
www.qfind.net google redirect


98 replies to this topic

#1 gdingwall


  • Members
  • 64 posts

Posted 14 September 2012 - 05:54 AM

Hello

Previously, if I wrote a search word in the address bar for Firefox, it would resolve to the website. For example, "bbc" would resolve to www.bbcnews.com; however, now it first redirects to www.qfind.net and then on to any other ad site. I checked in Internet Explorer too and it happens there. It doesn't seem to be affecting Chrome. It is possible also that my laptop is running slightly slower. Maybe the internet speed is affected too. Finally, it seems some personal settings are reset periodically.

Please note: I have manually added the following lines to my hosts file to curtail the effect of this on my browser:

127.0.0.1 qfind.net
127.0.0.1 www.qfind.net


DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.7.2
Run by xxx at 10:48:38 on 2012-09-13
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.44.1033.18.3060.910 [GMT -5:00]
.
AV: Sophos Anti-Virus *Enabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Sophos Anti-Virus *Enabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\ibmpmsvc.exe
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\IBM\Lotus\Notes\nslsvice.exe
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
c:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\windows\SYSTEM32\DWRCS.EXE
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\windows\system32\conhost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\windows\system32\nvvsvc.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\windows\system32\CBA\pds.exe
C:\PROGRA~1\LANDesk\LDCLient\issuser.exe
C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\LANDesk\LDCLient\tmcsvc.exe
C:\Program Files\LANDesk\LDClient\amtmon.exe
C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
C:\Program Files\IBM\Lotus\Notes\nsd.exe
C:\Program Files\IBM\WebSphere MQ\bin\amqsvc.exe
C:\Program Files\IBM\WebSphere MQ\bin\amqmsrvn.exe
c:\Program Files\QUALCOMM\QDLService2k\QDLService2kLenovo.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\LANDesk\LDCLient\softmon.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\LANDesk\LDCLient\tracksvc.exe
C:\Program Files\Lenovo\Access Connections\AcSvc.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\windows\SYSTEM32\DWRCST.exe
C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\windows\system32\Dwm.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\windows\Explorer.EXE
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\System32\TpShocks.exe
C:\Windows\System32\rundll32.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\IBM\WebSphere MQ\bin\amqmtbrn.exe
C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe
C:\Program Files\IBM\WebSphere MQ\bin\amqmsrvn.exe
C:\Users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe
C:\Program Files\IBM\Lotus\Notes\NLNOTES.EXE
C:\Program Files\IBM\Lotus\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.2.2.20110310-0045\win32\x86\notes2.exe
C:\Program Files\IBM\Lotus\Notes\ntaskldr.EXE
C:\PROGRA~1\LANDesk\LDCLient\rcgui.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
C:\Program Files\sqldeveloper-3.1.07.42\sqldeveloper\sqldeveloper.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\notepad.exe
C:\Program Files\IBM\WebSphere MQ\eclipseSDK33\eclipse\eclipse.exe
C:\Program Files\IBM\WebSphere MQ\java\jre\bin\javaw.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
C:\Program Files\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://eu1pmwu012/FILETODAY/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
mRun: [TpShocks] TpShocks.exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [AcWin7Hlpr] c:\program files\lenovo\access connections\AcTBenabler.exe
mRun: [SPEnroll] c:\windows\system32\SPEnroll.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [LENOVO.TPKNRRES] c:\program files\lenovo\communications utility\TPKNRRES.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Sophos AutoUpdate Monitor] c:\program files\sophos\autoupdate\almon.exe
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
StartupFolder: c:\users\graham~1.din\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\xxx\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\websph~1.lnk - c:\program files\ibm\websphere mq\bin\amqmtbrn.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-system: consentpromptbehavioradmin = 5 (0x5)
mPolicies-system: enableinstallerdetection = 0 (0x0)
mPolicies-system: enableuiadesktoptoggle = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 1 (0x1)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
DPF: {71C201AB-CA7B-442C-8A0B-A37C90032514} - hxxp://i2.siebel.infoprint.com/htim_enu/20430/applets/SiebelAx_HI_Client.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://intercalleurope.webex.com/client/WBXclient-T27L10NSP25-10481/webex/ieatgpc1.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 200.48.225.130 200.48.225.146
TCP: Interfaces\{7C2BE3AF-5DE4-4296-88B7-63E25318DF94} : DhcpNameServer = 200.48.225.130 200.48.225.146
TCP: Interfaces\{7C2BE3AF-5DE4-4296-88B7-63E25318DF94}\744494E4747514C4C4 : DhcpNameServer = 200.48.225.130 200.48.225.146
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: qrev - {9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} - c:\progra~1\quests~1\toadfo~1\RNetPin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\sophos\sophos~1\sophos_detoured.dll,c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 172.22.5.171 wi1ua239
Hosts: 172.22.1.152 wi1ua144
Hosts: 172.22.1.153 wi1ua145
Hosts: 172.22.1.130 wi1ua146
Hosts: 172.22.1.131 wi1ua147
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\xxx\appdata\roaming\mozilla\firefox\profiles\qnwmnqz6.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\users\xxx\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\users\xxx\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\xxx\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2011-10-20 25416]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2011-1-13 20592]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2012-7-7 13680]
R1 pelmoubt;Mouse Suite Bluetooth Driver;c:\windows\system32\drivers\PELMoubt.SYS [2011-3-9 18432]
R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2012-7-2 123680]
R1 SKMScan;SKMScan;c:\windows\system32\drivers\skmscan.sys [2012-7-2 31736]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 CBA8;LANDesk® Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2011-8-1 147456]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-8-20 48640]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2012-1-6 5120]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2012-7-7 215208]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-8-20 132480]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2011-10-31 7522304]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2012-7-7 139368]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-12 250056]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2011-10-20 280640]
S3 GzTpHid;GUNZE Touch Screen Filter Driver;c:\windows\system32\drivers\GzTpHid.sys [2010-8-20 29184]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-8-20 101120]
S3 iaNvStor;iaNvStor;c:\windows\system32\drivers\iaNvStor.sys [2010-8-20 232472]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2010-8-20 41088]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2011-5-23 62336]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2011-5-23 141440]
S3 pelbtm;Bluetooth Mouse Filter Driver;c:\windows\system32\drivers\pelbtm.sys [2011-3-9 13312]
S3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\PelPs2m.sys [2011-3-9 19818]
S3 pelvendr;Mouse Suite I/O Driver;c:\windows\system32\drivers\PELVENDR.SYS [2011-3-9 10240]
S3 QCFilterlno;Lenovo USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterlno.sys [2010-8-20 8832]
S3 qcusbserlno;Lenovo USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserlno.sys [2010-8-20 127104]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2012-9-10 24416]
S3 risdxc;risdxc;c:\windows\system32\drivers\risdxc86.sys [2011-5-23 75264]
S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-8-20 38912]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2012-7-2 33696]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
S3 TN33statbus;TN33_NFC;c:\windows\system32\drivers\TN33_MultiFn.sys [2010-8-20 51200]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
S3 wacomhidfilter;Wacom HID Filter;c:\windows\system32\drivers\wacomhidfilter.sys [2011-5-23 14376]
S3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2011-5-23 14320]
S3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2010-8-20 30888]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2011-10-20 22536]
.
=============== Created Last 30 ================
.
2012-09-13 15:39:47 -------- d-----w- c:\program files\ESET
2012-09-13 14:20:45 -------- d-----w- c:\program files\common files\Cisco Systems
2012-09-13 14:20:44 30744 ----a-w- c:\windows\system32\SophosBootTasks.exe
2012-09-13 10:48:18 -------- d-----w- c:\users\xxx\appdata\roaming\smkits
2012-09-12 01:15:19 -------- d-sh--w- C:\$RECYCLE.BIN
2012-09-12 01:12:55 -------- d-----w- c:\users\xxx\appdata\local\temp
2012-09-12 01:03:12 98816 ----a-w- c:\windows\sed.exe
2012-09-12 01:03:12 518144 ----a-w- c:\windows\SWREG.exe
2012-09-12 01:03:12 256000 ----a-w- c:\windows\PEV.exe
2012-09-12 01:03:12 208896 ----a-w- c:\windows\MBR.exe
2012-09-12 01:03:08 -------- d-----w- C:\ComboFix
2012-09-12 00:34:47 -------- d-----w- c:\users\xxx\appdata\local\Sophos
2012-09-10 19:28:34 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2012-09-10 19:21:39 -------- d-----w- c:\programdata\RegRun
2012-09-10 19:21:34 39184 ----a-w- c:\windows\system32\Partizan.exe
2012-09-10 19:21:34 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2012-09-10 19:21:09 2 --shatr- c:\windows\winstart.bat
2012-09-10 19:21:06 12800 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2012-09-10 19:20:58 -------- d-----w- c:\program files\UnHackMe
2012-09-08 20:23:06 -------- d-----w- c:\users\xxx\appdata\roaming\SUPERAntiSpyware.com
2012-09-08 20:03:44 388096 ----a-r- c:\users\xxx\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-09-08 20:03:43 -------- d-----w- c:\program files\Trend Micro
2012-09-08 17:44:45 -------- d-----w- c:\windows\pss
2012-09-08 16:54:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-09-08 15:48:12 -------- d-----w- c:\users\xxx\appdata\roaming\Malwarebytes
2012-09-08 15:48:01 -------- d-----w- c:\programdata\Malwarebytes
2012-09-08 15:48:00 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-08 15:47:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-05 13:40:30 -------- d-----w- c:\users\xxx\xxx_Hotfix_Int
2012-09-03 11:44:33 -------- d-----w- C:\CCRC
2012-09-02 16:03:17 -------- d-----w- c:\program files\SopCast
2012-09-01 16:20:55 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-28 19:01:18 393728 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-08-28 17:05:01 48640 ----a-w- c:\windows\system32\libfdnvin.dll
.
==================== Find3M ====================
.
2012-09-01 16:20:48 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-01 16:20:48 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-21 21:37:46 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-21 21:37:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-18 17:47:53 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-04 21:14:34 41984 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 21:14:34 102912 ----a-w- c:\windows\system32\browser.dll
2012-07-02 15:10:10 33696 ----a-w- c:\windows\system32\drivers\sdcfilter.sys
2012-07-02 15:07:27 123680 ----a-w- c:\windows\system32\drivers\savonaccess.sys
2012-07-02 15:00:19 31736 ----a-w- c:\windows\system32\drivers\skmscan.sys
2012-07-02 14:56:52 131824 ----a-w- c:\windows\system32\sdccoinstaller.dll
2012-06-27 05:53:07 981504 ----a-w- c:\windows\system32\wininet.dll
2012-06-27 04:10:55 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-26 21:03:06 4659712 ----a-w- c:\windows\system32\Redemption.dll
.
============= FINISH: 10:57:37.08 ===============

Edited by gdingwall, 14 September 2012 - 05:56 AM.
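Added example (not part of the thread, and not DDS's own code): a small Python triage parser for the "Pseudo HJT Report" section of a DDS log like the one posted above. It separates loopback sinkhole entries (the kind the poster added by hand) from hosts-file overrides that point a name at some other address, and lists the BHO and *Run autostart items. The sample input is constructed from a few lines of the posted log plus one invented override using an address from the 203.0.113.0/24 documentation range.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log in the first post, plus one
# invented hosts-file override (203.0.113.7) so the classifier has something to flag.
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://eu1pmwu012/FILETODAY/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
mRun: [TpShocks] TpShocks.exe
mRun: [Adobe ARM] "c:\\program files\\common files\\adobe\\arm\\1.0\\AdobeARM.exe"
Hosts: 127.0.0.1 www.qfind.net
Hosts: 172.22.5.171 wi1ua239
Hosts: 203.0.113.7 www.example-search.invalid
.
================= FIREFOX ===================
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z][\w\- ]*?):\s+(?P<body>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def pseudo_hjt_section(text):
    """Return the non-empty lines between the 'Pseudo HJT Report' header and the next header."""
    lines, keep = [], False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            keep = m.group("name") == "Pseudo HJT Report"
            continue
        if keep and line.strip() and line.strip() != ".":
            lines.append(line.rstrip())
    return lines


def parse_entries(lines):
    """Group 'Kind: body' and 'Key = value' lines by their kind/key."""
    entries = defaultdict(list)
    for line in lines:
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("kind")].append(m.group("body"))
        elif " = " in line:  # e.g. 'uStart Page = hxxp://...'
            key, _, value = line.partition(" = ")
            entries[key.strip()].append(value.strip())
    return dict(entries)


def classify_hosts(entries):
    """Split Hosts: lines into loopback sinkholes and overrides to real addresses."""
    sinkholes, overrides = [], []
    for body in entries.get("Hosts", []):
        parts = body.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            (sinkholes if ip in LOOPBACK else overrides).append((name, ip))
    return sinkholes, overrides


def autostarts(entries):
    """Return (key, entry name, command) for every uRun/mRun/dRun item."""
    out = []
    for kind, bodies in entries.items():
        if not kind.endswith("Run"):
            continue
        for body in bodies:
            m = RUN_RE.match(body)
            if m:
                out.append((kind, m.group("name"), m.group("cmd").strip('"')))
    return out


def triage(text):
    """Summarise the parts of a DDS log that a redirect hijack would touch."""
    entries = parse_entries(pseudo_hjt_section(text))
    sinkholes, overrides = classify_hosts(entries)
    return {
        "start_page": entries.get("uStart Page", []),
        "bho_count": len(entries.get("BHO", [])),
        "autostarts": autostarts(entries),
        "sinkholes": sinkholes,   # user-added blocks, expected
        "overrides": overrides,   # names sent elsewhere: review each one
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

Overrides to private addresses such as 172.22.x.x are normal on a corporate laptop; the ones worth a second look are names for public sites sent to an address you do not recognise.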


#2 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 14 September 2012 - 08:00 AM

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 gdingwall

  • Topic Starter

  • Members
  • 64 posts

Posted 15 September 2012 - 02:35 PM

Hi CatByte

Thanks for helping out so quickly. FYI, strangely, I did not have the option to enter System Recovery Options. But what I did do was boot into Safe Mode with Command Prompt. I was able to complete the instructions this way. I hope it is OK. I am copying the contents of the FRST.txt here:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-09-2012 02
Ran by xxx at 15-09-2012 14:23:47
Running from E:\
Service Pack 1 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


==================== One Month Created Files and Folders ========

2012-09-14 13:10 - 2012-09-14 13:10 - 00000000 ____D C:\Users\xxx\AppData\Roaming\smkits
2012-09-14 05:52 - 2012-09-14 05:52 - 00005318 ____A C:\Users\xxx\Desktop\Attach.zip
2012-09-14 05:51 - 2012-09-14 05:51 - 00000000 ____D C:\Program Files\7-Zip
2012-09-14 05:48 - 2012-09-14 05:50 - 01138397 ____A C:\Users\xxx\Downloads\7z922.exe
2012-09-14 05:12 - 2012-09-14 05:12 - 00110088 ____A C:\Users\xxx\Desktop\ark.txt
2012-09-14 05:10 - 2012-09-14 05:10 - 00000000 ____D C:\Program Files\Common Files\Cisco Systems
2012-09-14 05:10 - 2012-07-18 12:19 - 00030744 ____A (Sophos Limited) C:\Windows\System32\SophosBootTasks.exe
2012-09-13 19:53 - 2012-09-13 19:53 - 00166328 ____A C:\Windows\Minidump\091312-16380-01.dmp
2012-09-13 16:16 - 2012-09-13 16:16 - 00001126 ____A C:\AdwCleaner[R2].txt
2012-09-13 15:45 - 2012-09-13 15:45 - 00006369 ____A C:\AdwCleaner[S1].txt
2012-09-13 15:42 - 2012-09-13 15:42 - 00006007 ____A C:\AdwCleaner[R1].txt
2012-09-13 15:41 - 2012-09-13 15:41 - 00512399 ____A C:\Users\xxx\Desktop\adwcleaner.exe
2012-09-13 15:27 - 2012-09-13 19:52 - 718300821 ____A C:\Windows\MEMORY.DMP
2012-09-13 15:27 - 2012-09-13 15:27 - 00166352 ____A C:\Windows\Minidump\091312-18096-01.dmp
2012-09-13 11:22 - 2012-09-13 11:22 - 00020982 ____A C:\Users\xxx\Desktop\DDS.txt
2012-09-13 10:59 - 2012-09-13 10:59 - 00005226 ____A C:\Users\xxx\Desktop\Attach.rar
2012-09-13 10:58 - 2012-09-13 10:58 - 00019927 ____A C:\Users\xxx\Desktop\Attach.txt
2012-09-13 10:47 - 2012-09-13 10:47 - 00607260 ____R (Swearware) C:\Users\xxx\Desktop\dds.com
2012-09-13 10:47 - 2012-09-13 10:47 - 00302592 ____A C:\Users\xxx\Desktop\n7eeql84.exe
2012-09-13 10:46 - 2012-09-13 10:46 - 00050477 ____A C:\Users\xxx\Desktop\Defogger.exe
2012-09-13 10:39 - 2012-09-13 10:39 - 00000000 ____D C:\Program Files\ESET
2012-09-13 09:07 - 2012-09-13 09:07 - 00005019 ____A C:\Users\xxx\Desktop\MiddlewareRejectionsTracker -V1 2.xls.lnk
2012-09-11 20:19 - 2012-09-11 20:19 - 00026329 ____A C:\ComboFix.txt
2012-09-11 20:03 - 2009-04-19 23:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-09-11 20:02 - 2012-09-13 22:41 - 00000000 ____D C:\Windows\erdnt
2012-09-11 19:34 - 2012-09-11 19:34 - 00000000 ____D C:\Users\xxx\AppData\Local\Sophos
2012-09-11 18:54 - 2012-09-14 13:14 - 00005126 ____A C:\Windows\PFRO.log
2012-09-10 17:53 - 2012-09-13 22:26 - 00028924 ____A C:\Windows\Partizan.log
2012-09-10 17:51 - 2012-09-15 14:09 - 00001736 ____A C:\Windows\setupact.log
2012-09-10 17:51 - 2012-09-10 17:51 - 00000000 ____A C:\Windows\setuperr.log
2012-09-10 14:32 - 2012-09-13 22:25 - 00000262 ____A C:\Windows\System32\PARTIZAN.TXT
2012-09-10 14:21 - 2012-09-13 22:38 - 00000000 ____D C:\Users\All Users\RegRun
2012-09-10 14:21 - 2012-09-10 17:41 - 00000000 ____D C:\Users\xxx\Documents\RegRun2
2012-09-10 14:21 - 2012-09-10 14:21 - 00000002 RASHOT C:\Windows\winstart.bat
2012-09-10 14:20 - 2012-09-13 22:39 - 00000000 ____D C:\Program Files\UnHackMe
2012-09-08 15:23 - 2012-09-08 15:23 - 00000000 ____D C:\Users\xxx\AppData\Roaming\SUPERAntiSpyware.com
2012-09-08 15:03 - 2012-09-08 15:03 - 00003011 ____A C:\Users\xxx\Desktop\HiJackThis.lnk
2012-09-08 15:03 - 2012-09-08 15:03 - 00000000 ____D C:\Program Files\Trend Micro
2012-09-08 14:31 - 2012-09-11 20:29 - 00000000 ____D C:\Program Files\Mozilla Firefox
2012-09-08 14:26 - 2012-09-15 14:00 - 00428957 ____A C:\Windows\WindowsUpdate.log
2012-09-08 12:44 - 2012-09-11 20:49 - 00000000 ____D C:\Windows\pss
2012-09-08 11:54 - 2012-09-11 20:54 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
2012-09-08 10:48 - 2012-09-11 21:03 - 00001072 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-08 10:48 - 2012-09-08 10:48 - 00000000 ____D C:\Users\xxx\AppData\Roaming\Malwarebytes
2012-09-08 10:48 - 2012-09-08 10:48 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-09-08 10:48 - 2012-09-07 17:04 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-08 10:47 - 2012-09-11 21:03 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-09-05 13:16 - 2012-09-05 13:16 - 00000173 ____A C:\Users\xxx\Documents\times.txt
2012-09-03 06:44 - 2012-09-03 10:38 - 00000000 ____D C:\CCRC
2012-09-02 12:06 - 2012-09-02 12:06 - 00000098 ____A C:\Users\xxx\Documents\SOP.txt
2012-09-02 11:03 - 2012-09-02 11:03 - 00000954 ____A C:\Users\xxx\Desktop\SopCast.lnk
2012-09-02 11:03 - 2012-09-02 11:03 - 00000000 ____D C:\Program Files\SopCast
2012-09-01 14:26 - 2012-09-01 14:26 - 00000405 ____A C:\Users\xxx\Desktop\patterns.json
2012-09-01 11:23 - 2012-09-01 11:23 - 00000000 ____D C:\Program Files\Notepad++
2012-09-01 11:22 - 2012-09-01 11:25 - 00000000 ____D C:\Users\xxx\AppData\Roaming\Notepad++
2012-09-01 11:21 - 2012-09-01 11:21 - 00000000 ____D C:\Program Files\Common Files\Java
2012-09-01 11:21 - 2012-09-01 11:20 - 00246760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-09-01 11:20 - 2012-09-01 11:20 - 00093672 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2012-09-01 09:09 - 2012-09-01 09:12 - 09622688 ____A C:\Users\xxx\Desktop\SopCast-3.5.0.exe
2012-08-30 13:10 - 2012-08-30 13:10 - 00000735 ____A C:\Users\xxx\Desktop\ccccccc.txt
2012-08-29 10:29 - 2012-08-29 10:29 - 00002104 ____A C:\Users\xxx\Desktop\WebSphere Message Broker Toolkit 6.1.lnk
2012-08-28 14:01 - 2012-07-06 14:23 - 00393728 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys
2012-08-28 13:27 - 2012-07-18 12:47 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-28 13:27 - 2012-07-04 16:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-28 13:27 - 2012-07-04 16:14 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-28 13:27 - 2012-07-04 16:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-28 13:27 - 2012-06-27 00:53 - 01231360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-28 13:27 - 2012-06-27 00:53 - 00981504 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-28 13:27 - 2012-06-27 00:53 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-28 13:27 - 2012-06-27 00:51 - 06027776 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-28 13:27 - 2012-06-27 00:51 - 00627712 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-08-28 13:27 - 2012-06-27 00:51 - 00067584 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-28 13:27 - 2012-06-27 00:50 - 11020800 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-28 13:27 - 2012-06-27 00:50 - 02073600 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-28 13:27 - 2012-06-27 00:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-28 13:27 - 2012-06-27 00:50 - 00048128 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-28 13:27 - 2012-06-26 23:10 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-28 13:27 - 2012-05-13 23:33 - 00769024 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-28 13:27 - 2012-05-05 02:46 - 00400896 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-08-28 13:27 - 2012-02-11 00:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-08-28 13:27 - 2012-02-11 00:37 - 00317440 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-08-28 12:05 - 2012-08-28 12:05 - 00048640 ____A C:\Windows\System32\libfdnvin.dll
2012-08-28 12:05 - 2012-08-28 12:05 - 00000105 ____A C:\Users\All Users\.sdplic
2012-08-24 12:48 - 2012-08-24 12:48 - 00000558 ____A C:\Users\xxx\Desktop\bbbbbbbb.txt
2012-08-23 12:21 - 2012-08-23 12:34 - 00002797 ____A C:\Users\xxx\Desktop\Book1.csv
2012-08-23 10:12 - 2012-09-05 08:40 - 00000053 ____A C:\Users\xxx\.ccase_wvreg
2012-08-23 09:15 - 2012-08-23 09:15 - 00000029 ____A C:\Users\xxx\.server_reg
2012-08-23 09:15 - 2012-08-23 09:15 - 00000007 ____A C:\Users\xxx\.server_reg.created
2012-08-21 16:07 - 2012-09-15 13:37 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-20 13:38 - 2012-09-14 13:12 - 00000439 ____A C:\Users\xxx\Desktop\aaaaa.txt


==================== 3 Months Modified Files ==================

2012-09-15 14:12 - 2012-09-08 14:26 - 00428957 ____A C:\Windows\WindowsUpdate.log
2012-09-15 14:09 - 2012-09-10 17:51 - 00001736 ____A C:\Windows\setupact.log
2012-09-15 14:09 - 2009-07-13 23:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-15 13:43 - 2009-07-13 23:34 - 00019120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-15 13:43 - 2009-07-13 23:34 - 00019120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-15 13:37 - 2012-08-21 16:07 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-15 13:35 - 2009-07-13 23:53 - 00032620 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-15 13:28 - 2012-07-03 09:17 - 00000948 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3829815512-2678597626-704828700-51787UA.job
2012-09-15 13:16 - 2011-03-03 10:23 - 00666768 ____A C:\Windows\System32\perfh01D.dat
2012-09-15 13:16 - 2011-03-03 10:23 - 00145996 ____A C:\Windows\System32\perfc01D.dat
2012-09-15 13:16 - 2011-03-03 10:11 - 00727552 ____A C:\Windows\System32\perfh019.dat
2012-09-15 13:16 - 2011-03-03 10:11 - 00154002 ____A C:\Windows\System32\perfc019.dat
2012-09-15 13:16 - 2011-03-03 10:05 - 00732020 ____A C:\Windows\System32\prfh0816.dat
2012-09-15 13:16 - 2011-03-03 10:05 - 00156410 ____A C:\Windows\System32\prfc0816.dat
2012-09-15 13:16 - 2011-03-03 10:00 - 00743022 ____A C:\Windows\System32\perfh015.dat
2012-09-15 13:16 - 2011-03-03 10:00 - 00159122 ____A C:\Windows\System32\perfc015.dat
2012-09-15 13:16 - 2011-03-03 09:55 - 00497602 ____A C:\Windows\System32\perfh014.dat
2012-09-15 13:16 - 2011-03-03 09:55 - 00098804 ____A C:\Windows\System32\perfc014.dat
2012-09-15 13:16 - 2011-03-03 09:50 - 00420726 ____A C:\Windows\System32\perfh011.dat
2012-09-15 13:16 - 2011-03-03 09:50 - 00125772 ____A C:\Windows\System32\perfc011.dat
2012-09-15 13:16 - 2011-03-03 09:45 - 00742994 ____A C:\Windows\System32\perfh010.dat
2012-09-15 13:16 - 2011-03-03 09:45 - 00150338 ____A C:\Windows\System32\perfc010.dat
2012-09-15 13:16 - 2011-03-03 08:19 - 00746198 ____A C:\Windows\System32\perfh013.dat
2012-09-15 13:16 - 2011-03-03 08:19 - 00156438 ____A C:\Windows\System32\perfc013.dat
2012-09-15 13:16 - 2010-11-20 16:01 - 11679418 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-14 20:58 - 2012-07-03 09:17 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3829815512-2678597626-704828700-51787Core.job
2012-09-14 13:14 - 2012-09-11 18:54 - 00005126 ____A C:\Windows\PFRO.log
2012-09-14 13:12 - 2012-08-20 13:38 - 00000439 ____A C:\Users\xxx\Desktop\aaaaa.txt
2012-09-14 13:10 - 2011-10-20 09:29 - 00000007 ____A C:\Users\Public\Documents\autostart.txt
2012-09-14 12:00 - 2011-10-20 08:16 - 00001800 ____A C:\Windows\System32\config\netlogon.ftl
2012-09-14 05:52 - 2012-09-14 05:52 - 00005318 ____A C:\Users\xxx\Desktop\Attach.zip
2012-09-14 05:50 - 2012-09-14 05:48 - 01138397 ____A C:\Users\xxx\Downloads\7z922.exe
2012-09-14 05:12 - 2012-09-14 05:12 - 00110088 ____A C:\Users\xxx\Desktop\ark.txt
2012-09-13 22:26 - 2012-09-10 17:53 - 00028924 ____A C:\Windows\Partizan.log
2012-09-13 22:25 - 2012-09-10 14:32 - 00000262 ____A C:\Windows\System32\PARTIZAN.TXT
2012-09-13 19:53 - 2012-09-13 19:53 - 00166328 ____A C:\Windows\Minidump\091312-16380-01.dmp
2012-09-13 19:52 - 2012-09-13 15:27 - 718300821 ____A C:\Windows\MEMORY.DMP
2012-09-13 16:16 - 2012-09-13 16:16 - 00001126 ____A C:\AdwCleaner[R2].txt
2012-09-13 15:45 - 2012-09-13 15:45 - 00006369 ____A C:\AdwCleaner[S1].txt
2012-09-13 15:42 - 2012-09-13 15:42 - 00006007 ____A C:\AdwCleaner[R1].txt
2012-09-13 15:41 - 2012-09-13 15:41 - 00512399 ____A C:\Users\xxx\Desktop\adwcleaner.exe
2012-09-13 15:27 - 2012-09-13 15:27 - 00166352 ____A C:\Windows\Minidump\091312-18096-01.dmp
2012-09-13 14:10 - 2012-06-15 03:34 - 00000600 ____A C:\Users\xxx\AppData\Local\PUTTY.RND
2012-09-13 11:22 - 2012-09-13 11:22 - 00020982 ____A C:\Users\xxx\Desktop\DDS.txt
2012-09-13 10:59 - 2012-09-13 10:59 - 00005226 ____A C:\Users\xxx\Desktop\Attach.rar
2012-09-13 10:58 - 2012-09-13 10:58 - 00019927 ____A C:\Users\xxx\Desktop\Attach.txt
2012-09-13 10:47 - 2012-09-13 10:47 - 00607260 ____R (Swearware) C:\Users\xxx\Desktop\dds.com
2012-09-13 10:47 - 2012-09-13 10:47 - 00302592 ____A C:\Users\xxx\Desktop\n7eeql84.exe
2012-09-13 10:46 - 2012-09-13 10:46 - 00050477 ____A C:\Users\xxx\Desktop\Defogger.exe
2012-09-13 09:07 - 2012-09-13 09:07 - 00005019 ____A C:\Users\xxx\Desktop\MiddlewareRejectionsTracker -V1 2.xls.lnk
2012-09-13 09:01 - 2012-06-11 08:11 - 00002052 ____A C:\Users\xxx\Documents\Default.rdp
2012-09-13 09:00 - 2012-07-04 08:42 - 00013427 ____A C:\Users\xxx\Desktop\Time Worked Record.xlsx
2012-09-12 12:47 - 2012-06-12 09:43 - 00000600 ____A C:\Users\xxx\AppData\Roaming\winscp.rnd
2012-09-11 21:03 - 2012-09-08 10:48 - 00001072 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-11 20:19 - 2012-09-11 20:19 - 00026329 ____A C:\ComboFix.txt
2012-09-11 20:15 - 2009-07-13 21:04 - 00000215 ____A C:\Windows\system.ini
2012-09-11 20:13 - 2009-07-13 21:03 - 68419584 ____A C:\Windows\System32\config\SOFTWARE.bak
2012-09-11 20:13 - 2009-07-13 21:03 - 18612224 ____A C:\Windows\System32\config\SYSTEM.bak
2012-09-11 20:13 - 2009-07-13 21:03 - 00786432 ____A C:\Windows\System32\config\DEFAULT.bak
2012-09-11 20:13 - 2009-07-13 21:03 - 00262144 ____A C:\Windows\System32\config\SECURITY.bak
2012-09-11 15:23 - 2009-07-13 21:03 - 00262144 ____A C:\Windows\System32\config\SAM.bak
2012-09-10 17:51 - 2012-09-10 17:51 - 00000000 ____A C:\Windows\setuperr.log
2012-09-10 14:21 - 2012-09-10 14:21 - 00000002 RASHOT C:\Windows\winstart.bat
2012-09-10 14:21 - 2009-07-13 21:04 - 00002577 ____A C:\Windows\System32\config.nt
2012-09-10 14:21 - 2009-07-13 21:04 - 00001688 ____A C:\Windows\System32\autoexec.nt
2012-09-08 15:03 - 2012-09-08 15:03 - 00003011 ____A C:\Users\xxx\Desktop\HiJackThis.lnk
2012-09-07 17:04 - 2012-09-08 10:48 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-05 13:16 - 2012-09-05 13:16 - 00000173 ____A C:\Users\xxx\Documents\times.txt
2012-09-05 08:40 - 2012-08-23 10:12 - 00000053 ____A C:\Users\xxx\.ccase_wvreg
2012-09-05 05:31 - 2012-07-05 20:14 - 00002466 ____A C:\Users\xxx\Desktop\Google Chrome.lnk
2012-09-02 12:06 - 2012-09-02 12:06 - 00000098 ____A C:\Users\xxx\Documents\SOP.txt
2012-09-02 11:03 - 2012-09-02 11:03 - 00000954 ____A C:\Users\xxx\Desktop\SopCast.lnk
2012-09-01 14:26 - 2012-09-01 14:26 - 00000405 ____A C:\Users\xxx\Desktop\patterns.json
2012-09-01 11:20 - 2012-09-01 11:21 - 00246760 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-09-01 11:20 - 2012-09-01 11:20 - 00093672 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2012-09-01 11:20 - 2012-06-14 09:25 - 00821736 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-09-01 11:20 - 2011-10-21 06:09 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-09-01 11:20 - 2011-10-21 06:09 - 00174056 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-09-01 11:20 - 2011-03-07 09:04 - 00746984 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-09-01 09:12 - 2012-09-01 09:09 - 09622688 ____A C:\Users\xxx\Desktop\SopCast-3.5.0.exe
2012-08-30 13:10 - 2012-08-30 13:10 - 00000735 ____A C:\Users\xxx\Desktop\ccccccc.txt
2012-08-29 10:29 - 2012-08-29 10:29 - 00002104 ____A C:\Users\xxx\Desktop\WebSphere Message Broker Toolkit 6.1.lnk
2012-08-28 20:15 - 2009-07-13 23:33 - 00339824 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-28 14:03 - 2011-10-20 08:50 - 59884088 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-28 12:05 - 2012-08-28 12:05 - 00048640 ____A C:\Windows\System32\libfdnvin.dll
2012-08-28 12:05 - 2012-08-28 12:05 - 00000105 ____A C:\Users\All Users\.sdplic
2012-08-24 12:48 - 2012-08-24 12:48 - 00000558 ____A C:\Users\xxx\Desktop\bbbbbbbb.txt
2012-08-23 12:34 - 2012-08-23 12:21 - 00002797 ____A C:\Users\xxx\Desktop\Book1.csv
2012-08-23 09:15 - 2012-08-23 09:15 - 00000029 ____A C:\Users\xxx\.server_reg
2012-08-23 09:15 - 2012-08-23 09:15 - 00000007 ____A C:\Users\xxx\.server_reg.created
2012-08-21 16:37 - 2012-06-12 05:58 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-21 16:37 - 2011-11-02 07:57 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-17 12:15 - 2011-03-07 08:45 - 00001990 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2012-08-09 10:40 - 2012-06-11 08:20 - 00004071 ____A C:\Users\xxx\Desktop\commands.txt
2012-08-08 12:28 - 2012-06-11 08:20 - 00000044 ____A C:\Users\xxx\Desktop\Speed Dials.txt
2012-08-08 06:48 - 2012-08-08 06:48 - 00000447 ____A C:\Users\xxx\Desktop\daily_reports.txt
2012-08-07 14:02 - 2012-08-06 13:26 - 00000039 ____A C:\Windows\vbaddin.ini
2012-08-06 13:33 - 2012-06-08 07:20 - 00084888 ____A C:\Users\xxx\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-06 11:51 - 2012-06-11 08:20 - 00429343 ____A C:\Users\xxx\Desktop\QueryResult.txt
2012-08-03 12:19 - 2012-06-11 08:20 - 00001645 ____A C:\Users\xxx\Desktop\Stuff.txt
2012-07-28 12:05 - 2012-07-28 12:05 - 00001669 ____A C:\Users\xxx\Desktop\BarrancoFlat_Total.xlsx - Shortcut.lnk
2012-07-28 12:05 - 2012-07-28 12:05 - 00001660 ____A C:\Users\xxx\Desktop\BarrancoFlat_plan.xlsx - Shortcut.lnk
2012-07-28 12:05 - 2012-07-28 12:05 - 00001003 ____A C:\Users\xxx\Desktop\Barranco_Flat.mpp - Shortcut.lnk
2012-07-28 12:02 - 2012-07-28 12:02 - 00001012 ____A C:\Users\xxx\Desktop\Dropbox.lnk
2012-07-27 12:04 - 2012-07-23 15:13 - 00000263 ____A C:\Users\xxx\Desktop\TO_DO_TO_DO_TO_DO_TO_DO_TO_DO.txt
2012-07-24 07:09 - 2012-07-24 07:09 - 00081204 ____A C:\Users\xxx\Desktop\3041_Hotfix_Int.zip
2012-07-19 10:40 - 2012-06-13 03:27 - 00002135 ____A C:\Users\xxx\Desktop\WebSphere MQ Explorer.lnk
2012-07-18 15:39 - 2012-07-18 12:21 - 00000315 ____A C:\Users\xxx\Desktop\QM_SIEBEL_ALERTS.txt
2012-07-18 12:47 - 2012-08-28 13:27 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-18 12:19 - 2012-09-14 05:10 - 00030744 ____A (Sophos Limited) C:\Windows\System32\SophosBootTasks.exe
2012-07-16 06:26 - 2012-07-16 06:26 - 00001078 ____A C:\Users\xxx\Desktop\VoipCheap.lnk
2012-07-15 22:51 - 2012-07-12 18:24 - 00020896 ____A C:\Users\xxx\Desktop\Budget_2.xlsx
2012-07-15 22:51 - 2012-07-10 20:12 - 00012664 ____A C:\Users\xxx\Desktop\Budget.xlsx
2012-07-11 13:47 - 2012-07-11 13:47 - 00015126 ____A C:\Users\xxx\DC41_export.xlsx
2012-07-11 11:50 - 2012-07-11 11:50 - 00096894 ____A C:\Users\xxx\Desktop\5080PIF.zip
2012-07-06 14:23 - 2012-08-28 14:01 - 00393728 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys
2012-07-06 09:13 - 2012-07-06 09:07 - 00003370 ____A C:\Windows\System32\DWRCSAccess.log
2012-07-05 09:34 - 2012-06-11 08:20 - 00001357 ____A C:\Users\xxx\Desktop\Deployment Plan - MBFE replacement.doc.lnk
2012-07-05 09:34 - 2012-06-11 08:20 - 00001061 ____A C:\Users\xxx\Desktop\WMB Upgrade v6.1 Implementation Plan.doc.lnk
2012-07-05 09:34 - 2012-06-11 08:20 - 00001061 ____A C:\Users\xxx\Desktop\MQ Upgrade v7 Implementation Plan.doc.lnk
2012-07-05 09:34 - 2012-06-11 08:20 - 00001041 ____A C:\Users\xxx\Desktop\MQ v7 Fix Pack 1 Installation.doc.lnk
2012-07-05 09:34 - 2012-06-11 08:20 - 00000983 ____A C:\Users\xxx\Desktop\MW_REJECTIONS_CORRECTED.xls.lnk
2012-07-05 09:34 - 2012-06-11 08:20 - 00000918 ____A C:\Users\xxx\Desktop\2218 Unix Trialling Release Plan v1.4.doc.lnk
2012-07-05 09:34 - 2012-06-11 08:20 - 00000883 ____A C:\Users\xxx\Desktop\Oracle eBS Connector setup v01.doc.lnk
2012-07-05 09:34 - 2012-06-11 08:20 - 00000883 ____A C:\Users\xxx\Desktop\MW Non-Prod Server list.xlsx.lnk
2012-07-05 09:34 - 2012-06-11 08:20 - 00000858 ____A C:\Users\xxx\Desktop\Interface Owners_BO.xls.lnk
2012-07-05 09:34 - 2012-06-11 08:20 - 00000848 ____A C:\Users\xxx\Desktop\7013 Technical Overview.doc.lnk
2012-07-05 09:34 - 2012-06-11 08:20 - 00000838 ____A C:\Users\xxx\Desktop\Timesheet Weekly 2010.doc.lnk
2012-07-05 09:34 - 2012-06-11 08:20 - 00000838 ____A C:\Users\xxx\Desktop\project task template.dot.lnk
2012-07-05 09:34 - 2012-06-11 08:20 - 00000838 ____A C:\Users\xxx\Desktop\Connector_information.xls.lnk
2012-07-05 09:34 - 2012-06-11 08:20 - 00000803 ____A C:\Users\xxx\Desktop\Middleware E2E.vsd.lnk
2012-07-05 09:34 - 2012-06-11 08:20 - 00000778 ____A C:\Users\xxx\Desktop\MQ Backup.pdf.lnk
2012-07-04 16:16 - 2012-08-28 13:27 - 00057344 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 16:14 - 2012-08-28 13:27 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 16:14 - 2012-08-28 13:27 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-02 10:10 - 2012-07-02 10:10 - 00033696 ____A (Sophos Limited) C:\Windows\System32\Drivers\sdcfilter.sys
2012-07-02 10:07 - 2012-07-02 10:07 - 00123680 ____A (Sophos Limited) C:\Windows\System32\Drivers\savonaccess.sys
2012-07-02 10:00 - 2012-07-02 10:00 - 00031736 ____A (Sophos Plc) C:\Windows\System32\Drivers\skmscan.sys
2012-07-02 09:56 - 2012-07-02 09:56 - 00131824 ____A (Sophos Plc) C:\Windows\System32\sdccoinstaller.dll
2012-06-28 13:12 - 2012-06-27 20:50 - 00000148 ____A C:\Users\xxx\Desktop\saxa.txt
2012-06-28 10:12 - 2012-06-28 10:12 - 00002503 ____A C:\Users\Public\Desktop\Skype.lnk
2012-06-27 00:53 - 2012-08-28 13:27 - 01231360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-27 00:53 - 2012-08-28 13:27 - 00981504 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-27 00:53 - 2012-08-28 13:27 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-27 00:51 - 2012-08-28 13:27 - 06027776 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-27 00:51 - 2012-08-28 13:27 - 00627712 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-06-27 00:51 - 2012-08-28 13:27 - 00067584 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-27 00:50 - 2012-08-28 13:27 - 11020800 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-27 00:50 - 2012-08-28 13:27 - 02073600 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-27 00:50 - 2012-08-28 13:27 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-27 00:50 - 2012-08-28 13:27 - 00048128 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-26 23:10 - 2012-08-28 13:27 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-26 16:03 - 2012-07-15 15:24 - 04659712 ____A (Dmitry Streblechenko) C:\Windows\System32\Redemption.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00974848 ____A C:\Windows\System32\cis-2.4.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00569344 ____A (© MusicCity) C:\Windows\System32\muzdecode.ax
2012-06-26 16:02 - 2012-06-26 16:02 - 00491520 ____A (Musiccity Co.Ltd.) C:\Windows\System32\muzapp.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00352256 ____A (Sample Corporation) C:\Windows\System32\MSLUR71.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00258048 ____A (© PeeringPortal) C:\Windows\System32\muzoggsp.ax
2012-06-26 16:02 - 2012-06-26 16:02 - 00245760 ____A (Teruten Inc.) C:\Windows\System32\MSCLib.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00200704 ____A ( © MusicCity) C:\Windows\System32\muzwmts.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00172032 ____A (Musiccity Co.Ltd.) C:\Windows\System32\muzapp.exe
2012-06-26 16:02 - 2012-06-26 16:02 - 00155648 ____A (Teruten Inc.) C:\Windows\System32\MSFLib.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00143360 ____A C:\Windows\System32\3DAudio.ax
2012-06-26 16:02 - 2012-06-26 16:02 - 00135168 ____A (Musiccity Co.Ltd.) C:\Windows\System32\muzaf1.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00131072 ____A (© MusicCity) C:\Windows\System32\muzmpgsp.ax
2012-06-26 16:02 - 2012-06-26 16:02 - 00122880 ____A (© MUSICCITY) C:\Windows\System32\muzeffect.ax
2012-06-26 16:02 - 2012-06-26 16:02 - 00118784 ____A ((?)????) C:\Windows\System32\MaDRM.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00110592 ____A (© MusicCity) C:\Windows\System32\muzmp4sp.ax
2012-06-26 16:02 - 2012-06-26 16:02 - 00081920 ____A C:\Windows\System32\issacapi_bs-2.3.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00065536 ____A C:\Windows\System32\issacapi_pe-2.3.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00057344 ____A C:\Windows\System32\issacapi_se-2.3.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00057344 ____A (Marktek) C:\Windows\System32\MK_Lyric.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00057344 ____A (Marktek Inc.) C:\Windows\System32\MTXSYNCICON.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00049152 ____A ((?) ????) C:\Windows\System32\MaJGUILib.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00045320 ____A (MARKANY) C:\Windows\System32\MAMACExtract.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00045056 ____A ((?) ????) C:\Windows\System32\MaXMLProto.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00045056 ____A ((?) ????) C:\Windows\System32\MACXMLProto.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00040960 ____A (Telechips Inc.,) C:\Windows\System32\MTTELECHIP.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00024576 ____A ((?)????) C:\Windows\System32\MASetupCleaner.exe
2012-06-25 01:52 - 2012-06-25 01:52 - 00001012 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-06-23 02:02 - 2011-10-20 08:40 - 00076903 _RASH C:\Users\All Users\ntuser.pol
2012-06-22 02:57 - 2012-06-08 07:23 - 00775686 ____A C:\Users\xxx\EMREU-UK-jun.bmp
2012-06-22 02:56 - 2012-06-08 07:21 - 00006502 _RASH C:\Users\xxx\ntuser.pol
2012-06-21 11:19 - 2012-06-21 11:19 - 00047545 ____A C:\Users\xxx\Desktop\7013and70XX.zip
2012-06-21 03:56 - 2012-06-11 08:20 - 00041472 ____A C:\Users\xxx\Desktop\HULFT IDS.xls
2012-06-21 03:31 - 2012-06-21 03:31 - 00000165 ___AH C:\Users\xxx\Desktop\~$Approval_Requests.xlsx
2012-06-19 03:43 - 2012-06-19 03:43 - 00001367 ____A C:\Users\xxx\Desktop\Putty Connection Manager.lnk
2012-06-18 11:25 - 2012-06-18 11:25 - 00001291 ____A C:\Users\xxx\Desktop\SQL Developer.lnk
2012-06-18 03:52 - 2012-06-05 11:39 - 02674800 ____A (Sysinternals - www.sysinternals.com) C:\Users\xxx\Desktop\procexp.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 3059.67 MB
Available physical RAM: 2559.73 MB
Total Pagefile: 6117.63 MB
Available Pagefile: 5649.79 MB
Total Virtual: 2047.88 MB
Available Virtual: 1946.56 MB

==================== Partitions =============================

1 Drive c: (C) (Fixed) (Total:297.6 GB) (Free:222.18 GB) NTFS
3 Drive e: (DONGLE) (Removable) (Total:3.77 GB) (Free:3.32 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 3875 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 500 MB 1024 KB
Partition 2 Primary 297 GB 501 MB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 System Rese NTFS Partition 500 MB Healthy System (partition with boot components)

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C C NTFS Partition 297 GB Healthy Boot

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3871 MB 4032 KB

=========================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E DONGLE FAT32 Removable 3871 MB Healthy

=========================================================

Last Boot: 2012-09-07 07:58

==================== End Of Log ============================
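
The listings above are long, and the entries worth a second look are easy to miss by eye. As an added example (not part of FRST, ComboFix, DDS or any post in this thread), the Python script below parses file lines in the FRST format shown above and surfaces what an analyst would check first: PE-type files under C:\Windows for which FRST printed no company string, executables or scripts under C:\Windows carrying the hidden or system attribute, and bursts of non-Microsoft binaries landing in C:\Windows within the same minute. The sample input is a subset of lines copied from the listing above; the extension lists, the burst threshold and the heuristics themselves are this example's own assumptions, and a hit is a prompt for a hash lookup, not a verdict.

```python
"""Triage helper for FRST 'Created'/'Modified Files' listings.

Added example for this thread; it is not part of FRST, ComboFix, DDS or any
post above. Heuristics, extension lists and thresholds are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One FRST file line: "<date1> - <date2> - <size> <attrs> [(company)] <path>".
# FRST prints the company string only for PE files that carry version info.
LINE_RE = re.compile(
    r"^(?P<d1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<d2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) "
    r"(?:\((?P<vendor>.*?)\) )?"   # optional "(Company) "; lazy, so ")" inside a name is tolerated
    r"(?P<path>[A-Za-z]:\\.*)$"
)

PE_EXT = (".exe", ".dll", ".sys", ".ax", ".cpl", ".ocx", ".drv", ".scr")   # assumed list
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")                       # assumed list
WINDOWS_DIR = "c:\\windows\\"
MICROSOFT = "Microsoft Corporation"


@dataclass
class Entry:
    d1: str        # first timestamp on the line (creation or last-write time, per list)
    d2: str        # the other timestamp
    size: int
    attrs: str     # FRST flags: R A S H O T for files, D for directories
    vendor: str    # "" when FRST printed no company string
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def in_windows(self) -> bool:
        return self.path.lower().startswith(WINDOWS_DIR)

    @property
    def ext(self) -> str:
        name = self.path.rsplit("\\", 1)[-1].lower()
        return name[name.rfind("."):] if "." in name else ""


def parse_frst(text: str) -> list[Entry]:
    """Parse FRST file lines; section headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["d1"], m["d2"], int(m["size"]), m["attrs"],
                                 (m["vendor"] or "").strip(), m["path"]))
    return entries


def triage(entries: list[Entry], burst_min: int = 4) -> list[tuple[str, str]]:
    """Return (reason, detail) pairs for entries that merit a hash lookup.

    no-vendor    PE-type file under C:\\Windows with no company string
    hidden-exec  executable or script under C:\\Windows with the H or S attribute
    burst        >= burst_min PE files under C:\\Windows sharing one timestamp and
                 not all attributed to Microsoft (Windows Update makes such bursts too)
    """
    findings = []
    by_stamp = defaultdict(list)
    for e in entries:
        if e.is_dir or not e.in_windows:
            continue
        if e.ext in PE_EXT:
            by_stamp[e.d1].append(e)
            if not e.vendor:
                findings.append(("no-vendor", e.path))
        if e.ext in PE_EXT + SCRIPT_EXT and ("H" in e.attrs or "S" in e.attrs):
            findings.append(("hidden-exec", f"{e.path} [{e.attrs}]"))
    for stamp, group in sorted(by_stamp.items()):
        vendors = {e.vendor or "<none>" for e in group}
        if len(group) >= burst_min and vendors != {MICROSOFT}:
            findings.append(("burst", f"{stamp}: {len(group)} files, vendors={sorted(vendors)}"))
    return findings


# Sample input: a subset of lines copied from the FRST listing posted above.
SAMPLE = r"""
2012-08-28 13:27 - 2012-07-18 12:47 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-28 12:05 - 2012-08-28 12:05 - 00048640 ____A C:\Windows\System32\libfdnvin.dll
2012-08-28 12:05 - 2012-08-28 12:05 - 00000105 ____A C:\Users\All Users\.sdplic
2012-09-15 14:09 - 2009-07-13 23:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-10 14:21 - 2012-09-10 14:21 - 00000002 RASHOT C:\Windows\winstart.bat
2012-06-26 16:02 - 2012-06-26 16:02 - 00974848 ____A C:\Windows\System32\cis-2.4.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00569344 ____A (© MusicCity) C:\Windows\System32\muzdecode.ax
2012-06-26 16:02 - 2012-06-26 16:02 - 00352256 ____A (Sample Corporation) C:\Windows\System32\MSLUR71.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00118784 ____A ((?)????) C:\Windows\System32\MaDRM.dll
2012-06-26 16:02 - 2012-06-26 16:02 - 00143360 ____A C:\Windows\System32\3DAudio.ax
2012-09-01 11:21 - 2012-09-01 11:21 - 00000000 ____D C:\Program Files\Common Files\Java
2012-09-13 10:47 - 2012-09-13 10:47 - 00607260 ____R (Swearware) C:\Users\xxx\Desktop\dds.com
"""

if __name__ == "__main__":
    for reason, detail in triage(parse_frst(SAMPLE)):
        print(f"{reason:12} {detail}")
```

To run it over a real log, read FRST.txt into `SAMPLE` (or pass its contents to `parse_frst`); the Created and Modified sections share the same line format, so both parse. On the sample it reports the three System32 PE files with no company string, the hidden/system winstart.bat, and the five-file burst at 2012-06-26 16:02, while ignoring the Microsoft-attributed win32k.sys, the hidden but non-executable SA.DAT, the directory entry and everything outside C:\Windows.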

#4 CatByte

CatByte
  • Malware Response Team

Posted 15 September 2012 - 02:49 PM

Please run the following

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location: Link
    IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 gdingwall

gdingwall
  • Topic Starter
  • Members

Posted 15 September 2012 - 04:32 PM

Hi

As requested here is the Combofix log, thanks:

ComboFix 12-09-15.02 - xxx 15/09/2012 16:15:54.2.4 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.44.1033.18.3060.1907 [GMT -5:00]
Running from: c:\users\xxx\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *Disabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}
SP: Sophos Anti-Virus *Disabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-08-15 to 2012-09-15 )))))))))))))))))))))))))))))))
.
.
2012-09-15 21:23 . 2012-09-15 21:23 -------- d-----w- c:\users\MUSR_MQADMIN\AppData\Local\temp
2012-09-15 21:23 . 2012-09-15 21:23 -------- d-----w- c:\users\l1.george.jacomelli\AppData\Local\temp
2012-09-15 21:23 . 2012-09-15 21:23 -------- d-----w- c:\users\executive1\AppData\Local\temp
2012-09-15 21:23 . 2012-09-15 21:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-15 19:23 . 2012-09-15 19:23 -------- d-----w- C:\FRST
2012-09-14 18:10 . 2012-09-14 18:10 -------- d-----w- c:\users\xxx\AppData\Roaming\smkits
2012-09-14 10:51 . 2012-09-14 10:51 -------- d-----w- c:\program files\7-Zip
2012-09-14 10:10 . 2012-09-14 10:10 -------- d-----w- c:\program files\Common Files\Cisco Systems
2012-09-14 10:10 . 2012-07-18 17:19 30744 ----a-w- c:\windows\system32\SophosBootTasks.exe
2012-09-13 15:39 . 2012-09-13 15:39 -------- d-----w- c:\program files\ESET
2012-09-12 01:12 . 2012-09-15 21:23 -------- d-----w- c:\users\xxx\AppData\Local\temp
2012-09-12 00:34 . 2012-09-12 00:34 -------- d-----w- c:\users\xxx\AppData\Local\Sophos
2012-09-10 19:21 . 2012-09-14 03:38 -------- d-----w- c:\programdata\RegRun
2012-09-10 19:21 . 2012-09-10 19:21 2 --shatr- c:\windows\winstart.bat
2012-09-10 19:20 . 2012-09-14 03:39 -------- d-----w- c:\program files\UnHackMe
2012-09-08 20:23 . 2012-09-08 20:23 -------- d-----w- c:\users\xxx\AppData\Roaming\SUPERAntiSpyware.com
2012-09-08 20:03 . 2012-09-08 20:03 388096 ----a-r- c:\users\xxx\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-09-08 20:03 . 2012-09-08 20:03 -------- d-----w- c:\program files\Trend Micro
2012-09-08 16:54 . 2012-09-12 01:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-09-08 15:48 . 2012-09-08 15:48 -------- d-----w- c:\users\xxx\AppData\Roaming\Malwarebytes
2012-09-08 15:48 . 2012-09-08 15:48 -------- d-----w- c:\programdata\Malwarebytes
2012-09-08 15:48 . 2012-09-07 22:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-08 15:47 . 2012-09-12 02:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-03 11:44 . 2012-09-03 15:38 -------- d-----w- C:\CCRC
2012-09-02 16:03 . 2012-09-02 16:03 -------- d-----w- c:\program files\SopCast
2012-09-01 16:23 . 2012-09-01 16:23 -------- d-----w- c:\program files\Notepad++
2012-09-01 16:22 . 2012-09-01 16:25 -------- d-----w- c:\users\xxx\AppData\Roaming\Notepad++
2012-09-01 16:21 . 2012-09-01 16:21 -------- d-----w- c:\program files\Common Files\Java
2012-09-01 16:20 . 2012-09-01 16:20 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-28 19:01 . 2012-07-06 19:23 393728 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-08-28 17:05 . 2012-08-28 17:05 48640 ----a-w- c:\windows\system32\libfdnvin.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-01 16:20 . 2012-06-14 14:25 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-01 16:20 . 2011-03-07 14:04 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-21 21:37 . 2012-06-12 10:58 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-21 21:37 . 2011-11-02 12:57 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-08 00:45 . 2012-07-08 00:45 53248 ----a-r- c:\users\xxx\AppData\Roaming\Microsoft\Installer\{6E6E7725-C7BC-4C39-8B3F-14B67331A120}\ARPPRODUCTICON.exe
2012-07-02 15:10 . 2012-07-02 15:10 33696 ----a-w- c:\windows\system32\drivers\sdcfilter.sys
2012-07-02 15:07 . 2012-07-02 15:07 123680 ----a-w- c:\windows\system32\drivers\savonaccess.sys
2012-07-02 15:00 . 2012-07-02 15:00 31736 ----a-w- c:\windows\system32\drivers\skmscan.sys
2012-07-02 14:56 . 2012-07-02 14:56 131824 ----a-w- c:\windows\system32\sdccoinstaller.dll
2012-06-26 21:03 . 2012-07-15 20:24 4659712 ----a-w- c:\windows\system32\Redemption.dll
2012-06-26 21:02 . 2012-06-26 21:02 974848 ----a-w- c:\windows\system32\cis-2.4.dll
2012-06-26 21:02 . 2012-06-26 21:02 81920 ----a-w- c:\windows\system32\issacapi_bs-2.3.dll
2012-06-26 21:02 . 2012-06-26 21:02 65536 ----a-w- c:\windows\system32\issacapi_pe-2.3.dll
2012-06-26 21:02 . 2012-06-26 21:02 57344 ----a-w- c:\windows\system32\MTXSYNCICON.dll
2012-06-26 21:02 . 2012-06-26 21:02 57344 ----a-w- c:\windows\system32\MK_Lyric.dll
2012-06-26 21:02 . 2012-06-26 21:02 57344 ----a-w- c:\windows\system32\issacapi_se-2.3.dll
2012-06-26 21:02 . 2012-06-26 21:02 569344 ----a-w- c:\windows\system32\muzdecode.ax
2012-06-26 21:02 . 2012-06-26 21:02 491520 ----a-w- c:\windows\system32\muzapp.dll
2012-06-26 21:02 . 2012-06-26 21:02 49152 ----a-w- c:\windows\system32\MaJGUILib.dll
2012-06-26 21:02 . 2012-06-26 21:02 45320 ----a-w- c:\windows\system32\MAMACExtract.dll
2012-06-26 21:02 . 2012-06-26 21:02 45056 ----a-w- c:\windows\system32\MaXMLProto.dll
2012-06-26 21:02 . 2012-06-26 21:02 45056 ----a-w- c:\windows\system32\MACXMLProto.dll
2012-06-26 21:02 . 2012-06-26 21:02 40960 ----a-w- c:\windows\system32\MTTELECHIP.dll
2012-06-26 21:02 . 2012-06-26 21:02 352256 ----a-w- c:\windows\system32\MSLUR71.dll
2012-06-26 21:02 . 2012-06-26 21:02 258048 ----a-w- c:\windows\system32\muzoggsp.ax
2012-06-26 21:02 . 2012-06-26 21:02 245760 ----a-w- c:\windows\system32\MSCLib.dll
2012-06-26 21:02 . 2012-06-26 21:02 24576 ----a-w- c:\windows\system32\MASetupCleaner.exe
2012-06-26 21:02 . 2012-06-26 21:02 200704 ----a-w- c:\windows\system32\muzwmts.dll
2012-06-26 21:02 . 2012-06-26 21:02 172032 ----a-w- c:\windows\system32\muzapp.exe
2012-06-26 21:02 . 2012-06-26 21:02 155648 ----a-w- c:\windows\system32\MSFLib.dll
2012-06-26 21:02 . 2012-06-26 21:02 143360 ----a-w- c:\windows\system32\3DAudio.ax
2012-06-26 21:02 . 2012-06-26 21:02 135168 ----a-w- c:\windows\system32\muzaf1.dll
2012-06-26 21:02 . 2012-06-26 21:02 131072 ----a-w- c:\windows\system32\muzmpgsp.ax
2012-06-26 21:02 . 2012-06-26 21:02 122880 ----a-w- c:\windows\system32\muzeffect.ax
2012-06-26 21:02 . 2012-06-26 21:02 118784 ----a-w- c:\windows\system32\MaDRM.dll
2012-06-26 21:02 . 2012-06-26 21:02 110592 ----a-w- c:\windows\system32\muzmp4sp.ax
2012-09-08 19:32 . 2012-09-08 19:32 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\xxx\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\xxx\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\xxx\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2011-01-14 337256]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2012-05-16 4395104]
"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2011-10-20 33344]
"SPEnroll"="c:\windows\system32\SPEnroll.exe" [2009-12-10 203776]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2010-06-07 618496]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2010-05-03 112152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2012-04-09 2350352]
"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2010-07-27 62312]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-05 7703072]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-08-05 1833504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2012-07-02 900120]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2009-02-04 78848]
.
c:\users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\xxx\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-7-24 26909544]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WebSphere MQ Task Bar.lnk - c:\program files\IBM\WebSphere MQ\bin\amqmtbrn.exe [2010-8-18 266816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 5 (0x5)
"enableinstallerdetection"= 0 (0x0)
"enableuiadesktoptoggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3829815512-2678597626-704828700-167674\Scripts\Logon\0\0]
"Script"=RISEV2-DOMAINLOGON-1.4.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3829815512-2678597626-704828700-167674\Scripts\Logon\1\0]
"Script"=Logon-EMREU-UK.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3829815512-2678597626-704828700-167680\Scripts\Logon\0\0]
"Script"=RISEV2-DOMAINLOGON-1.4.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3829815512-2678597626-704828700-167680\Scripts\Logon\1\0]
"Script"=Logon-EMREU-UK.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3829815512-2678597626-704828700-51787\Scripts\Logon\0\0]
"Script"=RISEV2-DOMAINLOGON-1.4.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3829815512-2678597626-704828700-51787\Scripts\Logon\1\0]
"Script"=Logon-EMREU-UK.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\users\xxx\AppData\Local\Google\Update\GoogleUpdate.exe" /c
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Mouse Suite 98 Daemon"=ICO.EXE
"Conime"=%windir%\system32\conime.exe
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 ProcTrigger;LANDesk® Process Trigger Service;c:\program files\LANDesk\LDCLient\ProcTriggerSvc.exe [x]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [x]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [x]
R2 swi_update;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [x]
R3 GzTpHid;GUNZE Touch Screen Filter Driver;c:\windows\system32\drivers\GzTpHid.sys [x]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [x]
R3 iaNvStor;iaNvStor;c:\windows\system32\drivers\iaNvStor.sys [x]
R3 LENPPALX;Golden Parallel Port Driver ;c:\windows\system32\drivers\lenppalx.sys [x]
R3 LENPSERX;Golden Series Port Driver ;c:\windows\system32\drivers\lenpserx.sys [x]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 pelbtm;Bluetooth Mouse Filter Driver;c:\windows\system32\drivers\pelbtm.sys [x]
R3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\pelps2m.sys [x]
R3 pelvendr;Mouse Suite I/O Driver;c:\windows\system32\drivers\pelvendr.sys [x]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [x]
R3 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\ThinkPad\Utilities\PWMEWSVC.EXE [x]
R3 QCFilterlno;Lenovo USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterlno.sys [x]
R3 qcusbserlno;Lenovo USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserlno.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 risdxc;risdxc;c:\windows\system32\drivers\risdxc86.sys [x]
R3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [x]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [x]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TN33statbus;TN33_NFC;c:\windows\system32\drivers\TN33_MultiFn.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 wacomhidfilter;Wacom HID Filter;c:\windows\system32\drivers\wacomhidfilter.sys [x]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [x]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [x]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [x]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [x]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [x]
S1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\DRIVERS\dwvkbd.sys [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [x]
S1 pelmoubt;Mouse Suite Bluetooth Driver;c:\windows\system32\drivers\pelmoubt.sys [x]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [x]
S1 SKMScan;SKMScan;c:\windows\system32\DRIVERS\skmscan.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentagent.exe [x]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [x]
S2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [x]
S2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files\LANDesk\LDCLient\tmcsvc.exe [x]
S2 LANDesk® Out-of-Band Monitor Service;LANDesk® Out-of-Band Monitor Service;c:\program files\LANDesk\LDClient\amtmon.exe [x]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [x]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [x]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [x]
S2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\IBM\Lotus\Notes\nsd.exe [x]
S2 MQSeriesServices;IBM MQSeries;c:\program files\IBM\WebSphere MQ\bin\amqsvc.exe [x]
S2 QDLService2kLenovo;Qualcomm Gobi 2000 Download Service (Lenovo);c:\program files\QUALCOMM\QDLService2k\QDLService2kLenovo.exe [x]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [x]
S2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDCLient\softmon.exe [x]
S2 Sophos Web Control Service;Sophos Web Control Service;c:\program files\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [x]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S2 tracksvc;LANDesk® Power Management Track Service;c:\program files\LANDesk\LDCLient\tracksvc.exe [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 DwMirror;DwMirror;c:\windows\system32\DRIVERS\DamewareMini.sys [x]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-12 21:37]
.
2012-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3829815512-2678597626-704828700-51787Core.job
- c:\users\xxx\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-03 14:17]
.
2012-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3829815512-2678597626-704828700-51787UA.job
- c:\users\xxx\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-03 14:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eu1pmwu012/FILETODAY/
TCP: DhcpNameServer = 200.48.225.130 200.48.225.146
DPF: {71C201AB-CA7B-442C-8A0B-A37C90032514} - hxxp://i2.siebel.infoprint.com/htim_enu/20430/applets/SiebelAx_HI_Client.cab
FF - ProfilePath - c:\users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\qnwmnqz6.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&sourceid=navclient&gfns=1&q=
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4364)
c:\users\xxx\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\Lenovo\Access Connections\ACDeskBand.dll
c:\program files\Lenovo\Access Connections\AcLocSettings.dll
c:\program files\Lenovo\Access Connections\AcCryptHlpr.dll
c:\program files\Lenovo\Access Connections\ACHelper.dll
c:\program files\Lenovo\Access Connections\AcSvcStub.dll
.
Completion time: 2012-09-15 16:24:55
ComboFix-quarantined-files.txt 2012-09-15 21:24
ComboFix2.txt 2012-09-12 01:19
.
Pre-Run: 238,176,333,824 bytes free
Post-Run: 238,189,305,856 bytes free
.
- - End Of File - - AC4AEE6FB7256EB90585F44831A25CB4

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:48 AM

Posted 15 September 2012 - 08:58 PM

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


NEXT

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 gdingwall

Posted 16 September 2012 - 09:57 AM

As requested:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.15.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
xxx :: UKLON10LR86MDKH [administrator]

15/09/2012 21:58:59
mbam-log-2012-09-15 (21-58-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 262904
Time elapsed: 7 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




#8 CatByte

Posted 16 September 2012 - 10:13 AM

I suggest deleting this installer if you no longer need it, as it is bundled with adware:

C:\Users\xxx\Desktop\SopCast-3.5.0.exe


How is the computer running now? Are there any outstanding issues?


Please run the following:


  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



#9 gdingwall

Posted 16 September 2012 - 12:52 PM

Hi

I deleted that file completely and checked in Firefox and I still get redirected to qfind.net. I've attached the requested logs. Please note I previously added the following 2 entries to the hosts file to curtail a bit the impact of the redirection:

127.0.0.1 qfind.net
127.0.0.1 www.qfind.net

Farbar log:

Farbar Service Scanner Version: 06-08-2012
Ran by xxx (administrator) on 16-09-2012 at 12:45:49
Running from "C:\Users\xxx\Desktop"
Microsoft Windows 7 Enterprise Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Other Services:
==============


File Check:
========
C:\windows\system32\nsisvc.dll => MD5 is legit
C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\windows\system32\dhcpcore.dll => MD5 is legit
C:\windows\system32\Drivers\afd.sys => MD5 is legit
C:\windows\system32\Drivers\tdx.sys => MD5 is legit
C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\windows\system32\dnsrslvr.dll => MD5 is legit
C:\windows\system32\mpssvc.dll => MD5 is legit
C:\windows\system32\bfe.dll => MD5 is legit
C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\windows\system32\SDRSVC.dll => MD5 is legit
C:\windows\system32\vssvc.exe => MD5 is legit
C:\windows\system32\wscsvc.dll => MD5 is legit
C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\windows\system32\wuaueng.dll => MD5 is legit
C:\windows\system32\qmgr.dll => MD5 is legit
C:\windows\system32\es.dll => MD5 is legit
C:\windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\windows\system32\svchost.exe => MD5 is legit
C:\windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

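The two hosts-file entries above sinkhole qfind.net by mapping it to 127.0.0.1, and the MiniToolBox "List content of Hosts" step in the previous post exists to check that file for anything else. The following Python script is an added example, not a tool from this thread: it parses a Windows hosts file and separates sinkhole entries (names mapped to loopback) from redirects (names mapped to some other address), which is the pattern a hosts-file hijack produces. The sample hosts content, including the 203.0.113.7 entry, is constructed for the example.

```python
"""Audit a Windows hosts file: sinkholes vs. redirects.

Added example, not part of the thread or of MiniToolBox. The sample below is
constructed: the stock Windows 7 comment block, the two sinkhole lines added in
the thread, and one hypothetical redirect entry using a TEST-NET-3 address.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#       102.54.94.97     rhino.acme.com          # source server
#       127.0.0.1       localhost
#       ::1             localhost

127.0.0.1 qfind.net
127.0.0.1 www.qfind.net
203.0.113.7 www.google.com      # hypothetical hijack entry (constructed)
"""

# Addresses that make a name resolve to nothing useful: the defensive pattern.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs for every active (non-comment) mapping."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, incl. trailing ones
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])  # validates IPv4 and IPv6
        except ValueError:
            continue                             # malformed line, not a mapping
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def classify(entries):
    """Split mappings into sinkholes (name -> loopback/unspecified, the pattern
    used in the thread) and redirects (name -> any other address, the pattern a
    hosts-file hijack produces and the one a reviewer should look at)."""
    sinkholes = [(ip, n) for ip, n in entries if ip in LOOPBACK and n != "localhost"]
    redirects = [(ip, n) for ip, n in entries if ip not in LOOPBACK]
    return sinkholes, redirects


def audit_hosts(text):
    """Convenience wrapper returning a dict suitable for reporting."""
    sinkholes, redirects = classify(parse_hosts(text))
    return {"sinkholes": sinkholes, "redirects": redirects}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for ip, name in report["sinkholes"]:
        print(f"sinkhole  {name:<20} -> {ip}")
    for ip, name in report["redirects"]:
        print(f"REDIRECT  {name:<20} -> {ip}  (review: not a loopback address)")
```

On a live machine the text would be read from %SystemRoot%\System32\drivers\etc\hosts; any entry reported under "redirects" deserves a look, since a well-known name mapped to an arbitrary address is exactly how a hosts-file hijack sends a browser elsewhere.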



#10 CatByte

Posted 16 September 2012 - 01:07 PM

There may be a bad add-on with Firefox.

Please run the following:



Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /rp /s
    %systemdrive%\$Recycle.Bin|@;true;true;true
    DRIVES
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs



#11 gdingwall

Posted 16 September 2012 - 08:21 PM

Hi CatByte - Thanks for your continued efforts in tracking down this issue! Please find attached the 2 logs from OTL.




#12 CatByte

Posted 16 September 2012 - 09:19 PM

What can you tell me about the proxy servers?

And did you set the custom hosts file?

    FF - prefs.js..network.proxy.http: "88.208.203.129"
    FF - prefs.js..network.proxy.http_port: 3128

Edited by CatByte, 17 September 2012 - 09:18 AM.



#13 gdingwall

Posted 17 September 2012 - 06:47 AM

Hi CatByte

I am not entirely sure about the proxy settings. The hosts file is fine. This is a laptop I use for work and those IPs are all valid servers. If possible could we remove them from this post?

Thank you.

Edited by gdingwall, 17 September 2012 - 06:47 AM.


#14 CatByte

Posted 17 September 2012 - 09:21 AM

OK.

I will reset the proxy.

Is it fairly easy for you to add the custom hosts file back or not?

As I'd like to reset it in case there is anything in there that shouldn't be, but we'll just do the proxy for now. Let me know if that makes a difference.



Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    FF - prefs.js..network.proxy.http_port: 3128 
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log

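CatByte's question two posts up concerns the Firefox proxy preferences that OTL reported from prefs.js, and the OTL fix in this post removes the port preference from that file. As an added example, not part of the thread or of OTL, the following Python script parses the user_pref(...) lines of a Firefox prefs.js, flags the preferences that steer traffic or address-bar searches (network.proxy.*, keyword.URL, the start page) unless their value matches an allowlist such as a known corporate proxy or search engine, and strips the network.proxy.* lines so Firefox falls back to its defaults. The sample prefs.js and the 192.0.2.10 proxy address are constructed placeholders, not the values from the thread.

```python
"""Audit and clean proxy / search-steering prefs in a Firefox prefs.js.

Added example, not from the thread or OTL. Firefox stores per-profile settings
as lines of the form   user_pref("name", value);   which the DDS/OTL logs in
the thread summarise as 'FF - prefs.js: name - value'.
"""
import re

# Constructed sample. 192.0.2.10 is a TEST-NET-1 placeholder, not the thread's
# proxy; the homepage and keyword.URL values mirror the DDS log above.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://www.google.co.uk/");
user_pref("keyword.URL", "http://www.google.com/search?ie=UTF-8&sourceid=navclient&gfns=1&q=");
user_pref("network.proxy.http", "192.0.2.10");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.type", 1);
user_pref("privacy.donottrackheader.enabled", true);
"""

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Preferences that decide where traffic or address-bar searches go. A manual
# proxy (network.proxy.type == 1) or a keyword.URL pointing somewhere
# unexpected is what a "search redirect" looks like inside prefs.js.
TRAFFIC_PREFS = ("network.proxy.", "keyword.URL", "browser.startup.homepage")


def parse_prefs(text):
    """Return {name: value} with string, bool and int literals decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue                      # comments and blank lines
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw         # leave anything unusual verbatim
    return prefs


def audit_prefs(text, allowed_hosts=()):
    """Return [(name, value)] for traffic-steering prefs whose value does not
    mention any host in allowed_hosts (e.g. the corporate proxy or the search
    engine the user actually chose)."""
    findings = []
    for name, value in parse_prefs(text).items():
        if not name.startswith(TRAFFIC_PREFS):
            continue
        if any(h in str(value) for h in allowed_hosts):
            continue
        findings.append((name, value))
    return findings


def strip_proxy_prefs(text):
    """Return prefs.js text with every network.proxy.* line removed. This is
    what the OTL fix line 'FF - prefs.js..network.proxy.http_port: 3128' does
    for one pref; without the lines Firefox reverts to its default (no manual
    proxy). Edit prefs.js only while Firefox is closed, or it is rewritten."""
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1).startswith("network.proxy."):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for name, value in audit_prefs(SAMPLE_PREFS, allowed_hosts=("google.",)):
        print(f"review: {name} = {value!r}")
    print("--- cleaned prefs.js ---")
    print(strip_proxy_prefs(SAMPLE_PREFS), end="")
```

The allowlist is what keeps this useful on a managed laptop like the one in the thread: a corporate proxy is expected, so its host goes in allowed_hosts and only unexplained proxy or search settings are reported.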


#15 gdingwall

Posted 17 September 2012 - 10:19 AM

Hi

I executed those instructions and the issue is still there. I did notice one interesting thing though. As I mentioned this is a laptop I use for work. When I VPN onto my work's network the issue does not occur.

I've no issue backing up my hosts file and modifying the existing one as you see fit.

Thanks.

All processes killed
========== OTL ==========
Prefs.js: 3128 removed from network.proxy.http_port
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\xxx\Desktop\cmd.bat deleted successfully.
C:\Users\xxx\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 56478 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: executive1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Java cache emptied: 0 bytes

User: xxx
->Temp folder emptied: 1468055 bytes
->Temporary Internet Files folder emptied: 12948906 bytes
->Java cache emptied: 2241225 bytes
->FireFox cache emptied: 240057636 bytes
->Google Chrome cache emptied: 84063047 bytes
->Flash cache emptied: 67304 bytes

User: l1.george.jacomelli
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Java cache emptied: 0 bytes

User: MUSR_MQADMIN
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 56478 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 14575010 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 340.00 mb


OTL by OldTimer - Version 3.2.61.5 log created on 09172012_095557

Files\Folders moved on Reboot...
C:\Users\xxx\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\windows\temp\nsd_tmp_3016.tmp not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...



