already have Java™ 7 Update 4, please uninstall Java™ 6 Update 24 via Control Panel => Uninstall a program, or update it to Java™ 6 Update 32 from the link below:
http://www.oracle.com/technetwork/java/javase/downloads/index.html



Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 10.1.3 to your PC's desktop.


  • Uninstall Adobe Reader 9 via Start => Control Panel > Uninstall a program
  • Install the new downloaded updated software.


Note: The McAfee Security Scan is pre-checked. You may wish to uncheck it before downloading.

Note: Adobe Reader X is a large program and if you prefer a smaller program you can get Foxit Reader 5.3.0 Build 0423 instead.

Foxit Reader 5.3.0 Build 0423 offers 5 levels of security. Click Me for more information.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.



After that I'll give you my final recommendations. :)



Regards,
Georgi





