
Hacktoo.rootkit


  • This topic is locked
16 replies to this topic

#1 demo18c

demo18c

  • Members
  • 12 posts

Posted 22 July 2012 - 10:05 AM

Norton says it was blocked but still getting internet reroutes

DDS

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 9.0.8112.16421
Run by rashad at 10:58:03 on 2012-07-22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4086.2640 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\rashad\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=crossfire&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=crossfire&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=crossfire&pf=cndt
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\PROGRA~2\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO: ooVoo toolbar, powered by Ask.com: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
TB: ooVoo toolbar, powered by Ask.com: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [HPSmartCenterBoot] C:\Program Files (x86)\Hewlett-Packard\TouchSmart\SmartCenter 2.0\SmartCenter.exe
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [ooVoo.exe] C:\Program Files (x86)\ooVoo\oovoo.exe /minimized
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [OsdMaestro] c:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD64.exe
mRun: [HP KEYBOARD V1.4.7] "C:\Program Files (x86)\Hewlett-Packard\HP KEYBOARD\HPKEYBOARD.EXE"
mRun: [SoundMAX] "C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe" /tray
mRun: [Buttons & OSDs control application gen2] "C:\Program Files (x86)\HP\Buttons & OSDs control application gen2\MediaButtons.exe"
mRun: [TSMAgent] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [ccApp] "c:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun: [PWRISOVM.EXE] "C:\Program Files (x86)\PowerISO\PWRISOVM.EXE"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
mRun: [tvncontrol] "C:\Program Files (x86)\TightVNC\tvnserver.exe" -controlservice -slave
mRun: [YouCam Service] "C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe" /s
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\rashad\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\rashad\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 1 (0x1)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{47BAE531-4A18-4C75-8B53-A2467ABF9FB8} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5102F710-4F18-47AA-907E-45F5D47F0F5B} : DhcpNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
BHO-X64: NCO 2.0 IE BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~2\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
BHO-X64: BitTorrentBar - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: ooVoo toolbar, powered by Ask.com: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB-X64: Show Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
TB-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\prxtbBitT.dll
TB-X64: ooVoo toolbar, powered by Ask.com: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mRun-x64: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun-x64: [OsdMaestro] c:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD64.exe
mRun-x64: [HP KEYBOARD V1.4.7] "C:\Program Files (x86)\Hewlett-Packard\HP KEYBOARD\HPKEYBOARD.EXE"
mRun-x64: [SoundMAX] "C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe" /tray
mRun-x64: [Buttons & OSDs control application gen2] "C:\Program Files (x86)\HP\Buttons & OSDs control application gen2\MediaButtons.exe"
mRun-x64: [TSMAgent] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun-x64: [CLMLServer for HP TouchSmart] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [ccApp] "c:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun-x64: [(Default)]
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun-x64: [PWRISOVM.EXE] "C:\Program Files (x86)\PowerISO\PWRISOVM.EXE"
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
mRun-x64: [tvncontrol] "C:\Program Files (x86)\TightVNC\tvnserver.exe" -controlservice -slave
mRun-x64: [YouCam Service] "C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe" /s
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\rashad\AppData\Roaming\Mozilla\Firefox\Profiles\kkl0y6q1.default\
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
.
============= SERVICES / DRIVERS ===============
.
R3 ACPIService;Buttons and OSDs ACPI driver gen2;C:\Windows\system32\DRIVERS\OSDACPI.SYS --> C:\Windows\system32\DRIVERS\OSDACPI.SYS [?]
R3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
S1 IDSvia64;Symantec Intrusion Prevention Driver;C:\PROGRA~3\Symantec\DEFINI~1\SymcData\ipsdefs\20120614.001\IDSvia64.sys [2012-6-14 383096]
S2 CalendarSynchService;CalendarSynchService;C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [2008-5-6 21368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-5-21 116648]
S2 HP Touch Screen Enhance;HP Touch Screen Enhance;C:\Program Files (x86)\Hewlett-Packard\HP Touch Screen Enhance Service\HPTSEnSrv.EXE [2008-4-26 100864]
S2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [2008-2-6 149864]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-21 655944]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-4-5 158856]
S2 tvnserver;TightVNC Server;C:\Program Files (x86)\TightVNC\tvnserver.exe [2011-8-3 828944]
S2 WysePocketCloud;Wyse PocketCloud;C:\Program Files (x86)\Wyse\PocketCloud Windows Companion\PocketCloudService.exe [2012-3-20 175520]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-24 253088]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]
S3 COH_Mon;COH_Mon;\??\C:\Windows\system32\Drivers\COH_Mon.sys --> C:\Windows\system32\Drivers\COH_Mon.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-6-1 138912]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-5-21 116648]
S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-1-21 30963576]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-7-21 113120]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PerfHost;Performance Counter DLL Host;C:\WINDOWS\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 Symantec Core LC;Symantec Core LC;C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2008-8-20 1245064]
S3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS --> C:\Windows\system32\Drivers\SYMNDISV.SYS [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2012-5-11 89920]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-07-22 12:22:27 -------- d-----w- C:\Program Files (x86)\ESET
2012-07-21 18:31:02 -------- d-----w- C:\Users\rashad\AppData\Roaming\Malwarebytes
2012-07-21 18:30:53 -------- d-----w- C:\ProgramData\Malwarebytes
2012-07-21 18:30:52 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-07-21 18:30:52 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-21 15:08:03 -------- d-----w- C:\Users\rashad\AppData\Local\Mozilla
2012-07-17 09:25:27 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C676D760-C885-4134-96D8-FCB0DA0C4A24}\mpengine.dll
2012-07-12 11:55:05 -------- d-----w- C:\Users\rashad\AppData\Roaming\Downloaded Installations
2012-07-12 07:00:51 2769408 ----a-w- C:\Windows\System32\win32k.sys
2012-07-12 04:49:34 -------- d-----w- C:\Users\rashad\AppData\Roaming\ooVoo Details
2012-07-12 00:56:58 -------- d-----w- C:\Program Files (x86)\Ask.com
2012-07-12 00:56:07 -------- d-----w- C:\Program Files (x86)\ooVoo
.
==================== Find3M ====================
.
2012-06-05 16:47:28 1401856 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-05 16:47:27 1248768 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-05 16:22:47 1797120 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-05 16:22:46 1869824 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-04 15:29:59 516480 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 22:12:13 88576 ----a-w- C:\Windows\SysWow64\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 19:19:42 171904 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 19:12:20 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-02 00:22:56 347136 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 00:22:10 254464 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 00:05:11 77312 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 00:04:25 278528 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 00:03:42 204288 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-05-31 16:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-05-11 21:09:57 979456 ----a-w- C:\Windows\SysWow64\MFH264Dec.dll
2012-05-11 21:06:31 449024 ----a-w- C:\Windows\System32\WMPhoto.dll
2012-05-01 14:29:44 209920 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-04-24 14:00:53 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-24 14:00:53 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-04-23 16:30:04 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-04-23 16:25:30 174592 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-04-23 16:25:30 132096 ----a-w- C:\Windows\System32\cryptnet.dll
2012-04-23 16:25:30 1267200 ----a-w- C:\Windows\System32\crypt32.dll
2012-04-23 16:00:53 984064 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-04-23 16:00:53 98304 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-04-23 16:00:53 133120 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
.
============= FINISH: 10:59:02.80 ===============

#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,182 posts
  • Gender:Male
  • Location:California

Posted 22 July 2012 - 01:55 PM

Greetings demo18c and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you!


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started.

===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

I would like you to post back with some additional information. Please do the following:


===================================================


Posting Previous Malwarebytes Log

--------------------

  • Launch Malwarebytes
  • Select the Logs tab
  • Highlight the last scan entry, select Open, and a Notepad document will open on your desktop
  • Copy and paste the contents of the document in your reply

===================================================


ESET Online Scanner Log

--------------------

  • Please navigate to the below listed file location

    C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Double click log.txt and a Notepad document will open
  • Copy and paste that information into your reply

===================================================


Locating and Posting Attach.txt in Windows 7/Vista

--------------------

  • Using Windows Explorer please navigate to the following location (*user* is your computer user name)

    C:\Users\*username*\AppData\Temp\Attach.txt
  • Double click on the file
  • Copy and paste the contents into your reply

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • MBAM log
  • ESET log
  • Attach.txt

While you are working on that I will be reviewing the information you have already posted.

Edited by Oh My, 22 July 2012 - 02:03 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 demo18c

demo18c
  • Topic Starter

  • Members
  • 12 posts

Posted 22 July 2012 - 06:25 PM

ESET

C:\WINDOWS\Installer\{2a2511ef-a75e-ff2a-a0df-c6cc1174c08b}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\WINDOWS\Installer\{2a2511ef-a75e-ff2a-a0df-c6cc1174c08b}\U\80000000.@ Win64/Sirefef.AE trojan cleaned by deleting - quarantined
C:\WINDOWS\Installer\{2a2511ef-a75e-ff2a-a0df-c6cc1174c08b}\U\80000032.@ a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
Operating memory multiple threats


MALWAREBYTES

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.22.10

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
rashad :: RASHAD-PC [administrator]

Protection: Disabled

7/22/2012 5:59:51 PM
mbam-log-2012-07-22 (19-22-03).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 378066
Time elapsed: 1 hour(s), 17 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\$Recycle.Bin\S-1-5-21-2960534040-1311129878-4184310660-1000\$RBHA2DW.@ (Trojan.Dropper.BCMiner) -> No action taken.
C:\WINDOWS\Installer\{2a2511ef-a75e-ff2a-a0df-c6cc1174c08b}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.

(end)


The ATTACH.txt is not on my computer. It says it doesn't exist.

#4 demo18c

demo18c
  • Topic Starter

  • Members
  • 12 posts

Posted 22 July 2012 - 06:27 PM

Right when I hit Submit Reply, a page opened up and routed to a website.

#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,182 posts
  • Gender:Male
  • Location:California

Posted 22 July 2012 - 06:31 PM

Greetings demo18c,

Please rerun DDS and post the Attach.txt log for me.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 demo18c

demo18c
  • Topic Starter

  • Members
  • 12 posts

Posted 23 July 2012 - 07:53 AM

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 4/22/2012 8:18:12 PM
System Uptime: 7/23/2012 8:39:32 AM (0 hours ago)
.
Motherboard: PEGATRON CORPORATION. | | EVE
Processor: Intel® Core™2 Duo CPU T5750 @ 2.00GHz | CPU 1 | 2000/167mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 286 GiB total, 152.975 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 1.564 GiB free.
E: is CDROM (CDFS)
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {36fc9e60-c465-11cf-8056-444553540000}
Description: eHome Infrared Receiver (USBCIR)
Device ID: USB\VID_1934&PID_0602\88636562727802
Manufacturer: Microsoft
Name: eHome Infrared Receiver (USBCIR)
PNP Device ID: USB\VID_1934&PID_0602\88636562727802
Service: usbcir
.
Class GUID: {4d36e97d-e325-11ce-bfc1-08002be10318}
Description: Consumer IR Devices
Device ID: ROOT\SYSTEM\0001
Manufacturer: Microsoft
Name: Consumer IR Devices
PNP Device ID: ROOT\SYSTEM\0001
Service: circlass
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Adobe Reader 8.1.2
AppCore
Apple Application Support
Apple Software Update
Ask Toolbar
AVS Screen Capture version 2.0.1
AVS Update Manager 1.0
AVS Video Editor 6
AVS Video Recorder 2.4
AVS4YOU Software Navigator 1.4
BitTorrent
BitTorrentBar Toolbar
Buttons & OSDs control application gen2
ccCommon
Compatibility Pack for the 2007 Office system
Component Framework
CyberLink DVD Suite Deluxe
CyberLink PowerDirector
CyberLink YouCam 5
DirectX for Managed Code Update (Summer 2004)
Dropbox
ESET Online Scanner v3
Freemake Video Converter version 3.0.2
Google Drive
Google Update Helper
Graboid Video 3.05
Hardware Diagnostic Tools
Hewlett-Packard Active Check for Health Check
Hewlett-Packard Asset Agent for Health Check
Host OpenAL (ADI)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Customer Feedback
HP KEYBOARD V1.4.7
HP Picasso Media Center Add-In
HP Total Care Advisor
HP Touch Screen Enhance Service
HP TouchSmart
HP TouchSmart Calendar
HP TouchSmart Media
HP TouchSmart Notes
HP Update
HPTCSSetup
iLivid
Java Auto Updater
Java™ 6 Update 31
Java™ SE Runtime Environment 6 Update 1
LabelPrint
LiveUpdate (Symantec Corporation)
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
muvee autoProducer 6.1
My HP Games
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
ooVoo
ooVoo toolbar, powered by Ask.com Updater
PocketCloud Windows Companion
Power2Go
PowerISO
Python 2.5
RegInOut System Utilities
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Skype™ 5.9
SoundMAX
TightVNC 2.0.4
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
VLC media player 1.0.1
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
7/23/2012 8:41:51 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
7/23/2012 8:41:33 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl SCDEmu spldr SRTSPX SYMTDI Wanarpv6
7/23/2012 8:41:33 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
7/23/2012 8:41:33 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
7/23/2012 8:41:33 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
7/23/2012 8:40:50 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/23/2012 8:40:48 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
7/23/2012 8:40:47 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/23/2012 8:40:39 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
7/23/2012 8:40:10 AM, Error: EventLog [6008] - The previous system shutdown at 8:38:22 AM on 7/23/2012 was unexpected.
7/22/2012 7:44:28 AM, Error: EventLog [6008] - The previous system shutdown at 7:41:57 AM on 7/22/2012 was unexpected.
7/22/2012 5:49:51 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
7/22/2012 5:49:51 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Wyse PocketCloud service to connect.
7/22/2012 5:49:51 PM, Error: Service Control Manager [7000] - The Wyse PocketCloud service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/22/2012 2:44:38 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.6 for the Network Card with network address 001644F10FC3 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
7/22/2012 2:44:31 PM, Error: EventLog [6008] - The previous system shutdown at 2:42:54 PM on 7/22/2012 was unexpected.
7/21/2012 10:29:34 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
7/21/2012 10:26:11 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC eeCtrl NetBIOS netbt nsiproxy PSched RasAcd rdbss SCDEmu Smb spldr SRTSPX SYMTDI tdx Wanarpv6
7/21/2012 10:26:11 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/21/2012 10:26:11 AM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
7/21/2012 10:26:11 AM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
7/21/2012 10:26:11 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/21/2012 10:26:11 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
7/21/2012 10:26:11 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/21/2012 10:26:11 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/21/2012 10:26:11 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
7/21/2012 10:26:11 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/21/2012 10:26:11 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/21/2012 10:26:11 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/21/2012 10:25:34 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
7/21/2012 10:25:34 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
7/21/2012 10:24:39 AM, Error: EventLog [6008] - The previous system shutdown at 10:21:41 AM on 7/21/2012 was unexpected.
7/20/2012 5:59:54 PM, Error: EventLog [6008] - The previous system shutdown at 10:15:46 PM on 7/19/2012 was unexpected.
.
==== End Of File ===========================

#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,182 posts
  • Gender:Male
  • Location:California

Posted 23 July 2012 - 09:39 AM

Greetings demo18c,

Thank you for all the information you have provided. Our efforts are under the review of my mentor and I am awaiting their approval to post the instructions I have already prepared. As soon as I receive that approval there will be no delay in doing so.

Thank you for your understanding and patience.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,182 posts
  • Gender:Male
  • Location:California

Posted 23 July 2012 - 02:25 PM

Greetings demo18c,

Thank you for the information and especially your patience. As I am sure you can imagine things are quite busy these days.

Your symptoms and evidences in your logs confirm you are still infected. We are ready to get started but I must first advise you of the following.


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evidences of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

  • Please download ComboFix from one of these locations:

    BleepingComputer

    ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.

    Note #1: Often times it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.

    • Check your computer clock. If it is still running then so is ComboFix
    • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
    • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
    Note #2: If you receive the following error "Illegal operation attempted on a registery key that has been marked for deletion" please just restart your computer to resolve this issue
  • When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Combofix.txt
  • How is your computer running now?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 demo18c

demo18c
  • Topic Starter

  • Members
  • 12 posts

Posted 23 July 2012 - 03:46 PM

Option 1: reformat and reinstall the OS
Option 2: follow the above instructions

Is this correct? If so I will reformat. But do I follow your instructions and then reformat, or just skip to the reformat process?

Thank you for your help. Appreciate the time and effort

#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,182 posts
  • Gender:Male
  • Location:California

Posted 23 July 2012 - 06:52 PM

Greetings demo18c,

Assuming you will be transferring existing files back onto the newly reformatted hard drive the safest course of action is to clean your computer first. This will help to greatly minimize the potential for cross contamination.

We would be happy to continue the process of cleaning your computer so that you can reformat then repopulate your files with confidence. If you would like to do that simply run Combofix and post the results.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 demo18c

demo18c
  • Topic Starter

  • Members
  • 12 posts

Posted 25 July 2012 - 01:58 PM

ComboFix 12-07-26.01 - rashad 07/25/2012 13:38:39.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4086.1760 [GMT -4:00]
Running from: C:\Users\rashad\Desktop\ComboFix.exe
AV: Norton Internet Security *Enabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton Internet Security *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton Internet Security *Enabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF4

Still getting redirects to other websites from the Google search box. The Malwarebytes notification keeps popping up saying "succesfully blocked access to potential malicious website:ip addresses(different ones)" then "Type:outgoing Port:######, Process:services.exe"

#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,182 posts
  • Gender:Male
  • Location:California

Posted 25 July 2012 - 06:55 PM

Greetings demo18c,

It appears part of the Combofix results are missing. Please double check that all the information in C:\combofix.txt is posted.

We need to look for a valid copy of services.exe. Please perform the following.


===================================================


SystemLook by jpshortstuff

--------------------

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:

    :filefind
    services.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Combofix.txt
  • SystemLook.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
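As an added example (not from this thread, and not code from the SystemLook or ComboFix authors), here is the comparison behind the "look for a valid copy of services.exe" step written out in Python. It parses ComboFix-style Sigcheck lines (the format of the listing posted later in this thread), treats copies under winsxs and SoftwareDistribution as reference copies, and flags the live copy in system32 when its status tag is "-", when no verified reference copy of its version exists, when its MD5 differs from the verified copy of the same version, or when it is older than the newest reference copy. Assumptions: the bracketed tag is ComboFix's signature-status marker and "-" means the signature was not verified; the sample input embeds the four services.exe lines from the log posted later in this thread plus two constructed example.dll lines (fake hashes) so that the hash-mismatch branch is exercised as well.

```python
import re
from collections import defaultdict

# Sample input in ComboFix's "Sigcheck" line format. The four services.exe
# lines are copied from the log posted later in this thread; the two example.dll
# lines are CONSTRUCTED (fake hashes, fake paths) to show a hash mismatch.
SAMPLE_SIGCHECK = r"""
[7] 2009-04-11 . 934E0B7D77FF78C18D9F8891221B6DE3 . 384512 . . [6.0.6002.18005] .. c:\windows\SoftwareDistribution\Download\fce438afafdfd7622141fad99a8dd451\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[7] 2009-04-11 . 934E0B7D77FF78C18D9F8891221B6DE3 . 384512 . . [6.0.6002.18005] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[7] 2008-01-21 . DFAC660F0F139276CC9299812DE42719 . 384512 . . [6.0.6001.18000] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[-] 2009-04-11 . BC81150939BD52DBC7A08C245F1FB229 . 384512 . . [6.0.6000.16386] .. c:\windows\system32\services.exe
[7] 2009-04-11 . AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA . 1000 . . [1.0.0.1] .. c:\windows\winsxs\constructed_example\example.dll
[7] 2009-04-11 . BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB . 1000 . . [1.0.0.1] .. c:\windows\system32\example.dll
"""

# One Sigcheck line: [tag] date . MD5 . size . . [file version] .. path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\."
    r"\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\.\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Return a list of dicts (tag, date, md5, size, version, path), one per Sigcheck line."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def version_tuple(version):
    """'6.0.6002.18005' -> (6, 0, 6002, 18005), so versions compare numerically."""
    parts = []
    for p in version.split("."):
        parts.append(int(p) if p.isdigit() else 0)
    return tuple(parts)


def is_reference_copy(path):
    """Servicing-store copies (winsxs, Windows Update cache) serve as the known-good references."""
    p = path.lower()
    return "\\winsxs\\" in p or "\\softwaredistribution\\" in p


def analyze(text):
    """Map each suspicious live copy's path to the list of reasons it was flagged."""
    by_name = defaultdict(list)
    for entry in parse_sigcheck(text):
        by_name[entry["path"].rsplit("\\", 1)[-1].lower()].append(entry)

    findings = {}
    for copies in by_name.values():
        # Assumption: any tag other than "-" means ComboFix verified the signature.
        refs = [c for c in copies if is_reference_copy(c["path"]) and c["tag"] != "-"]
        newest_ref = max((version_tuple(r["version"]) for r in refs), default=None)
        for live in (c for c in copies if not is_reference_copy(c["path"])):
            reasons = []
            if live["tag"] == "-":
                reasons.append("signature not verified")
            same_version = [r for r in refs if r["version"] == live["version"]]
            if not same_version:
                reasons.append("no verified reference copy for version %s" % live["version"])
            elif all(r["md5"] != live["md5"] for r in same_version):
                reasons.append("hash differs from verified copy of the same version")
            if newest_ref and version_tuple(live["version"]) < newest_ref:
                reasons.append("older than newest reference copy")
            if reasons:
                findings[live["path"]] = reasons
    return findings


if __name__ == "__main__":
    # In practice: analyze(open("ComboFix.txt", encoding="cp1252", errors="replace").read())
    for path, reasons in analyze(SAMPLE_SIGCHECK).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

On the log in this thread the only services.exe copy outside the servicing store is the one in system32; it is the only one tagged "-", it carries a version (6.0.6000.16386) for which no verified reference copy exists, and it is older than the 6.0.6002.18005 copies in winsxs, so all three checks fire on it while the winsxs copies are left alone. The reference copy with the matching hash is exactly what a repair step needs to restore from.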

#13 demo18c

demo18c
  • Topic Starter

  • Members
  • 12 posts

Posted 28 July 2012 - 06:07 AM

Sorry it took so long. Had 24 hour duty at work



ComboFix 12-07-26.01 - rashad 07/28/2012 6:43.3.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4086.1380 [GMT -4:00]
Running from: c:\users\rashad\Desktop\ComboFix.exe
AV: Norton Internet Security *Enabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton Internet Security *Enabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Installer\{2a2511ef-a75e-ff2a-a0df-c6cc1174c08b}\@
c:\windows\Installer\{2a2511ef-a75e-ff2a-a0df-c6cc1174c08b}\L\00000004.@
c:\windows\Installer\{2a2511ef-a75e-ff2a-a0df-c6cc1174c08b}\L\1afb2d56
c:\windows\Installer\{2a2511ef-a75e-ff2a-a0df-c6cc1174c08b}\L\201d3dde
c:\windows\Installer\{2a2511ef-a75e-ff2a-a0df-c6cc1174c08b}\U\00000004.@
c:\windows\Installer\{2a2511ef-a75e-ff2a-a0df-c6cc1174c08b}\U\00000008.@
c:\windows\Installer\{2a2511ef-a75e-ff2a-a0df-c6cc1174c08b}\U\000000cb.@
c:\windows\Installer\{2a2511ef-a75e-ff2a-a0df-c6cc1174c08b}\U\80000000.@
c:\windows\Installer\{2a2511ef-a75e-ff2a-a0df-c6cc1174c08b}\U\80000032.@
c:\windows\Installer\{2a2511ef-a75e-ff2a-a0df-c6cc1174c08b}\U\80000064.@
.
c:\windows\system32\services.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-28 )))))))))))))))))))))))))))))))
.
.
2012-07-24 11:45 . 2012-07-24 11:45 -------- d-----w- c:\program files\Canon
2012-07-24 11:45 . 2012-07-24 11:45 -------- d--h--w- c:\programdata\CanonBJ
2012-07-24 11:45 . 2009-03-24 09:00 83968 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPPA0.DLL
2012-07-24 11:45 . 2009-03-24 09:00 28672 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPDA0.DLL
2012-07-24 11:45 . 2012-07-24 11:45 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2012-07-24 11:44 . 2009-04-03 20:01 1321984 ----a-w- c:\windows\system32\CNC560C.dll
2012-07-24 11:44 . 2009-04-03 20:00 92672 ----a-w- c:\windows\system32\CNC560I.dll
2012-07-24 11:44 . 2009-04-03 19:57 106496 ----a-w- c:\windows\SysWow64\CNC560U.dll
2012-07-24 11:44 . 2009-03-19 18:39 328192 ----a-w- c:\windows\system32\CNC560L.dll
2012-07-24 11:44 . 2009-03-19 18:38 303104 ----a-w- c:\windows\SysWow64\CNC560L.dll
2012-07-24 11:44 . 2008-08-25 22:02 17920 ----a-w- c:\windows\system32\CNHMCA6.dll
2012-07-24 11:44 . 2008-08-25 22:02 15872 ----a-w- c:\windows\SysWow64\CNHMCA.dll
2012-07-24 11:43 . 2009-03-24 09:00 336896 ----a-w- c:\windows\system32\CNMLMA0.DLL
2012-07-24 11:43 . 2009-02-04 13:18 104960 ----a-w- c:\windows\system32\CNC560O.dll
2012-07-24 11:43 . 2009-03-18 09:10 244736 ----a-w- c:\windows\system32\CNMIUA0.DLL
2012-07-24 11:42 . 2012-07-24 11:42 -------- d-----w- c:\windows\system32\STRING
2012-07-24 11:42 . 2009-04-03 16:51 144384 ----a-w- c:\windows\system32\CNMN6UI.DLL
2012-07-24 11:42 . 2009-04-03 16:51 336896 ----a-w- c:\windows\system32\CNMN6PPM.DLL
2012-07-24 11:42 . 2012-07-24 11:42 -------- d-----w- c:\windows\system32\CHM
2012-07-22 21:58 . 2012-07-22 21:58 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-22 21:58 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-22 12:22 . 2012-07-22 12:22 -------- d-----w- c:\program files (x86)\ESET
2012-07-21 18:31 . 2012-07-21 18:31 -------- d-----w- c:\users\rashad\AppData\Roaming\Malwarebytes
2012-07-21 18:30 . 2012-07-21 18:30 -------- d-----w- c:\programdata\Malwarebytes
2012-07-21 15:08 . 2012-07-21 15:08 -------- d-----w- c:\users\rashad\AppData\Local\Mozilla
2012-07-21 15:07 . 2012-07-21 15:07 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-07-21 14:22 . 2012-07-21 14:22 -------- d-----w- c:\users\Default\{2bc204a0-352f-48c1-9790-dc9cc367160c}
2012-07-17 09:25 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C676D760-C885-4134-96D8-FCB0DA0C4A24}\mpengine.dll
2012-07-12 12:18 . 2012-07-12 12:18 -------- d-----w- c:\users\rashad\AppData\Roaming\Nitro PDF
2012-07-12 11:56 . 2012-07-12 11:56 -------- d-----w- c:\programdata\Nitro PDF
2012-07-12 11:55 . 2012-07-12 11:55 -------- d-----w- c:\users\rashad\AppData\Roaming\Downloaded Installations
2012-07-12 07:00 . 2012-06-13 13:58 2769408 ----a-w- c:\windows\system32\win32k.sys
2012-07-12 04:49 . 2012-07-12 04:49 -------- d-----w- c:\users\rashad\AppData\Roaming\ooVoo Details
2012-07-12 00:56 . 2012-07-12 00:57 -------- d-----w- c:\program files (x86)\Ask.com
2012-07-12 00:56 . 2012-07-12 00:56 -------- d-----w- c:\program files (x86)\ooVoo
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-22 15:47 . 2008-08-21 03:34 172080 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2012-07-12 07:02 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
2012-06-02 22:19 . 2012-06-21 18:11 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 18:12 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 18:12 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 18:12 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 18:11 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-21 18:11 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 18:11 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-21 18:12 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 18:11 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-21 18:11 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
2012-06-02 19:19 . 2012-06-21 18:11 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:19 . 2012-06-21 18:11 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-02 19:15 . 2012-06-21 18:11 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 19:12 . 2012-06-21 18:11 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2012-05-31 16:25 . 2012-04-23 07:18 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-05-11 21:11 . 2012-05-11 21:11 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-05-11 21:11 . 2012-05-11 21:11 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-05-11 21:11 . 2012-05-11 21:11 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-05-11 21:11 . 2012-05-11 21:11 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-05-11 21:11 . 2012-05-11 21:11 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-05-11 21:11 . 2012-05-11 21:11 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-05-11 21:11 . 2012-05-11 21:11 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-05-11 21:11 . 2012-05-11 21:11 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-05-11 21:11 . 2012-05-11 21:11 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-05-11 21:11 . 2012-05-11 21:11 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-05-11 21:11 . 2012-05-11 21:11 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-05-11 21:11 . 2012-05-11 21:11 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-05-11 21:11 . 2012-05-11 21:11 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-05-11 21:11 . 2012-05-11 21:11 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-05-11 21:11 . 2012-05-11 21:11 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-05-11 21:11 . 2012-05-11 21:11 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-05-11 21:11 . 2012-05-11 21:11 222208 ----a-w- c:\windows\system32\msls31.dll
2012-05-11 21:11 . 2012-05-11 21:11 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-05-11 21:11 . 2012-05-11 21:11 197120 ----a-w- c:\windows\system32\msrating.dll
2012-05-11 21:11 . 2012-05-11 21:11 12288 ----a-w- c:\windows\system32\mshta.exe
2012-05-11 21:11 . 2012-05-11 21:11 114176 ----a-w- c:\windows\system32\admparse.dll
2012-05-11 21:11 . 2012-05-11 21:11 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-05-11 21:11 . 2012-05-11 21:11 267776 ----a-w- c:\windows\system32\ieaksie.dll
2012-05-11 21:11 . 2012-05-11 21:11 163840 ----a-w- c:\windows\system32\ieakui.dll
2012-05-11 21:11 . 2012-05-11 21:11 145920 ----a-w- c:\windows\system32\iepeers.dll
2012-05-11 21:11 . 2012-05-11 21:11 136192 ----a-w- c:\windows\system32\advpack.dll
2012-05-11 21:11 . 2012-05-11 21:11 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-05-11 21:11 . 2012-05-11 21:11 55296 ----a-w- c:\windows\system32\msfeedsbs.dll
2012-05-11 21:11 . 2012-05-11 21:11 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-05-11 21:11 . 2012-05-11 21:11 160256 ----a-w- c:\windows\system32\ieakeng.dll
2012-05-11 21:11 . 2012-05-11 21:11 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-05-11 21:11 . 2012-05-11 21:11 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-05-11 21:11 . 2012-05-11 21:11 10752 ----a-w- c:\windows\system32\msfeedssync.exe
2012-05-11 21:11 . 2012-05-11 21:11 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-05-11 21:11 . 2012-05-11 21:11 452608 ----a-w- c:\windows\system32\dxtmsft.dll
2012-05-11 21:11 . 2012-05-11 21:11 448512 ----a-w- c:\windows\system32\html.iec
2012-05-11 21:11 . 2012-05-11 21:11 282112 ----a-w- c:\windows\system32\dxtrans.dll
2012-05-11 21:11 . 2012-05-11 21:11 89088 ----a-w- c:\windows\system32\ie4uinit.exe
2012-05-11 21:11 . 2012-05-11 21:11 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-05-11 21:11 . 2012-05-11 21:11 82432 ----a-w- c:\windows\system32\icardie.dll
2012-05-11 21:11 . 2012-05-11 21:11 534528 ----a-w- c:\windows\system32\ieapfltr.dll
2012-05-11 21:11 . 2012-05-11 21:11 403248 ----a-w- c:\windows\system32\iedkcs32.dll
2012-05-11 21:11 . 2012-05-11 21:11 39936 ----a-w- c:\windows\system32\iernonce.dll
2012-05-11 21:11 . 2012-05-11 21:11 3695416 ----a-w- c:\windows\system32\ieapfltr.dat
2012-05-11 21:11 . 2012-05-11 21:11 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 21:11 . 2012-05-11 21:11 249344 ----a-w- c:\windows\system32\webcheck.dll
2012-05-11 21:11 . 2012-05-11 21:11 697344 ----a-w- c:\windows\system32\msfeeds.dll
2012-05-11 21:11 . 2012-05-11 21:11 603648 ----a-w- c:\windows\system32\vbscript.dll
2012-05-11 21:11 . 2012-05-11 21:11 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-05-11 21:11 . 2012-05-11 21:11 160256 ----a-w- c:\windows\system32\wextract.exe
2012-05-11 21:11 . 2012-05-11 21:11 103936 ----a-w- c:\windows\system32\inseng.dll
2012-05-11 21:11 . 2012-05-11 21:11 65024 ----a-w- c:\windows\system32\pngfilt.dll
2012-05-11 21:11 . 2012-05-11 21:11 149504 ----a-w- c:\windows\system32\occache.dll
2012-05-11 21:09 . 2012-05-11 21:09 979456 ----a-w- c:\windows\SysWow64\MFH264Dec.dll
2012-05-11 21:09 . 2012-05-11 21:09 357376 ----a-w- c:\windows\SysWow64\MFHEAACdec.dll
2012-05-11 21:09 . 2012-05-11 21:09 1257984 ----a-w- c:\windows\system32\MFH264Dec.dll
2012-05-11 21:09 . 2012-05-11 21:09 428544 ----a-w- c:\windows\system32\MFHEAACdec.dll
2012-05-11 21:09 . 2012-05-11 21:09 377344 ----a-w- c:\windows\system32\mfmp4src.dll
2012-05-11 21:09 . 2012-05-11 21:09 345088 ----a-w- c:\windows\system32\mfreadwrite.dll
2012-05-11 21:09 . 2012-05-11 21:09 302592 ----a-w- c:\windows\SysWow64\mfmp4src.dll
2012-05-11 21:09 . 2012-05-11 21:09 261632 ----a-w- c:\windows\SysWow64\mfreadwrite.dll
2012-05-11 21:09 . 2012-05-11 21:09 98816 ----a-w- c:\windows\SysWow64\mfps.dll
2012-05-11 21:09 . 2012-05-11 21:09 3548672 ----a-w- c:\windows\system32\mf.dll
2012-05-11 21:09 . 2012-05-11 21:09 34304 ----a-w- c:\windows\system32\mfpmp.exe
2012-05-11 21:09 . 2012-05-11 21:09 2873344 ----a-w- c:\windows\SysWow64\mf.dll
2012-05-11 21:09 . 2012-05-11 21:09 195072 ----a-w- c:\windows\system32\mfps.dll
2012-05-11 21:09 . 2012-05-11 21:09 278528 ----a-w- c:\windows\system32\mfplat.dll
2012-05-11 21:09 . 2012-05-11 21:09 209920 ----a-w- c:\windows\SysWow64\mfplat.dll
2012-05-11 21:09 . 2012-05-11 21:09 1204224 ----a-w- c:\windows\system32\shdocvw.dll
2012-05-11 21:09 . 2012-05-11 21:09 748544 ----a-w- c:\windows\system32\stobject.dll
2012-05-11 21:09 . 2012-05-11 21:09 586240 ----a-w- c:\windows\SysWow64\stobject.dll
2012-05-11 21:09 . 2012-05-11 21:09 231936 ----a-w- c:\windows\system32\XpsRasterService.dll
2012-05-11 21:09 . 2012-05-11 21:09 566272 ----a-w- c:\windows\system32\d3d10level9.dll
2012-05-11 21:09 . 2012-05-11 21:09 486400 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2012-05-11 21:09 . 2012-05-11 21:09 287232 ----a-w- c:\windows\system32\d3d10core.dll
2012-05-11 21:09 . 2012-05-11 21:09 189952 ----a-w- c:\windows\SysWow64\d3d10core.dll
2012-05-11 21:09 . 2012-05-11 21:09 1268224 ----a-w- c:\windows\system32\d3d10.dll
2012-05-11 21:09 . 2012-05-11 21:09 1029120 ----a-w- c:\windows\SysWow64\d3d10.dll
2012-05-11 21:09 . 2012-05-11 21:09 900480 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2012-05-11 21:09 . 2012-05-11 21:09 625152 ----a-w- c:\windows\system32\dxgi.dll
2012-05-11 21:09 . 2012-05-11 21:09 478720 ----a-w- c:\windows\SysWow64\dxgi.dll
2012-05-11 21:09 . 2012-05-11 21:09 47104 ----a-w- c:\windows\system32\cdd.dll
2012-05-11 21:09 . 2012-05-11 21:09 366592 ----a-w- c:\windows\system32\winspool.drv
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-04-11 . 934E0B7D77FF78C18D9F8891221B6DE3 . 384512 . . [6.0.6002.18005] .. c:\windows\SoftwareDistribution\Download\fce438afafdfd7622141fad99a8dd451\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[7] 2009-04-11 . 934E0B7D77FF78C18D9F8891221B6DE3 . 384512 . . [6.0.6002.18005] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[7] 2008-01-21 . DFAC660F0F139276CC9299812DE42719 . 384512 . . [6.0.6001.18000] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[-] 2009-04-11 . BC81150939BD52DBC7A08C245F1FB229 . 384512 . . [6.0.6000.16386] .. c:\windows\system32\services.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files (x86)\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\BitTorrentBar\prxtbBitT.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-05-04 19:43 1519272 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files (x86)\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-05-04 1519272]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\users\rashad\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\users\rashad\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 94208 ----a-w- c:\users\rashad\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"HPSmartCenterBoot"="c:\program files (x86)\Hewlett-Packard\TouchSmart\SmartCenter 2.0\SmartCenter.exe" [2008-05-16 3590960]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-05-03 17355912]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"ooVoo.exe"="c:\program files (x86)\ooVoo\oovoo.exe" [2012-05-29 25249400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD64.exe" [2007-02-15 119296]
"HP KEYBOARD V1.4.7"="c:\program files (x86)\Hewlett-Packard\HP KEYBOARD\HPKEYBOARD.EXE" [2008-04-18 457728]
"Buttons & OSDs control application gen2"="c:\program files (x86)\HP\Buttons & OSDs control application gen2\MediaButtons.exe" [2008-04-18 2199552]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-04-24 1135912]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-04-24 202024]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2007-12-19 1314816]
"tvncontrol"="c:\program files (x86)\TightVNC\tvnserver.exe" [2011-08-03 828944]
"YouCam Service"="c:\program files (x86)\CyberLink\YouCam\YouCamService.exe" [2012-03-23 255208]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-05-04 1561768]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\users\rashad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\rashad\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 253088]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 14:00]
.
2012-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-21 16:13]
.
2012-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-05-21 16:13]
.
2012-07-24 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - rashad.job
- c:\program files (x86)\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 00:05]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 97792 ----a-w- c:\users\rashad\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 97792 ----a-w- c:\users\rashad\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 97792 ----a-w- c:\users\rashad\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32 97792 ----a-w- c:\users\rashad\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-06-20 23:02 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-06-20 23:02 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-06-20 23:02 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-06-20 23:02 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-01 138264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-01 203288]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-01 167448]
"PocketCloud Location"="c:\program files (x86)\Wyse\PocketCloud Windows Companion\WyseBrowser.exe" [2012-03-20 881568]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=crossfire&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.2.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\rashad\AppData\Roaming\Mozilla\Firefox\Profiles\kkl0y6q1.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
HKLM-Run-OsdMaestro - c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
HKLM-Run-combofix - c:\combofix\CF26736.3XE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
Completion time: 2012-07-28 06:55:56
ComboFix-quarantined-files.txt 2012-07-28 10:55
.
Pre-Run: 159,006,035,968 bytes free
Post-Run: 158,172,315,648 bytes free
.
- - End Of File - - 99181CDF74242681CD3E7C7F21140690

#14 demo18c

demo18c
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:26 AM

Posted 28 July 2012 - 06:41 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 07:11 on 28/07/2012 by rashad
Administrator - Elevation successful

========== filefind ==========

Searching for "services.exe"
C:\WINDOWS\SoftwareDistribution\Download\fce438afafdfd7622141fad99a8dd451\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe --a---- 384512 bytes [22:36 30/04/2012] [07:10 11/04/2009] 934E0B7D77FF78C18D9F8891221B6DE3
C:\WINDOWS\SoftwareDistribution\Download\fce438afafdfd7622141fad99a8dd451\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe --a---- 279552 bytes [22:36 30/04/2012] [06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B
C:\WINDOWS\System32\services.exe --a---- 384512 bytes [19:54 11/05/2012] [04:10 11/04/2009] BC81150939BD52DBC7A08C245F1FB229
C:\WINDOWS\SysWOW64\services.exe --a---- 279552 bytes [19:54 11/05/2012] [03:28 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B
C:\WINDOWS\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe --a---- 384512 bytes [02:49 21/01/2008] [02:49 21/01/2008] DFAC660F0F139276CC9299812DE42719
C:\WINDOWS\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe --a---- 384512 bytes [19:54 11/05/2012] [04:10 11/04/2009] 934E0B7D77FF78C18D9F8891221B6DE3
C:\WINDOWS\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --a---- 279040 bytes [02:50 21/01/2008] [02:50 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C
C:\WINDOWS\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe --a---- 279552 bytes [19:54 11/05/2012] [03:28 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B

-= EOF =-

#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,182 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:05:26 AM

Posted 28 July 2012 - 09:34 AM

Greetings demo18c,

We are going to replace an infected file and I would also like to provide you with information and a caution about a couple of programs on your computer.

Please perform and consider the following.


===================================================


Running Combofix Script

-------------------

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text below into the Notepad document

    FCopy::
    c:\windows\SoftwareDistribution\Download\fce438afafdfd7622141fad99a8dd451\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe | c:\windows\system32\services.exe

  • Save this on your desktop as CFScript.txt.


    (image: CFScript.txt being dragged onto ComboFix.exe)

  • Referring to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it will create a log for you at C:\ComboFix.txt. Please copy/paste the information in your next reply.

===================================================


Uninstalling a Program using Add/Remove Program

--------------------

You have several toolbars installed on your computer. One in particular, Ask, should be removed.

  • Press the Windows key + R on your keyboard at the same time
  • Type appwiz.cpl and press Enter
  • A list of programs installed will be displayed
  • Uninstall the following by clicking on the program(s) below and selecting Remove or Uninstall

    Ask Toolbar (or any variation of Ask)
    ooVoo Toolbar (associated with Ask.com)

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Combofix.txt
  • How is your computer running?
  • Are you still planning on reformatting after we are done (if so we will skip some program updates)?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."




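The reasoning behind the FCopy step in Gary's reply can be read straight off the two logs above: the live `C:\WINDOWS\System32\services.exe` has the same size (384512 bytes) as the component-store copies of the same architecture, yet its MD5 (BC81...) matches none of them, while the SysWOW64 copy hashes identically to its x86 counterparts in WinSxS and SoftwareDistribution\Download. The script below is an added example written for this thread; it is not part of SystemLook, ComboFix or anything posted by the participants. It parses SystemLook `filefind` result lines in the layout shown in reply #14, treats the WinSxS and SoftwareDistribution\Download component folders as reference copies (architecture and version are read from the component folder name), and flags any System32/SysWOW64 copy whose hash matches no reference copy of the same architecture, listing the newest reference copies as replacement candidates. Assumptions, labelled in the code: the System32 = amd64 / SysWOW64 = x86 layout of 64-bit Windows, and that the log lines follow exactly the SystemLook format above. The sample input is copied from reply #14.

```python
"""Flag a live Windows system binary whose hash matches no component-store copy.

Added example for this thread (not SystemLook, ComboFix or BleepingComputer code).
Assumption: 64-bit Windows, so System32 holds amd64 binaries and SysWOW64 x86 ones.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# One SystemLook "filefind" result: path, attribute flags, size, two timestamps, MD5.
FILEFIND_RE = re.compile(
    r"^(?P<path>\S.*?)\s+[-a-z]{7}\s+(?P<size>\d+) bytes"
    r"\s+\[[^\]]+\]\s+\[[^\]]+\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# Component folder name used by WinSxS and Windows Update staging:
#   <arch>_<component>_<publicKeyToken>_<version>_<language>_<hash>
COMPONENT_RE = re.compile(
    r"\\(?P<arch>amd64|x86)_[^\\]*?_(?P<version>\d+(?:\.\d+){3})_", re.IGNORECASE
)
# The copy the OS actually loads: directly under System32 or SysWOW64.
LIVE_RE = re.compile(r"\\(?P<dir>system32|syswow64)\\[^\\]+$", re.IGNORECASE)
LIVE_DIR_ARCH = {"system32": "amd64", "syswow64": "x86"}  # assumption: x64 Windows layout


@dataclass
class FileEntry:
    path: str
    size: int
    md5: str
    arch: Optional[str] = None                 # amd64 / x86 when derivable from the path
    version: Optional[tuple[int, ...]] = None  # known only for component-store copies


@dataclass
class Finding:
    live_path: str
    md5: str
    arch: str
    status: str                      # "ok" or "mismatch"
    matched_version: Optional[str]   # version of a reference copy with the same MD5
    size_matches_reference: bool     # same size as a reference copy: in-place patch pattern
    replacement: list[str] = field(default_factory=list)  # newest same-arch reference copies


def parse_filefind(text: str) -> list[FileEntry]:
    """Parse filefind result lines; headers, blank lines and the EOF marker are skipped."""
    entries: list[FileEntry] = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if not m:
            continue
        entry = FileEntry(m["path"], int(m["size"]), m["md5"].upper())
        comp = COMPONENT_RE.search(entry.path)
        live = LIVE_RE.search(entry.path)
        if comp:
            entry.arch = comp["arch"].lower()
            entry.version = tuple(int(x) for x in comp["version"].split("."))
        elif live:
            entry.arch = LIVE_DIR_ARCH[live["dir"].lower()]
        entries.append(entry)
    return entries


def audit_live_copies(entries: list[FileEntry]) -> list[Finding]:
    """Compare each live System32/SysWOW64 copy with same-architecture reference copies."""
    refs: dict[str, list[FileEntry]] = defaultdict(list)
    for e in entries:
        if e.version is not None:
            refs[e.arch].append(e)
    findings = []
    for e in entries:
        if e.version is not None or e.arch is None:
            continue  # a reference copy, or a path we cannot classify
        same_arch = refs[e.arch]
        same_hash = [r for r in same_arch if r.md5 == e.md5]
        size_hit = any(r.size == e.size for r in same_arch)
        if same_hash:
            best = max(same_hash, key=lambda r: r.version)
            findings.append(Finding(e.path, e.md5, e.arch, "ok",
                                    ".".join(map(str, best.version)), size_hit))
        else:
            newest = max((r.version for r in same_arch), default=None)
            repl = [r.path for r in same_arch if r.version == newest]
            findings.append(Finding(e.path, e.md5, e.arch, "mismatch", None, size_hit, repl))
    return findings


# Sample input copied from the SystemLook output in reply #14 of this thread.
SAMPLE_LOG = r"""
Searching for "services.exe"
C:\WINDOWS\SoftwareDistribution\Download\fce438afafdfd7622141fad99a8dd451\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe --a---- 384512 bytes [22:36 30/04/2012] [07:10 11/04/2009] 934E0B7D77FF78C18D9F8891221B6DE3
C:\WINDOWS\SoftwareDistribution\Download\fce438afafdfd7622141fad99a8dd451\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe --a---- 279552 bytes [22:36 30/04/2012] [06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B
C:\WINDOWS\System32\services.exe --a---- 384512 bytes [19:54 11/05/2012] [04:10 11/04/2009] BC81150939BD52DBC7A08C245F1FB229
C:\WINDOWS\SysWOW64\services.exe --a---- 279552 bytes [19:54 11/05/2012] [03:28 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B
C:\WINDOWS\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe --a---- 384512 bytes [02:49 21/01/2008] [02:49 21/01/2008] DFAC660F0F139276CC9299812DE42719
C:\WINDOWS\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe --a---- 384512 bytes [19:54 11/05/2012] [04:10 11/04/2009] 934E0B7D77FF78C18D9F8891221B6DE3
C:\WINDOWS\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --a---- 279040 bytes [02:50 21/01/2008] [02:50 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C
C:\WINDOWS\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe --a---- 279552 bytes [19:54 11/05/2012] [03:28 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B
-= EOF =-
"""

if __name__ == "__main__":
    for f in audit_live_copies(parse_filefind(SAMPLE_LOG)):
        print(f"{f.status:8} {f.arch:5} {f.live_path}  md5={f.md5}")
        if f.status == "mismatch":
            print("   same size as a reference copy:", f.size_matches_reference)
            for p in f.replacement:
                print("   candidate replacement:", p)
```

On the log from reply #14 this reports the System32 copy as a mismatch (same size as the references, hash shared with none of them) and lists the two 6.0.6002.18005 amd64 copies as candidates, one of which is exactly the source Gary's CFScript copies over System32; the SysWOW64 copy is reported as matching version 6.0.6002.18005. Treat the mismatch as a triage signal rather than proof: confirm it with a signature check, as the Sigcheck section of the ComboFix log above does, before replacing anything, since a hash that matches no staged copy can in principle also come from an update that left no component-store copy behind.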