Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect and LOP.com Virus?


  • This topic is locked This topic is locked
41 replies to this topic

#1 con1287

con1287

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 25 October 2012 - 06:06 PM

Hello all,


About several days ago I went to Google and it would redirect me to pornographic, cooking, or make-money scheme websites. This has become a very annyoing hassle.

I also had the Premier Opinion virus thing and I got rid of that with Malwarebytes. However the redirect still remains and now I'm infested with this LOP.com thing. I have no idea how it got there because I have Norton 360 (which does not do anything) and I am a careful guy on the internet. I was doing my research and half of the people solved this problem using ComboFix. I'm not entirely certain I want to use that tool since I've heard it's very difficult to work with. I am asking for any solutions. I've used HitmanPro, Spyware Search and Destroy, Malwarebytes, Norton 360, and Spyhunter and yet I'm still not getting rid of this dang redirect and LOP.com virus.


Any help would be GREATLY appreciated. Thanks to all.


-con1287

BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:11 AM

Posted 25 October 2012 - 06:13 PM

Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 con1287

con1287
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 25 October 2012 - 06:45 PM

Here is the DDS Log I've also attached the attach.txt file and the MBR.zip to this reply as well.




DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421
Run by Tim Shin at 16:19:13 on 2012-10-25
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3838.1165 [GMT -7:00]
.
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\ccSvcHst.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\ccSvcHst.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\BSD\AppUpdater\BSDChecker.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wuauclt.exe
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\ips\ipsbho.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\coieplg.dll
TB: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\coieplg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [Temp] rundll32.exe "C:\Users\Tim Shin\AppData\Local\VirtualStore\Temp\tzadmjkqy.dll",fltInfoW
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [HP Remote Solution] C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [BSDAppUpdater] C:\Program Files (x86)\Common Files\BSD\AppUpdater\BSDChecker.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
dRun: [Temp] rundll32.exe "C:\Users\Tim Shin\AppData\Local\VirtualStore\Temp\tzadmjkqy.dll",fltInfoW
StartupFolder: C:\Users\TIMSHI~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{39AB9243-AF0A-4AF5-95D3-0F8375C62AD1} : DHCPNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 SMR250;Symantec SMR Utility Service 2.5.0;C:\Windows\System32\drivers\SMR250.SYS [2012-5-29 96376]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\0604000.009\symds64.sys [2012-10-1 451192]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\0604000.009\symefa64.sys [2012-10-1 1129120]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\BASHDefs\20121005.002\BHDrvx64.sys [2012-10-5 1385632]
R1 ccSet_N360;Norton 360 Settings Manager;C:\Windows\System32\drivers\N360x64\0604000.009\ccsetx64.sys [2012-10-1 167072]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\IPSDefs\20121024.001\IDSviA64.sys [2012-10-24 513184]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\0604000.009\ironx64.sys [2012-10-1 190072]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\0604000.009\symnets.sys [2012-10-1 405624]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-3 63928]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-10-23 399432]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-10-23 676936]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\ccsvchst.exe [2012-10-1 138272]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-6-19 1262400]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 SpyHunter 4 Service;SpyHunter 4 Service;C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [2012-10-10 1021888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-10-23 138912]
R3 esgiguard;esgiguard;C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [2011-3-2 13088]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-10-23 25928]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2011-10-1 764264]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2011-10-1 268648]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2011-10-1 25960]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2011-10-1 22376]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-4-14 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-14 250808]
S3 EsgScanner;EsgScanner;C:\Windows\System32\drivers\EsgScanner.sys [2012-10-25 22704]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-4-14 136176]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-4-16 1255736]
.
=============== Created Last 30 ================
.
2012-10-25 22:22:51 22704 ----a-w- C:\Windows\System32\drivers\EsgScanner.sys
2012-10-25 22:22:43 110080 ----a-r- C:\Users\Tim Shin\AppData\Roaming\Microsoft\Installer\{83B952C7-F8F3-4CA3-B4C5-33C85B24E478}\IconF7A21AF7.exe
2012-10-25 22:22:43 110080 ----a-r- C:\Users\Tim Shin\AppData\Roaming\Microsoft\Installer\{83B952C7-F8F3-4CA3-B4C5-33C85B24E478}\IconD7F16134.exe
2012-10-25 22:22:43 110080 ----a-r- C:\Users\Tim Shin\AppData\Roaming\Microsoft\Installer\{83B952C7-F8F3-4CA3-B4C5-33C85B24E478}\Icon1226A4C5.exe
2012-10-25 22:22:42 -------- d-----w- C:\sh4ldr
2012-10-25 22:22:42 -------- d-----w- C:\Program Files\Enigma Software Group
2012-10-25 22:21:27 -------- d-----w- C:\Windows\83B952C7F8F34CA3B4C533C85B24E478.TMP
2012-10-25 22:21:25 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2012-10-25 04:44:21 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-10-25 04:44:21 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-10-25 01:31:40 -------- d-----w- C:\ProgramData\HitmanPro
2012-10-24 23:17:05 -------- d-sh--w- C:\$RECYCLE.BIN
2012-10-24 01:07:06 -------- d-----w- C:\Users\Tim Shin\AppData\Roaming\Malwarebytes
2012-10-24 01:06:56 -------- d-----w- C:\ProgramData\Malwarebytes
2012-10-24 01:06:55 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-10-24 01:06:55 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-10-21 22:48:40 -------- d-----w- C:\Program Files (x86)\CandySoft
2012-10-15 01:57:34 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2012-10-15 01:56:44 -------- d-----w- C:\Program Files\iPod
2012-10-15 01:56:43 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-10-15 01:56:43 -------- d-----w- C:\Program Files\iTunes
2012-10-15 01:56:43 -------- d-----w- C:\Program Files (x86)\iTunes
2012-10-10 21:39:26 714752 ----a-w- C:\Windows\System32\kerberos.dll
2012-10-10 21:39:26 541184 ----a-w- C:\Windows\SysWow64\kerberos.dll
2012-10-10 21:39:06 182272 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-10-10 21:39:06 1462784 ----a-w- C:\Windows\System32\crypt32.dll
2012-10-10 21:39:06 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-10-10 21:39:06 139264 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-10-10 21:39:06 1157632 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-10-10 21:39:06 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-10-02 00:38:50 737952 ----a-w- C:\Windows\System32\drivers\N360x64\0604000.009\srtsp64.sys
2012-10-02 00:38:50 451192 ----a-r- C:\Windows\System32\drivers\N360x64\0604000.009\symds64.sys
2012-10-02 00:38:50 405624 ----a-r- C:\Windows\System32\drivers\N360x64\0604000.009\symnets.sys
2012-10-02 00:38:50 37536 ----a-w- C:\Windows\System32\drivers\N360x64\0604000.009\srtspx64.sys
2012-10-02 00:38:50 190072 ----a-r- C:\Windows\System32\drivers\N360x64\0604000.009\ironx64.sys
2012-10-02 00:38:50 167072 ----a-w- C:\Windows\System32\drivers\N360x64\0604000.009\ccsetx64.sys
2012-10-02 00:38:50 1129120 ----a-w- C:\Windows\System32\drivers\N360x64\0604000.009\symefa64.sys
2012-10-02 00:38:40 -------- d-----w- C:\Windows\System32\drivers\N360x64\0604000.009
.
==================== Find3M ====================
.
2012-10-09 02:45:29 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-09 02:45:29 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-09-14 19:23:40 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-09-14 18:30:38 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-08-31 18:02:20 1656688 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2012-08-30 18:11:29 5505904 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-08-30 17:18:33 3958128 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:18:33 3902832 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-08-24 18:05:28 220160 ----a-w- C:\Windows\System32\wintrust.dll
2012-08-24 17:10:47 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-08-24 10:31:32 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-08-24 10:21:18 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-08-24 10:20:11 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-08-24 10:14:45 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-08-24 10:13:29 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-08-24 10:09:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-08-24 06:59:17 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb


Here is the aswrMBR.txt

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-25 16:29:59
-----------------------------
16:29:59.960 OS Version: Windows x64 6.1.7600
16:29:59.960 Number of processors: 4 586 0x503
16:29:59.960 ComputerName: TIMSHIN-PC UserName: Tim Shin
16:30:03.579 Initialize success
16:31:08.814 AVAST engine defs: 12102502
16:31:16.536 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000062
16:31:16.536 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
16:31:16.552 Disk 0 MBR read successfully
16:31:16.568 Disk 0 MBR scan
16:31:16.568 Disk 0 unknown MBR code
16:31:16.583 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
16:31:16.614 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 598404 MB offset 206848
16:31:16.661 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 11974 MB offset 1225738240
16:31:16.708 Disk 0 scanning C:\Windows\system32\drivers
16:31:23.993 Service scanning
16:31:42.261 Modules scanning
16:31:42.276 Disk 0 trace - called modules:
16:31:42.292 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
16:31:42.292 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004d8c060]
16:31:42.308 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa8003cb2c90]
16:31:42.308 5 ACPI.sys[fffff88000f4e781] -> nt!IofCallDriver -> \Device\00000062[0xfffffa8004b10060]
16:31:44.866 AVAST engine scan C:\Windows
16:31:48.360 AVAST engine scan C:\Windows\system32
16:34:43.970 AVAST engine scan C:\Windows\system32\drivers
16:35:05.685 AVAST engine scan C:\Users\Tim Shin
16:38:04.743 File: C:\Users\Tim Shin\AppData\Local\VirtualStore\Temp\tzadmjkqy.dll **INFECTED** Win32:BHO-AHJ [Trj]
16:41:19.540 AVAST engine scan C:\ProgramData
16:42:37.056 Scan finished successfully
16:42:58.335 Disk 0 MBR has been saved successfully to "C:\Users\Tim Shin\Desktop\MBR.dat"
16:42:58.335 The log file has been saved successfully to "C:\Users\Tim Shin\Desktop\aswMBR.txt"

Attached Files



#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:11 AM

Posted 25 October 2012 - 07:14 PM

Please run the following

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 con1287

con1287
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 25 October 2012 - 07:59 PM

How do I fully turn of Norton 360? It says I have to uninstall it to stop it. I turned off all the settings but combofix still says that it might damage my computer cause it's not off at all. How exactly do I do that before I proceed?

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:11 AM

Posted 25 October 2012 - 08:03 PM

If you right click the Norton icon in you system tray at the bottom right, you will see options to disable the functions.

then you should be ok to continue on with ComboFix > ok through the warnings

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 con1287

con1287
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 25 October 2012 - 08:12 PM

Ok, and so if I OK through the warnings there will be no damage?

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:11 AM

Posted 26 October 2012 - 05:48 AM

as long as it's disabled in the system tray you should be OK

of you are not comfortable with that, then uninstall the program, you can reinstall it when we are done

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 con1287

con1287
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 26 October 2012 - 09:15 AM

as long as it's disabled in the system tray you should be OK

of you are not comfortable with that, then uninstall the program, you can reinstall it when we are done



I personally have a bit of a problem with ComboFix and would like to use it as a last resort.

If you recommend that I absolutely have to use it now or the process would go a lot quicker if I used ComboFix now then I will do it. I just don't know what kind of problems might arise should I use a tool like ComboFix.

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:11 AM

Posted 26 October 2012 - 10:25 AM

perhaps you should take your machine to a repair shop, you might feel more comfortable

on line forum tech help isn't for everyone

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 con1287

con1287
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 26 October 2012 - 05:05 PM

Well I would really prefer to do it online. I will delete my norton 360 and run combo fix soon. I will post back when I have some results.

#12 con1287

con1287
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 26 October 2012 - 06:02 PM

OK! So I ran ComboFix and I have pasted the log result. Also, is it safe to re-install Norton 360 now?

ComboFix 12-10-26.05 - Tim Shin 10/26/2012 15:48:07.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3838.2340 [GMT -7:00]
Running from: c:\users\Tim Shin\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Tim Shin\AppData\Local\VirtualStore\Temp\tzadmjkqy.dll
c:\users\Tim Shin\Documents\~WRL0005.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_nvsvc
.
.
((((((((((((((((((((((((( Files Created from 2012-09-26 to 2012-10-26 )))))))))))))))))))))))))))))))
.
.
2012-10-25 22:22 . 2012-10-25 22:22 -------- d-----w- c:\program files\Enigma Software Group
2012-10-25 22:21 . 2012-10-25 23:23 -------- d-----w- c:\windows\83B952C7F8F34CA3B4C533C85B24E478.TMP
2012-10-25 22:21 . 2012-10-25 22:21 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2012-10-25 04:44 . 2012-10-26 00:47 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-10-25 04:44 . 2012-10-26 00:47 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-10-25 01:31 . 2012-10-25 01:33 -------- d-----w- c:\programdata\HitmanPro
2012-10-24 01:07 . 2012-10-24 01:07 -------- d-----w- c:\users\Tim Shin\AppData\Roaming\Malwarebytes
2012-10-24 01:06 . 2012-10-24 01:06 -------- d-----w- c:\programdata\Malwarebytes
2012-10-21 22:56 . 2012-10-21 22:56 -------- d-----w- c:\program files (x86)\7-Zip
2012-10-21 22:48 . 2012-10-21 22:48 -------- d-----w- c:\program files (x86)\CandySoft
2012-10-15 01:57 . 2012-08-21 20:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-10-15 01:56 . 2012-10-15 01:56 -------- d-----w- c:\program files\iPod
2012-10-15 01:56 . 2012-10-15 01:57 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-10-15 01:56 . 2012-10-15 01:57 -------- d-----w- c:\program files\iTunes
2012-10-15 01:56 . 2012-10-15 01:57 -------- d-----w- c:\program files (x86)\iTunes
2012-10-10 21:39 . 2012-08-11 00:53 714752 ----a-w- c:\windows\system32\kerberos.dll
2012-10-10 21:39 . 2012-08-10 23:54 541184 ----a-w- c:\windows\SysWow64\kerberos.dll
2012-10-10 21:39 . 2012-06-02 05:25 182272 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 21:39 . 2012-06-02 05:25 1462784 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 21:39 . 2012-06-02 05:25 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-10 21:39 . 2012-06-02 04:45 139264 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-10-10 21:39 . 2012-06-02 04:45 1157632 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-10-10 21:39 . 2012-06-02 04:45 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 02:45 . 2012-04-14 19:42 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-09 02:45 . 2012-04-14 19:42 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-24 11:15 . 2012-09-22 07:42 17810944 ----a-w- c:\windows\system32\mshtml.dll
2012-08-24 10:39 . 2012-09-22 07:42 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-08-24 10:31 . 2012-09-22 07:42 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 10:22 . 2012-09-22 07:42 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-08-24 10:21 . 2012-09-22 07:42 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 10:20 . 2012-09-22 07:42 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 10:18 . 2012-09-22 07:42 237056 ----a-w- c:\windows\system32\url.dll
2012-08-24 10:17 . 2012-09-22 07:42 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-08-24 10:14 . 2012-09-22 07:42 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 10:14 . 2012-09-22 07:42 816640 ----a-w- c:\windows\system32\jscript.dll
2012-08-24 10:13 . 2012-09-22 07:42 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 10:12 . 2012-09-22 07:42 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-08-24 10:11 . 2012-09-22 07:42 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-08-24 10:10 . 2012-09-22 07:42 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-08-24 10:09 . 2012-09-22 07:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-24 10:04 . 2012-09-22 07:42 248320 ----a-w- c:\windows\system32\ieui.dll
2012-08-24 06:59 . 2012-09-22 07:42 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-08-24 06:51 . 2012-09-22 07:42 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-08-24 06:51 . 2012-09-22 07:42 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-08-24 06:47 . 2012-09-22 07:42 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-08-24 06:47 . 2012-09-22 07:42 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-08-24 06:43 . 2012-09-22 07:42 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-08-21 20:01 . 2012-05-06 01:38 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-08-21 20:01 . 2012-05-06 01:38 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-08-18 11:19 . 2012-10-10 21:40 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-08-09 05:53 . 2012-06-19 21:36 43520 ----a-w- c:\windows\SysWow64\CmdLineExt03.dll
2012-08-02 17:55 . 2012-09-12 00:06 574464 ----a-w- c:\windows\system32\d3d10level9.dll
2012-08-02 17:05 . 2012-09-12 00:06 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1712184]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-04-14 39408]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-08-04 1353080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 656896]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-06-29 600936]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"BSDAppUpdater"="c:\program files (x86)\Common Files\BSD\AppUpdater\BSDChecker.exe" [2012-01-15 1660232]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\users\Tim Shin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-6-3 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-14 136176]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-09 250808]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-14 136176]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-04-16 1255736]
S0 SMR250;Symantec SMR Utility Service 2.5.0;c:\windows\System32\drivers\SMR250.SYS [2012-05-29 96376]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 02:45]
.
2012-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-14 19:42]
.
2012-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-14 19:42]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-09-14 610360]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Temp - c:\users\Tim Shin\AppData\Local\VirtualStore\Temp\tzadmjkqy.dll
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKU-Default-Run-Temp - c:\users\Tim Shin\AppData\Local\VirtualStore\Temp\tzadmjkqy.dll
AddRemove-{319E272A-B5DB-4939-99D0-1F1F0C55699E} - c:\program files (x86)\InstallShield Installation Information\{319E272A-B5DB-4939-99D0-1F1F0C55699E}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
.
**************************************************************************
.
Completion time: 2012-10-26 15:59:37 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-26 22:59
.
Pre-Run: 498,212,311,040 bytes free
Post-Run: 497,824,616,448 bytes free
.
- - End Of File - - 8E0E62B6F2BAFE422DA6BF84155FE0A5

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:11 AM

Posted 26 October 2012 - 07:19 PM

you might want to wait till we are completely done to reinstall Norton, just don't surf without it.

Please run the following:

Navigate to the following folder > c:\windows\83B952C7F8F34CA3B4C533C85B24E478.TMP > right click and delete it if it is still there


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 con1287

con1287
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 26 October 2012 - 09:34 PM

OK! Here is the stuff you have requested:

Malwarebytes:


Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.26.13

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Tim Shin :: TIMSHIN-PC [administrator]

Protection: Disabled

10/26/2012 5:29:31 PM
mbam-log-2012-10-26 (17-29-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 225508
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



ESETSCAN:

C:\Qoobox\Quarantine\C\Users\Tim Shin\AppData\Local\VirtualStore\Temp\tzadmjkqy.dll.vir a variant of Win32/Kryptik.ANSO trojan
C:\Users\Tim Shin\AppData\Local\Google\Chrome\User Data\Default\Default\aagdgggfdfgbdadadcdcdiggdedfdadi\background.html Win32/BHO.OEI trojan

AdwCleaner:

# AdwCleaner v2.005 - Logfile created 10/26/2012 at 17:23:27
# Updated 14/10/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Tim Shin - TIMSHIN-PC
# Boot Mode : Normal
# Running from : C:\Users\Tim Shin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AVJSZ5CE\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Users\Public\Desktop\eBay.lnk

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\Software

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Tim Shin\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1134 octets] - [26/10/2012 17:23:27]

########## EOF - C:\AdwCleaner[S1].txt - [1194 octets] ##########

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:11 AM

Posted 26 October 2012 - 09:57 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Users\Tim Shin\AppData\Local\Google\Chrome\User Data\Default\Default\aagdgggfdfgbdadadcdcdiggdedfdadi\background.html 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System/TDSS File system is found then ensure Cure is selected (if cure is not available, choose skip)
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users