ZeroAccess has got me stumped!!


36 replies to this topic

#1 PWalley

Posted 24 November 2012 - 02:41 PM

Hello,

This is my first post. I have read many excellent things about the help here and I'm hoping I can get assistance with my "little" problem. The system is running Vista Home Premium SP2. System performance has been horrible and I am getting miscellaneous pop-ups (did not write any down). I ran the Norton Power Eraser tool and it's telling me that I have a ZeroAccess infection associated with "Netbt.sys". Norton provided a ZeroAccess removal tool, but this did not seem to work, so I'm kind of lost as to how to proceed next. Unfortunately the DDS tool is not providing any logs. I tried running it in both normal and safe boot (without networking) modes. It starts and just sits at the "Please wait..." stage. When I look at Task Manager it's just sitting at zero CPU. I let it sit overnight just to make sure it was not running long. Looking for some help/guidance on next steps... Thanks.

#2 CatByte (Malware Response Team)

Posted 24 November 2012 - 03:42 PM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive. (Choose the correct version depending on which architecture operating system you are using, 32bit (x86) or 64 (x64) bit)

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written FRST.txt to the flash drive. Close that message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB drive.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs (FRST.txt and Search.txt) in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 PWalley (Topic Starter)

Posted 26 November 2012 - 01:36 AM

Thanks for the help, CatByte. The scan ran very quickly, but the search ran quite a long time. Here are the results of each.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-11-2012
Ran by SYSTEM at 24-11-2012 15:13:23
Running from J:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter [x]
HKLM\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [128296 2008-02-26] (CyberLink Corp.)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2006-12-10] (Hewlett-Packard Co.)
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [47392 2010-03-16] (Apple Inc.)
HKLM\...\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers [x]
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-01-16] (Apple Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jaureg.exe" -u auto-update [239336 2011-04-08] (Sun Microsystems, Inc.)
HKLM\...\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" [540056 2012-08-08] (Lavasoft)
HKU\Randy\...\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w [3032576 2005-10-07] ()
HKU\Randy\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Randy\...\Run: [BIBLauncher] C:\Program Files\Business-in-a-Box\BIBLauncher.exe [901600 2011-03-15] ()
HKU\Susan\...\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w [3032576 2005-10-07] ()
HKU\Susan\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\Susan\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Susan\...\Run: [BIBLauncher] C:\Program Files\Business-in-a-Box\BIBLauncher.exe [901600 2011-03-15] ()
HKU\Susan\...\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe -update activex [240288 2011-06-15] (Adobe Systems, Inc.)
HKLM\...\runonceex: [] [x]
Winlogon\Notify\axsefda: C:\Windows\system32\config\systemprofile\AppData\Local\axsefda.dll [X]
Tcpip\Parameters: [DhcpNameServer] 10.20.30.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
ShortcutTarget: HotSync Manager.lnk -> C:\Program Files\Palm\Hotsync.exe (PalmSource, Inc)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
ShortcutTarget: Kodak EasyShare software.lnk -> C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\TransactNOW Monitor.lnk
ShortcutTarget: TransactNOW Monitor.lnk -> C:\Program Files\AMS Services\TransactNOW\OALaunch.exe (Vertafore Inc. d/b/a AMS Services)
Startup: C:\Users\Randy\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Susan\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) ===================

2 AERTFilters; C:\Windows\System32\AERTSrv.exe [73728 2008-02-15] (Andrea Electronics Corporation)
2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2009-06-09] (Stardock Corporation)
2 Lavasoft Ad-Aware Service; "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe" [1355968 2012-11-18] (Lavasoft)
2 N360; "C:\Program Files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe" /s "N360" /m "C:\Program Files\Norton Security Suite\Engine\3.8.3.6\diMaster.dll" /prefetch:1 [135024 2012-11-18] (Symantec Corporation)
2 FastUserSwitchingCompatibility; C:\Windows\system32\FastUv32.dll [x]
2 hpqwmiex; C:\Windows\System32\usbhub.dll [x]
2 SPService; C:\Windows\system32\config\systemprofile\AppData\Roaming\Apple Computer\sp.DLL [x]
4 Usb20Scan; C:\Windows\System32\SE2Ebus.dll [x]

==================== Drivers (Whitelisted) ====================

1 BHDrvx86; C:\Windows\System32\Drivers\N360\0308030.006\BHDrvx86.sys [259632 2012-11-18] (Symantec Corporation)
1 ccHP; C:\Windows\System32\Drivers\N360\0308030.006\ccHPx86.sys [467592 2011-10-11] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-11-17] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-11-17] (Symantec Corporation)
1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20121123.001\IDSvix86.sys [386720 2012-11-16] (Symantec Corporation)
0 Lbd; C:\Windows\System32\DRIVERS\Lbd.sys [64512 2012-11-18] (Lavasoft AB)
3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2012-11-18] (Malwarebytes Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20121123.020\NAVENG.SYS [92704 2012-11-17] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20121123.020\NAVEX15.SYS [1601184 2012-11-17] (Symantec Corporation)
1 netbt; C:\Windows\System32\DRIVERS\netbt.sys [185856 2012-11-18] ()
3 PalmUSBD; C:\Windows\System32\drivers\PalmUSBD.sys [16640 2007-12-04] (PalmSource, Inc.)
1 SRTSP; C:\Windows\System32\Drivers\N360\0308030.006\SRTSP.SYS [308272 2012-11-18] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360\0308030.006\SRTSPX.SYS [43696 2012-11-18] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360\0308030.006\SYMEFA.SYS [310320 2012-11-18] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [124976 2012-11-18] (Symantec Corporation)
3 SYMFW; C:\Windows\System32\Drivers\N360\0308030.006\SYMFW.SYS [89976 2011-10-11] (Symantec Corporation)
1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [25648 2012-11-18] (Symantec Corporation)
3 SYMNDISV; C:\Windows\System32\Drivers\N360\0308030.006\SYMNDISV.SYS [48760 2011-10-11] (Symantec Corporation)
1 SYMTDI; C:\Windows\System32\Drivers\N360\0308030.006\SYMTDI.SYS [217464 2011-10-11] (Symantec Corporation)
3 IntcAzAudAddService; C:\Windows\System32\drivers\RTKVHDA.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 PCD5SRVC{3F6A8B78-EC003E00-05040104}; \??\C:\PROGRA~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: crystalaps -> No Registry Path.
NETSVC: snpstd -> No Registry Path.
NETSVC: mps9 -> No Registry Path.
NETSVC: btwrchid -> No Registry Path.
NETSVC: se44bus -> No Registry Path.
NETSVC: armoucfltr -> No Registry Path.
NETSVC: btcsrusb -> No Registry Path.
NETSVC: FlexBios -> No Registry Path.
NETSVC: hpqwmiex -> C:\Windows\system32\usbhub.dll ==> No File.
NETSVC: proxyserverservice -> No Registry Path.
NETSVC: Usb20Scan -> C:\Windows\system32\SE2Ebus.dll ==> No File.
NETSVC: PTDCBus -> No Registry Path.
NETSVC: ntrtscan -> No Registry Path.
NETSVC: avipbb -> No Registry Path.
NETSVC: p2k -> No Registry Path.
NETSVC: aiclient -> No Registry Path.

==================== One Month Created Files and Folders ========

2012-11-24 15:12 - 2012-11-24 15:12 - 00000000 ____D C:\FRST
2012-11-24 01:15 - 2012-11-23 23:56 - 00688992 ____R (Swearware) C:\Users\Randy\Desktop\dds.com
2012-11-24 00:33 - 2012-11-24 11:01 - 00000370 ____A C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2012-11-19 00:43 - 2012-11-19 00:43 - 00000000 ____D C:\NPE
2012-11-18 22:14 - 2012-11-18 12:17 - 00025648 ___RA (Symantec Corporation) C:\Windows\System32\Drivers\SymIMV.sys
2012-11-18 20:30 - 2012-11-18 20:30 - 00000000 ____D C:\Users\All Users\Symantec
2012-11-18 17:53 - 2012-11-18 22:14 - 00002252 ____A C:\Users\Public\Desktop\Norton Security Suite.lnk
2012-11-18 14:03 - 2012-11-18 14:03 - 00000000 ____D C:\Users\Randy\AppData\Local\adawarebp
2012-11-18 13:56 - 2012-11-18 22:28 - 00000000 ____D C:\Users\Randy\AppData\Roaming\LavasoftStatistics
2012-11-18 13:56 - 2012-11-18 14:02 - 00000000 ____D C:\Program Files\Ad-Aware Antivirus
2012-11-18 13:55 - 2012-11-18 17:52 - 00000000 ____D C:\Users\All Users\Ad-Aware Browsing Protection
2012-11-18 13:55 - 2012-11-18 13:55 - 00000000 ____D C:\Users\Randy\AppData\Local\Downloaded Installations
2012-11-18 13:55 - 2012-11-18 13:55 - 00000000 ____D C:\Users\All Users\blekko toolbars
2012-11-18 13:55 - 2012-11-18 13:55 - 00000000 ____D C:\Program Files\adawaretb
2012-11-18 13:54 - 2012-11-18 13:54 - 00000000 ____D C:\Program Files\Toolbar Cleaner
2012-11-18 13:53 - 2012-11-18 13:54 - 00000000 ____D C:\Users\Randy\AppData\Roaming\Ad-Aware Antivirus
2012-11-18 13:40 - 2012-11-24 10:59 - 00002247 ____A C:\aaw7boot.log
2012-11-18 13:31 - 2012-11-18 13:31 - 00000000 ____D C:\Users\Randy\AppData\Roaming\FixZeroAccess
2012-11-18 13:30 - 2012-11-18 12:56 - 00015880 ____A C:\Windows\System32\lsdelete.exe
2012-11-18 12:56 - 2012-11-18 12:56 - 00095024 ____A (Sunbelt Software) C:\Windows\System32\Drivers\SBREDrv.sys
2012-11-18 12:56 - 2012-11-18 12:55 - 00064512 ____A (Lavasoft AB) C:\Windows\System32\Drivers\Lbd.sys
2012-11-18 12:51 - 2012-11-18 13:56 - 00000000 ____D C:\Users\All Users\Lavasoft
2012-11-18 12:51 - 2012-11-18 12:52 - 00000000 ____D C:\Program Files\Lavasoft
2012-11-18 12:50 - 2012-11-19 05:12 - 00000000 ___RD C:\Users\Randy\Desktop\Paul
2012-11-18 12:18 - 2012-11-18 12:17 - 00124976 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2012-11-18 12:18 - 2012-11-18 12:17 - 00026600 ___RA (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-11-18 12:18 - 2012-11-18 12:17 - 00007456 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2012-11-18 12:18 - 2012-11-18 12:16 - 00107368 ___RA (GEAR Software Inc.) C:\Windows\System32\GEARAspi.dll
2012-11-18 12:17 - 2012-11-18 13:05 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-11-18 12:17 - 2012-11-18 12:18 - 00000000 ____D C:\Program Files\Symantec
2012-11-18 12:16 - 2012-11-18 22:50 - 00000000 ____D C:\Windows\System32\Drivers\N360
2012-11-18 12:16 - 2012-11-18 13:50 - 00000000 ____D C:\Users\All Users\Norton
2012-11-18 12:16 - 2012-11-18 12:52 - 00000000 __HDC C:\Users\All Users\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2012-11-18 12:16 - 2012-11-18 12:16 - 00000000 ____D C:\Program Files\Norton Security Suite
2012-11-18 10:37 - 2012-11-18 10:37 - 00000000 ____D C:\Users\Randy\AppData\Roaming\Malwarebytes
2012-11-18 06:34 - 2012-10-08 00:28 - 12320768 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-11-18 06:34 - 2012-10-08 00:02 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-11-18 06:34 - 2012-10-07 23:56 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-11-18 06:34 - 2012-10-07 23:48 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-11-18 06:34 - 2012-10-07 23:48 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-11-18 06:34 - 2012-10-07 23:47 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-11-18 06:34 - 2012-10-07 23:46 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-11-18 06:34 - 2012-10-07 23:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-11-18 06:34 - 2012-10-07 23:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-11-18 06:34 - 2012-10-07 23:43 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-11-18 06:34 - 2012-10-07 23:43 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-11-18 06:34 - 2012-10-07 23:42 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-11-18 06:34 - 2012-10-07 23:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-11-18 06:34 - 2012-10-07 23:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-11-18 06:34 - 2012-10-07 23:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-11-18 06:34 - 2012-10-07 23:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-11-18 06:21 - 2012-11-18 06:21 - 00001876 ____A C:\Users\Susan\Desktop\HijackThis.lnk
2012-11-18 06:21 - 2012-11-18 06:21 - 00000000 ____D C:\Program Files\Trend Micro
2012-11-18 06:18 - 2012-09-25 08:19 - 00075776 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll
2012-11-18 06:17 - 2012-10-12 06:29 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-11-17 15:41 - 2012-11-18 07:48 - 00000000 ____D C:\NBRT
2012-11-17 13:12 - 2012-11-17 13:12 - 00315392 ____A (Realtek Semiconductor Corp.) C:\Windows\HideWin.exe

==================== One Month Modified Files and Folders ========

2012-11-24 15:12 - 2012-11-24 15:12 - 00000000 ____D C:\FRST
2012-11-24 12:39 - 2009-07-02 18:25 - 00007728 ____A C:\Users\Randy\AppData\Local\d3d9caps.dat
2012-11-24 11:01 - 2012-11-24 00:33 - 00000370 ____A C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2012-11-24 10:59 - 2012-11-18 13:40 - 00002247 ____A C:\aaw7boot.log
2012-11-24 10:56 - 2008-01-20 17:35 - 01792538 ____A C:\Windows\WindowsUpdate.log
2012-11-24 10:56 - 2006-11-02 05:01 - 00032634 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-11-24 10:56 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-24 10:56 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-24 10:56 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-24 01:16 - 2006-11-02 02:33 - 00707858 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-24 01:13 - 2009-07-02 22:35 - 00000000 ____D C:\Users\Randy\AppData\Roaming\OA
2012-11-23 23:56 - 2012-11-24 01:15 - 00688992 ____R (Swearware) C:\Users\Randy\Desktop\dds.com
2012-11-19 05:12 - 2012-11-18 12:50 - 00000000 ___RD C:\Users\Randy\Desktop\Paul
2012-11-19 00:43 - 2012-11-19 00:43 - 00000000 ____D C:\NPE
2012-11-18 23:11 - 2010-12-17 19:22 - 08301568 ___RA C:\Users\Public\Documents\ESBK.mbb
2012-11-18 23:11 - 2010-12-17 19:22 - 03926016 ___RA C:\Users\Public\Documents\ESBK.mb
2012-11-18 22:50 - 2012-11-18 12:16 - 00000000 ____D C:\Windows\System32\Drivers\N360
2012-11-18 22:50 - 2008-01-20 18:47 - 00026652 ____A C:\Windows\PFRO.log
2012-11-18 22:28 - 2012-11-18 13:56 - 00000000 ____D C:\Users\Randy\AppData\Roaming\LavasoftStatistics
2012-11-18 22:14 - 2012-11-18 17:53 - 00002252 ____A C:\Users\Public\Desktop\Norton Security Suite.lnk
2012-11-18 22:13 - 2012-04-02 20:43 - 00000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-11-18 20:30 - 2012-11-18 20:30 - 00000000 ____D C:\Users\All Users\Symantec
2012-11-18 18:11 - 2009-07-02 18:25 - 00000000 ____D C:\Users\Randy\AppData\Local\VirtualStore
2012-11-18 17:52 - 2012-11-18 13:55 - 00000000 ____D C:\Users\All Users\Ad-Aware Browsing Protection
2012-11-18 14:40 - 2011-01-25 17:17 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2012-11-18 14:13 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET
2012-11-18 14:03 - 2012-11-18 14:03 - 00000000 ____D C:\Users\Randy\AppData\Local\adawarebp
2012-11-18 14:02 - 2012-11-18 13:56 - 00000000 ____D C:\Program Files\Ad-Aware Antivirus
2012-11-18 13:56 - 2012-11-18 12:51 - 00000000 ____D C:\Users\All Users\Lavasoft
2012-11-18 13:55 - 2012-11-18 13:55 - 00000000 ____D C:\Users\Randy\AppData\Local\Downloaded Installations
2012-11-18 13:55 - 2012-11-18 13:55 - 00000000 ____D C:\Users\All Users\blekko toolbars
2012-11-18 13:55 - 2012-11-18 13:55 - 00000000 ____D C:\Program Files\adawaretb
2012-11-18 13:54 - 2012-11-18 13:54 - 00000000 ____D C:\Program Files\Toolbar Cleaner
2012-11-18 13:54 - 2012-11-18 13:53 - 00000000 ____D C:\Users\Randy\AppData\Roaming\Ad-Aware Antivirus
2012-11-18 13:50 - 2012-11-18 12:16 - 00000000 ____D C:\Users\All Users\Norton
2012-11-18 13:31 - 2012-11-18 13:31 - 00000000 ____D C:\Users\Randy\AppData\Roaming\FixZeroAccess
2012-11-18 13:05 - 2012-11-18 12:17 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-11-18 12:56 - 2012-11-18 13:30 - 00015880 ____A C:\Windows\System32\lsdelete.exe
2012-11-18 12:56 - 2012-11-18 12:56 - 00095024 ____A (Sunbelt Software) C:\Windows\System32\Drivers\SBREDrv.sys
2012-11-18 12:55 - 2012-11-18 12:56 - 00064512 ____A (Lavasoft AB) C:\Windows\System32\Drivers\Lbd.sys
2012-11-18 12:52 - 2012-11-18 12:51 - 00000000 ____D C:\Program Files\Lavasoft
2012-11-18 12:52 - 2012-11-18 12:16 - 00000000 __HDC C:\Users\All Users\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2012-11-18 12:37 - 2006-11-02 04:47 - 00301328 ____A C:\Windows\System32\FNTCACHE.DAT
2012-11-18 12:18 - 2012-11-18 12:17 - 00000000 ____D C:\Program Files\Symantec
2012-11-18 12:18 - 2009-07-02 18:25 - 00000000 ____D C:\users\Randy
2012-11-18 12:17 - 2012-11-18 22:14 - 00025648 ___RA (Symantec Corporation) C:\Windows\System32\Drivers\SymIMV.sys
2012-11-18 12:17 - 2012-11-18 12:18 - 00124976 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT.SYS
2012-11-18 12:17 - 2012-11-18 12:18 - 00026600 ___RA (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-11-18 12:17 - 2012-11-18 12:18 - 00007456 ____A C:\Windows\System32\Drivers\SYMEVENT.CAT
2012-11-18 12:16 - 2012-11-18 12:18 - 00107368 ___RA (GEAR Software Inc.) C:\Windows\System32\GEARAspi.dll
2012-11-18 12:16 - 2012-11-18 12:16 - 00000000 ____D C:\Program Files\Norton Security Suite
2012-11-18 11:32 - 2009-12-17 14:17 - 00007168 ____A C:\Users\Randy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-11-18 10:38 - 2011-01-25 17:17 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-11-18 10:37 - 2012-11-18 10:37 - 00000000 ____D C:\Users\Randy\AppData\Roaming\Malwarebytes
2012-11-18 10:19 - 2009-07-08 20:34 - 00000000 ____D C:\Users\Randy\AppData\Local\Apple Computer
2012-11-18 07:52 - 2009-07-02 20:10 - 00185856 ____A C:\Windows\System32\Drivers\netbt.sys
2012-11-18 07:48 - 2012-11-17 15:41 - 00000000 ____D C:\NBRT
2012-11-18 06:50 - 2009-07-13 17:22 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-11-18 06:36 - 2006-11-02 02:24 - 64010424 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-11-18 06:32 - 2006-11-02 02:23 - 00000254 ____A C:\Windows\win.ini
2012-11-18 06:21 - 2012-11-18 06:21 - 00001876 ____A C:\Users\Susan\Desktop\HijackThis.lnk
2012-11-18 06:21 - 2012-11-18 06:21 - 00000000 ____D C:\Program Files\Trend Micro
2012-11-18 06:03 - 2012-05-29 17:15 - 00001889 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-11-17 13:29 - 2009-07-02 18:59 - 00019502 ____A C:\Windows\System32\results.xml
2012-11-17 13:12 - 2012-11-17 13:12 - 00315392 ____A (Realtek Semiconductor Corp.) C:\Windows\HideWin.exe
2012-11-17 13:12 - 2009-07-02 18:42 - 00319456 ____A (Microsoft Corporation) C:\Windows\DIFxAPI.dll
2012-11-17 13:12 - 2009-07-02 18:42 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2012-11-17 13:12 - 2009-07-02 18:42 - 00000000 ____D C:\Windows\System32\RTCOM
2012-11-17 13:12 - 2009-07-02 18:42 - 00000000 ____D C:\Program Files\Realtek
2012-11-17 12:58 - 2006-11-02 04:52 - 00040840 ____A C:\Windows\setupact.log
2012-10-26 11:35 - 2009-08-27 16:18 - 00000000 ____D C:\Users\Susan\Desktop\Sues Scans


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-09 21:25:13
Restore point made on: 2012-09-13 00:01:14
Restore point made on: 2012-09-15 09:23:54
Restore point made on: 2012-09-17 22:50:49
Restore point made on: 2012-09-21 20:54:23
Restore point made on: 2012-09-22 21:00:34
Restore point made on: 2012-09-23 00:00:35
Restore point made on: 2012-09-23 21:00:27
Restore point made on: 2012-09-24 21:00:33
Restore point made on: 2012-09-25 21:00:27
Restore point made on: 2012-09-28 03:08:36
Restore point made on: 2012-09-28 21:22:55
Restore point made on: 2012-10-03 23:13:52
Restore point made on: 2012-10-10 00:01:28
Restore point made on: 2012-10-11 01:51:56
Restore point made on: 2012-10-12 22:48:34
Restore point made on: 2012-10-22 23:30:00
Restore point made on: 2012-11-17 13:15:30
Restore point made on: 2012-11-17 13:17:29
Restore point made on: 2012-11-18 06:18:38
Restore point made on: 2012-11-18 06:30:48

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 6012.38 MB
Available physical RAM: 5410.11 MB
Total Pagefile: 5756.51 MB
Available Pagefile: 5474.97 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.72 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:581.12 GB) (Free:226.71 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:5.08 GB) NTFS
3 Drive e: (LRMCFRE_EN_DVD) (CDROM) (Total:2.49 GB) (Free:0 GB) UDF
8 Drive j: (CISCO512) (Removable) (Total:0.48 GB) (Free:0.17 GB) FAT
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 596 GB 437 KB
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 Online 490 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 55 MB 32 KB
Partition 2 Primary 15 GB 55 MB
Partition 3 Primary 581 GB 15 GB

=========================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 8 FAT Partition 55 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 D RECOVERY NTFS Partition 15 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 C OS NTFS Partition 581 GB Healthy

=========================================================

Partitions of Disk 5:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 490 MB 0 B

=========================================================

Disk: 5
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

=========================================================

Last Boot: 2012-11-24 13:05

==================== End Of Log ============================


Farbar Recovery Scan Tool (x86) Version: 23-11-2012
Ran by SYSTEM at 2012-11-24 15:15:09
Running from J:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-07-02 20:10] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:24] - [2008-01-20 18:24] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\System32\services.exe
[2009-07-02 20:10] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

=== End Of Search ===
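The two logs above are what the List Drivers MD5 and services.exe search requests were for: the netbt.sys driver line ends in empty parentheses (no publisher/version string), several service entries point at files FRST marks [x] (missing), one of them under the SYSTEM profile's AppData tree, and the live System32\services.exe hash is identical to the WinSxS 6.0.6002.18005 copy. As an added example that is not part of the thread and not FRST's own code, here is a small Python triage script that parses those two FRST line layouts and flags exactly those conditions. The sample lines are constructed from entries in the log above (the N360 line is shortened), and the function names (`triage`, `live_copy_matches_store`) are the example's own.

```python
"""FRST log triage helpers.

Added example, not FRST's own code and not part of the original thread.
parse_entry()/triage_log() read the "<start> <name>; <path> [size date] (vendor)"
layout of FRST's Services and Drivers sections; live_copy_matches_store() reads a
Search block and compares the live services.exe MD5 with the WinSxS copies.
SAMPLE_LOG / SAMPLE_SEARCH are constructed from lines posted in this thread.
"""
import re

LINE_RE = re.compile(r'^(?P<start>\d) (?P<name>[^;]+); (?P<rest>.+)$')
TAIL_RE = re.compile(r'\[(?P<meta>[^\]]*)\](?: \((?P<vendor>[^)]*)\))?\s*$')
MD5_RE = re.compile(r'([0-9A-Fa-f]{32})\s*$')

SAMPLE_LOG = r"""
2 N360; "C:\Program Files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe" /s "N360" [135024 2012-11-18] (Symantec Corporation)
2 hpqwmiex; C:\Windows\System32\usbhub.dll [x]
2 SPService; C:\Windows\system32\config\systemprofile\AppData\Roaming\Apple Computer\sp.DLL [x]
1 netbt; C:\Windows\System32\DRIVERS\netbt.sys [185856 2012-11-18] ()
3 PalmUSBD; C:\Windows\System32\drivers\PalmUSBD.sys [16640 2007-12-04] (PalmSource, Inc.)
"""

SAMPLE_SEARCH = r"""
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-07-02 20:10] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-07-02 20:10] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
"""


def parse_entry(line):
    """Dict for one Services/Drivers line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    tail = TAIL_RE.search(m.group('rest')) if m else None
    if not tail:
        return None
    command = m.group('rest')[:tail.start()].rstrip()
    # a quoted image path may be followed by arguments; an unquoted one is the whole command
    path = command[1:command.index('"', 1)] if command.startswith('"') else command
    return {
        'name': m.group('name'),
        'path': path,
        'missing': tail.group('meta').strip().lower() == 'x',  # FRST prints [x] if the file is absent
        'vendor': (tail.group('vendor') or '').strip(),        # '' for "()" or no parentheses at all
    }


def triage(entry):
    """Reasons this entry deserves a closer look; an empty list means nothing was noted."""
    reasons, p = [], entry['path'].lower()
    if entry['missing']:
        reasons.append('image file missing: dangling service/driver registration')
    elif not entry['vendor']:
        reasons.append('no publisher/version resource')
        if '\\system32\\drivers\\' in p and p.endswith('.sys'):
            # Windows-shipped drivers carry "Microsoft Corporation"; an empty vendor here is
            # consistent with the file having been overwritten, so hash it against a clean copy
            reasons.append('core driver path without vendor string: verify MD5 against a clean copy')
    if '\\config\\systemprofile\\appdata\\' in p:
        reasons.append('image lives under the SYSTEM profile AppData tree')
    return reasons


def triage_log(text):
    """Map name -> reasons for every Services/Drivers line in `text` that triage() flags."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        reasons = triage(entry) if entry else []
        if reasons:
            flagged[entry['name']] = reasons
    return flagged


def parse_search(text):
    """(path, MD5) pairs from an FRST Search block: a path line followed by a detail line."""
    pairs, path = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if re.match(r'^[A-Za-z]:\\', line):
            path = line
        elif path and MD5_RE.search(line):
            pairs.append((path, MD5_RE.search(line).group(1).upper()))
            path = None
    return pairs


def live_copy_matches_store(text):
    """True if the live System32 services.exe MD5 equals one of the WinSxS copies.
    Equality only shows the live file matches a stored copy; it authenticates neither,
    so also compare the hash with services.exe from a known-clean install of the same build."""
    pairs = parse_search(text)
    store = {md5 for path, md5 in pairs if '\\winsxs\\' in path.lower()}
    live = [md5 for path, md5 in pairs if path.lower().endswith('\\system32\\services.exe')]
    return bool(live) and live[0] in store


if __name__ == '__main__':
    for name, why in triage_log(SAMPLE_LOG).items():
        print(f'{name}: ' + '; '.join(why))
    print('services.exe matches a WinSxS copy:', live_copy_matches_store(SAMPLE_SEARCH))
```

Run against the sample lines it flags hpqwmiex (missing file), SPService (missing file under the SYSTEM profile's AppData) and netbt (driver in System32\DRIVERS with no vendor string), and reports that the live services.exe matches the WinSxS copy. The match is only a consistency check between two files on the same disk; a hash from a clean Vista SP2 install of the same build is what actually settles whether services.exe is untouched.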

#4 CatByte (Malware Response Team)

Posted 26 November 2012 - 08:25 AM

Please run the following

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



#5 PWalley (Topic Starter)

Posted 27 November 2012 - 01:35 AM

Hi CatByte. I followed the instructions for ComboFix, but I'm not sure it's doing anything. I ran it early this morning and when executed I saw an installer-like window come up and then disappear. I assumed that it was running or doing something in the background, so I left for work. When I got home this evening the computer was in the same state. I checked task manager and saw two things each running but using zero CPU. These items were "pev.3XE" and "cmd.3XE". I had my Norton disabled but then I realized that ad-aware may be causing some issue, so I uninstalled it and rebooted. I then made sure Norton was disabled again and executed ComboFix again. I am seeing the same result as I did this morning. An installer window came up (looks like it installed and then ran hiv backup) and then disappeared. I see the same two items in task manager sitting using zero CPU. How long should I wait to see if ComboFix comes back with a log? Thanks.

#6 CatByte


Posted 27 November 2012 - 08:07 AM

sounds as though malware is shutting it down

try running it in safe mode


To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account


if it still won't run, then move on to the following:

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.



#7 PWalley


Posted 28 November 2012 - 06:47 PM

Hi CatByte. Wanted to provide an update. I started a backup (DriveImage XML) of my system yesterday and while the backup completed after a few hours, it's still sitting on the last step, writing out file names to a file. Then it hit me that I recall running a full AV scan of the system a week ago and it took so long, with file counts in the millions. I finally ended up cancelling the AV scan. System seemed to have millions of temporary internet files. I'm now thinking this is what may have been causing ComboFix to just appear to be sitting. I was noticing the hard drive LED is constantly on the whole time also. The user's temporary internet files do not appear to be the issue. I'm guessing these are hidden files somewhere else. Any thoughts on this or how to proceed?

#8 CatByte


Posted 28 November 2012 - 07:27 PM

try emptying all your temp files

please run the following:

Temp File Cleaner

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean



#9 PWalley


Posted 30 November 2012 - 12:39 AM

Hi CatByte. Update: the TFC also stalled out, just like ComboFix and my system backup job. The millions of temporary files are located at "c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\.." and I launched an administrative CMD window and am manually deleting them. This has been rolling along since Wednesday PM and continues to delete files. Is there a better way to get rid of all these files?

#10 CatByte


Posted 30 November 2012 - 08:17 AM

give TFC another try, it may not be stalled, it may just be taking that long to clear the temp files



#11 PWalley


Posted 02 December 2012 - 12:57 AM

Hi CatByte. Progress to report! 113Gb of temporary files have been removed! TFC ran in about 30 seconds and I rebooted afterwards. I am now running a system backup which should be completed in the AM. Please advise next steps.
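The stalls described in posts #7 to #11 (a backup job, an AV scan and TFC all sitting on millions of cache files) were a size problem before they were a malware problem, and the folder involved is the Temporary Internet Files cache of the SYSTEM account rather than of any logged-in user, which is itself worth noting. As an added example that is not from the thread, TFC or any tool named here, the Python below walks such a tree with os.scandir, which streams entries instead of building a complete listing first, so the count keeps moving even on millions of files; with dry_run left at its default it only counts. The path constant is the one quoted in post #9, and the sample tree it builds for demonstration is constructed.

```python
"""Size a runaway cache tree before cleaning it (added example, not from the thread)."""
import os
import tempfile
from collections import Counter

# Path quoted in post #9: the IE cache of processes running as the SYSTEM account.
# Enumerating it needs an elevated prompt.
SYSTEMPROFILE_CACHE = (r"c:\windows\system32\config\systemprofile\appdata\local"
                       r"\microsoft\windows\temporary internet files\content.ie5")


def summarize_tree(root, progress_every=100000, report=print):
    """Return (file_count, total_bytes, Counter of files per top-level subfolder).

    Uses an explicit stack plus os.scandir so that at no point is a whole
    directory listing held in memory; a progress line is emitted every
    `progress_every` files so the caller can see it is not hung.
    """
    files = 0
    total = 0
    per_dir = Counter()
    stack = [(root, root)]          # (directory to read, its top-level ancestor)
    while stack:
        path, top = stack.pop()
        try:
            it = os.scandir(path)
        except OSError:             # permission denied, vanished directory, ...
            continue
        with it:
            for entry in it:
                if entry.is_dir(follow_symlinks=False):
                    stack.append((entry.path, entry.path if path == root else top))
                elif entry.is_file(follow_symlinks=False):
                    files += 1
                    per_dir[os.path.relpath(top, root) if top != root else "."] += 1
                    try:
                        total += entry.stat(follow_symlinks=False).st_size
                    except OSError:
                        pass
                    if progress_every and files % progress_every == 0:
                        report(f"{files} files so far...")
    return files, total, per_dir


def purge_files(root, dry_run=True):
    """Delete (or, with dry_run, only count) every regular file below root.

    Streams the same way as summarize_tree; directories are left in place and
    symlinks are never followed, so nothing outside `root` is touched.
    """
    removed = 0
    stack = [root]
    while stack:
        path = stack.pop()
        try:
            it = os.scandir(path)
        except OSError:
            continue
        with it:
            for entry in it:
                if entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
                elif entry.is_file(follow_symlinks=False):
                    if not dry_run:
                        try:
                            os.unlink(entry.path)
                        except OSError:
                            continue
                    removed += 1
    return removed


def build_sample_cache():
    """Constructed stand-in for a content.ie5 tree: two 8-character subfolders
    with five 10-byte files each, plus one 3-byte file at the top level."""
    root = tempfile.mkdtemp(prefix="cache-demo-")
    for sub in ("AB12CD34", "EF56GH78"):
        os.makedirs(os.path.join(root, sub))
        for i in range(5):
            with open(os.path.join(root, sub, f"f{i}.txt"), "wb") as fh:
                fh.write(b"x" * 10)
    with open(os.path.join(root, "index.dat"), "wb") as fh:
        fh.write(b"y" * 3)
    return root


if __name__ == "__main__":
    demo = build_sample_cache()
    count, size, per_dir = summarize_tree(demo)
    print(f"{count} files, {size} bytes, per folder: {dict(per_dir)}")
    print("would delete:", purge_files(demo))                 # dry run
    print("deleted:", purge_files(demo, dry_run=False))
```

Point it at SYSTEMPROFILE_CACHE from an elevated prompt to get the numbers first; only once the count and the per-folder breakdown look like a cache rather than user data does a `purge_files(..., dry_run=False)` make sense.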

#12 CatByte


Posted 02 December 2012 - 09:09 AM

please give ComboFix another try



#13 PWalley


Posted 04 December 2012 - 02:19 AM

Hi CatByte, here is the ComboFix log:

ComboFix 12-12-02.01 - Randy 12/03/2012 8:46.1.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3196.2394 [GMT -6:00]
Running from: c:\users\Randy\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Randy\AppData\Local\assembly\tmp
c:\windows\$NtUninstallKB24772$\1825793772
c:\windows\$NtUninstallKB24772$\2827077701\@
c:\windows\$NtUninstallKB24772$\2827077701\cfg.ini
c:\windows\$NtUninstallKB24772$\2827077701\Desktop.ini
c:\windows\$NtUninstallKB24772$\2827077701\L\00000004.@
c:\windows\$NtUninstallKB24772$\2827077701\L\1afb2d56
c:\windows\$NtUninstallKB24772$\2827077701\L\201d3dde
c:\windows\$NtUninstallKB24772$\2827077701\L\55490ac4
c:\windows\$NtUninstallKB24772$\2827077701\L\qnbwvoto
c:\windows\$NtUninstallKB24772$\2827077701\oemid
c:\windows\$NtUninstallKB24772$\2827077701\U\00000001.@
c:\windows\$NtUninstallKB24772$\2827077701\U\00000002.@
c:\windows\$NtUninstallKB24772$\2827077701\U\00000004.@
c:\windows\$NtUninstallKB24772$\2827077701\U\80000000.@
c:\windows\$NtUninstallKB24772$\2827077701\U\80000004.@
c:\windows\$NtUninstallKB24772$\2827077701\U\80000032.@
c:\windows\$NtUninstallKB24772$\2827077701\version
c:\windows\system\svchost.exe
c:\windows\system32\avidstartup.dll
c:\windows\system32\bantext.dll
c:\windows\system32\certstore.dat
c:\windows\system32\ctljystk.dll
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\enethusb.dll
c:\windows\system32\generichidservice.dll
c:\windows\system32\mpfirewl.dll
c:\windows\system32\nvnforce.dll
c:\windows\system32\ose.dll
c:\windows\system32\parallel.dll
c:\windows\system32\VAIOMediaPlatform-MusicServer-UPnP.dll
c:\windows\system32\vstor2-ws60.dll
c:\windows\system32\winmgmt.dll
D:\Autorun.inf
c:\windows\$NtUninstallKB24772$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_SPService
-------\Service_mwstick
.
.
((((((((((((((((((((((((( Files Created from 2012-11-04 to 2012-12-04 )))))))))))))))))))))))))))))))
.
.
2012-12-03 14:59 . 2012-12-04 07:07 -------- d-----w- c:\users\Randy\AppData\Local\temp
2012-12-03 14:59 . 2012-12-03 14:59 -------- d-----w- c:\users\Susan\AppData\Local\temp
2012-11-24 23:12 . 2012-11-24 23:12 -------- d-----w- C:\FRST
2012-11-19 08:43 . 2012-11-19 08:43 -------- d-----w- C:\NPE
2012-11-19 06:14 . 2012-11-18 20:17 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2012-11-19 04:30 . 2012-11-19 04:30 -------- d-----w- c:\programdata\Symantec
2012-11-18 22:03 . 2012-11-18 22:03 -------- d-----w- c:\users\Randy\AppData\Local\adawarebp
2012-11-18 21:56 . 2012-11-19 06:28 -------- d-----w- c:\users\Randy\AppData\Roaming\LavasoftStatistics
2012-11-18 21:56 . 2012-11-18 22:02 -------- d-----w- c:\program files\Ad-Aware Antivirus
2012-11-18 21:55 . 2012-11-18 21:55 -------- d-----w- c:\users\Randy\AppData\Local\Downloaded Installations
2012-11-18 21:55 . 2012-11-18 21:55 -------- d-----w- c:\programdata\blekko toolbars
2012-11-18 21:55 . 2012-11-19 01:52 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-11-18 21:55 . 2012-11-18 21:55 -------- d-----w- c:\program files\adawaretb
2012-11-18 21:54 . 2012-11-18 21:54 -------- d-----w- c:\program files\Toolbar Cleaner
2012-11-18 21:53 . 2012-11-18 21:54 -------- d-----w- c:\users\Randy\AppData\Roaming\Ad-Aware Antivirus
2012-11-18 21:31 . 2012-11-18 21:31 -------- d-----w- c:\users\Randy\AppData\Roaming\FixZeroAccess
2012-11-18 20:56 . 2012-11-18 20:56 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-11-18 20:51 . 2012-11-27 06:02 -------- d-----w- c:\programdata\Lavasoft
2012-11-18 20:51 . 2012-11-27 06:01 -------- d-----w- c:\program files\Lavasoft
2012-11-18 20:18 . 2012-11-18 20:17 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-11-18 20:18 . 2012-11-18 20:16 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2012-11-18 20:18 . 2012-11-18 20:17 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-11-18 20:17 . 2012-11-18 21:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-11-18 20:17 . 2012-11-18 20:18 -------- d-----w- c:\program files\Symantec
2012-11-18 20:16 . 2012-11-19 06:50 -------- d-----w- c:\windows\system32\drivers\N360
2012-11-18 20:16 . 2012-11-18 20:16 -------- d-----w- c:\program files\Norton Security Suite
2012-11-18 20:16 . 2012-11-18 21:50 -------- d-----w- c:\programdata\Norton
2012-11-18 20:16 . 2012-11-18 20:16 -------- d-----w- c:\program files\NortonInstaller
2012-11-18 18:37 . 2012-11-18 18:37 -------- d-----w- c:\users\Randy\AppData\Roaming\Malwarebytes
2012-11-18 14:21 . 2012-11-18 14:21 -------- d-----w- c:\program files\Trend Micro
2012-11-18 14:18 . 2012-09-25 16:19 75776 ----a-w- c:\windows\system32\synceng.dll
2012-11-18 14:17 . 2012-10-12 14:29 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-11-17 23:41 . 2012-11-18 15:48 -------- d-----w- C:\NBRT
2012-11-17 21:12 . 2012-11-17 21:12 315392 ----a-w- c:\windows\HideWin.exe
2012-11-17 20:59 . 2012-11-17 20:59 -------- d--h--w- c:\program files\Temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-18 15:52 . 2009-07-03 04:10 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-11-17 21:12 . 2009-07-03 02:42 319456 ----a-w- c:\windows\DIFxAPI.dll
2012-09-13 13:28 . 2012-10-09 20:58 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"BIBLauncher"="c:\program files\Business-in-a-Box\BIBLauncher.exe" [2011-03-15 901600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jaureg.exe" [2011-04-08 239336]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
.
c:\users\Randy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-16 1320288]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-2-20 282624]
TransactNOW Monitor.lnk - c:\program files\AMS Services\TransactNOW\OALaunch.exe [2009-5-8 165168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
NECUsb3 REG_MULTI_SZ NEC Usb3.0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
crystalaps
snpstd
mps9
btwrchid
se44bus
armoucfltr
btcsrusb
FlexBios
ibmpmsvc
msvsmon90
mwstick
hpqwmiex
proxyserverservice
Usb20Scan
PTDCBus
ntrtscan
avipbb
p2k
aiclient
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: ams-benefits.com
Trusted Zone: ams-services.com
Trusted Zone: ams-support.com
Trusted Zone: ams360.com
Trusted Zone: ams360.com\www
Trusted Zone: amsservices.com
Trusted Zone: prevailnetwork.com
Trusted Zone: vertafore.com
TCP: DhcpNameServer = 10.20.30.1
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxps://aqs.capitolindemnity.com/aqs.advantage.client/system/CAB/iemenu.cab
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - (no file)
HKLM-Run-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
Notify-axsefda - c:\windows\system32\config\systemprofile\AppData\Local\axsefda.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-04 01:07
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.3.6\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell\DellDock\DockLogin.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\DllHost.exe
c:\program files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2012-12-04 01:10:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-04 07:10
.
Pre-Run: 451,515,748,352 bytes free
Post-Run: 455,089,553,408 bytes free
.
- - End Of File - - C6E5EF37A8AE99AF08466B63E595E434

#14 CatByte


Posted 04 December 2012 - 06:43 PM

that's looking better but we still have some more work to do, please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\windows\$NtUninstallKB24772$

Driver::
crystalaps
snpstd
mps9
btwrchid
se44bus
armoucfltr
btcsrusb
FlexBios
ibmpmsvc
msvsmon90
mwstick
hpqwmiex
proxyserverservice
Usb20Scan
PTDCBus
ntrtscan
avipbb
p2k
aiclient

NetSvc::
crystalaps
snpstd
mps9
btwrchid
se44bus
armoucfltr
btcsrusb
FlexBios
ibmpmsvc
msvsmon90
mwstick
hpqwmiex
proxyserverservice
Usb20Scan
PTDCBus
ntrtscan
avipbb
p2k
aiclient

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

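The CFScript above was written by hand from the ComboFix log in post #13: the folder ComboFix reported as "Failed to delete" goes under Folder::, and every name ComboFix listed under "Svchost - NetSvcs" (the log states that legitimate default entries are not shown, so each listed name is a non-default addition) is repeated under Driver:: and NetSvc::. As an added example that is not part of ComboFix, BleepingComputer or the helper's instructions, the Python below parses a log in that format, flags deletions in the directory layout this log shows (an "@" file and eight-hex-digit ".@" files under a $NtUninstall...$ folder), and drafts the same three sections. SAMPLE_LOG is a constructed excerpt modelled on the posted log; the draft is something a human reviews, not something to run unread.

```python
"""Parse a ComboFix log and draft a CFScript (added example, not ComboFix's own code)."""
import re
from collections import OrderedDict

# Constructed excerpt in the layout of the log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Randy\AppData\Local\assembly\tmp
c:\windows\$NtUninstallKB24772$\1825793772
c:\windows\$NtUninstallKB24772$\2827077701\@
c:\windows\$NtUninstallKB24772$\2827077701\cfg.ini
c:\windows\$NtUninstallKB24772$\2827077701\L\00000004.@
c:\windows\$NtUninstallKB24772$\2827077701\U\00000001.@
c:\windows\$NtUninstallKB24772$\2827077701\U\80000032.@
c:\windows\system\svchost.exe
c:\windows\$NtUninstallKB24772$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_SPService
-------\Service_mwstick
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
crystalaps
snpstd
mps9
btwrchid
se44bus
armoucfltr
btcsrusb
FlexBios
ibmpmsvc
msvsmon90
mwstick
hpqwmiex
proxyserverservice
Usb20Scan
PTDCBus
ntrtscan
avipbb
p2k
aiclient
.
Contents of the 'Scheduled Tasks' folder
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # "((( Other Deletions )))"
FAILED_RE = re.compile(r"^(.*?) \. \. \. \. Failed to delete$")
NETSVCS_HEADER = "Svchost - NetSvcs"
# Leaf named "@" or eight hex digits plus ".@" below a $NtUninstall...$ folder.
ATFILE_RE = re.compile(r"\$NtUninstall[^\\]*\$\\.*\\(?:@|[0-9A-Fa-f]{8}\.@)$", re.I)


def parse_combofix_log(text):
    """Return {section name: [non-empty lines]} plus a 'NetSvcs' name list."""
    sections = OrderedDict()
    current = None
    in_netsvcs = False
    netsvcs = []
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            in_netsvcs = False
            continue
        if line.endswith(NETSVCS_HEADER):
            in_netsvcs = True
            continue
        if in_netsvcs:
            if line in ("", "."):        # a lone "." closes the NetSvcs list
                in_netsvcs = False
            else:
                netsvcs.append(line)
            continue
        if current is not None and line not in ("", "."):
            sections[current].append(line)
    sections["NetSvcs"] = netsvcs
    return sections


def failed_deletions(sections):
    """Paths ComboFix could not remove; the helper put these under Folder::."""
    hits = [FAILED_RE.match(l) for l in sections.get("Other Deletions", [])]
    return [m.group(1) for m in hits if m]


def at_file_paths(sections):
    """Deleted paths in the '@' / 'xxxxxxxx.@' layout seen in this thread's log."""
    return [p for p in sections.get("Other Deletions", []) if ATFILE_RE.search(p)]


def draft_cfscript(sections):
    """Folder:: for failed deletions, Driver:: and NetSvc:: for every listed name."""
    blocks = []
    folders = failed_deletions(sections)
    names = sections.get("NetSvcs", [])
    if folders:
        blocks.append("Folder::\n" + "\n".join(folders))
    if names:
        blocks.append("Driver::\n" + "\n".join(names))
        blocks.append("NetSvc::\n" + "\n".join(names))
    blocks.append("ClearJavaCache::")
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    parsed = parse_combofix_log(SAMPLE_LOG)
    print("paths in the @-file layout:", *at_file_paths(parsed), sep="\n  ")
    print(draft_cfscript(parsed))
```

Run against the full log from post #13 the draft comes out with the same 19 names the helper listed; the value of the parser is that the NetSvcs list is read off the log rather than retyped, and that the "@"-layout check gives a quick second look at what was deleted after the log has been pasted.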


#15 PWalley


Posted 05 December 2012 - 10:34 AM

Hi CatByte. Results from ComboFix, JRT, AdwCleaner and ESETSCAN posted.

ComboFix 12-12-02.01 - Randy 12/05/2012 3:00.2.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3196.2438 [GMT -6:00]
Running from: c:\users\Randy\Desktop\ComboFix.exe
Command switches used :: c:\users\Randy\Desktop\CFScript.txt
AV: Norton Security Suite *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB24772$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_hpqwmiex
-------\Service_ibmpmsvc
-------\Service_msvsmon90
-------\Service_Usb20Scan
.
.
((((((((((((((((((((((((( Files Created from 2012-11-05 to 2012-12-05 )))))))))))))))))))))))))))))))
.
.
2012-12-05 09:10 . 2012-12-05 09:25 -------- d-----w- c:\users\Randy\AppData\Local\temp
2012-12-05 09:10 . 2012-12-05 09:10 -------- d-----w- c:\users\Susan\AppData\Local\temp
2012-12-05 09:10 . 2012-12-05 09:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-02 05:46 . 2012-12-02 05:46 -------- d-----w- c:\users\Randy\AppData\Local\Symantec
2012-11-24 23:12 . 2012-11-24 23:12 -------- d-----w- C:\FRST
2012-11-19 08:43 . 2012-11-19 08:43 -------- d-----w- C:\NPE
2012-11-19 06:14 . 2012-11-18 20:17 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2012-11-19 04:30 . 2012-11-19 04:30 -------- d-----w- c:\programdata\Symantec
2012-11-18 22:03 . 2012-11-18 22:03 -------- d-----w- c:\users\Randy\AppData\Local\adawarebp
2012-11-18 21:56 . 2012-11-19 06:28 -------- d-----w- c:\users\Randy\AppData\Roaming\LavasoftStatistics
2012-11-18 21:56 . 2012-11-18 22:02 -------- d-----w- c:\program files\Ad-Aware Antivirus
2012-11-18 21:55 . 2012-11-18 21:55 -------- d-----w- c:\users\Randy\AppData\Local\Downloaded Installations
2012-11-18 21:55 . 2012-11-18 21:55 -------- d-----w- c:\programdata\blekko toolbars
2012-11-18 21:55 . 2012-11-19 01:52 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2012-11-18 21:55 . 2012-11-18 21:55 -------- d-----w- c:\program files\adawaretb
2012-11-18 21:54 . 2012-11-18 21:54 -------- d-----w- c:\program files\Toolbar Cleaner
2012-11-18 21:53 . 2012-11-18 21:54 -------- d-----w- c:\users\Randy\AppData\Roaming\Ad-Aware Antivirus
2012-11-18 21:31 . 2012-11-18 21:31 -------- d-----w- c:\users\Randy\AppData\Roaming\FixZeroAccess
2012-11-18 20:56 . 2012-11-18 20:56 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-11-18 20:51 . 2012-11-27 06:02 -------- d-----w- c:\programdata\Lavasoft
2012-11-18 20:51 . 2012-11-27 06:01 -------- d-----w- c:\program files\Lavasoft
2012-11-18 20:18 . 2012-11-18 20:17 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-11-18 20:18 . 2012-11-18 20:16 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2012-11-18 20:18 . 2012-11-18 20:17 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-11-18 20:17 . 2012-11-18 21:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-11-18 20:17 . 2012-11-18 20:18 -------- d-----w- c:\program files\Symantec
2012-11-18 20:16 . 2012-11-19 06:50 -------- d-----w- c:\windows\system32\drivers\N360
2012-11-18 20:16 . 2012-11-18 20:16 -------- d-----w- c:\program files\Norton Security Suite
2012-11-18 20:16 . 2012-11-18 21:50 -------- d-----w- c:\programdata\Norton
2012-11-18 20:16 . 2012-11-18 20:16 -------- d-----w- c:\program files\NortonInstaller
2012-11-18 18:37 . 2012-11-18 18:37 -------- d-----w- c:\users\Randy\AppData\Roaming\Malwarebytes
2012-11-18 14:21 . 2012-11-18 14:21 -------- d-----w- c:\program files\Trend Micro
2012-11-18 14:18 . 2012-09-25 16:19 75776 ----a-w- c:\windows\system32\synceng.dll
2012-11-18 14:17 . 2012-10-12 14:29 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-11-17 23:41 . 2012-11-18 15:48 -------- d-----w- C:\NBRT
2012-11-17 21:12 . 2012-11-17 21:12 315392 ----a-w- c:\windows\HideWin.exe
2012-11-17 20:59 . 2012-11-17 20:59 -------- d--h--w- c:\program files\Temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-18 15:52 . 2009-07-03 04:10 185856 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-11-17 21:12 . 2009-07-03 02:42 319456 ----a-w- c:\windows\DIFxAPI.dll
2012-09-13 13:28 . 2012-10-09 20:58 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"BIBLauncher"="c:\program files\Business-in-a-Box\BIBLauncher.exe" [2011-03-15 901600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jaureg.exe" [2011-04-08 239336]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
.
c:\users\Randy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-6-16 1320288]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-2-20 282624]
TransactNOW Monitor.lnk - c:\program files\AMS Services\TransactNOW\OALaunch.exe [2009-5-8 165168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
NECUsb3 REG_MULTI_SZ NEC Usb3.0
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: ams-benefits.com
Trusted Zone: ams-services.com
Trusted Zone: ams-support.com
Trusted Zone: ams360.com
Trusted Zone: ams360.com\www
Trusted Zone: amsservices.com
Trusted Zone: prevailnetwork.com
Trusted Zone: vertafore.com
TCP: DhcpNameServer = 10.20.30.1
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxps://aqs.capitolindemnity.com/aqs.advantage.client/system/CAB/iemenu.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-05 03:25
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.3.6\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4556)
c:\windows\system32\msiltcfg.dll
c:\windows\System32\netshell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell\DellDock\DockLogin.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2012-12-05 03:27:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-05 09:27
ComboFix2.txt 2012-12-04 07:10
.
Pre-Run: 450,402,004,992 bytes free
Post-Run: 450,367,610,880 bytes free
.
- - End Of File - - 4C14BEA7B9AB0EB49A99D02C75C7460E


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 3.8.5 (12.05.2012:1)
OS: Windows Vista ™ Home Premium x86
Ran by Randy on Wed 12/05/2012 at 3:43:55.89
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_local_machine\software\conduit"
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{3c471948-f874-49f5-b338-4f214a2ee0b1}
Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afbcb7e0-f91a-4951-9f31-58fee57a25c4}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{afbcb7e0-f91a-4951-9f31-58fee57a25c4}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\blekko toolbars"
Successfully deleted: [Folder] "C:\Users\Randy\appdata\local\adawarebp"
Successfully deleted: [Folder] "C:\Users\Randy\appdata\locallow\adawaretb"
Successfully deleted: [Folder] "C:\Program Files\adawaretb"
Successfully deleted: [Folder] "C:\Program Files\conduit"
Successfully deleted: [Folder] "C:\Program Files\coupons"
Successfully deleted: [Folder] "C:\Program Files\oapps"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 12/05/2012 at 3:46:11.09
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


# AdwCleaner v2.011 - Logfile created 12/05/2012 at 04:01:22
# Updated 02/12/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Randy - OFFICE-PC
# Boot Mode : Normal
# Running from : C:\Users\Randy\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Susan\AppData\Local\Conduit
Folder Deleted : C:\Users\Susan\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Susan\AppData\LocalLow\PriceGong

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3244149
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\kincjchfokkeneeofpeefomkikfkiedl
Key Deleted : HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16455

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [1074 octets] - [05/12/2012 04:01:22]

########## EOF - C:\AdwCleaner[S1].txt - [1134 octets] ##########

####### ESETSCAN #######
C:\Documents and Settings\Randy\Desktop\Paul\AD-Aware\Adaware_Installer.exe Win32/OpenCandy application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application
C:\Qoobox\Quarantine\C\Windows\system\svchost.exe.vir Win32/Depdisbo.A trojan
C:\Qoobox\Quarantine\C\Windows\System32\avidstartup.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\Windows\System32\bantext.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\Windows\System32\ctljystk.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\Windows\System32\enethusb.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\Windows\System32\generichidservice.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\Windows\System32\mpfirewl.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\Windows\System32\nvnforce.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\Windows\System32\ose.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\Windows\System32\parallel.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\Windows\System32\VAIOMediaPlatform-MusicServer-UPnP.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\Windows\System32\vstor2-ws60.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\Windows\System32\winmgmt.dll.vir Win32/Sirefef.ER trojan
C:\Users\Randy\Desktop\Paul\AD-Aware\Adaware_Installer.exe Win32/OpenCandy application
C:\Windows\System32\drivers\netbt.sys a variant of Win32/Rootkit.Kryptik.KW trojan
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys a variant of Win32/Rootkit.Kryptik.KW trojan

####### End of ESETSCAN #######



