
After TDSKiller no internet access


This topic is locked
14 replies to this topic

#1 dne

  • Members
  • 12 posts

Posted 20 December 2012 - 09:10 PM

Hi all,

Was instructed by BC Advisor Broni to post here. Issue first reported on the BleepingComputer Am I Infected forum here: http://www.bleepingcomputer.com/forums/topic478843.html


History of problem: First, infected by the System Progressive Protection fake anti-malware application.

Used Malwarebytes' Anti-Malware (mbam) via mbam-chameleon (based on info at http://forums.malwarebytes.org/index.php?showtopic=116246 "Removal instructions for System Progressive Protection") which seemed to get rid of the System Progressive Protection fake and the connection to the internet was working.

Direct links via Favorites worked fine but links via Google search seemed to redirect randomly.

Identified new problem as the Google redirect virus.

Used TDSSKiller to try to get rid of that virus.
(based on info at www.youtube.com/watch?v=TLVifFbLIso "Google Redirect Virus TDSS Virus Removal")

May have been successful but could not verify because after running TDSSKiller I could not get an internet connection.
(So I could not do the last step of CCleaner)

It's possible that during the reboot process of TDSSKiller chkdsk kicked in (I know chkdsk ran at some point during this ordeal).

Checked network itself to see if it was working. Two other computers were attached wireless and were able to access the internet.

Tried 4 or 5 times to do a System Restore using different restore points but each attempt failed
(ran all the way through the process but after it completed it reported that it did not restore)

Ran sfc /scannow. Appeared to do a number of things but did not solve connection problem.

Found this website (http://www.bleepingcomputer.com/forums/topic436266.html "TDSSKiller, then no internet") and noticed similar problem. Registered, posted problem in Am I infected forum. Per instructions downloaded, ran, and posted results for:
Security Check
Farbar Service Scanner
MiniToolBox
MBAM
aswMBR
Malwarebytes Anti-Rootkit (Did NOT attempt Cleanup)

Was instructed to follow "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" starting at step 6 (Download and Run DDS) and to post results in this Virus, Trojan, Spyware, and Malware Removal logs forum. Results are below.


Current status:
No internet connection.

Network and Sharing Center shows the name of the network as "Identifying...(Public Network)"

Checked services, DHCP Client and DNS Client services not running.
Attempt to start DHCP or DNS service results in "Error 1068: The dependency service or group failed to start."

Other services listed as Automatic Startup that are not running are Computer Browser, IKE and AuthIP IPsec Keying Modules, IPsec Policy Agent,
and LiveUpdate Notice Service (a Norton service). Did not attempt to start any of them.

Task Manager under Applications constantly shows 2 tasks as running, both show "Navigation Canceled - Windows Internet Explorer"

Using a borrowed laptop that is only sporadically available for use so I may not be able to respond to answers as soon as I would like.

Results of DDS:
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457
Run by David at 17:18:30 on 2012-12-20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.339 [GMT -8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Vongo\VongoService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Windows\system32\SearchProtocolHost.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
BHO: Yahoo! Toolbar Helper: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: <No Name>: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBHO.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Show Norton Toolbar: {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [wmsbre] "c:\windows\system32\rundll32.exe" "c:\users\david\appdata\roaming\wmsbre.dll",DeprecationWarning
uRun: [apeti] "c:\windows\system32\rundll32.exe" "c:\users\david\appdata\roaming\apeti.dll",Member_SetOne
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Launcher] c:\windows\sminst\launcher.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 68.94.156.1 68.94.157.1 192.168.1.1
TCP: Interfaces\{33E3719A-76B1-48B1-9F31-BD3CBF2DBDDA} : DHCPNameServer = 68.94.156.1 68.94.157.1 192.168.1.1
TCP: Interfaces\{C571116B-05E2-402D-8B98-63FF187624EF} : DHCPNameServer = 192.168.0.1
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20071220.001\IDSvix86.sys [2007-12-22 180272]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-11 21504]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-11-4 1252232]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2007-1-9 38200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-12-15 21:30:48 -------- d-sh--w- C:\found.001
2012-12-15 20:29:49 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-15 06:05:43 314880 ----a-w- c:\users\david\appdata\roaming\apeti.dll
2012-12-15 06:05:40 -------- d-----w- c:\programdata\39C3D7C12F327844000039C39E027D30
2012-12-15 06:05:19 603648 ----a-w- c:\users\david\appdata\roaming\wmsbre.dll
2012-12-13 11:06:21 9728 ----a-w- c:\windows\system32\Wdfres.dll
2012-12-13 11:06:08 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2012-12-13 11:06:08 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2012-12-13 11:06:07 16896 ----a-w- c:\windows\system32\winusb.dll
2012-12-13 11:06:04 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
2012-12-13 11:06:04 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
2012-12-13 11:06:03 526952 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-12-13 11:06:03 47720 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-12-13 11:06:00 34944 ----a-w- c:\windows\system32\drivers\winusb.sys
2012-12-13 11:05:57 613888 ----a-w- c:\windows\system32\WUDFx.dll
2012-12-13 11:05:57 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2012-12-13 11:05:57 196608 ----a-w- c:\windows\system32\WUDFHost.exe
2012-12-13 02:56:04 376320 ----a-w- c:\windows\system32\dpnet.dll
2012-12-13 02:56:03 23040 ----a-w- c:\windows\system32\dpnsvr.exe
2012-12-13 02:56:01 224640 ----a-w- c:\windows\system32\drivers\volsnap.sys
2012-12-13 02:55:58 2048000 ----a-w- c:\windows\system32\win32k.sys
2012-12-13 02:55:50 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-12-13 02:55:49 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-13 02:51:57 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-07 21:45:50 -------- d-----w- c:\users\david\appdata\roaming\NoteTab Light
2012-12-07 00:56:03 -------- d-----w- c:\program files\NoteTab Light
.
==================== Find3M ====================
.
2012-12-15 20:35:16 72192 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-12-12 11:19:03 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-12 11:19:03 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-09-30 03:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-25 16:19:41 75776 ----a-w- c:\windows\system32\synceng.dll
.
============= FINISH: 17:25:59.57 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 7/7/2007 8:26:54 AM
System Uptime: 12/20/2012 5:01:47 PM (0 hours ago)
.
Motherboard: Quanta | | 30D3
Processor: AMD Athlon™ 64 X2 Dual-Core Processor TK-55 | Socket S1 | 1600/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 104 GiB total, 4.003 GiB free.
D: is FIXED (NTFS) - 8 GiB total, 1.754 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
32 Bit HP CIO Components Installer
A430
A430_Help
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.4)
AppCore
Apple Software Update
AV
BufferChm
CameraDrivers
ccCommon
Cisco Connect
Conexant HD Audio
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
ESU for Microsoft Vista
eSupportQFolder
Google Toolbar for Internet Explorer
Google Update Helper
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Customer Participation Program 8.0
HP Deskjet & Photosmart Printer Driver Software 8.0.A
HP Driver Diagnostics
HP DVD Play 3.6
HP Easy Setup - Frontend
HP Help and Support
HP Imaging Device Functions 8.0
HP Photosmart Essential
HP Photosmart Essential 2.0
HP Photosmart Essential2.5
HP Quick Launch Buttons 6.20 D3
HP Solution Center 8.0
HP Total Care Advisor
HP Update
HP User Guides 0041
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
HPProductAssistant
HPSSupply
Japanese Fonts Support For Adobe Reader 8
Java Auto Updater
Java™ 6 Update 26
LightScribe 1.4.136.1
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes Anti-Malware version 1.65.1.1000
MarketResearch
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSCU for Microsoft Vista
MSN
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.0
My HP Games
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NoteTab Light 7 (Remove only)
NVIDIA Drivers
PSSWCORE
QuickPlay SlingPlayer 0.4.4
QuickTime
QuickTransfer
Rhapsody
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
SF_CDA_ProductContext
SF_CDA_Software
SolutionCenter
SPBBC 32bit
Spelling Dictionaries Support For Adobe Reader 8
Status
Symantec Real Time Storage Protection Component
SymNet
Synaptics Pointing Device Driver
Toolbox
TrayApp
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Vongo
WebReg
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer
.
==== End Of File ===========================
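The two uRun entries in the log above that launch rundll32.exe with a DLL sitting in the user's AppData\Roaming folder are the kind of autostart a helper looks at first, because installed software very rarely registers itself that way. The Python script below is an added example, not part of the original post or of DDS: it parses DDS-style Run lines and flags that pattern. The sample lines are copied from the log above, and the "user-writable location" rule is an assumption of this example, a triage heuristic rather than a verdict on the files.

```python
import re

# Constructed sample: Run entries copied in the format of the DDS "Pseudo HJT Report" above.
SAMPLE_DDS = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [wmsbre] "c:\windows\system32\rundll32.exe" "c:\users\david\appdata\roaming\wmsbre.dll",DeprecationWarning
uRun: [apeti] "c:\windows\system32\rundll32.exe" "c:\users\david\appdata\roaming\apeti.dll",Member_SetOne
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
"""

# uRun = per-user (HKCU) Run key, mRun = machine-wide (HKLM); RunOnce entries have the same shape.
RUN_LINE = re.compile(r"^(?P<hive>[um])Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# rundll32 <dll>,<export>; the DLL path may be quoted or bare.
RUNDLL_CALL = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
# Directories any standard user can write to (heuristic; an assumption of this example).
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\appdata|programdata)\\", re.IGNORECASE)


def parse_run_entries(text):
    """Return one dict (hive, name, cmd) per Run/RunOnce line in a DDS report."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def flag_rundll32_from_user_dirs(text):
    """Return (entry name, dll path, export) for entries that use rundll32
    to load a DLL from a user-writable directory."""
    hits = []
    for entry in parse_run_entries(text):
        call = RUNDLL_CALL.search(entry["cmd"])
        if call is None:
            continue
        dll = call.group("dll").strip()
        if USER_WRITABLE.search(dll):
            hits.append((entry["name"], dll, call.group("export")))
    return hits


if __name__ == "__main__":
    for name, dll, export in flag_rundll32_from_user_dirs(SAMPLE_DDS):
        print(f"review: [{name}] loads {dll} via rundll32, export {export}")
```

Run against the sample, the NVIDIA entry is not flagged even though it also uses rundll32, because its DLL lives under system32; only the two AppData\Roaming entries come back for review.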

#2 Farbar

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 December 2012 - 10:09 AM

Hi dne,

Welcome to the forum.

Please refrain from doing any fix or making any changes to the system from now on until we are done unless you decide you can do the rest on your own. Thank you.

  • Please download the attached file tdx.reg (562 bytes).
    Save it to the flash drive.
    Insert the flash drive into infected computer.
    Double-click tdx.reg and confirm the prompt to allow it to merge.
  • Important: Restart.
  • After restart check the internet connection. Also please post a fresh Farbar Service Scanner (FSS) log made while all the options are set.


#3 dne

  • Members
  • 12 posts

Posted 21 December 2012 - 06:15 PM

Hi Farbar,

Thank you for the response and the welcome!

Downloaded tdx.reg to flash, ran it on the infected computer (only took seconds), restarted, and the internet connection has been restored (able to access google.com)!

Ran fss.exe and the results are below.

I am guessing however, that we are not finished? Should I now use the infected computer to continue this discussion or still use the borrowed ("uninfected") computer and transfer items with a flash drive?

Thanks!

FSS.TXT:
Farbar Service Scanner Version: 10-12-2012
Ran by David (administrator) on 21-12-2012 at 14:58:54
Running from "C:\Users\David\Desktop"
Windows Vista ™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: ATTENTION!=====> Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: ATTENTION!=====> Unable to open LEGACY_bfe\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2012-10-09 14:58] - [2012-06-01 16:02] - 0133120 ____A (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll
[2010-04-13 16:22] - [2010-02-18 05:30] - 0200704 ____A (Microsoft Corporation) 1998BD97F950680BB55F55A7244679C2

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
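The FSS log above mixes three different findings: services that are simply not running, services whose registry key is gone altogether (the "The service key does not exist" lines), and files that FSS could not vouch for by hash (printed with their details instead of "=> MD5 is legit"; that the second format means the hash was not on the tool's known-good list is an assumption here, the page only shows the two formats). Keeping them apart matters, because a missing service key needs the key rebuilt, not a file replaced. The Python script below is an added example, not part of the post or of Farbar Service Scanner; it summarizes a constructed excerpt of the log above into those three groups.

```python
import re

# Constructed excerpt in the format of the FSS log above (condensed, same line shapes).
SAMPLE_FSS = r"""
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: ATTENTION!=====> Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.

File Check:
========
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2012-10-09 14:58] - [2012-06-01 16:02] - 0133120 ____A (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64

C:\Windows\system32\svchost.exe => MD5 is legit
"""

NOT_RUNNING = re.compile(r"^(?P<svc>\w+) Service is not running\.")
# Only the "service key" wording; the LEGACY_<svc>\0000 lines say "The key does not exist" and are skipped.
MISSING_KEY = re.compile(r"Unable to open (?P<svc>\w+) registry key\. The service key does not exist\.")
# A file-check line: a drive path, optionally followed by "=> <verdict>".
FILE_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?)(?:\s*=>\s*(?P<verdict>.*))?$")


def summarize_fss(text):
    """Group an FSS log into services not running, services whose key is missing,
    and checked files that carry no 'MD5 is legit' verdict."""
    not_running, missing, unverified = [], [], []
    in_file_check = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "File Check:":
            in_file_check = True
            continue
        m = NOT_RUNNING.match(line)
        if m:
            not_running.append(m.group("svc"))
        m = MISSING_KEY.search(line)
        if m and m.group("svc") not in missing:
            missing.append(m.group("svc"))          # one entry per service, not per check
        if in_file_check:
            m = FILE_LINE.match(line)
            if m and m.group("verdict") is None:
                unverified.append(m.group("path"))  # details follow on the next line of the log
    return {
        "not_running": not_running,
        "missing_service_keys": missing,
        "unverified_files": unverified,
    }


if __name__ == "__main__":
    for group, items in summarize_fss(SAMPLE_FSS).items():
        print(f"{group}: {', '.join(items) if items else '(none)'}")
```

On the sample, mpsdrv shows up only as "not running" (its key is intact), whereas MpsSvc, bfe and iphlpsvc have no service key at all, which is why the firewall and the IP Helper service cannot be started until those keys are rebuilt, and why the clean hashes for mpssvc.dll and bfe.dll do not by themselves fix anything.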

#4 Farbar

  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 December 2012 - 08:49 PM

Great. :thumbup2:

As you already mentioned, we are not done yet. There are many vital services that we will restore later on. But first we will clean the system of malware.

Since you have Vista, I hope you can get to recovery mode to run the following tool.

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    Plug the flash drive into the infected PC.
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    Select Command Prompt

    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#5 dne

  • Members
  • 12 posts

Posted 21 December 2012 - 09:29 PM

Whew! The instructions looked scary. In actuality the process was fairly simple and FRST appeared to run successfully. Thanks for the detailed instructions.

Here is the log:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-12-2012
Ran by SYSTEM at 21-12-2012 18:16:41
Running from F:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1045800 2008-03-28] (Synaptics, Inc.)
HKLM\...\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [115816 2007-01-10] (Symantec Corporation)
HKLM\...\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [180224 2007-03-06] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" [398728 2008-01-29] (Symantec Corporation)
HKLM\...\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-06-16] (Hewlett-Packard)
HKLM\...\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart [86016 2007-11-06] (NVIDIA Corporation)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [8534560 2007-11-06] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [81920 2007-11-06] (NVIDIA Corporation)
HKLM\...\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [480560 2007-10-03] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [x]
HKU\David\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\David\...\Run: [wmsbre] "C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\wmsbre.dll",DeprecationWarning [603648 2012-12-14] (Fujitsu Component Limited)
HKU\David\...\Run: [apeti] "C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\apeti.dll",Member_SetOne [314880 2012-12-14] (Fujitsu Component Limited)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-20] (Hewlett-Packard)
HKLM\...\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe [44128 2006-11-07] (soft thinks)
Tcpip\Parameters: [DhcpNameServer] 68.94.156.1 68.94.157.1 192.168.1.1

==================== Services (Whitelisted) ===================

2 Automatic LiveUpdate Scheduler; "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [554352 2007-09-12] (Symantec Corporation)
3 Com4Qlb; "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe" [110592 2007-03-05] (Hewlett-Packard Development Company, L.P.)
3 hpqcxs08; C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll [225280 2007-02-28] (Hewlett-Packard Co.)
2 hpqddsvc; C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqddsvc.dll [131072 2007-02-28] (Hewlett-Packard Co.)
3 IDriverT; "C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe" [73728 2004-10-22] (Macrovision Corporation)
3 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [2999664 2007-09-12] (Symantec Corporation)
2 LiveUpdate Notice Service; "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll" [537992 2008-04-10] (Symantec Corporation)
3 Symantec Core LC; "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" [1252232 2007-11-04] ()
2 ccEvtMgr; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
2 ccSetMgr; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
2 CLTNetCnService; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon [x]
3 comHost; "c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe" [x]
2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]
3 ISPwdSvc; "c:\Program Files\Norton Internet Security\isPwdSvc.exe" [x]
2 LiveUpdate Notice Ex; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
2 SymAppCore; "c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe" [x]

==================== Drivers (Whitelisted) ====================

1 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)
3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [159232 2007-02-21] (Conexant Systems Inc.)
3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49664 2006-05-15] (HP)
3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2006-05-15] (HP)
1 IDSvix86; \??\C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20071220.001\IDSvix86.sys [180272 2007-11-06] (Symantec Corporation)
1 SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [418104 2007-04-14] (Symantec Corporation)
3 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [278576 2007-09-18] (Symantec Corporation)
3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [317616 2007-09-18] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2007-09-18] (Symantec Corporation)
3 SYMDNS; C:\Windows\System32\Drivers\SYMDNS.SYS [12984 2007-01-09] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [123952 2007-11-04] (Symantec Corporation)
3 SYMFW; C:\Windows\System32\Drivers\SYMFW.SYS [145976 2007-01-09] (Symantec Corporation)
3 SYMIDS; C:\Windows\System32\Drivers\SYMIDS.SYS [40120 2007-01-09] (Symantec Corporation)
3 SYMNDISV; C:\Windows\System32\Drivers\SYMNDISV.SYS [38200 2007-01-09] (Symantec Corporation)
3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [27576 2007-01-09] (Symantec Corporation)
1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [191544 2007-01-09] (Symantec Corporation)
3 .tdx; \? [x]
0 38163575; C:\Windows\System32\drivers\60184723.sys [x]
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
2 MCSTRM; [x]
3 NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20080103.002\NAVENG.SYS [x]
3 NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20080103.002\NAVEX15.SYS [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-12-21 18:16 - 2012-12-21 18:16 - 00000000 ____D C:\FRST
2012-12-21 14:58 - 2012-12-21 14:59 - 00004694 ____A C:\Users\David\Desktop\FSS.txt
2012-12-20 17:27 - 2012-12-20 17:27 - 00007606 ____A C:\Users\David\Desktop\attach.txt
2012-12-20 17:27 - 2012-12-20 17:25 - 00011001 ____A C:\Users\David\Desktop\dds.txt
2012-12-20 17:15 - 2012-12-20 17:13 - 00688992 ____R (Swearware) C:\Users\David\Desktop\dds.com
2012-12-19 21:38 - 2012-12-19 21:38 - 00000000 ____D C:\Users\David\Desktop\mbar-1.01.0.1011
2012-12-19 21:36 - 2012-12-19 21:29 - 13485902 ____A C:\Users\David\Desktop\mbar-1.01.0.1011.zip
2012-12-19 20:56 - 2012-12-18 18:18 - 00697869 ____A (Farbar) C:\Users\David\Desktop\FSS.exe
2012-12-19 20:55 - 2012-12-18 18:22 - 04732416 ____A (AVAST Software) C:\Users\David\Desktop\aswMBR.exe
2012-12-19 20:36 - 2012-12-19 20:36 - 00001002 ____A C:\Users\David\My Documents\mbam.txt
2012-12-19 20:36 - 2012-12-19 20:36 - 00001002 ____A C:\Users\David\Documents\mbam.txt
2012-12-18 21:38 - 2012-12-18 18:17 - 00856731 ____A C:\Users\David\Desktop\SecurityCheck.exe
2012-12-16 19:51 - 2012-12-16 16:21 - 41557571 ____A C:\Users\David\Desktop\CBS.log
2012-12-15 13:30 - 2012-12-15 13:30 - 00000000 __SHD C:\found.001
2012-12-15 12:29 - 2012-12-15 12:29 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-12-15 12:23 - 2012-12-15 12:23 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\David\Downloads\tdsskiller.exe
2012-12-14 22:05 - 2012-12-21 15:16 - 00006523 ____A C:\Users\David\Local Settings\Application Data\06a30e25-c8bb-42a4-a625-7482d1902d99.crx
2012-12-14 22:05 - 2012-12-21 15:16 - 00006523 ____A C:\Users\David\Local Settings\06a30e25-c8bb-42a4-a625-7482d1902d99.crx
2012-12-14 22:05 - 2012-12-21 15:16 - 00006523 ____A C:\Users\David\AppData\Local\06a30e25-c8bb-42a4-a625-7482d1902d99.crx
2012-12-14 22:05 - 2012-12-15 02:34 - 00000000 ____D C:\Users\All Users\Application Data\39C3D7C12F327844000039C39E027D30
2012-12-14 22:05 - 2012-12-15 02:34 - 00000000 ____D C:\Users\All Users\39C3D7C12F327844000039C39E027D30
2012-12-14 22:05 - 2012-12-14 22:05 - 00603648 ____A (Fujitsu Component Limited) C:\Users\David\Application Data\wmsbre.dll
2012-12-14 22:05 - 2012-12-14 22:05 - 00603648 ____A (Fujitsu Component Limited) C:\Users\David\AppData\Roaming\wmsbre.dll
2012-12-14 22:05 - 2012-12-14 22:05 - 00314880 ____A (Fujitsu Component Limited) C:\Users\David\Application Data\apeti.dll
2012-12-14 22:05 - 2012-12-14 22:05 - 00314880 ____A (Fujitsu Component Limited) C:\Users\David\AppData\Roaming\apeti.dll
2012-12-13 03:10 - 2012-11-13 18:48 - 12320256 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-12-13 03:10 - 2012-11-13 18:14 - 09738240 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-12-13 03:10 - 2012-11-13 18:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-12-13 03:10 - 2012-11-13 17:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-12-13 03:10 - 2012-11-13 17:57 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-12-13 03:10 - 2012-11-13 17:57 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-12-13 03:10 - 2012-11-13 17:55 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-12-13 03:10 - 2012-11-13 17:51 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-12-13 03:10 - 2012-11-13 17:49 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-12-13 03:10 - 2012-11-13 17:49 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-12-13 03:10 - 2012-11-13 17:48 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-12-13 03:10 - 2012-11-13 17:47 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-12-13 03:10 - 2012-11-13 17:46 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-12-13 03:10 - 2012-11-13 17:45 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-12-13 03:10 - 2012-11-13 17:44 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-12-13 03:10 - 2012-11-13 17:41 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-12-13 03:07 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2012-12-13 03:07 - 2012-06-02 06:34 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2012-12-13 03:06 - 2012-07-25 19:39 - 00526952 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2012-12-13 03:06 - 2012-07-25 19:39 - 00047720 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys
2012-12-13 03:06 - 2012-07-25 19:20 - 00172032 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll
2012-12-13 03:06 - 2012-07-25 19:20 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll
2012-12-13 03:06 - 2012-07-25 18:46 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll
2012-12-13 03:06 - 2012-07-25 18:33 - 00066560 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys
2012-12-13 03:06 - 2012-07-25 18:32 - 00155136 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys
2012-12-13 03:06 - 2009-07-14 04:12 - 00016896 ____A (Microsoft Corporation) C:\Windows\System32\winusb.dll
2012-12-13 03:06 - 2009-07-13 15:51 - 00034944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\winusb.sys
2012-12-13 03:05 - 2012-07-25 19:21 - 00196608 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe
2012-12-13 03:05 - 2012-07-25 19:20 - 00613888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll
2012-12-13 03:05 - 2012-07-25 19:20 - 00038912 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll
2012-12-12 18:56 - 2012-11-02 02:18 - 00376320 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll
2012-12-12 18:56 - 2012-11-02 00:26 - 00023040 ____A (Microsoft Corporation) C:\Windows\System32\dpnsvr.exe
2012-12-12 18:56 - 2012-08-21 03:47 - 00224640 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\volsnap.sys
2012-12-12 18:55 - 2012-11-12 17:36 - 02048000 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-12-12 18:55 - 2012-11-07 19:46 - 00034304 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-12 18:55 - 2012-11-07 17:36 - 00293376 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-12 18:55 - 2012-09-28 08:11 - 00892928 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-12-12 18:51 - 2012-11-12 17:29 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2012-12-07 13:45 - 2012-12-07 13:48 - 00000000 ____D C:\Users\David\Application Data\NoteTab Light
2012-12-07 13:45 - 2012-12-07 13:48 - 00000000 ____D C:\Users\David\AppData\Roaming\NoteTab Light
2012-12-06 16:56 - 2012-12-06 16:56 - 00000832 ____A C:\Users\David\Desktop\NoteTab Light.lnk
2012-12-06 16:56 - 2012-12-06 16:56 - 00000000 ____D C:\Program Files\NoteTab Light
2012-12-06 16:42 - 2012-12-06 16:42 - 02038984 ____A (Fookes Holding Ltd ) C:\Users\David\Downloads\NoteTab_Light_Setup.exe
2012-11-23 17:48 - 2012-11-23 17:48 - 00000000 ___AT C:\Users\David\My Documents\USB003
2012-11-23 17:48 - 2012-11-23 17:48 - 00000000 ___AT C:\Users\David\Documents\USB003

==================== One Month Modified Files and Folders ========

2012-12-21 18:11 - 2006-11-02 05:01 - 00032558 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-12-21 18:11 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-21 18:11 - 2006-11-02 04:47 - 00003296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-21 18:11 - 2006-11-02 04:47 - 00003296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-21 18:10 - 2007-07-07 07:32 - 01417403 ____A C:\Windows\WindowsUpdate.log
2012-12-21 18:05 - 2009-06-08 18:45 - 00000000 ____D C:\Users\Public\Documents\Symantec
2012-12-21 18:05 - 2009-06-08 18:45 - 00000000 ____D C:\Users\All Users\Documents\Symantec
2012-12-21 15:16 - 2012-12-14 22:05 - 00006523 ____A C:\Users\David\Local Settings\Application Data\06a30e25-c8bb-42a4-a625-7482d1902d99.crx
2012-12-21 15:16 - 2012-12-14 22:05 - 00006523 ____A C:\Users\David\Local Settings\06a30e25-c8bb-42a4-a625-7482d1902d99.crx
2012-12-21 15:16 - 2012-12-14 22:05 - 00006523 ____A C:\Users\David\AppData\Local\06a30e25-c8bb-42a4-a625-7482d1902d99.crx
2012-12-21 14:59 - 2012-12-21 14:58 - 00004694 ____A C:\Users\David\Desktop\FSS.txt
2012-12-21 14:54 - 2007-11-04 04:25 - 00041662 ____A C:\Users\David\Application Data\nvModes.001
2012-12-21 14:54 - 2007-11-04 04:25 - 00041662 ____A C:\Users\David\AppData\Roaming\nvModes.001
2012-12-21 14:53 - 2011-02-25 02:39 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-12-21 14:53 - 2007-04-29 22:50 - 00000000 ____D C:\Windows\SMINST
2012-12-21 14:44 - 2012-04-06 13:55 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-12-20 18:37 - 2011-02-25 02:39 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-12-20 17:27 - 2012-12-20 17:27 - 00007606 ____A C:\Users\David\Desktop\attach.txt
2012-12-20 17:25 - 2012-12-20 17:27 - 00011001 ____A C:\Users\David\Desktop\dds.txt
2012-12-20 17:13 - 2012-12-20 17:15 - 00688992 ____R (Swearware) C:\Users\David\Desktop\dds.com
2012-12-19 21:38 - 2012-12-19 21:38 - 00000000 ____D C:\Users\David\Desktop\mbar-1.01.0.1011
2012-12-19 21:29 - 2012-12-19 21:36 - 13485902 ____A C:\Users\David\Desktop\mbar-1.01.0.1011.zip
2012-12-19 20:49 - 2006-11-02 02:33 - 00703388 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-19 20:39 - 2007-04-29 22:07 - 00063912 ____A C:\Windows\PFRO.log
2012-12-19 20:39 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\tapi
2012-12-19 20:36 - 2012-12-19 20:36 - 00001002 ____A C:\Users\David\My Documents\mbam.txt
2012-12-19 20:36 - 2012-12-19 20:36 - 00001002 ____A C:\Users\David\Documents\mbam.txt
2012-12-19 04:16 - 2009-07-08 18:35 - 00019556 ____A C:\Users\David\My Documents\grocery.txt
2012-12-19 04:16 - 2009-07-08 18:35 - 00019556 ____A C:\Users\David\Documents\grocery.txt
2012-12-18 18:22 - 2012-12-19 20:55 - 04732416 ____A (AVAST Software) C:\Users\David\Desktop\aswMBR.exe
2012-12-18 18:18 - 2012-12-19 20:56 - 00697869 ____A (Farbar) C:\Users\David\Desktop\FSS.exe
2012-12-18 18:17 - 2012-12-18 21:38 - 00856731 ____A C:\Users\David\Desktop\SecurityCheck.exe
2012-12-17 22:10 - 2007-11-04 23:49 - 00000546 ____A C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - David.job
2012-12-16 17:01 - 2006-11-02 04:47 - 00352584 ____A C:\Windows\System32\FNTCACHE.DAT
2012-12-16 16:21 - 2012-12-16 19:51 - 41557571 ____A C:\Users\David\Desktop\CBS.log
2012-12-15 13:30 - 2012-12-15 13:30 - 00000000 __SHD C:\found.001
2012-12-15 12:35 - 2012-01-10 23:52 - 00000000 ____D C:\Users\David\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
2012-12-15 12:35 - 2012-01-10 23:52 - 00000000 ____D C:\Users\David\Local Settings\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
2012-12-15 12:35 - 2012-01-10 23:52 - 00000000 ____D C:\Users\David\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
2012-12-15 12:35 - 2009-09-11 14:45 - 00072192 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdx.sys
2012-12-15 12:35 - 2006-11-02 03:18 - 00000000 ___DC C:\Windows\$NtUninstallKB62280$
2012-12-15 12:29 - 2012-12-15 12:29 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-12-15 12:23 - 2012-12-15 12:23 - 02213976 ____A (Kaspersky Lab ZAO) C:\Users\David\Downloads\tdsskiller.exe
2012-12-15 11:34 - 2009-09-16 02:05 - 00473450 ____A C:\Users\David\My Documents\grocery prices.txt
2012-12-15 11:34 - 2009-09-16 02:05 - 00473450 ____A C:\Users\David\Documents\grocery prices.txt
2012-12-15 07:22 - 2012-01-10 18:16 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-12-15 07:22 - 2012-01-10 18:16 - 00000906 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-12-15 07:22 - 2011-12-13 15:28 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-12-15 02:34 - 2012-12-14 22:05 - 00000000 ____D C:\Users\All Users\Application Data\39C3D7C12F327844000039C39E027D30
2012-12-15 02:34 - 2012-12-14 22:05 - 00000000 ____D C:\Users\All Users\39C3D7C12F327844000039C39E027D30
2012-12-14 22:05 - 2012-12-14 22:05 - 00603648 ____A (Fujitsu Component Limited) C:\Users\David\Application Data\wmsbre.dll
2012-12-14 22:05 - 2012-12-14 22:05 - 00603648 ____A (Fujitsu Component Limited) C:\Users\David\AppData\Roaming\wmsbre.dll
2012-12-14 22:05 - 2012-12-14 22:05 - 00314880 ____A (Fujitsu Component Limited) C:\Users\David\Application Data\apeti.dll
2012-12-14 22:05 - 2012-12-14 22:05 - 00314880 ____A (Fujitsu Component Limited) C:\Users\David\AppData\Roaming\apeti.dll
2012-12-13 04:00 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\rescache
2012-12-13 03:15 - 2006-11-02 04:52 - 00030473 ____A C:\Windows\setupact.log
2012-12-13 03:09 - 2007-04-29 22:14 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-12-13 03:09 - 2007-04-29 22:14 - 00000000 ____D C:\Users\All Users\Application Data\Microsoft Help
2012-12-12 21:39 - 2011-07-06 17:08 - 00000322 ____A C:\Windows\Tasks\HPCeeScheduleForDavid.job
2012-12-12 15:35 - 2007-11-03 19:02 - 00000000 ____D C:\users\David
2012-12-12 15:33 - 2008-07-30 14:33 - 00000052 ____A C:\Windows\System32\DOErrors.log
2012-12-12 03:19 - 2012-04-06 13:55 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-12-12 03:19 - 2011-06-07 16:28 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-12-10 00:34 - 2007-11-04 04:25 - 00041662 ____A C:\Users\David\Application Data\nvModes.dat
2012-12-10 00:34 - 2007-11-04 04:25 - 00041662 ____A C:\Users\David\AppData\Roaming\nvModes.dat
2012-12-07 13:48 - 2012-12-07 13:45 - 00000000 ____D C:\Users\David\Application Data\NoteTab Light
2012-12-07 13:48 - 2012-12-07 13:45 - 00000000 ____D C:\Users\David\AppData\Roaming\NoteTab Light
2012-12-06 16:56 - 2012-12-06 16:56 - 00000832 ____A C:\Users\David\Desktop\NoteTab Light.lnk
2012-12-06 16:56 - 2012-12-06 16:56 - 00000000 ____D C:\Program Files\NoteTab Light
2012-12-06 16:42 - 2012-12-06 16:42 - 02038984 ____A (Fookes Holding Ltd ) C:\Users\David\Downloads\NoteTab_Light_Setup.exe
2012-12-06 02:59 - 2007-11-30 23:30 - 00053117 ____A C:\Users\David\My Documents\cell.txt
2012-12-06 02:59 - 2007-11-30 23:30 - 00053117 ____A C:\Users\David\Documents\cell.txt
2012-12-04 03:11 - 2010-05-14 04:11 - 00208528 ____A C:\Users\David\My Documents\best of.txt
2012-12-04 03:11 - 2010-05-14 04:11 - 00208528 ____A C:\Users\David\Documents\best of.txt
2012-11-25 13:43 - 2007-04-29 22:29 - 00000000 ____D C:\Users\All Users\Application Data\Adobe
2012-11-25 13:43 - 2007-04-29 22:29 - 00000000 ____D C:\Users\All Users\Adobe
2012-11-23 17:48 - 2012-11-23 17:48 - 00000000 ___AT C:\Users\David\My Documents\USB003
2012-11-23 17:48 - 2012-11-23 17:48 - 00000000 ___AT C:\Users\David\Documents\USB003


ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1055404121-919610189-1741765639-1000\$ff24043d55f85ce9a20a8337d9b4b888
C:\$Recycle.Bin\S-1-5-21-1055404121-919610189-1741765639-1000\$ff24043d55f85ce9a20a8337d9b4b888\@
C:\$Recycle.Bin\S-1-5-21-1055404121-919610189-1741765639-1000\$ff24043d55f85ce9a20a8337d9b4b888\L
C:\$Recycle.Bin\S-1-5-21-1055404121-919610189-1741765639-1000\$ff24043d55f85ce9a20a8337d9b4b888\U
C:\$Recycle.Bin\S-1-5-21-1055404121-919610189-1741765639-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\00000001.@
C:\$Recycle.Bin\S-1-5-21-1055404121-919610189-1741765639-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\80000000.@
C:\$Recycle.Bin\S-1-5-21-1055404121-919610189-1741765639-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\800000cb.@

ZeroAccess:
C:\Users\David\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\David\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
C:\Users\David\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2012-12-12 18:56] - [2012-08-21 03:47] - 0224640 ____A (Microsoft Corporation) 786DB5771F05EF300390399F626BF30A


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-12 23:32:55
Restore point made on: 2012-12-13 03:02:03
Restore point made on: 2012-12-13 18:32:44
Restore point made on: 2012-12-15 18:41:36
Restore point made on: 2012-12-15 19:19:21
Restore point made on: 2012-12-15 19:49:33
Restore point made on: 2012-12-15 20:46:29

==================== Memory info ===========================

Percentage of memory in use: 45%
Total physical RAM: 958 MB
Available physical RAM: 518.69 MB
Total Pagefile: 725.15 MB
Available Pagefile: 583.09 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.55 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:103.68 GB) (Free:7.91 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (PRESARIO_RP) (Fixed) (Total:8.11 GB) (Free:1.75 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (Lexar) (Removable) (Total:7.45 GB) (Free:7.42 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 1528 KB
Disk 1 Online 7648 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 104 GB 32 KB
Partition 2 Primary 8 GB 104 GB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 104 GB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D PRESARIO_RP NTFS Partition 8 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7647 MB 1096 KB

=========================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 F Lexar FAT32 Removable 7647 MB Healthy

=========================================================

Last Boot: 2012-12-21 15:00

==================== End Of Log ============================

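As an added illustration, not code from this thread or from FRST itself: a small Python triage script that parses the FRST log format shown above and flags the same kinds of entries the advisor later puts into fixlist.txt (rundll32 autoruns loading DLLs from the user profile, driver entries with bogus image paths or digit-only names, and the paths FRST lists under its ZeroAccess marker). The heuristics and the trimmed sample log are constructed assumptions, not FRST's own whitelist logic.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) scan log.

Added example, not FRST's own code: narrow heuristics over the sections that
mattered in this thread (Run values, drivers, ZeroAccess blocks), reproducing
the advisor's fixlist entries.  The rules and the trimmed sample log below are
constructed; FRST's real whitelist logic is not shown.
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed excerpt of the scan log posted above.
SAMPLE_LOG = r"""==================== Registry (Whitelisted) ===================
HKLM\...\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart [86016 2007-11-06] (NVIDIA Corporation)
HKU\David\...\Run: [wmsbre] "C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\wmsbre.dll",DeprecationWarning [603648 2012-12-14] (Fujitsu Component Limited)
HKU\David\...\Run: [apeti] "C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\apeti.dll",Member_SetOne [314880 2012-12-14] (Fujitsu Component Limited)

==================== Drivers (Whitelisted) ====================
3 .tdx; \? [x]
0 38163575; C:\Windows\System32\drivers\60184723.sys [x]
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
2 MCSTRM; [x]

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1055404121-919610189-1741765639-1000\$ff24043d55f85ce9a20a8337d9b4b888
C:\$Recycle.Bin\S-1-5-21-1055404121-919610189-1741765639-1000\$ff24043d55f85ce9a20a8337d9b4b888\U

ZeroAccess:
C:\Users\David\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\David\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L

==================== Known DLLs (Whitelisted) =================
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
RUN_RE = re.compile(r"^(HK.*?)\\\.\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
DRIVER_RE = re.compile(r"^(\d) ([^;]+); (.*)$")
# A DLL resident in the user's roaming or local profile, quoted or not.
PROFILE_DLL_RE = re.compile(
    r'[A-Z]:\\Users\\[^\\"]+\\AppData\\(?:Roaming|Local)\\[^\\"]+\.dll', re.I)

@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str

def check_run_entry(line):
    """Flag a Run value where rundll32 loads a DLL out of the user profile;
    legitimate rundll32 autoruns such as NvSvc load from system32."""
    m = RUN_RE.match(line)
    if not m:
        return None
    _hive, _key, name, command = m.groups()
    if "rundll32" in command.lower() and PROFILE_DLL_RE.search(command):
        return Finding("Registry", line, f"[{name}] rundll32 loads a DLL from the user profile")
    return None

def check_driver_entry(line):
    """Flag drivers whose image path is not a path at all, or whose service or
    file name is a bare digit string.  A missing file ([x]) alone is not
    flagged: blbdrive and MCSTRM are stale but harmless leftovers."""
    m = DRIVER_RE.match(line)
    if not m:
        return None
    _start, name, rest = m.groups()
    path = "" if rest.startswith("[") else rest.split(" [", 1)[0].strip('" ')
    if not path:
        return None
    if not re.match(r"^(?:\\\?\?\\)?[A-Z]:\\", path, re.I):
        return Finding("Drivers", line, f"{name}: image path {path!r} is not a file path")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if name.isdigit() or stem.isdigit():
        return Finding("Drivers", line, f"{name}: numeric-only service or file name")
    return None

def triage(log_text):
    """Walk the log once, tracking the current section and ZeroAccess blocks."""
    findings, section, in_zeroaccess = [], "", False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_zeroaccess = False  # a blank line closes a ZeroAccess block
            continue
        if (m := SECTION_RE.match(line)):
            section, in_zeroaccess = m.group(1), False
            continue
        if line == "ZeroAccess:":
            in_zeroaccess = True
            continue
        if in_zeroaccess:
            findings.append(Finding("ZeroAccess", line, "path listed under FRST's ZeroAccess marker"))
        elif section.startswith("Registry"):
            findings.extend(f for f in [check_run_entry(line)] if f)
        elif section.startswith("Drivers"):
            findings.extend(f for f in [check_driver_entry(line)] if f)
    return findings
```

Run against the sample it reports exactly the wmsbre/apeti autoruns, the .tdx and 38163575 drivers and the four ZeroAccess paths, while NvSvc, blbdrive and MCSTRM stay quiet.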
#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:10 PM

Posted 21 December 2012 - 09:50 PM

We are removing some malware.

FYI: It is too late here. We will continue tomorrow.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKU\David\...\Run: [wmsbre] "C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\wmsbre.dll",DeprecationWarning [603648 2012-12-14] (Fujitsu Component Limited)
C:\Users\David\AppData\Roaming\wmsbre.dll
HKU\David\...\Run: [apeti] "C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\apeti.dll",Member_SetOne [314880 2012-12-14] (Fujitsu Component Limited)
C:\Users\David\AppData\Roaming\apeti.dll
3 .tdx; \? [x]
0 38163575; C:\Windows\System32\drivers\60184723.sys [x]
2012-12-14 22:05 - 2012-12-21 15:16 - 00006523 ____A C:\Users\David\Local Settings\Application Data\06a30e25-c8bb-42a4-a625-7482d1902d99.crx
2012-12-14 22:05 - 2012-12-21 15:16 - 00006523 ____A C:\Users\David\Local Settings\06a30e25-c8bb-42a4-a625-7482d1902d99.crx
2012-12-14 22:05 - 2012-12-21 15:16 - 00006523 ____A C:\Users\David\AppData\Local\06a30e25-c8bb-42a4-a625-7482d1902d99.crx
2012-12-14 22:05 - 2012-12-14 22:05 - 00603648 ____A (Fujitsu Component Limited) C:\Users\David\Application Data\wmsbre.dll
2012-12-14 22:05 - 2012-12-14 22:05 - 00314880 ____A (Fujitsu Component Limited) C:\Users\David\Application Data\apeti.dll
C:\$Recycle.Bin\S-1-5-21-1055404121-919610189-1741765639-1000\$ff24043d55f85ce9a20a8337d9b4b888
C:\Users\David\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
Folder: C:\Windows\$NtUninstallKB62280$
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options and select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

#7 dne

dne
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:10 AM

Posted 22 December 2012 - 01:04 AM

OK. Will check back for more instructions tomorrow.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-12-2012
Ran by SYSTEM at 2012-12-21 21:52:52 Run:1
Running from F:\

==============================================

HKEY_USERS\David\Software\Microsoft\Windows\CurrentVersion\Run\\wmsbre Value deleted successfully.
C:\Users\David\AppData\Roaming\wmsbre.dll moved successfully.
HKEY_USERS\David\Software\Microsoft\Windows\CurrentVersion\Run\\apeti Value deleted successfully.
C:\Users\David\AppData\Roaming\apeti.dll moved successfully.
.tdx service deleted successfully.
38163575 service deleted successfully.
C:\Users\David\Local Settings\Application Data\06a30e25-c8bb-42a4-a625-7482d1902d99.crx moved successfully.
C:\Users\David\Local Settings\06a30e25-c8bb-42a4-a625-7482d1902d99.crx not found.
C:\Users\David\AppData\Local\06a30e25-c8bb-42a4-a625-7482d1902d99.crx not found.
C:\Users\David\Application Data\wmsbre.dll not found.
C:\Users\David\Application Data\apeti.dll not found.
C:\$Recycle.Bin\S-1-5-21-1055404121-919610189-1741765639-1000\$ff24043d55f85ce9a20a8337d9b4b888 moved successfully.
C:\Users\David\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.

========================= Folder: C:\Windows\$NtUninstallKB62280$ ========================

2012-01-10 17:30 - 2012-01-10 17:30 - 0000000 ___DC () C:\Windows\$NtUninstallKB62280$\485945278
2012-01-10 17:30 - 2012-01-10 17:30 - 0000000 ___DC () C:\Windows\$NtUninstallKB62280$\485945278\L
2012-01-10 17:30 - 2012-01-10 17:30 - 0000000 ___DC () C:\Windows\$NtUninstallKB62280$\485945278\U

====== End of Folder: ======

==== End of Fixlog ====

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:10 PM

Posted 22 December 2012 - 06:51 AM

Hi again,

We are going to repair the services that are damaged by the malware.

  • Please download the attached file fix.bat (344 bytes).
    Important: right-click and select "Run as administrator".
    A command window and then a log file (log00.txt) will open.
    Please post the content to your reply.
  • Please download ServicesRepair and save it to your desktop.

    • Double-click ServicesRepair.exe.
    • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
    • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
  • After restart wait a couple of minutes until the system settles down, run Farbar Service Scanner and post the log it makes.


#9 dne

dne
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:10 AM

Posted 22 December 2012 - 06:19 PM

Hi Farbar,

Sorry for the delayed reply. Still using borrowed uninfected laptop and it was unavailable for use this morning.

Having a problem completing the last set of tasks.

Fix.bat appeared to run from flash drive successfully. Log is below.

Services repair is stuck in the "Copying 45 items (2.67 MB) from Services.zip (C:\...\Services.zip) to Pieces (C:\Users...\Pieces)" state with 3 minutes and 20 seconds remaining because the system is awaiting my answer to a messagebox from Norton Internet Security "The document C:\Users\Public\Desktop\CC Support\Tools\ServicesRepair\Pieces\Vista\WinDefend.sddl is still infected. Do you want to delete this file?"

Getting to this point a number (6 or more) of "Norton Virus definitions are out of date" messages were displayed and I closed them (x in upper right hand corner) instead of responding. Just before the Services Repair stoppage what appeared to be a Norton Security Scan completion screen appeared with no threats detected and so I clicked "Finish" (In retrospect this was probably a mistake). I was not aware that Norton was still functioning on the machine since the trial subscription expired years ago.

Sorry for being a pain. Awaiting further instruction...

Log00.txt:
Start
Error: The file or directory is not a reparse point.

"C:\Windows\$NtUninstallKB62280$" deleted successfully.
End

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:10 PM

Posted 22 December 2012 - 06:40 PM

Thanks for the feedback.

Let's get rid of Norton.

  • Please go to start => Control Panel => open "Programs and Features" and uninstall all the following software (if present):

    Norton AntiVirus
    Norton Confidential Browser Component
    Norton Confidential Web Protection Component
    Norton Internet Security
    Norton Internet Security (Symantec Corporation)
    Norton Protection Center

  • To remove the leftovers please download and run the Norton Removal Tool.

    Note: Norton removal tool is one and the same for all versions named below. It doesn't matter which version you have.
  • You need to install an antivirus program to have a proper protection. I recommend this good free antivirus:

    Please download and install Microsoft Security Essentials.
    After installing please update it.
  • Now please proceed with the Step 2 and Step 3 from the previous post.


#11 dne

dne
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:10 AM

Posted 23 December 2012 - 03:36 AM

Hi Farbar,

Sorry again for the delayed response. Uninstall and install processes took a loooong time.

Uninstall of Norton did not work. Let procedure run for over 4 hours before I terminated the task via Task Manager. The whole time it appeared the task was running (according to Task Manager) and multiple processes were running, changing cpu and memory usage. Rebooted and tried to uninstall again and this time procedure reported an error and to wait as it collected information. This ran for an hour before I terminated the task.

Ran the Norton Removal tool and it ran quickly and appears to have worked properly.

Tried to install Microsoft Security Essentials by downloading it to a flash drive attached to this Windows 7 machine and then copying it to the desktop of the infected Vista machine but the attempt failed as the software reported it was the wrong version for that machine. Since the Vista machine now has internet access I went to the web site http://windows.microsoft.com/en-US/windows/security-essentials-download on that machine and downloaded directly to that machine. That install worked except that sometime during the process an attempt to activate the firewall failed. It also reported that an attempt to update failed due to an internet connection problem. Rebooted and attempted to manually update but the update process also tried to download a Microsoft (Windows?) Malicious Software removal program which failed (hung). However, Microsoft Security Essentials now shows that it is updated.

Rebooted machine and ran ServicesRepair. It ran quickly with no problem.

Rebooted and waited about 1/2 hour. Ran FSS. Results posted below.

I may not be able to respond for a few days due to holiday travel (leaving the morning of the 23rd, returning the evening of the 26th...and I am not taking the misbehaving machine with me) but will look here for further instructions as soon as I can after returning. If I do not have another chance to respond before I leave, thanks for all your help and happy holidays!


FSS.TXT
Farbar Service Scanner Version: 10-12-2012
Ran by David (administrator) on 22-12-2012 at 23:41:43and
Running from "C:\Users\David\Desktop"
Windows Vista ™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2012-10-09 14:58] - [2012-06-01 16:02] - 0133120 ____A (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll
[2010-04-13 16:22] - [2010-02-18 05:30] - 0200704 ____A (Microsoft Corporation) 1998BD97F950680BB55F55A7244679C2

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
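As an added example (not code from this thread or from the Farbar Service Scanner tool), the script below parses an FSS log in the format posted above and pulls out the three kinds of lines worth acting on: a stopped service, a "Disabled Policy" registry value that is set, and a file FSS could not match against its known-good hashes. The sample log is a constructed excerpt modelled on the one in this post.

```python
import re
from dataclasses import dataclass

# Constructed FSS-format excerpt modelled on the log in this thread (sample input, not the original).
SAMPLE_LOG = r"""Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2012-10-09 14:58] - [2012-06-01 16:02] - 0133120 ____A (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64
C:\Windows\system32\svchost.exe => MD5 is legit
"""

@dataclass(frozen=True)
class Finding:
    kind: str    # service_not_running | disabled_policy | unverified_file
    detail: str

SERVICE_RE = re.compile(r"^(\w+) Service is not running\.")
POLICY_RE = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')

def is_rule(s):
    # FSS underlines every section title with a line made only of '=' characters.
    return bool(s) and set(s) == {"="}

def parse_fss_log(text):
    """Return the lines of an FSS log that need a human's attention."""
    findings, section, hive = [], None, None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if not line or is_rule(line):
            continue
        if line.endswith(":") and i + 1 < len(lines) and is_rule(lines[i + 1]):
            section, hive = line[:-1], None      # new section title
            continue
        m = SERVICE_RE.match(line)
        if m:                                    # e.g. WinDefend stopped
            findings.append(Finding("service_not_running", m.group(1)))
        elif section and section.endswith("Disabled Policy"):
            if line.startswith("[") and line.endswith("]"):
                hive = line[1:-1]                # registry key the policy value lives under
            elif (m := POLICY_RE.match(line)) and m.group(2) != "0":
                findings.append(Finding("disabled_policy", f"{hive}\\{m.group(1)}={m.group(2)}"))
        elif section == "File Check" and not line.startswith("["):
            # A path without "MD5 is legit" is not in FSS's known-good list: it needs a
            # manual check, not automatic deletion (the cryptsvc.dll entry here was fine).
            if "=> MD5 is legit" not in line:
                findings.append(Finding("unverified_file", line))
    return findings
```

Run against the log in this post, the parser reports the stopped WinDefend service, the DisableAntiSpyware policy and the unmatched cryptsvc.dll, which are exactly the three items ServicesRepair and the later scans were asked to address.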

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:10 PM

Posted 23 December 2012 - 04:56 AM

I wish you happy holidays too. Please take your time and respond when ready.

As the FSS log shows, those services are restored successfully, so the firewall and the Windows Update issue should now be taken care of.

You may use the infected machine if needed. We are almost done. Let's run a full scan on the system to make sure no leftover is there. The ESET scan might take a very long time.

  • Please download AdwCleaner and save it to your desktop.
    • Close all open programs.
    • Double click on AdwCleaner.exe to run it.
    • Click on Delete and confirm the prompt.
    • After it is finished the computer will be restarted. A text file will open after the restart.
    • Please post the content of that log to your reply.
    • A copy of the log will be saved at C:\AdwCleaner[S1].txt.
  • You may download the latest x32 (x86) of Java from http://www.java.com/en/download/manual.jsp

    Uninstall the following older Java:

    Java 6 Update 26

    Then install the downloaded Java versions.
  • To Clear the Java Runtime Environment (JRE) cache, do this:
    • Click Start > Settings > Control Panel.
    • Double-click the Java icon.
      -The Java Control Panel appears.
    • Click "Settings" under Temporary Internet Files.
      -The Temporary Files Settings dialog box appears.
    • Click "Delete Files".
      -The Delete Temporary Files dialog box appears.
      -There are three options on this window to clear the cache.
    • Make sure all the options are checked.
    • Click "OK" on Delete Temporary Files window.
      -Note: This deletes all the Downloaded Applications and Applets from the cache.
    • Click "OK" on Temporary Files Settings window.
    • Close the Java Control Panel.
    You can also view these instructions along with screenshots here.
  • This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/

    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar or any other program uncheck the box next to it.
    • Run CCleaner. Under Application tab all the boxes should be checked except any option to remove saved passwords.
    • Click Run Cleaner.
    • Close CCleaner.
  • ESET Online Scanner:

    Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

    Vista and Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

    • Please go here then click on: Posted Image

      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

    • Select the option YES, I accept the Terms of Use then click on: Posted Image
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats and the option Scan archives are checked.
    • Now click on Advanced Settings and select the following:
    • Enable Anti-Stealth Technology
    • Now click on: Posted Image
    • The virus signature database... will begin to download. Be patient this may take some time depending on the speed of your Internet Connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • When the scan completes, press the LIST OF THREATS FOUND button
    • Press EXPORT TO TEXT FILE , name the file ESET and save it to your desktop.
    • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
    • Now click on: Posted Image
    • Copy and paste that log as a reply to this topic.
    Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


#13 dne

dne
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:10 AM

Posted 29 December 2012 - 05:18 PM

Hi Farbar,

Once again I am sorry for a delayed response. Holiday duties took longer than expected and you are correct, ESET scan took a LONG (more than 12 hours) time. Using infected machine all 5 tasks now completed. It looks like eset found 2 items it could not address. Logs below. Thanks for your patience!

AdwCleaner[S1].txt:
# AdwCleaner v2.103 - Logfile created 12/28/2012 at 02:28:50
# Updated 25/12/2012 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : David - DAVID-PC
# Boot Mode : Normal
# Running from : C:\Users\David\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Users\Public\Desktop\eBay.lnk

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Key Deleted : HKLM\SOFTWARE\Classes\S

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [856 octets] - [28/12/2012 02:28:50]

########## EOF - C:\AdwCleaner[S1].txt - [915 octets] ##########



eset.txt:
C:\Users\All Users\Microsoft\Windows\DRM\5FB4.tmp a variant of Win32/Kryptik.ACJR trojan unable to clean
C:\Users\All Users\Microsoft\Windows\DRM\E33B.tmp a variant of Win32/Kryptik.AEGV trojan unable to clean
C:\FRST\Quarantine\06a30e25-c8bb-42a4-a625-7482d1902d99.crx JS/Redirector.NCG trojan deleted - quarantined
C:\FRST\Quarantine\apeti.dll a variant of Win32/Medfos.GV trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\wmsbre.dll a variant of Win32/Medfos.GV trojan cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\5FB4.tmp a variant of Win32/Kryptik.ACJR trojan cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\E33B.tmp a variant of Win32/Kryptik.AEGV trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\15.12.2012_12.25.59\rtkt0000\svc0000\tsk0000.dta Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\15.12.2012_12.25.59\rtkt0000\zafs0000\tsk0001.dta Win32/Conedex.I trojan cleaned by deleting - quarantined
C:\Users\David\AppData\Local\ikjdxs.exe a variant of Win32/Kryptik.ACJI trojan cleaned by deleting - quarantined

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:10 PM

Posted 29 December 2012 - 08:46 PM

Hi dne,

No worries about the delay.

Some of the items were already removed and moved to the quarantined folders (of FRST and TDSSKiller).
ESET could not remove those two (harmless) leftovers from All Users folder but it removed them from a mirror directory:

C:\ProgramData\Microsoft\Windows\DRM\5FB4.tmp a variant of Win32/Kryptik.ACJR trojan cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\E33B.tmp a variant of Win32/Kryptik.AEGV trojan cleaned by deleting - quarantined

So they are no more on the system.

Everything looks good. :thumbup2:

  • Please delete FRST tool as we don't need it any more. Also go to C:\FRST and delete the entire FRST folder.
  • You may delete any tool or log we used from your computer.
  • Remove the old restore points and create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Setting a new restore point AFTER cleaning your system will enable your computer to "roll-back" to a clean working state if needed:
  • Go to Start => Right-click "Computer" and select "Properties".
  • In the left pane select "System Protection".
  • Press "Configure".
  • Select "Delete". Then press "Continue" close and "OK".
  • Select your drive (drive C) and press "Create".
    Fill in a name for the restore point and press "Create".
    After finished press "Close".
Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.
  • I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
  • Download and install it.
  • Update it manually by clicking on Updates in the left pane and then Check for Updates.
  • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
  • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.
Take care. :thumbup2:

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:10 PM

Posted 05 January 2013 - 07:20 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Every one else should start a new topic.



