Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.Happili


  • This topic is locked This topic is locked
17 replies to this topic

#1 richhgirl

richhgirl

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 24 November 2012 - 05:11 PM

My husband was having problems when he was googling in that he was being redirected. I ran my Norton and it came back with nothing. I was unable to download Malwarebytes under my husbands profile so I went into my profile and downloaded it, ran it and it found trojan.happili which I said to delete. We still had the problems. I then did some research and ran ComboFix. We are still having the redirect problem under my husbands profile. Attached are the logs from MalwarebytesAttached File  mbam-log-2012-11-23 (21-14-37).txt   1.93KB   2 downloads and ComboFix Attached File  ComboFix Log.txt   19.5KB   2 downloads. Please help! I don't know how to get rid of this. Thanks so much!

BC AdBot (Login to Remove)

 


#2 richhgirl

richhgirl
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 24 November 2012 - 05:21 PM

Sorry, just read instructions again - here is the DDS log: DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.17115 BrowserJavaVersion: 10.9.2
Run by Sue at 16:14:29 on 2012-11-24
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3891.1002 [GMT -6:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\ThpSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe
C:\Windows\System32\rundll32.exe
C:\windows\SysWOW64\rundll32.exe
C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe
C:\Program Files\TOSHIBA\FlashCards\Hotkey\TcrdKBB.exe
C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\windows\system32\igfxext.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\windows\system32\igfxsrvc.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe
C:\Program Files (x86)\NewSoft\Presto! PageManager 8 for EP\PMSpeed.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe
C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TOSHIBA\FlashCards\Hotkey\TcrdKBB.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\igfxsrvc.exe
C:\windows\splwow64.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_110_ActiveX.exe
C:\windows\system32\LogonUI.exe
C:\windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://sn144w.snt144.mail.live.com/default.aspx?wa=wsignin1.0
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\coieplg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ipsbho.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\coieplg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\coieplg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [PMSpeed] C:\Program Files (x86)\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE
uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
mRun: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe
mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
mRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Se&nd to OneNote - C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://blizzard.buckhill.com:22222/SysCamInst.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP25-10481/webex/ieatgpc1.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=972
TCP: NameServer = 192.168.0.1 216.170.153.146
TCP: Interfaces\{29B09D78-A32F-4C7A-8E89-A41405DB3067} : DHCPNameServer = 100.100.0.101
TCP: Interfaces\{EB9A3DFC-4E03-440B-8676-C3A7C990F7F9} : DHCPNameServer = 192.168.0.1 216.170.153.146
TCP: Interfaces\{EB9A3DFC-4E03-440B-8676-C3A7C990F7F9}\37573716E6 : DHCPNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{EB9A3DFC-4E03-440B-8676-C3A7C990F7F9}\7596C64675F6F646 : DHCPNameServer = 10.0.0.1 74.40.74.40
TCP: Interfaces\{EB9A3DFC-4E03-440B-8676-C3A7C990F7F9}\7596C64675F6F646F58747 : DHCPNameServer = 10.0.0.1 74.40.74.40
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [IgfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [ThpSrv] C:\windows\System32\thpsrv /logon
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
x64-Run: [SmoothView] C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe
x64-Run: [00TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [Teco] "C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe" /r
x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
x64-Run: [SmartFaceVWatcher] C:\Program Files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
x64-Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
x64-Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
x64-Run: [WrtMon.exe] C:\windows\System32\spool\drivers\x64\3\WrtMon.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/x64/ractrl.cab?lmi=100
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\windows\System32\drivers\N360x64\0404000.00C\symds64.sys [2011-10-31 433200]
R0 SymEFA;Symantec Extended File Attributes;C:\windows\System32\drivers\N360x64\0404000.00C\symefa64.sys [2011-10-31 221304]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\System32\drivers\thpdrv.sys [2009-6-29 34880]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\System32\drivers\Thpevm.sys [2009-6-29 14784]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\System32\drivers\tos_sps64.sys [2010-7-7 482384]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20121106.001\BHDrvx64.sys [2012-10-23 1384608]
R1 ccHP;Symantec Hash Provider;C:\windows\System32\drivers\N360x64\0404000.00C\cchpx64.sys [2011-10-31 593544]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20121123.001\IDSviA64.sys [2012-11-23 513184]
R1 SymIRON;Symantec Iron Driver;C:\windows\System32\drivers\N360x64\0404000.00C\ironx64.sys [2011-10-31 150064]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\windows\System32\drivers\N360x64\0404000.00C\symtdiv.sys [2011-10-31 451704]
R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ccsvchst.exe [2011-10-31 126400]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-4-6 258928]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\System32\drivers\TVALZFL.sys [2009-6-19 14472]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-7-7 2320920]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-16 138912]
R3 HECIx64;Intel® Management Engine Interface;C:\windows\System32\drivers\HECIx64.sys [2010-7-7 56344]
R3 Impcd;Impcd;C:\windows\System32\drivers\Impcd.sys [2010-2-26 158976]
R3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2010-2-3 271872]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\System32\drivers\NETw5s64.sys [2010-1-13 7675392]
R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2010-7-7 35008]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2010-7-7 331880]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-7-7 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-2-23 835952]
R3 wdkmd;Intel WiDi KMD;C:\windows\System32\drivers\WDKMD.sys [2009-12-17 36760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 acpials;ALS Sensor Filter;C:\windows\System32\drivers\acpials.sys [2009-7-14 9728]
S3 JMCR;JMCR;C:\windows\System32\drivers\jmcr.sys [2010-5-18 164464]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-1-19 315664]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\drivers\usbaapl64.sys [2010-4-19 50688]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2010-8-18 1255736]
.
=============== Created Last 30 ================
.
2012-11-24 18:46:35 -------- d-sh--w- C:\$RECYCLE.BIN
2012-11-24 17:52:44 98816 ----a-w- C:\windows\sed.exe
2012-11-24 17:52:44 256000 ----a-w- C:\windows\PEV.exe
2012-11-24 17:52:44 208896 ----a-w- C:\windows\MBR.exe
2012-11-24 17:13:41 16200 ----a-w- C:\windows\stinger.sys
2012-11-24 17:12:59 -------- d-----w- C:\Program Files (x86)\stinger
2012-11-24 03:43:38 -------- d-----w- C:\Users\Sue\AppData\Local\NPE
2012-11-24 03:13:47 -------- d-----w- C:\Users\Sue\AppData\Roaming\Malwarebytes
2012-11-24 03:13:33 -------- d-----w- C:\ProgramData\Malwarebytes
2012-11-24 03:13:31 25928 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-11-24 03:13:31 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-23 20:40:29 821736 ----a-w- C:\windows\SysWow64\npDeployJava1.dll
2012-11-23 20:40:29 746984 ----a-w- C:\windows\SysWow64\deployJava1.dll
2012-11-23 20:40:08 95208 ----a-w- C:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-11-15 10:48:45 9728 ----a-w- C:\windows\System32\Wdfres.dll
2012-11-15 10:48:45 785512 ----a-w- C:\windows\System32\drivers\Wdf01000.sys
2012-11-15 10:48:45 54376 ----a-w- C:\windows\System32\drivers\WdfLdr.sys
2012-11-15 10:48:45 2560 ----a-w- C:\windows\System32\drivers\en-US\wdf01000.sys.mui
2012-11-15 10:38:13 87040 ----a-w- C:\windows\System32\drivers\WUDFPf.sys
2012-11-15 10:38:13 84992 ----a-w- C:\windows\System32\WUDFSvc.dll
2012-11-15 10:38:13 198656 ----a-w- C:\windows\System32\drivers\WUDFRd.sys
2012-11-15 10:38:12 45056 ----a-w- C:\windows\System32\WUDFCoinstaller.dll
2012-11-15 10:38:12 194048 ----a-w- C:\windows\System32\WUDFPlatform.dll
2012-11-15 10:38:11 744448 ----a-w- C:\windows\System32\WUDFx.dll
2012-11-15 10:38:11 229888 ----a-w- C:\windows\System32\WUDFHost.exe
2012-11-14 10:59:50 3147264 ----a-w- C:\windows\System32\win32k.sys
2012-11-14 10:59:23 95744 ----a-w- C:\windows\System32\synceng.dll
2012-11-14 10:59:22 78336 ----a-w- C:\windows\SysWow64\synceng.dll
2012-11-08 21:52:28 -------- d-----w- C:\Users\Sue\AppData\Roaming\Tific
2012-11-08 21:52:27 -------- d-----w- C:\Users\Sue\AppData\Local\Symantec
2012-11-08 04:24:17 -------- d-----w- C:\Users\Sue\AppData\Local\ElevatedDiagnostics
.
==================== Find3M ====================
.
2012-11-21 16:01:42 73656 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-11-21 16:01:42 697272 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-09-14 19:23:40 2048 ----a-w- C:\windows\System32\tzres.dll
2012-09-14 18:30:38 2048 ----a-w- C:\windows\SysWow64\tzres.dll
2012-08-31 18:02:20 1656688 ----a-w- C:\windows\System32\drivers\ntfs.sys
2012-08-30 18:11:29 5505904 ----a-w- C:\windows\System32\ntoskrnl.exe
2012-08-30 17:18:33 3958128 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2012-08-30 17:18:33 3902832 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
.
============= FINISH: 16:15:03.70 ===============


And attached is the attach.logAttached File  attach.txt   10.79KB   1 downloads

#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:59 AM

Posted 25 November 2012 - 07:32 AM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to the disclaimer.
[*]Place a check next to List Drivers MD5 as well as the default check marks that are already there
[*]Press Scan button.
[*]type exit and reboot the computer normally
[*]FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.[/list]

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 richhgirl

richhgirl
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 25 November 2012 - 12:11 PM

Thanks for your quick response. Here is a copy of the log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-11-2012
Ran by SYSTEM at 25-11-2012 10:58:57
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10134560 2010-03-22] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3 [896032 2010-03-22] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [x]
HKLM\...\Run: [ThpSrv] C:\windows\system32\thpsrv /logon [x]
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [x]
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [x]
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [x]
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [x]
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [x]
HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [x]
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [x]
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1926928 2010-01-19] (Intel® Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [x]
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [x]
HKLM\...\Run: [WrtMon.exe] C:\windows\system32\spool\drivers\x64\3\WrtMon.exe [26448 2008-05-24] (NewSoft Technology Corporation)
HKLM-x32\...\Run: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe [34160 2009-12-25] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP [423936 2010-03-04] (TOSHIBA Electronics, Inc.)
HKLM-x32\...\Run: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL [352256 2010-02-22] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294136 2009-10-06] (TOSHIBA Corporation)
HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe [673616 2009-04-07] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [843776 2009-06-04] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [170496 2009-02-06] (ArcSoft Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-08-10] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2010-09-01] (Apple Inc.)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2009-12-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [948672 2009-12-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Casey\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-05-28] (Google Inc.)
HKU\Jeff\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-05-28] (Google Inc.)
HKU\Jeff\...\Run: [Microsoft Games] rundll32.exe "C:\Users\Jeff\AppData\Local\Symantec\Microsoft Games\zknih.dll",DllRegisterServerW [329728 2012-11-22] (Free Software Foundation)
HKU\Sue\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-05-28] (Google Inc.)
HKU\Sue\...\Run: [PMSpeed] C:\Program Files (x86)\NewSoft\Presto! PageManager 8 for EP\PMSpeed.EXE [55120 2008-12-09] (NewSoft Technology Corporation)
HKU\Sue\...\Run: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [719672 2012-01-20] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 216.170.153.146
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy Software Installer.lnk
ShortcutTarget: Best Buy Software Installer.lnk -> C:\Program Files\Best Buy Software Installer\Best Buy Software Installer.exe (Best Buy®)

==================== Services (Whitelisted) ===================

2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [315664 2010-01-19] ()
2 N360; "C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe" /s "N360" /m "C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\diMaster.dll" /prefetch:1 [135032 2010-04-29] (Symantec Corporation)

==================== Drivers (Whitelisted) =====================

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20121106.001\BHDrvx64.sys [1384608 2012-10-23] (Symantec Corporation)
1 ccHP; C:\Windows\system32\drivers\N360x64\0404000.00C\ccHPx64.sys [593544 2011-08-03] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-08] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-08] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20121123.001\IDSvia64.sys [513184 2012-09-06] (Symantec Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20121124.005\ENG64.SYS [126112 2012-11-08] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20121124.005\EX64.SYS [2084000 2012-11-08] (Symantec Corporation)
3 SRTSP; C:\Windows\System32\Drivers\N360x64\0404000.00C\SRTSP64.SYS [505392 2010-04-21] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360x64\0404000.00C\SRTSPX64.SYS [32304 2010-04-21] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\N360x64\0404000.00C\SYMDS64.SYS [433200 2009-10-14] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360x64\0404000.00C\SYMEFA64.SYS [221304 2011-08-21] (Symantec Corporation)
3 SymEvent; \??\C:\windows\system32\Drivers\SYMEVENT64x86.SYS [173104 2010-10-29] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\N360x64\0404000.00C\Ironx64.SYS [150064 2010-04-28] (Symantec Corporation)
1 SYMTDIv; C:\Windows\System32\Drivers\N360x64\0404000.00C\SYMTDIV.SYS [451704 2011-08-21] (Symantec Corporation)
3 catchme; \??\C:\ComboFix\catchme.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-25 10:58 - 2012-11-25 10:58 - 00000000 ____D C:\FRST
2012-11-24 14:15 - 2012-11-24 14:15 - 00023111 ____A C:\Users\Sue\Desktop\dds.txt
2012-11-24 14:15 - 2012-11-24 14:15 - 00011053 ____A C:\Users\Sue\Desktop\attach.txt
2012-11-24 14:13 - 2012-11-24 14:13 - 00688992 ____R (Swearware) C:\Users\Sue\Desktop\dds.com
2012-11-24 13:55 - 2012-11-24 13:55 - 00000000 ____D C:\Users\Sue\AppData\Roaming\Canon
2012-11-24 10:40 - 2012-11-24 10:40 - 00019973 ____A C:\ComboFix.txt
2012-11-24 09:52 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-11-24 09:52 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-11-24 09:52 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-11-24 09:52 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-11-24 09:52 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-11-24 09:52 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-11-24 09:52 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-11-24 09:52 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-11-24 09:49 - 2012-11-24 10:41 - 00000000 ____D C:\Qoobox
2012-11-24 09:48 - 2012-11-24 10:30 - 00000000 ____D C:\Windows\erdnt
2012-11-24 09:40 - 2012-11-24 09:40 - 05006466 ____R (Swearware) C:\Users\Sue\Desktop\ComboFix.exe
2012-11-24 09:20 - 2012-11-24 09:20 - 00000037 ___RH C:\Users\Sue\Desktop\stinger.opt
2012-11-24 09:13 - 2012-11-24 09:13 - 00016200 ____A (McAfee, Inc.) C:\Windows\stinger.sys
2012-11-24 09:12 - 2012-11-24 09:20 - 00000000 ____D C:\Program Files (x86)\stinger
2012-11-24 09:12 - 2012-11-24 09:12 - 10521192 ____A (McAfee Inc.) C:\Users\Sue\Desktop\stinger.exe
2012-11-23 19:43 - 2012-11-24 08:56 - 00000000 ____D C:\Users\Sue\AppData\Local\NPE
2012-11-23 19:43 - 2012-11-23 19:43 - 02957840 ____A (Symantec Corporation) C:\Users\Sue\Desktop\NPE.exe
2012-11-23 19:29 - 2012-11-23 19:29 - 00000000 ____D C:\Users\Jeff\AppData\Roaming\Malwarebytes
2012-11-23 19:13 - 2012-11-23 19:13 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-23 19:13 - 2012-11-23 19:13 - 00000000 ____D C:\Users\Sue\AppData\Roaming\Malwarebytes
2012-11-23 19:13 - 2012-11-23 19:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-11-23 19:13 - 2012-11-23 19:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-23 19:13 - 2012-09-29 17:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-11-23 12:40 - 2012-11-23 12:40 - 00000000 ____D C:\Users\All Users\Sun
2012-11-23 12:40 - 2012-11-23 12:39 - 00821736 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-11-23 12:40 - 2012-11-23 12:39 - 00746984 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-11-23 12:40 - 2012-11-23 12:39 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-11-23 12:40 - 2012-11-23 12:39 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-11-23 12:40 - 2012-11-23 12:39 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-11-23 12:40 - 2012-11-23 12:39 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-11-23 12:38 - 2012-11-23 12:38 - 00000000 ____D C:\Users\All Users\McAfee
2012-11-15 02:48 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2012-11-15 02:48 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys
2012-11-15 02:48 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll
2012-11-15 02:48 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2012-11-15 02:38 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll
2012-11-15 02:38 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe
2012-11-15 02:38 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll
2012-11-15 02:38 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll
2012-11-15 02:38 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll
2012-11-15 02:38 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys
2012-11-15 02:38 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys
2012-11-15 02:38 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2012-11-14 02:59 - 2012-10-18 10:18 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-11-14 02:59 - 2012-09-25 14:39 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll
2012-11-14 02:59 - 2012-09-25 13:55 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll
2012-11-08 13:52 - 2012-11-08 13:52 - 00000000 ____D C:\Users\Sue\AppData\Roaming\Tific
2012-11-08 13:52 - 2012-11-08 13:52 - 00000000 ____D C:\Users\Sue\AppData\Local\Symantec
2012-11-08 10:19 - 2012-11-22 06:25 - 00000000 ____D C:\Users\Jeff\AppData\Local\Symantec
2012-10-26 19:27 - 2012-10-26 19:27 - 00042496 ____A C:\Users\Sue\Desktop\20012-13_Practice&Meet_Calendar(1).xls

==================== One Month Modified Files and Folders =======

2012-11-25 10:58 - 2012-11-25 10:58 - 00000000 ____D C:\FRST
2012-11-25 08:53 - 2010-07-07 10:20 - 01212431 ____A C:\Windows\WindowsUpdate.log
2012-11-25 08:51 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-25 08:51 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-25 08:24 - 2010-08-16 17:33 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-25 07:31 - 2010-08-16 17:33 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-24 14:15 - 2012-11-24 14:15 - 00023111 ____A C:\Users\Sue\Desktop\dds.txt
2012-11-24 14:15 - 2012-11-24 14:15 - 00011053 ____A C:\Users\Sue\Desktop\attach.txt
2012-11-24 14:13 - 2012-11-24 14:13 - 00688992 ____R (Swearware) C:\Users\Sue\Desktop\dds.com
2012-11-24 13:55 - 2012-11-24 13:55 - 00000000 ____D C:\Users\Sue\AppData\Roaming\Canon
2012-11-24 11:56 - 2009-07-13 21:13 - 00730354 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-24 10:57 - 2010-08-18 08:11 - 00000000 ____D C:\Users\Sue\AppData\Roaming\.oit
2012-11-24 10:46 - 2010-05-28 17:53 - 00726408 ____A C:\Windows\PFRO.log
2012-11-24 10:46 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-24 10:46 - 2009-07-13 20:51 - 00045809 ____A C:\Windows\setupact.log
2012-11-24 10:41 - 2012-11-24 09:49 - 00000000 ____D C:\Qoobox
2012-11-24 10:40 - 2012-11-24 10:40 - 00019973 ____A C:\ComboFix.txt
2012-11-24 10:30 - 2012-11-24 09:48 - 00000000 ____D C:\Windows\erdnt
2012-11-24 10:10 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-11-24 09:40 - 2012-11-24 09:40 - 05006466 ____R (Swearware) C:\Users\Sue\Desktop\ComboFix.exe
2012-11-24 09:20 - 2012-11-24 09:20 - 00000037 ___RH C:\Users\Sue\Desktop\stinger.opt
2012-11-24 09:20 - 2012-11-24 09:12 - 00000000 ____D C:\Program Files (x86)\stinger
2012-11-24 09:13 - 2012-11-24 09:13 - 00016200 ____A (McAfee, Inc.) C:\Windows\stinger.sys
2012-11-24 09:12 - 2012-11-24 09:12 - 10521192 ____A (McAfee Inc.) C:\Users\Sue\Desktop\stinger.exe
2012-11-24 08:56 - 2012-11-23 19:43 - 00000000 ____D C:\Users\Sue\AppData\Local\NPE
2012-11-24 08:15 - 2010-07-07 10:57 - 00000000 ____D C:\Users\All Users\Norton
2012-11-24 07:42 - 2011-05-18 17:00 - 00001940 ____A C:\Users\Jeff\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
2012-11-23 19:43 - 2012-11-23 19:43 - 02957840 ____A (Symantec Corporation) C:\Users\Sue\Desktop\NPE.exe
2012-11-23 19:29 - 2012-11-23 19:29 - 00000000 ____D C:\Users\Jeff\AppData\Roaming\Malwarebytes
2012-11-23 19:13 - 2012-11-23 19:13 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-23 19:13 - 2012-11-23 19:13 - 00000000 ____D C:\Users\Sue\AppData\Roaming\Malwarebytes
2012-11-23 19:13 - 2012-11-23 19:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-11-23 19:13 - 2012-11-23 19:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-23 12:40 - 2012-11-23 12:40 - 00000000 ____D C:\Users\All Users\Sun
2012-11-23 12:39 - 2012-11-23 12:40 - 00821736 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2012-11-23 12:39 - 2012-11-23 12:40 - 00746984 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2012-11-23 12:39 - 2012-11-23 12:40 - 00246760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-11-23 12:39 - 2012-11-23 12:40 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-11-23 12:39 - 2012-11-23 12:40 - 00174056 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-11-23 12:39 - 2012-11-23 12:40 - 00095208 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2012-11-23 12:39 - 2010-05-28 17:34 - 00000000 ____D C:\Program Files (x86)\Java
2012-11-23 12:38 - 2012-11-23 12:38 - 00000000 ____D C:\Users\All Users\McAfee
2012-11-22 07:18 - 2012-09-26 18:23 - 00000000 ____D C:\Users\Jeff\Desktop\sky ski weekend 2012
2012-11-22 07:18 - 2012-06-27 19:03 - 00000000 ____D C:\Users\Jeff\Desktop\birds and animals
2012-11-22 07:18 - 2012-06-27 19:02 - 00000000 ____D C:\Users\Jeff\Desktop\camper id plate
2012-11-22 07:18 - 2012-02-26 07:11 - 00044463 ___AH C:\Users\Jeff\Desktop\ZbThumbnail.info
2012-11-22 07:13 - 2012-08-09 15:55 - 00000000 ____D C:\Users\Jeff\Desktop\sky ski cast
2012-11-22 06:25 - 2012-11-08 10:19 - 00000000 ____D C:\Users\Jeff\AppData\Local\Symantec
2012-11-21 08:01 - 2012-09-22 04:54 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-11-21 08:01 - 2011-06-10 15:22 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-11-21 08:01 - 2010-07-07 10:45 - 00000000 ____D C:\Users\All Users\Adobe
2012-11-15 15:46 - 2010-08-16 18:38 - 00111288 ____A C:\Users\Jeff\AppData\Local\GDIPFONTCACHEV1.DAT
2012-11-15 06:39 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-11-15 06:32 - 2010-08-16 16:52 - 00111288 ____A C:\Users\Sue\AppData\Local\GDIPFONTCACHEV1.DAT
2012-11-15 03:14 - 2009-07-13 20:45 - 00426840 ____A C:\Windows\System32\FNTCACHE.DAT
2012-11-15 02:55 - 2010-07-07 10:24 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-11-15 02:37 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-11-08 13:52 - 2012-11-08 13:52 - 00000000 ____D C:\Users\Sue\AppData\Roaming\Tific
2012-11-08 13:52 - 2012-11-08 13:52 - 00000000 ____D C:\Users\Sue\AppData\Local\Symantec
2012-11-08 11:15 - 2010-08-16 17:40 - 00000000 ____D C:\users\Casey
2012-11-08 10:19 - 2010-08-16 17:45 - 00000000 ____D C:\users\Jeff
2012-11-08 05:55 - 2010-09-02 19:50 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-11-08 05:55 - 2010-09-02 19:48 - 00000000 ____D C:\Program Files (x86)\Bonjour
2012-11-08 05:55 - 2010-07-07 10:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Works
2012-11-08 05:55 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV
2012-11-08 05:54 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2012-11-08 03:57 - 2010-08-16 16:48 - 00000000 ____D C:\users\Sue
2012-11-07 20:21 - 2010-08-16 17:06 - 00000000 ____D C:\Users\Sue\AppData\Roaming\Toshiba
2012-10-26 19:27 - 2012-10-26 19:27 - 00042496 ____A C:\Users\Sue\Desktop\20012-13_Practice&Meet_Calendar(1).xls


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-15 02:35:33
Restore point made on: 2012-11-22 21:50:09
Restore point made on: 2012-11-23 12:39:34

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3890.67 MB
Available physical RAM: 3318.95 MB
Total Pagefile: 3888.82 MB
Available Pagefile: 3302.35 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (TI105835W0O) (Fixed) (Total:453.67 GB) (Free:344.38 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (TOSHIBA EXT) (Fixed) (Total:465.76 GB) (Free:421.65 GB) NTFS
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 465 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 453 GB 1501 MB
Partition 3 Primary 10 GB 455 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI105835W0O NTFS Partition 453 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 465 GB 1024 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F TOSHIBA EXT NTFS Partition 465 GB Healthy

=========================================================

Last Boot: 2012-11-06 05:34

==================== End Of Log =============================

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:59 AM

Posted 25 November 2012 - 12:22 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKU\Jeff\...\Run: [Microsoft Games] rundll32.exe "C:\Users\Jeff\AppData\Local\Symantec\Microsoft Games\zknih.dll",DllRegisterServerW [329728 2012-11-22] (Free Software Foundation)
C:\Users\Jeff\AppData\Local\Symantec\Microsoft Games\zknih.dll
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.



NEXT



Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.



NEXT


please re-run ComboFix > allow it to update if it asks to do so, post the resulting log (make sure you remember to disable your security programs)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 richhgirl

richhgirl
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 26 November 2012 - 08:53 PM

Sorry for the delay - I never got an e-mail notification that you had replied.

FixLog Text: Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-11-2012
Ran by SYSTEM at 2012-11-26 07:45:15 Run:1
Running from F:\

==============================================

HKEY_USERS\Jeff\Software\Microsoft\Windows\CurrentVersion\Run\\Microsoft Games Value deleted successfully.
C:\Users\Jeff\AppData\Local\Symantec\Microsoft Games\zknih.dll moved successfully.

==== End of Fixlog ====

MBAR Log:

Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.26.04

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Jeff :: LAPTOP [administrator]

11/26/2012 8:13:37 AM
mbar-log-2012-11-26 (08-13-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 27926
Time elapsed: 13 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

System Log:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

Java version: 1.6.0_17

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.261000 GHz
Memory total: 4079665152, free: 1731604480

------------ Kernel report ------------
11/26/2012 07:59:54
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\DRIVERS\ACPI.sys
\SystemRoot\system32\DRIVERS\WMILIB.SYS
\SystemRoot\system32\DRIVERS\msisadrv.sys
\SystemRoot\system32\DRIVERS\pci.sys
\SystemRoot\system32\DRIVERS\vdrvroot.sys
\SystemRoot\system32\DRIVERS\LPCFilter.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\DRIVERS\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\pciide.sys
\SystemRoot\system32\DRIVERS\PCIIDEX.SYS
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\DRIVERS\atapi.sys
\SystemRoot\system32\DRIVERS\ataport.SYS
\SystemRoot\system32\DRIVERS\msahci.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\N360x64\0404000.00C\SYMDS64.SYS
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\N360x64\0404000.00C\SYMEFA64.SYS
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\volsnap.sys
\SystemRoot\system32\DRIVERS\TVALZ_O.SYS
\SystemRoot\system32\DRIVERS\tos_sps64.sys
\SystemRoot\system32\DRIVERS\Thpevm.SYS
\SystemRoot\system32\DRIVERS\thpdrv.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\Drivers\N360x64\0404000.00C\SYMTDIV.SYS
\??\C:\windows\system32\Drivers\SYMEVENT64x86.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\drivers\N360x64\0404000.00C\Ironx64.SYS
\SystemRoot\system32\drivers\N360x64\0404000.00C\SRTSPX64.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20121123.001\IDSvia64.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\N360x64\0404000.00C\ccHPx64.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20121106.001\BHDrvx64.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\NETw5s64.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\jmcr.sys
\SystemRoot\system32\DRIVERS\SCSIPORT.SYS
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\tdcmdpst.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\Impcd.sys
\SystemRoot\system32\DRIVERS\TVALZFL.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\WDKMD.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\DRIVERS\pgeffect.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\System32\Drivers\N360x64\0404000.00C\SRTSP64.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20121125.006\EX64.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20121125.006\ENG64.SYS
\SystemRoot\System32\cdd.dll
\??\C:\windows\system32\drivers\mbamchameleon.sys
\??\C:\windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\imm32.dll
\Windows\System32\wininet.dll
\Windows\System32\gdi32.dll
\Windows\System32\ole32.dll
\Windows\System32\Wldap32.dll
\Windows\System32\clbcatq.dll
\Windows\System32\nsi.dll
\Windows\System32\psapi.dll
\Windows\System32\comdlg32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\usp10.dll
\Windows\System32\shell32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\shlwapi.dll
\Windows\System32\oleaut32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\normaliz.dll
\Windows\System32\user32.dll
\Windows\System32\setupapi.dll
\Windows\System32\msctf.dll
\Windows\System32\urlmon.dll
\Windows\System32\sechost.dll
\Windows\System32\lpk.dll
\Windows\System32\iertutil.dll
\Windows\System32\advapi32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\difxapi.dll
\Windows\System32\kernel32.dll
\Windows\System32\devobj.dll
\Windows\System32\wintrust.dll
\Windows\System32\comctl32.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\crypt32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\msasn1.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa800940e790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000086\
Lower Device Object: 0xfffffa8009271b60
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8005297060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8004fc4050
Lower Device Driver Name: \Driver\iaStor\
Driver name found: iaStor
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2012.11.26.04
Downloaded database version: v2012.11.19.01
Initializing...
Done!
Scanning directory: C:\windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8005297060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8005297b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8005297060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8005296060, DeviceName: \Device\THPDRV1\, DriverName: \Driver\Thpdrv\
DevicePointer: 0xfffffa8004fc4050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Upper DeviceData: 0xfffff8a00cfa9620, 0xfffffa8005297060, 0xfffffa800aa775d0
Lower DeviceData: 0xfffff8a0106ec410, 0xfffffa8004fc4050, 0xfffffa800754f340
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: E56E3D6C

Partition information:

Partition 0 type is Other (0x27)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 3072000
Partition file system is NTFS
Partition is bootable

Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 3074048 Numsec = 951414784

Partition 2 type is HIDDEN (0x17)
Partition is NOT ACTIVE.
Partition starts at LBA: 954488832 Numsec = 22284288
Partition is not bootable
Hidden partition VBR is not infected.

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa800940e790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8009276b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800940e790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8009271b60, DeviceName: \Device\00000086\, DriverName: \Driver\USBSTOR\
------------ End ----------
Upper DeviceData: 0xfffff8a00c2447b0, 0xfffffa800940e790, 0xfffffa800aa56310
Lower DeviceData: 0xfffff8a00f29d930, 0xfffffa8009271b60, 0xfffffa800b23a090
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C7AC8D67

Partition information:

Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 2048 Numsec = 976769069

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107860480 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Read File: File "C:\ProgramData\{249B9E04-F0FC-434D-B0D8-12D3EDFF3B77}\Best Buy Software Installer Setup.dat" is compressed (flags = 1)
Read File: File "C:\ProgramData\{249B9E04-F0FC-434D-B0D8-12D3EDFF3B77}\instance.dat" is compressed (flags = 1)
Done!
Scan finished
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

Java version: 1.6.0_17

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.261000 GHz
Memory total: 4079665152, free: 1816682496


ComboFix Log Attached

Attached Files



#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:59 AM

Posted 26 November 2012 - 09:38 PM

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT

Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

NEXT

Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 richhgirl

richhgirl
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 27 November 2012 - 07:02 PM

JRT Log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 3.5.4 (11.26.2012)
OS: Windows 7 Home Premium x64
Ran by Jeff on Mon 11/26/2012 at 21:47:07.06
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 11/26/2012 at 21:52:21.48
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ESETSCAN Log:
C:\FRST\Quarantine\zknih.dll Win32/TrojanDownloader.Tracur.V trojan

Internet Explorer is still redirecting. There were also some messages in my Norton Scan that I thought were odd.

Protecting your connection to a newly detected network on adapter "Teredo Tunneling Pseudo-Interface" (IP address: 2001::9d38:6ab8:2c4d:296c:b4b7:2c94 and

IP Address has disappeared from Teredo Tunneling Pseudo-Interface and is no longer being protected (IP address: fe80::2895:23dd:3f57:fe94%17 and

Unauthorized access blocked (Access Process Data).

These message are recurring and all started last Friday when we noticed the Internet Explorer redirection.

#9 richhgirl

richhgirl
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 27 November 2012 - 07:06 PM

I also just noticed in the Norton Security History from last Friday under Quarantine is the following:

370[1].exe (370[1].exe) detected by Download Insight. File: c:\users\jeff\appdata\local\microsoft\windows\temporary internet files\content.ie5\v10cxw7q\370[1].exe removed.

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:59 AM

Posted 27 November 2012 - 08:30 PM

please try the following:

  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
    Posted Image
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
    Posted Image
  • Next click on the ShortcutsFix
    Posted Image
  • another report will be created on your desktop.

Please post: All RKreport.txt text files located on your desktop.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 richhgirl

richhgirl
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 27 November 2012 - 08:47 PM

RogueKiller V8.3.1 [Nov 26 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Jeff [Admin rights]
Mode : Scan -- Date : 11/27/2012 19:42:17

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500420AS +++++
--- User ---
[MBR] 18270f0f2ea619415cb84c519027c111
[BSP] dfa557db9406c69d4d51ea72a4b05be7 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 464558 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 954488832 | Size: 10881 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_11272012_02d1942.txt >>
RKreport[1]_S_11272012_02d1942.txt



RogueKiller V8.3.1 [Nov 26 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Jeff [Admin rights]
Mode : Remove -- Date : 11/27/2012 19:43:09

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500420AS +++++
--- User ---
[MBR] 18270f0f2ea619415cb84c519027c111
[BSP] dfa557db9406c69d4d51ea72a4b05be7 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 464558 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 954488832 | Size: 10881 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_11272012_02d1943.txt >>
RKreport[1]_S_11272012_02d1942.txt ; RKreport[2]_D_11272012_02d1943.txt

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:59 AM

Posted 27 November 2012 - 09:04 PM

Please run the following:

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


any difference in how the computer is behaving?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 richhgirl

richhgirl
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 27 November 2012 - 09:53 PM

# AdwCleaner v2.009 - Logfile created 11/27/2012 at 20:42:29
# Updated 24/11/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Jeff - LAPTOP
# Boot Mode : Normal
# Running from : C:\Users\Jeff\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\Partner

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Software

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.16385

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [578 octets] - [27/11/2012 20:42:29]

########## EOF - C:\AdwCleaner[S1].txt - [637 octets] ##########

Right now, I am unable to get Internet Explorer to redirect but it doesnt happen all the time. I will continue to test and let you know. Thanks so much.

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:59 AM

Posted 28 November 2012 - 08:05 AM

ok, use the computer as you would normally, then let me know if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:59 AM

Posted 30 November 2012 - 07:51 PM

how is the machine operating now

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users