No Internet access; BSOD 8E


18 replies to this topic

#1 BigLou99

  • Members
  • 53 posts

Posted 16 June 2012 - 11:42 AM

I was directed to move my post to this forum. System is Vista Home Prem SP1.
Problem 1 - had a Zeroaccess root kit - this was resolved but now I cannot access the Internet in Safe Mode
Problem 2 - in Normal mode, system crashes with BSOD 8E shortly after desktop is displayed
I am working to resolve Problem 1 first. I have run multiple utilities based on instructions received on this forum from Broni.
Here is the link: http://www.bleepingcomputer.com/forums/topic456480.html/page__pid__2725708
I have run TDSS Killer - no malware found.
I have run the registry fix items in Vista.zip as directed - this seems to restore the tdx.sys keys - but on reboot - it is missing again.
Attached please find the DDS and GMER logs (as instructed).
Any help appreciated.

 


.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_23
Run by DONNA at 11:22:50 on 2012-06-16
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3518.2851 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = hxxp://www.foxnews.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.7.1.3\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.7.1.3\ips\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.7.1.3\coIEPlg.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {795828A9-F271-43A8-8536-4484BB991D3D} - No File
TB: {37153479-1976-43C3-A1EE-557513977B64} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [<NO NAME>]
mRun: [iolo Startup] "c:\program files\iolo\common\lib\ioloLManager.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
dRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe
StartupFolder: c:\users\donna\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: chamberlain.edu\hub
Trusted Zone: devry.edu\my
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 75.75.76.76 75.75.75.75
TCP: Interfaces\{B622C230-7294-453D-9BE5-259E63A18A24} : DhcpNameServer = 192.168.1.1 75.75.76.76 75.75.75.75
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\donna\appdata\roaming\mozilla\firefox\profiles\bh4iloqf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2559647&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=Z015&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z015&form=ZGAADF&q=
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\users\donna\appdata\roaming\mozilla\firefox\profiles\bh4iloqf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\donna\appdata\roaming\mozilla\firefox\profiles\bh4iloqf.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\users\donna\appdata\roaming\mozilla\firefox\profiles\bh4iloqf.default\extensions\{37153479-1976-43c3-a1ee-557513977b64}\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.7\npapicomadapter.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Coupons.com Community Toolbar: {37153479-1976-43c3-a1ee-557513977b64} - %profile%\extensions\{37153479-1976-43c3-a1ee-557513977b64}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Symantec Intrusion Prevention: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\IPSFFPlgn
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1207010.003\symds.sys [2012-4-3 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1207010.003\symefa.sys [2012-4-3 744568]
S1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20120507.001\BHDrvx86.sys [2012-4-2 821880]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2012-4-8 27080]
S1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20120516.001\IDSvix86.sys [2012-5-16 368248]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1207010.003\ironx86.sys [2012-4-3 136312]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1207010.003\symtdiv.sys [2012-4-3 331384]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ioloSystemService;iolo System Service;"c:\program files\iolo\common\lib\ioloservicemanager.exe" --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.7.1.3\ccsvchst.exe [2012-4-3 130008]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-4-6 106104]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-24 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-24 135664]
S4 U2VSvr;U2VSvr;c:\windows\system32\u2vsvr.exe --> c:\windows\system32\U2VSvr.exe [?]
.
=============== Created Last 30 ================
.
2012-06-14 23:57:53 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-06-14 16:27:01 -------- d-----w- c:\users\donna\appdata\local\Temp
2012-06-14 16:21:24 1172944 ------w- c:\users\donna\_iu14D2N.tmp
2012-06-10 13:42:36 711240 ----a-w- c:\windows\is-6290G.exe
2012-06-09 14:18:21 72192 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-05-21 21:08:41 711240 ----a-w- c:\windows\is-H0FHF.exe
2012-05-21 21:05:43 -------- d-----w- C:\louis_util
2012-05-17 23:11:11 -------- d-----w- c:\users\donna\appdata\local\NPE
.
==================== Find3M ====================
.
2012-04-17 14:37:02 2095816 ----a-w- c:\windows\system32\Incinerator32.dll
2012-04-17 13:25:02 27080 ----a-w- c:\windows\system32\drivers\ElRawDsk.sys
2012-04-08 22:43:32 74703 ----a-w- c:\windows\system32\mfc45.dll
2012-04-08 22:42:57 18914168 ----a-w- C:\SystemMechanic.exe
2012-04-07 16:25:11 251392 ----a-w- C:\hijackthis_sfx.exe
2012-04-04 20:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-26 23:57:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 11:23:10.35 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 10/11/2007 8:02:49 PM
System Uptime: 6/14/2012 7:12:50 PM (40 hours ago)
.
Motherboard: Dell Inc. | | 0RY206
Processor: AMD Athlon™ 64 X2 Dual Core Processor 6000+ | Socket AM2 | 3013/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 288 GiB total, 209.646 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 4.732 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
32 Bit HP CIO Components Installer
Adobe AIR
Adobe Digital Editions
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.0
Adobe Shockwave Player 11.5
American Greetings CreataCard Select 6
APA PERRLA
AppGraffiti
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
BufferChm
CanoScan Toolbox Ver4.1
Carbonite
Centra Client
Compatibility Pack for the 2007 Office system
Conexant D850 PCI V.92 Modem
CustomerResearchQFolder
D6100_D7100_D7300_Help
D7100
Dell DataSafe Online
Dell System Customization Wizard
DellSupport
Destinations
DeviceManagementQFolder
Digital Line Detect
eSupportQFolder
EZ Calendar (remove only)
Fonts
Frontline Systems Premium Solver Platform V8.0
Frontline Systems Risk Solver Engine V8.0
Games, Music, & Photos Launcher
Garmin City Navigator North America NT 2010.40
Garmin Communicator Plugin
Garmin USB Drivers
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Participation Program 8.0
HP Deskjet & Photosmart Printer Driver Software 8.0.A
HP Imaging Device Functions 8.0
HP Photosmart Essential
HP Solution Center 8.0
HPProductAssistant
HPSSupply
iCloud
iolo technologies' System Mechanic
iTunes
Java Auto Updater
Java™ 6 Update 23
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6
Malwarebytes Anti-Malware version 1.60.1.1000
MarketResearch
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Corporation
Microsoft Fix it Center
Microsoft IntelliPoint 6.3
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Microsoft Works
MobileMe Control Panel
Modem Diagnostic Tool
Mozilla Firefox (3.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyScribe
Netflix Movie Viewer
NetWaiting
Network Recording Player
Norton Internet Security
Norton Security Scan
NVIDIA Drivers
NVIDIANetworkDiagnostic
OGA Notifier 2.0.0048.0
OpenOffice.org Installer 1.0
PERRLA
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
SF_CDA_ProductContext
SF_CDA_Software
Skype Click to Call
Skype™ 5.5
Snagit 9.1.3
SolutionCenter
Sonic Activation Module
Status
Toolbox
TrayApp
Uniblue DriverScanner 2009
Uniblue RegistryBooster 2010
Uniblue System Tweaker
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2597970) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
USB Display Device (Trigger 1+) 9.03.0401.0159
Visual C++ 8.0 ATL (x86) WinSXS MSM
Visual C++ 8.0 CRT (x86) WinSXS MSM
WebEx
WebReg
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Live ID Sign-in Assistant
WinZip 14.0
Word Whomp To Go
.
==== End Of File ===========================

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-16 11:19:51
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\0000005b SAMSUNG_ rev.CP10
Running: s8gc1gwg.exe; Driver: C:\Users\DONNA\AppData\Local\Temp\ugloapog.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\fastfat \Fat 8C1D9A7A

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control@SystemStartOptions /NOEXECUTE=OPTIN /BOOTLOG IN/MINT
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 736
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management@ExistingPageFiles \??\C:\pagefile.sys?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 269
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 350575965
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@VideoInitTime 62
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID c9d6ff51-30f2-4f13-992a-f86690b
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\Ecache\Parameters@LastBootStatus 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Ecache\Parameters@ReadyBootPlanUsage 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2298896739-1891898438-2425375497-1000@State 0

---- EOF - GMER 1.0.15 ----

Edited by jntkwx, 18 June 2012 - 09:20 AM.
Including logs in post (easier to read)
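As an added example (not part of the original post and not code from the DDS tool), a small Python triage helper for the "SERVICES / DRIVERS" and Run lines of a DDS log like the one above: it flags entries whose image file DDS could not locate at the registered path (the `--> ... [?]` form, as with U2VSvr and ioloSystemService here) and autorun entries that load from user-writable locations. The sample lines are copied from this thread's log; the field meanings assumed in the comments (R/S running state, start-type digit, u/m/d hive letters) are the editor's reading of the DDS format.

```python
"""Triage helper for DDS-style service/driver and Run lines (editor's example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: six lines copied verbatim from the DDS log posted in this thread.
DDS_SAMPLE = r"""
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1207010.003\symds.sys [2012-4-3 340088]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2012-4-8 27080]
S2 ioloSystemService;iolo System Service;"c:\program files\iolo\common\lib\ioloservicemanager.exe" --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 U2VSvr;U2VSvr;c:\windows\system32\u2vsvr.exe --> c:\windows\system32\U2VSvr.exe [?]
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
dRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe
"""

# Assumed DDS conventions: "<R|S><start type> <name>;<display name>;<image> [<date> <size>]"
# where R = running, S = stopped, and the digit is the Windows start type.
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+)$")
# "<u|m|d>Run: [<value name>] <command line>" where u = current user hive,
# m = HKLM (machine), d = default user hive.
RUN_RE = re.compile(r"^([umd])Run:\s+\[([^\]]*)\]\s*(.*)$")
# First executable-looking path in a command line, quoted or not.
IMAGE_RE = re.compile(r'^"?([a-z]:\\[^"]*?\.(?:exe|sys|dll|cpl))', re.IGNORECASE)

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# Locations a legitimate service or machine-wide autorun almost never loads from.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\systemprofile\\")


@dataclass
class Entry:
    kind: str              # "service" (services and drivers) or "run"
    name: str              # service name or Run value name
    image: Optional[str]   # normalised (lower-cased) image path, None if unparsable
    detail: str            # "state/start type" for services, hive letter for Run keys
    missing: bool          # DDS could not find the file at the registered path


@dataclass
class Finding:
    name: str
    reason: str


def _image_path(fragment: str) -> Optional[str]:
    m = IMAGE_RE.match(fragment.strip())
    return m.group(1).lower() if m else None


def parse_dds(text: str) -> List[Entry]:
    """Parse service/driver and Run lines; unrelated lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            state, start, name, _display, rest = m.groups()
            # "registered --> resolved [?]" means DDS had to search for the file and
            # could not read its date/size: the registered path is dangling.
            missing = rest.rstrip().endswith("[?]")
            image_part = rest.split("-->")[0]
            detail = f"{'running' if state == 'R' else 'stopped'}/{START_TYPES[start]}"
            entries.append(Entry("service", name, _image_path(image_part), detail, missing))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, rest = m.groups()
            entries.append(Entry("run", name, _image_path(rest), hive, False))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Return the entries a responder would look at first."""
    findings: List[Finding] = []
    for e in entries:
        if e.kind == "service" and e.missing:
            findings.append(Finding(e.name, f"image not found at registered path ({e.detail})"))
        if e.image and any(marker in e.image for marker in USER_WRITABLE):
            findings.append(Finding(e.name, f"{e.kind} entry loads from a user-writable location: {e.image}"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_dds(DDS_SAMPLE)):
        print(f"{f.name}: {f.reason}")
```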


#2 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 18 June 2012 - 09:23 AM

Hi BigLou99,

Welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 

We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select "Disable Automatic Restart on System Failure", as shown here:
    [screenshot of the Advanced Boot Options menu]
  • When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:
    [screenshot of a blue screen with the STOP code highlighted]
Please post me the error(s).
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#3 BigLou99
  • Topic Starter

  • Members
  • 53 posts

Posted 18 June 2012 - 09:47 AM

Thanks for the help Jason.
Booted to Normal mode; desktop icons displayed for approx 1 minute; got the BSOD but it has no text description as in the upper red box in your example.
Here is the Stop info:
0x0000008E (0xC0000005, 0x82A85759, 0xA651E91C, 0x00000000)

#4 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 18 June 2012 - 09:52 AM

BigLou99,

You're welcome, I'm glad I can help.

Please download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

- OR -

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Regards,
Jason

 


#5 BigLou99
  • Topic Starter

  • Members
  • 53 posts

Posted 18 June 2012 - 10:51 AM

Jason-
Booting from the hard drive and selecting Repair, I got a login for "Other User" only - I could not log on.
I booted from a Vista CD (the second option you listed) and was able to follow your instructions to run the scan.
Results below:
=============================================================

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 17-06-2012 02
Ran by SYSTEM at 18-06-2012 10:41:54
Running from J:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet002

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [iolo Startup] "C:\Program Files\iolo\Common\Lib\ioloLManager.exe" [x]
HKLM\...\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe [1016464 2011-09-08] (Carbonite, Inc.)
HKU\admin\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [460784 2007-03-15] (Gteko Ltd.)
HKU\Administrator\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [460784 2007-03-15] (Gteko Ltd.)
HKU\Default\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [460784 2007-03-15] (Gteko Ltd.)
HKU\Default User\...\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup [460784 2007-03-15] (Gteko Ltd.)
HKU\DONNA\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
HKU\DONNA\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-01-31] (Google Inc.)
HKU\DONNA\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [17351304 2011-10-13] (Skype Technologies S.A.)
HKU\DONNA\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\DONNA\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 75.75.76.76 75.75.75.75
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\DONNA\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

================================ Services (Whitelisted) ==================

2 CarboniteService; "C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe" [3908752 2011-09-08] (Carbonite, Inc. (www.carbonite.com))
3 DFSR; C:\Windows\System32\DFSR.exe [2091520 2008-01-18] (Microsoft Corporation)
3 DSBrokerService; "C:\Program Files\DellSupport\brkrsvc.exe" [70656 2007-03-19] ()
2 ehstart; C:\Windows\ehome\ehstart.dll [13312 2006-11-02] (Microsoft Corporation)
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
3 hkmsvc; C:\Windows\System32\kmsvc.dll [68096 2008-01-18] (Microsoft Corporation)
3 MatSvc; "C:\Program Files\Microsoft Fix it Center\Matsvc.exe" [267568 2011-06-13] (Microsoft Corporation)
2 NIS; "C:\Program Files\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe" /s "NIS" /m "C:\Program Files\Norton Internet Security\Engine\18.7.1.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)
2 RapiMgr; C:\Windows\WindowsMobile\rapimgr.dll [167936 2008-01-18] (Microsoft Corporation)
2 WcesComm; C:\Windows\WindowsMobile\wcescomm.dll [365568 2008-01-18] (Microsoft Corporation)
2 ioloSystemService; "C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe" [x]
4 U2VSvr; C:\Windows\system32\U2VSvr.exe [x]

========================== Drivers (Whitelisted) =============

1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20120507.001\BHDrvx86.sys [821880 2012-04-02] (Symantec Corporation)
3 DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [4736 2006-10-05] (Gteko Ltd.)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [374392 2012-02-04] (Symantec Corporation)
1 ElRawDisk; \??\C:\Windows\system32\drivers\ElRawDsk.sys [27080 2012-04-17] (EldoS Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106104 2012-02-04] (Symantec Corporation)
3 HSF_DPV; C:\Windows\System32\DRIVERS\HSX_DPV.sys [986624 2006-10-18] (Conexant Systems, Inc.)
3 HSXHWBS2; C:\Windows\System32\DRIVERS\HSXHWBS2.sys [258048 2006-10-18] (Conexant Systems, Inc.)
1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20120516.001\IDSvix86.sys [368248 2012-05-16] (Symantec Corporation)
4 iirsp; C:\Windows\system32\drivers\iirsp.sys [41576 2006-11-02] (Intel Corp./ICP vortex GmbH)
3 LVUVC; C:\Windows\System32\DRIVERS\lvuvc.sys [4333280 2011-04-01] (Logitech Inc.)
2 mdmxsdk; C:\Windows\System32\DRIVERS\mdmxsdk.sys [12672 2006-06-19] (Conexant)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20120516.017\NAVENG.SYS [87928 2012-05-17] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20120516.017\NAVEX15.SYS [1589752 2012-05-17] (Symantec Corporation)
3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-08] (Microsoft Corporation)
1 SRTSP; C:\Windows\System32\Drivers\NIS\1207010.003\SRTSP.SYS [516216 2011-03-30] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NIS\1207010.003\SRTSPX.SYS [50168 2011-03-30] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NIS\1207010.003\SYMDS.SYS [340088 2011-01-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NIS\1207010.003\SYMEFA.SYS [744568 2011-03-14] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [126584 2011-05-10] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NIS\1207010.003\Ironx86.SYS [136312 2011-01-26] (Symantec Corporation)
1 SYMTDIv; C:\Windows\System32\Drivers\NIS\1207010.003\SYMTDIV.SYS [331384 2011-04-20] (Symantec Corporation)
3 usb_rndisx; C:\Windows\System32\DRIVERS\usb8023x.sys [15872 2008-01-18] (Microsoft Corporation)
3 .afd; \? [x]
3 .dfsc; \? [x]
3 .tdx; \? [x]
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 catchme; \??\C:\Users\DONNA\AppData\Local\Temp\catchme.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 lvpopflt; C:\Windows\System32\DRIVERS\lvpopflt.sys [x]
3 LVRS; C:\Windows\System32\DRIVERS\lvrs.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
0 SMR250; C:\Windows\System32\drivers\SMR250.SYS [x]
3 T1PExGrp; C:\Windows\System32\DRIVERS\T1PExGrp.sys [x]
3 T1PMrGrp; C:\Windows\System32\DRIVERS\T1PMrGrp.sys [x]
3 t1pusb; C:\Windows\System32\drivers\t1pusb.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-18 06:35 - 2012-06-18 06:35 - 3689406464 __ASH C:\hiberfil.sys
2012-06-14 16:16 - 2012-06-14 16:16 - 00120858 ____A C:\TDSSKiller.2.7.39.0_14.06.2012_19.16.17_log.txt
2012-06-14 16:10 - 2012-06-14 16:11 - 00122142 ____A C:\TDSSKiller.2.7.39.0_14.06.2012_19.10.00_log.txt
2012-06-14 15:57 - 2012-06-14 15:57 - 00205072 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmcomm.sys
2012-06-14 08:21 - 2011-08-19 16:41 - 01172944 ____N C:\Users\DONNA\_iu14D2N.tmp
2012-06-13 06:56 - 2012-06-13 06:56 - 00000000 ____D C:\Program Files\7-Zip
2012-06-10 05:42 - 2012-06-10 05:42 - 00711240 ____A C:\Windows\is-6290G.exe
2012-06-10 05:42 - 2012-06-10 05:42 - 00010498 ____A C:\Windows\is-6290G.msg
2012-06-10 05:42 - 2012-06-10 05:42 - 00000424 ____A C:\Windows\is-6290G.lst
2012-06-08 06:56 - 2012-06-17 10:06 - 00889990 ____A C:\Windows\ntbtlog.txt
2012-05-24 15:25 - 2012-05-21 13:46 - 00607260 ____R (Swearware) C:\Users\DONNA\Desktop\dds.scr
2012-05-21 13:08 - 2012-05-21 13:08 - 00711240 ____A C:\Windows\is-H0FHF.exe
2012-05-21 13:08 - 2012-05-21 13:08 - 00010498 ____A C:\Windows\is-H0FHF.msg
2012-05-21 13:08 - 2012-05-21 13:08 - 00000412 ____A C:\Windows\is-H0FHF.lst
2012-05-21 13:05 - 2012-06-16 08:27 - 00000000 ____D C:\louis_util


============ 3 Months Modified Files and Folders ===============

2012-06-18 06:36 - 2010-05-13 20:23 - 00000000 ___HD C:\Users\DONNA\AppData\Roaming\Skype
2012-06-18 06:36 - 2010-03-23 21:18 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-06-18 06:36 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-18 06:35 - 2012-06-18 06:35 - 3689406464 __ASH C:\hiberfil.sys
2012-06-18 06:35 - 2012-05-18 05:15 - 268435456 __ASH C:\Windows\System32\temppf.sys
2012-06-17 20:51 - 2011-07-19 13:24 - 00001356 ____A C:\Users\DONNA\AppData\Local\d3d9caps.dat
2012-06-17 10:06 - 2012-06-08 06:56 - 00889990 ____A C:\Windows\ntbtlog.txt
2012-06-17 09:35 - 2011-06-15 22:12 - 00273408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys
2012-06-17 09:35 - 2011-06-15 22:12 - 00075264 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dfsc.sys
2012-06-17 09:35 - 2008-06-13 16:40 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdx.sys
2012-06-16 08:27 - 2012-05-21 13:05 - 00000000 ____D C:\louis_util
2012-06-16 08:21 - 2006-11-02 02:33 - 00707392 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-14 16:16 - 2012-06-14 16:16 - 00120858 ____A C:\TDSSKiller.2.7.39.0_14.06.2012_19.16.17_log.txt
2012-06-14 16:11 - 2012-06-14 16:10 - 00122142 ____A C:\TDSSKiller.2.7.39.0_14.06.2012_19.10.00_log.txt
2012-06-14 15:57 - 2012-06-14 15:57 - 00205072 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmcomm.sys
2012-06-14 15:50 - 2006-11-02 03:18 - 00000000 ____D C:\Windows
2012-06-14 08:24 - 2006-11-02 03:18 - 00000000 ___RD C:\Program Files
2012-06-14 08:21 - 2007-10-27 15:52 - 00000000 ____D C:\users\DONNA
2012-06-14 05:48 - 2012-01-28 07:32 - 00000010 ____A C:\Windows\System32\MTri1+.ini
2012-06-14 05:48 - 2007-11-24 07:25 - 00019536 ____A C:\Windows\DPINST.LOG
2012-06-13 06:56 - 2012-06-13 06:56 - 00000000 ____D C:\Program Files\7-Zip
2012-06-13 06:45 - 2012-04-08 14:43 - 00000000 ____D C:\Users\All Users\iolo
2012-06-13 06:41 - 2012-04-08 14:43 - 00000000 ____D C:\Users\DONNA\AppData\Roaming\iolo
2012-06-10 05:43 - 2012-04-01 14:15 - 00000000 ___HD C:\Program Files\Malwarebytes' Anti-Malware
2012-06-10 05:42 - 2012-06-10 05:42 - 00711240 ____A C:\Windows\is-6290G.exe
2012-06-10 05:42 - 2012-06-10 05:42 - 00010498 ____A C:\Windows\is-6290G.msg
2012-06-10 05:42 - 2012-06-10 05:42 - 00000424 ____A C:\Windows\is-6290G.lst
2012-06-09 07:03 - 2005-03-28 02:26 - 00000000 ____D C:\temporary
2012-06-08 15:03 - 2012-04-08 14:39 - 00000939 ____A C:\Users\DONNA\Desktop\BlueScreenView.cfg
2012-06-08 08:45 - 2012-04-01 05:03 - 00000000 ____D C:\Windows\pss
2012-06-08 06:30 - 2012-05-17 15:23 - 00451732 ____A C:\Windows\ntbtlog_060812.txt
2012-06-07 10:16 - 2012-04-08 08:43 - 00000586 ____A C:\Users\DONNA\Desktop\WhatInStartup.cfg
2012-05-24 15:17 - 2012-04-07 08:25 - 00000000 ____D C:\Program Files\HijackThis
2012-05-21 13:46 - 2012-05-24 15:25 - 00607260 ____R (Swearware) C:\Users\DONNA\Desktop\dds.scr
2012-05-21 13:08 - 2012-05-21 13:08 - 00711240 ____A C:\Windows\is-H0FHF.exe
2012-05-21 13:08 - 2012-05-21 13:08 - 00010498 ____A C:\Windows\is-H0FHF.msg
2012-05-21 13:08 - 2012-05-21 13:08 - 00000412 ____A C:\Windows\is-H0FHF.lst
2012-05-21 12:36 - 2012-04-22 17:00 - 00000000 ___SD C:\LouisCom_F_i_zx
2012-05-21 12:36 - 2010-01-17 14:39 - 00000000 ___HD C:\Users\DONNA\AppData\Local\CrashDumps
2012-05-21 12:36 - 2008-04-28 16:42 - 00000000 ___HD C:\Program Files\Mozilla Firefox
2012-05-21 12:36 - 2002-11-23 19:46 - 00000000 ____D C:\I386
2012-05-21 12:35 - 2010-04-17 15:12 - 00000000 ____D C:\Users\DONNA\Documents\My PERRLA Papers
2012-05-21 12:35 - 2009-01-28 04:43 - 00000000 ____D C:\Windows\Minidump
2012-05-20 15:32 - 2006-09-24 04:46 - 00000000 ____D C:\louis
2012-05-20 14:34 - 2006-11-02 03:18 - 00000000 ___SD C:\Windows\Downloaded Program Files
2012-05-20 14:15 - 2007-10-11 16:59 - 00000000 __SHD C:\System Volume Information
2012-05-18 05:12 - 2007-10-11 17:01 - 01824012 ____A C:\Windows\WindowsUpdate.log
2012-05-18 05:12 - 2006-11-02 05:01 - 00032656 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-18 05:12 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-05-18 05:12 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-05-18 05:01 - 2007-11-24 07:25 - 00000000 ___HD C:\Config.Msi
2012-05-18 05:01 - 2007-10-11 17:25 - 00000000 ___HD C:\Program Files\Microsoft Office
2012-05-17 21:18 - 2010-03-23 21:18 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-05-17 18:29 - 2012-04-09 08:37 - 00000000 ____D C:\Users\All Users\F4D56259000435DB000AB6BAEEC1FB6E
2012-05-17 15:34 - 2012-05-17 15:11 - 00000000 ____D C:\Users\DONNA\AppData\Local\NPE
2012-05-17 15:23 - 2007-10-12 00:50 - 4003012608 __ASH C:\pagefile.sys
2012-05-17 15:16 - 2012-05-17 15:15 - 14608581 ____A C:\Users\DONNA\AppData\Roaming\SMRBackup250.dat
2012-05-17 15:15 - 2009-12-15 20:35 - 00000000 ___HD C:\Users\All Users\Norton
2012-05-17 14:41 - 2007-10-11 17:30 - 00595938 ____A C:\Windows\PFRO.log
2012-05-17 06:00 - 2012-04-01 06:50 - 20300626 ____A C:\Windows\ntbtlog051712.txt
2012-05-15 17:35 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\tracing
2012-05-15 17:34 - 2006-11-02 03:18 - 00000000 ___HD C:\ProgramData
2012-05-15 15:54 - 2012-05-15 15:54 - 00000000 ___SD C:\LouisCom_F_i_zx27812L
2012-05-15 15:44 - 2012-05-15 15:44 - 00000000 ____D C:\Windows\System32\EventProviders
2012-05-15 15:34 - 2006-11-02 02:23 - 00000826 ____N C:\Windows\System32\Drivers\etc\hosts
2012-05-15 15:02 - 2012-05-15 15:02 - 00000000 ____D C:\Users\admin\AppData\Roaming\iolo
2012-04-22 17:09 - 2006-11-02 03:18 - 00000000 _SHDC C:\Windows\$NtUninstallKB35705$
2012-04-19 18:34 - 2012-04-19 18:34 - 00000000 ____D C:\Windows\ERDNT
2012-04-19 18:34 - 2012-04-19 18:32 - 00000000 ____D C:\Qoobox
2012-04-19 17:51 - 2011-12-22 06:36 - 00008192 ___AH C:\Users\DONNA\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-04-17 06:37 - 2012-04-08 14:45 - 02095816 ____A (iolo technologies, LLC) C:\Windows\System32\Incinerator32.dll
2012-04-17 05:25 - 2012-04-08 14:45 - 00027080 ____A (EldoS Corporation) C:\Windows\System32\Drivers\ElRawDsk.sys
2012-04-13 07:29 - 2008-09-11 14:16 - 00000000 ____D C:\PERRLA
2012-04-08 14:48 - 2012-04-08 14:48 - 00000000 ____D C:\Windows\System32\config\SM Registry Backup
2012-04-08 14:48 - 2012-04-08 14:48 - 00000000 ____D C:\Windows\System32\config\Before Compact
2012-04-08 14:45 - 2012-04-08 14:45 - 00000406 ____A C:\Windows\System32\ioloBootDefrag.cfg
2012-04-08 14:45 - 2012-04-08 14:45 - 00000000 ____D C:\Windows\System32\config\Original
2012-04-08 14:45 - 2006-11-02 04:37 - 00000000 ___HD C:\Program Files\Windows Sidebar
2012-04-08 14:45 - 2006-11-02 03:18 - 00000000 ___HD C:\Program Files\Common Files\microsoft shared
2012-04-08 14:43 - 2012-04-08 14:43 - 00074703 ____A C:\Windows\System32\mfc45.dll
2012-04-08 14:42 - 2012-04-08 14:42 - 18914168 ____A (iolo technologies, LLC ) C:\SystemMechanic.exe
2012-04-08 12:33 - 2012-04-08 12:33 - 00000000 _RASH C:\MSDOS.SYS
2012-04-08 12:33 - 2012-04-08 12:33 - 00000000 _RASH C:\IO.SYS
2012-04-07 08:25 - 2012-04-07 08:25 - 00251392 ____A C:\hijackthis_sfx.exe
2012-04-06 17:37 - 2007-11-22 10:17 - 00000534 ____A C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - DONNA.job
2012-04-06 16:14 - 2012-02-17 17:33 - 00000558 ____A C:\Windows\Tasks\Norton Security Scan for DONNA.job
2012-04-06 16:14 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\LogFiles
2012-04-06 13:27 - 2009-12-26 07:42 - 00000000 ____D C:\Windows\System32\Drivers\NIS
2012-04-04 12:56 - 2012-04-01 14:15 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-01 21:31 - 2010-05-14 22:37 - 00000000 ____A C:\Windows\System32\Drivers\lvuvc.hs
2012-04-01 18:02 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\rescache
2012-04-01 17:33 - 2008-07-21 19:15 - 00000000 ___HD C:\Users\All Users\Microsoft Help
2012-04-01 17:02 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini
2012-04-01 15:51 - 2011-06-24 21:26 - 00000000 ____D C:\Windows\MATS
2012-04-01 14:15 - 2012-04-01 14:15 - 00000000 ___HD C:\Users\DONNA\AppData\Roaming\Malwarebytes
2012-04-01 14:15 - 2012-04-01 14:15 - 00000000 ___HD C:\Users\All Users\Malwarebytes
2012-04-01 13:43 - 2006-11-02 04:47 - 00474360 ____A C:\Windows\System32\FNTCACHE.DAT
2012-04-01 06:44 - 2007-12-21 14:00 - 00000000 ____D C:\temp
2012-04-01 06:33 - 2009-08-22 14:30 - 00446892 ____A C:\Windows\ntbtlog_save.txt
2012-03-30 12:43 - 2012-03-30 12:43 - 00000928 ____A C:\{9A8152D7-DDDE-4A5D-A187-163E1CD2C149}
2012-03-29 17:38 - 2011-07-04 14:51 - 00000211 ____A C:\Users\DONNA\Desktop\Chamberlain College of Nursing.url
2012-03-26 16:07 - 2012-03-26 16:07 - 00016555 ____A C:\Windows\System32\hs_err_pid1124.log
2012-03-26 16:07 - 2012-03-26 16:07 - 00000000 ____D C:\Windows\Sun
2012-03-26 15:57 - 2011-05-24 16:21 - 00414368 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-03-26 15:26 - 2010-09-12 11:57 - 00000238 ____A C:\Users\DONNA\Desktop\Identify Synonyms, Identify Antonyms Thesaurus.com.url
2012-03-24 14:28 - 2010-06-29 15:23 - 00000000 ____D C:\Users\DONNA\AppData\Roaming\Canon
2012-03-22 15:56 - 2007-11-23 11:29 - 00000000 ____D C:\Users\DONNA\AppData\Roaming\Apple Computer


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2008-12-11 15:51] - [2008-10-28 22:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\System32\winlogon.exe
[2008-06-13 16:41] - [2008-01-18 23:33] - 0314880 ____A (Microsoft Corporation)

C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2008-06-13 16:41] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\User32.dll
[2008-06-13 16:41] - [2008-01-18 23:36] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2008-06-13 16:41] - [2008-01-18 23:42] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 12%
Total physical RAM: 4029.69 MB
Available physical RAM: 3522.78 MB
Total Pagefile: 3773.87 MB
Available Pagefile: 3596.18 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:288.05 GB) (Free:206.13 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:4.48 GB) NTFS
3 Drive e: (VISTA_32_PREMIUM) (CDROM) (Total:2.84 GB) (Free:0 GB) CDFS
8 Drive j: (Lexar) (Removable) (Total:1.87 GB) (Free:1.63 GB) FAT
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 1142 KB
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 Online 1912 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 32 KB
Partition 2 Primary 10 GB 40 MB
Partition 3 Primary 288 GB 10 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 8 FAT Partition 39 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 D RECOVERY NTFS Partition 10 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 C OS NTFS Partition 288 GB Healthy

======================================================================================================

Partitions of Disk 5:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1912 MB 16 KB

======================================================================================================

Disk: 5
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 J Lexar FAT Removable 1912 MB Healthy

======================================================================================================
==========================================================
TDL4: custom:26000022 <===== ATTENTION!


==========================================================

Last Boot: 2012-05-17 15:40

======================= End Of Log ==========================

#6 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 18 June 2012 - 12:07 PM

BigLou99,

Great work so far. :thumbup2:

On your clean computer, open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

HKLM\...\Run: []
4 U2VSvr; C:\Windows\system32\U2VSvr.exe
3 .afd; \?
3 .dfsc; \?
3 .tdx; \?
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys
3 lvpopflt; C:\Windows\System32\DRIVERS\lvpopflt.sys
3 LVRS; C:\Windows\System32\DRIVERS\lvrs.sys
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys
0 SMR250; C:\Windows\System32\drivers\SMR250.SYS
3 T1PExGrp; C:\Windows\System32\DRIVERS\T1PExGrp.sys
3 T1PMrGrp; C:\Windows\System32\DRIVERS\T1PMrGrp.sys
3 t1pusb; C:\Windows\System32\drivers\t1pusb.sys
TDL4: custom:26000022

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Please enter System Recovery Options, as we did previously.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#7 BigLou99

BigLou99
  • Topic Starter

  • Members
  • 53 posts

Posted 18 June 2012 - 01:08 PM

Jason -
here is the log file:
==================================================

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 17-06-2012 02
Ran by SYSTEM at 2012-06-18 13:04:18 Run:1
Running from J:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
U2VSvr service deleted successfully.
.afd service deleted successfully.
.dfsc service deleted successfully.
.tdx service deleted successfully.
blbdrive service deleted successfully.
IpInIp service deleted successfully.
lvpopflt service deleted successfully.
LVRS service deleted successfully.
NwlnkFlt service deleted successfully.
NwlnkFwd service deleted successfully.
SMR250 service deleted successfully.
T1PExGrp service deleted successfully.
T1PMrGrp service deleted successfully.
t1pusb service deleted successfully.

The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

#8 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 18 June 2012 - 02:38 PM

BigLou99,

Please try starting your computer normally.

If you can start your computer, please download Combofix from one of these links. If you can't start your computer normally, please let me know what happens.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<
3. Double click on combofix.exe & follow the prompts.

Important:
  • Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

In your next reply, please include:
  • Combofix log
  • How is your computer running now? Please be as descriptive as possible. Include any word-for-word error messages that you may have, and/or screenshots of strange behavior.

Regards,
Jason

 



#9 BigLou99

BigLou99
  • Topic Starter

  • Members
  • 53 posts

Posted 18 June 2012 - 07:22 PM

Jason-
System booted in Normal Mode with no BSOD (WOW !!!).
Combofix found and fixed Rootkit.zeroaccess; it created a log.txt file and combofix.txt (which it will not let me open).
I copied both to my flash drive and have attached them to this post.
It appeared that Internet access had been restored (there was now a small globe on the tray icon of the 2 screens). When I clicked on Internet Explorer - nothing happened. I typed "cmd" in the search box and got an error about registry keys. I decided to reboot - the system now is caught in an "infinite loop" - it displays "configuring updates Step 3 of 3 0% complete" - "shutting down" - this just repeats continuously. I turned it off. Looks like we are close!


ComboFix 12-06-16.02 - DONNA 06/18/2012 18:02:43.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3518.2790 [GMT -5:00]
Running from: c:\users\DONNA\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\admin\WINDOWS
c:\users\Administrator\WINDOWS
c:\users\DONNA\_iu14D2N.tmp
c:\users\DONNA\AppData\Roaming\Mozilla\Firefox\Profiles\bh4iloqf.default\searchplugins\bing-zugo.xml
c:\users\DONNA\WINDOWS
c:\users\Public\RemoveSGP0.exe
c:\windows\$NtUninstallKB35705$
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\zip32.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-05-18 to 2012-06-18 )))))))))))))))))))))))))))))))
.
.
2012-06-18 23:10 . 2012-06-18 23:14 -------- d-----w- c:\users\DONNA\AppData\Local\temp
2012-06-18 23:10 . 2012-06-18 23:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-18 23:10 . 2012-06-18 23:10 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-06-18 23:10 . 2012-06-18 23:10 -------- d-----w- c:\users\admin\AppData\Local\temp
2012-06-18 18:41 . 2012-06-18 18:42 -------- d-----w- C:\FRST
2012-06-14 23:57 . 2012-06-14 23:57 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-06-13 14:56 . 2012-06-13 14:56 -------- d-----w- c:\program files\7-Zip
2012-06-10 13:42 . 2012-06-10 13:42 711240 ----a-w- c:\windows\is-6290G.exe
2012-05-21 21:08 . 2012-05-21 21:08 711240 ----a-w- c:\windows\is-H0FHF.exe
2012-05-21 21:05 . 2012-06-16 16:27 -------- d-----w- C:\louis_util
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-17 17:35 . 2011-06-16 06:12 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2012-06-17 17:35 . 2011-06-16 06:12 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2012-06-17 17:35 . 2008-06-14 00:40 71680 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-04-17 14:37 . 2012-04-08 22:45 2095816 ----a-w- c:\windows\system32\Incinerator32.dll
2012-04-17 13:25 . 2012-04-08 22:45 27080 ----a-w- c:\windows\system32\drivers\ElRawDsk.sys
2012-04-08 22:43 . 2012-04-08 22:43 74703 ----a-w- c:\windows\system32\mfc45.dll
2012-04-08 22:42 . 2012-04-08 22:42 18914168 ----a-w- C:\SystemMechanic.exe
2012-04-07 16:25 . 2012-04-07 16:25 251392 ----a-w- C:\hijackthis_sfx.exe
2012-04-04 20:56 . 2012-04-01 22:15 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-26 23:57 . 2011-05-25 00:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-09-08 23:05 881808 ---ha-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-09-08 23:05 881808 ---ha-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-09-08 23:05 881808 ---ha-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-02-01 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-09-08 1016464]
.
c:\users\DONNA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-11 50688]
HP Digital Imaging Monitor.lnk - c:\program files\hp\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^DONNA^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\DONNA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 16:07 843712 ---ha-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 04:51 37296 ---ha-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-10-06 07:52 59240 ---ha-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 02:28 59240 ---ha-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-07-30 19:40 16384 ---ha-w- c:\dell\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ---ha-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 23:36 30040 ---ha-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 03:52 49152 ---ha-w- c:\program files\hp\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2008-06-10 19:56 1406024 ---ha-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-10-03 16:35 221184 ---ha-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 16:37 81920 ---ha-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-07 00:05 421736 ---ha-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileDocuments]
2012-02-23 17:30 59240 ---ha-w- c:\program files\Common Files\Apple\Internet Services\ubd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 20:28 421888 ---ha-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-03-15 13:32 4390912 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-10-13 15:27 17351304 ---ha-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ---ha-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-02-01 02:55 39408 ---ha-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-01-09 23:57 296056 ---ha-w- c:\program files\real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2010-03-12 23:41 762736 ----a-w- c:\windows\vVX3000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2006-11-02 09:45 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - TDX
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 05:18]
.
2012-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 05:18]
.
2012-04-07 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - DONNA.job
- c:\program files\Norton Internet Security\Engine\18.7.1.3\navw32.exe [2012-04-03 22:38]
.
2012-04-07 c:\windows\Tasks\Norton Security Scan for DONNA.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2012-02-18 01:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: chamberlain.edu\hub
Trusted Zone: devry.edu\my
TCP: DhcpNameServer = 192.168.1.1 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\DONNA\AppData\Roaming\Mozilla\Firefox\Profiles\bh4iloqf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2559647&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=Z015&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z015&form=ZGAADF&q=
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Coupons.com Community Toolbar: {37153479-1976-43c3-a1ee-557513977b64} - %profile%\extensions\{37153479-1976-43c3-a1ee-557513977b64}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Symantec Intrusion Prevention: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\IPSFFPlgn
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{795828A9-F271-43A8-8536-4484BB991D3D} - (no file)
WebBrowser-{37153479-1976-43C3-A1EE-557513977B64} - (no file)
HKLM-Run-iolo Startup - c:\program files\iolo\Common\Lib\ioloLManager.exe
MSConfigStartUp-23C3F5C0 - c:\users\donna\appdata\local\micros~1\windows\tempor~1\content.ie5\x2dfbwdw\speedu~1.exe
MSConfigStartUp-AmdAgent - c:\windows\Temp\temp68.exe
MSConfigStartUp-CGWGCnHLqP - c:\programdata\CGWGCnHLqP.exe
MSConfigStartUp-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
MSConfigStartUp-iolo Startup - c:\program files\iolo\Common\Lib\ioloLManager.exe
MSConfigStartUp-Util - c:\windows\system32\Util.exe
AddRemove-{55FD1D5A-7AEF-4DA3-8FAF-A71B2A52FFC7}_is1 - c:\program files\iolo\System Mechanic\unins000.exe
AddRemove-{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}_is1 - c:\program files\AppGraffiti\unins000.exe
AddRemove-{81C5AD1D-C7C6-48AC-AC85-8F04293B1780} - c:\program files\InstallShield Installation Information\{81C5AD1D-C7C6-48AC-AC85-8F04293B1780}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-18 18:13
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.1.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a4,b8,47,fe,50,c4,1a,41,84,66,66,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a4,b8,47,fe,50,c4,1a,41,84,66,66,\
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.HTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.HTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.URL"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1892)
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe
c:\windows\system32\DllHost.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Google\Update\Install\{5720F13C-6375-41CA-AEF0-905F701244B4}\chrome_installer.exe
c:\windows\TEMP\CR_AA971.tmp\setup.exe
.
**************************************************************************
.
Completion time: 2012-06-18 18:33:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-18 23:33
.
Pre-Run: 219,565,568,000 bytes free
Post-Run: 221,127,598,080 bytes free
.
- - End Of File - - 15E2336235BAFBE41BCE13FE27D60944



Edited by jntkwx, 19 June 2012 - 07:27 AM.
Included log in post (easier to read)
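A first triage pass over the startup and Security Center sections of the ComboFix log above, as an added example that is not part of the original post, of ComboFix or of BleepingComputer. The sample lines are copied in shape from the log, and the rules (images in temporary directories, executables dropped directly into ProgramData or AppData\Local, images under the LocalSystem profile, random-looking entry names, Security Center overrides) and their wording are illustrative assumptions, not ComboFix's own logic.

```python
"""Triage helper for ComboFix startup/Security Center sections (added example, illustrative rules)."""
import re
from dataclasses import dataclass

# Constructed sample: entries copied in shape from the log above; paths are only strings here.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 16:07 843712 ---ha-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-iolo Startup - c:\program files\iolo\Common\Lib\ioloLManager.exe
MSConfigStartUp-23C3F5C0 - c:\users\donna\appdata\local\micros~1\windows\tempor~1\content.ie5\x2dfbwdw\speedu~1.exe
MSConfigStartUp-AmdAgent - c:\windows\Temp\temp68.exe
MSConfigStartUp-CGWGCnHLqP - c:\programdata\CGWGCnHLqP.exe
MSConfigStartUp-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
MSConfigStartUp-Util - c:\windows\system32\Util.exe
"""

# Line shapes used in these sections (assumed from the log above).
STARTUPREG_KEY = re.compile(r"^\[.*\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$")
IMAGE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (?P<path>.+)$")
ORPHAN_LINE = re.compile(r"^(?:HKLM-Run|MSConfigStartUp)-(?P<name>.+?) - (?P<path>.+)$")
SECCENTER_VALUE = re.compile(
    r'^"(?P<value>AntiVirusOverride|FirewallOverride|DisableMonitoring)"=dword:(?P<data>[0-9a-fA-F]{8})$')

R_TEMP = "autostart image lives in a temporary directory"
R_DROPPED = "executable sits directly in ProgramData or AppData\\Local with no vendor folder"
R_SYSPROFILE = "image under the LocalSystem service profile, not a place user software starts from"
R_RANDOM = "random-looking entry name (hex-only or vowel-free)"
R_SECCENTER = ("Security Center monitoring suppressed; expected when a third-party suite "
               "such as Norton registers itself, otherwise a tampering indicator")

@dataclass
class Finding:
    name: str    # registry value / orphan entry name
    path: str    # image path as printed in the log ("" for registry-only findings)
    reason: str

def path_reasons(path):
    """Location-based heuristics over the image path (case-insensitive)."""
    p = path.lower()
    reasons = []
    if re.search(r"\\temp\\|\\tempor~1\\|temporary internet files", p):
        reasons.append(R_TEMP)
    if re.fullmatch(r"c:\\programdata\\[^\\]+\.exe", p) or re.search(r"\\appdata\\local\\[^\\]+\.exe$", p):
        reasons.append(R_DROPPED)
    if "\\config\\systemprofile\\" in p:
        reasons.append(R_SYSPROFILE)
    return reasons

def looks_random(name):
    """Hex-only or vowel-free names of 8+ characters, the kind droppers generate."""
    n = name.strip()
    if len(n) < 8:
        return False
    if re.fullmatch(r"[0-9A-Fa-f]+", n):
        return True
    letters = [c for c in n if c.isalpha()]
    return bool(letters) and not any(c in "aeiouyAEIOUY" for c in letters)

def parse_entries(log_text):
    """Yield (name, image_path) for startupreg entries and removed orphans."""
    pending = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := STARTUPREG_KEY.match(line)):
            pending = m.group("name")          # the image path follows on the next line
        elif pending and (m := IMAGE_LINE.match(line)):
            yield pending, m.group("path")
            pending = None
        elif (m := ORPHAN_LINE.match(line)):
            yield m.group("name"), m.group("path")

def security_center_flags(log_text):
    """Names of Security Center override/monitoring values set to a non-zero dword."""
    return [m.group("value") for raw in log_text.splitlines()
            if (m := SECCENTER_VALUE.match(raw.strip())) and int(m.group("data"), 16) != 0]

def triage(log_text):
    """One Finding per (entry, reason); clean entries such as Adobe ARM produce none."""
    findings = []
    for name, path in parse_entries(log_text):
        reasons = path_reasons(path)
        if looks_random(name):
            reasons.append(R_RANDOM)
        findings.extend(Finding(name, path, r) for r in reasons)
    findings.extend(Finding(v, "", R_SECCENTER) for v in security_center_flags(log_text))
    return findings
```

Calling triage(SAMPLE_LOG) flags the four MSConfigStartUp orphans in temp, ProgramData and systemprofile locations plus the three Security Center values, and leaves Adobe ARM, iolo and Util.exe unflagged; an entry these rules do not flag still needs a manual lookup.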


#10 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 19 June 2012 - 07:37 AM

BigLou99,

Try this...

With the Windows CD, boot into the Recovery Options (as we've done previously.)
Select the Command Prompt.

Type in:

C: (or whichever directory your system files are located, it may not be C. Let me know if you have any questions figuring out which drive letter is correct.)

Press Enter.

Type in:

cd windows/winsxs

Press Enter.

Type in:

del pending.xml


Press Enter, then type in Exit and try rebooting your computer normally.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#11 BigLou99

BigLou99
  • Topic Starter
  • Members
  • 53 posts

Posted 19 June 2012 - 09:45 AM

Jason-
You are a genius my friend !!
The system is running in Normal Mode, no problems seen after about 30 minutes. I have updated Norton and deleted some old software with no problem. There are a lot of missing items in the Program Menu (ie: all MS Office menu items are missing) but I can live with that.
I plan to find and run the tool that checks for problems before the install of Vista SP2 - pending that result, I will upgrade to SP2 - unless you advise otherwise.
Where can I make a donation to you and/or Bleeping Computer - I really appreciate what you have done.
Thanks,
Louis

#12 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 19 June 2012 - 07:27 PM

BigLou99,

I'm glad I could help. See my signature for a donation link.

Is it just Microsoft Office icons missing?


Step 1: Malwarebytes
Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Step 2: ESET
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


In your next reply, please include:
  • Malwarebytes log
  • ESET log
  • Copy and paste the contents of C:\Qoobox\Add-Remove Programs.txt

Regards,
Jason

 



#13 BigLou99

BigLou99
  • Topic Starter
  • Members
  • 53 posts

Posted 20 June 2012 - 07:19 PM

Jason-
The MS icons are not missing. It is the sub-menu items in the Program menu. For example, if you click: Start, All Programs, Microsoft Office - there are no menu items under MS Office - it should have Excel, Word, etc.

The log files you requested are attached. Looks like 5 items were processed by Eset.
Many thanks again.

 


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.20.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
DONNA :: DONNA-PC [administrator]

6/20/2012 1:12:04 PM
mbam-log-2012-06-20 (13-12-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 253705
Time elapsed: 19 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



C:\My Documents\My Received Files\santafree.exe multiple threats deleted - quarantined
C:\Program Files\Uniblue\RegistryBooster 2010\Launcher.exe a variant of Win32/RegistryBooster application cleaned by deleting - quarantined
C:\Program Files\Uniblue\RegistryBooster 2010\registrybooster.exe Win32/RegistryBooster application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\afd.sys.vir a variant of Win32/Rootkit.Kryptik.KR trojan cleaned by deleting - quarantined
C:\Users\DONNA\Downloads\Documents\My Received Files\santafree.exe multiple threats deleted - quarantined



Update for Microsoft Office 2007 (KB2508958)
32 Bit HP CIO Components Installer
Adobe AIR
Adobe Digital Editions
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.0
Adobe Shockwave Player 11.5
American Greetings CreataCard Select 6
APA PERRLA
AppGraffiti
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
BufferChm
CanoScan Toolbox Ver4.1
Carbonite
Centra Client
Compatibility Pack for the 2007 Office system
Conexant D850 PCI V.92 Modem
CustomerResearchQFolder
D6100_D7100_D7300_Help
D7100
Dell DataSafe Online
Dell System Customization Wizard
DellSupport
Destinations
DeviceManagementQFolder
Digital Line Detect
eSupportQFolder
EZ Calendar (remove only)
Fonts
Frontline Systems Premium Solver Platform V8.0
Frontline Systems Risk Solver Engine V8.0
Games, Music, & Photos Launcher
Garmin City Navigator North America NT 2010.40
Garmin Communicator Plugin
Garmin USB Drivers
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Participation Program 8.0
HP Deskjet & Photosmart Printer Driver Software 8.0.A
HP Imaging Device Functions 8.0
HP Photosmart Essential
HP Solution Center 8.0
HPProductAssistant
HPSSupply
iCloud
iolo technologies' System Mechanic
iTunes
Java Auto Updater
Java™ 6 Update 23
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6
Malwarebytes Anti-Malware version 1.60.1.1000
MarketResearch
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Corporation
Microsoft Fix it Center
Microsoft IntelliPoint 6.3
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Microsoft Works
MobileMe Control Panel
Modem Diagnostic Tool
Mozilla Firefox (3.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyScribe
Netflix Movie Viewer
NetWaiting
Network Recording Player
Norton Internet Security
Norton Security Scan
NVIDIA Drivers
NVIDIANetworkDiagnostic
OGA Notifier 2.0.0048.0
OpenOffice.org Installer 1.0
PERRLA
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
SF_CDA_ProductContext
SF_CDA_Software
Skype Click to Call
Skype™ 5.5
Snagit 9.1.3
SolutionCenter
Sonic Activation Module
Status
Toolbox
TrayApp
Uniblue DriverScanner 2009
Uniblue RegistryBooster 2010
Uniblue System Tweaker
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2597970) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
USB Display Device (Trigger 1+) 9.03.0401.0159
Visual C++ 8.0 ATL (x86) WinSXS MSM
Visual C++ 8.0 CRT (x86) WinSXS MSM
WebEx
WebReg
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Live ID Sign-in Assistant
WinZip 14.0
Word Whomp To Go



Edited by jntkwx, 20 June 2012 - 09:34 PM.
Included logs in post (easier to read)


#14 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 20 June 2012 - 09:49 PM

The MS icons are not missing. It is the sub-menu items in the Program menu. For example, if you click: Start, All Programs, Microsoft Office - there are no menu items under MS Office - it should have Excel, Word, etc.


That's strange. The easiest way to fix this is to insert your Office CD/DVD (if you have it, of course), and select the Repair option. If you don't have the CD/DVD, you may be able to restore the icons by going into the Control Panel, Programs and Features, and select Microsoft Office. Click on the Change button, and select Repair. Let me know if you have any questions.

Your computer looks clean! How is it running now?

Let's take some preventative steps to ensure you don't get infected again:


Step 1: Uninstall Combofix
Hold down the Windows key and press the R key.
In the Run window, type the following bolded text and click OK:

Combofix.exe /Uninstall

Step 2: Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Step 3: Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
    64-bit OS users, should read: Which Java download should I choose for my 64-bit Windows operating system?
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u5-windows-i586.exe (or jre-7u5-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered any unwanted software or toolbars during installation, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

Step 4: Like Java, outdated versions of Adobe Flash, Adobe Reader, Adobe Air, Adobe Shockwave and Mozilla Firefox have vulnerabilities that malware can use to reinfect your computer. Please update to the latest, secure versions of each:

Step 5: Make Internet Explorer more secure:
Hold down the Windows Key, and press the R key.
In the Run Dialog box, type: inetcpl.cpl & click OK
Click on the Security tab,
Click Reset all zones to default level
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

Step 6: Install the Latest Version of Common Software:
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting http://secunia.com/vulnerability_scanning/online/ and http://www.calendarofupdates.com/updates/calendar.html.

I recommend FileHippo's update checker that scans your computer for programs it recognizes and allows you to easily download new versions of common software: http://filehippo.com/updatechecker/UpdateChecker.exe

Step 7: Finally, read this tutorial and follow each of the steps:
http://www.bleepingcomputer.com/tutorials/tutorial82.html

Again, I'm glad I could help you fix your computer. Please feel free to post any future computer problems in the appropriate forum. Have a great day!
Regards,
Jason

 



#15 BigLou99

BigLou99
  • Topic Starter
  • Members
  • 53 posts

Posted 21 June 2012 - 11:52 AM

Jason-
A problem has returned: no Internet Access
I performed steps above with these exceptions:
* the OTClean would not run - Norton thinks it is a risk and deletes it after download
* I did not check the "common software" in step 6

I tried to run the Diagnose and Repair for the Internet connection and get a message that DHCP is not running (like before :-( )
Summary: the system was doing great until this last round of "cleanup".
Not sure what to do next.

Thanks,
Louis



