Infected with unknown virus/malware


6 replies to this topic

#1 Vanessa.Antler

Vanessa.Antler

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:40 AM

Posted 12 January 2013 - 03:44 PM

I'm on a laptop running Vista Home Premium SP1 32-bit with 2GB of RAM. I have run several tools on this laptop already, such as TDSSKiller, Malwarebytes, ComboFix, etc., and still have an infection. Please help!

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 7.0.6001.18639
Run by Jackk at 14:35:48 on 2013-01-12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1525 [GMT -6:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
BHO: HP Print Clips: {053F9267-DC04-4294-A72C-58F732D338C0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20121105205604.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: ZeonIEEventHelper Class: {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll
TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
TB: Nuance PDF: {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll
uRun: [TOSCDSPD] "c:\program files\toshiba\toscdspd\TOSCDSPD.exe"
uRun: [RunSpySweeperScheduleAtStartup] "c:\windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{D34EB522-9EB8-4812-A5F0-BA007DEF912B}
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0
uRun: [SpriteService] "c:\program files\sprite software\sprite backup\SpriteService.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [HP Officejet Pro 8600 (NET)] "c:\program files\hp\hp officejet pro 8600\bin\ScanToPCActivationApp.exe" -deviceID "CN23JBQ08R05KC:NW" -scfn "HP Officejet Pro 8600 (NET)" -AutoStart 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ApplePhotoStreams] c:\program files\common files\apple\internet services\ApplePhotoStreams.exe
uRun: [com.apple.dav.bookmarks.daemon] c:\program files\common files\apple\internet services\BookmarkDAV_client.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TOSHIBA Volume Indicator] "c:\program files\toshiba\utilities\VolControl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [TPwrMain] "c:\program files\toshiba\power saver\TPwrMain.EXE"
mRun: [HSON] "c:\program files\toshiba\tbs\HSON.exe"
mRun: [SmoothView] "c:\program files\toshiba\smoothview\SmoothView.exe"
mRun: [00TCrdMain] "c:\program files\toshiba\flashcards\TCrdMain.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [StrgSync.exe] "c:\program files\storagesync\StrgSync.exe" -w
mRun: [Windows Mobile Device Center] c:\windows\windowsmobile\wmdc.exe
mRun: [PDFHook] c:\program files\nuance\pdf professional 5\pdfpro5hook.exe
mRun: [PDF5 Registry Controller] c:\program files\nuance\pdf professional 5\RegistryController.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Nuance PDF Professional 5-reminder] "c:\program files\nuance\pdf professional 5\ereg\ereg.exe" -r "c:\programdata\nuance\pdf professional 5\ereg\Ereg.ini"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [USB Storage Toolbox] c:\windows\umstor\Res.EXE
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Windows Mobile-based device management] c:\windows\windowsmobile\wmdSync.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\jackk\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wdquic~1.lnk - c:\program files\western digital\wd smartware\WDDMStatus.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: DisableCAD = dword:1
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append the content of the link to existing PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\nuance\pdf professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 5.11 - c:\program files\nuance\pdf professional 5\cnvres_eng.dll /100
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: mcafee.com
DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} - hxxps://physician-shh.ascensionhealth.org/portal/applets/SharedSession.dll
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {A08D2318-19E6-4332-A741-87FBBD3984CD} - hxxps://physician-shh.ascensionhealth.org/portal/applets/mckapprun.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {DD27B264-20E6-4484-B098-8CADC7F1076D} - hxxps://imaging.sacred-heart.org/communicator/DRL.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} - hxxps://physician-shh.ascensionhealth.org/portal/applets/mckntauth.ocx
TCP: NameServer = 97.64.209.36 97.64.168.13 192.168.33.1
TCP: Interfaces\{94966F55-BF64-441C-9492-6EF5F2926E85} : DHCPNameServer = 68.105.28.16 68.105.29.16
TCP: Interfaces\{DD21F6F4-B857-4A4B-BE84-FAAC92FF949A} : DHCPNameServer = 97.64.209.36 97.64.168.13 192.168.33.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
AppInit_DLLs= c:\progra~1\google\google~1\GoogleDesktopNetwork3.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli psqlpwd
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 565352]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-12-4 210136]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-11-11 167784]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-16 168880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-16 167344]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-16 60480]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-16 362640]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-16 210216]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-11-11 167784]
S2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-11-11 167784]
S2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-16 203400]
S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup 3.0\SymcPCCULaunchSvc.exe [2012-12-4 132056]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.15.91\ccSvcHst.exe [2012-11-25 126392]
S2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\nuance\pdf professional 5\PDFProFiltSrv.exe [2008-7-31 144672]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\WDDMService.exe [2011-8-1 263056]
S2 WDFMEService;WDFMEService;c:\program files\western digital\wd smartware\WDFME.exe [2011-8-1 1592208]
S2 WDRulesService;WDRulesService;c:\program files\western digital\wd smartware\WDRulesEngine.exe [2011-8-1 1091984]
S3 EZGYGLMTMB;EZGYGLMTMB;c:\users\jackk\appdata\local\temp\ezgyglmtmb.exe --> c:\users\jackk\appdata\local\temp\EZGYGLMTMB.exe [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-3-15 30192]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-11-11 146872]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-11-23 234824]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-11-23 65488]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-16 92192]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-11-23 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-11-23 40552]
S3 MSHUSBVideo;NX6000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2006-12-19 31512]
S3 MSW;Microsoft Broadband Networking Driver;c:\windows\system32\drivers\MN520-51.sys [2004-6-16 700800]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-2-16 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-16 91168]
.
=============== File Associations ===============
.
ShellExec: ymp.exe: open="c:\program files\yahoo!\yahoo! music jukebox\YahooMusicEngine.exe" -play "%1"
ShellExec: ymp.exe: play="c:\program files\yahoo!\yahoo! music jukebox\YahooMusicEngine.exe" -play "%1"
.
=============== Created Last 30 ================
.
2013-01-07 22:25:59 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2013-01-07 22:25:59 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2013-01-07 22:25:59 241152 ----a-w- c:\windows\system32\winrscmd.dll
2013-01-07 22:25:59 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2013-01-07 22:25:59 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2013-01-07 22:25:59 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2013-01-07 21:55:39 -------- d-----w- c:\users\jackk\appdata\local\temp
2013-01-07 21:42:20 -------- d-sh--w- C:\$RECYCLE.BIN
2013-01-07 17:05:39 -------- d-----w- c:\users\jackk\appdata\roaming\SUPERAntiSpyware.com
2013-01-07 17:05:26 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-01-07 17:05:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-01-07 16:15:02 -------- d-----w- c:\users\jackk\DoctorWeb
2013-01-07 16:06:39 -------- d-----w- c:\users\jackk\appdata\roaming\EurekaLog
2013-01-07 15:24:53 -------- d-----w- c:\programdata\Kaspersky Lab
2013-01-07 15:03:03 -------- d-----w- c:\programdata\HitmanPro
2013-01-05 09:05:35 231936 ----a-w- c:\windows\system32\msshsq.dll
2013-01-04 21:51:26 98816 ----a-w- c:\windows\sed.exe
2013-01-04 21:51:26 256000 ----a-w- c:\windows\PEV.exe
2013-01-04 21:51:26 208896 ----a-w- c:\windows\MBR.exe
2013-01-04 20:51:01 -------- d-----w- C:\runcomborun
2013-01-02 19:14:13 -------- d-----w- c:\users\jackk\appdata\roaming\Malwarebytes
2013-01-02 19:14:03 -------- d-----w- c:\programdata\Malwarebytes
2013-01-02 19:14:00 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-02 19:14:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-02 19:13:38 -------- d-----w- C:\TDSSKiller_Quarantine
2013-01-02 19:03:15 174024 ----a-w- c:\program files\14res.dll
2013-01-02 19:02:35 175224 ----a-w- c:\program files\5mres.dll
2012-12-26 05:37:10 80896 ----a-w- c:\windows\system32\MSNP.ax
2012-12-26 05:37:06 293376 ----a-w- c:\windows\system32\psisdecd.dll
2012-12-26 05:37:05 217088 ----a-w- c:\windows\system32\psisrndr.ax
2012-12-26 03:08:32 -------- d-----w- C:\found.000
2012-12-18 18:55:45 -------- d-----w- c:\program files\iPod
2012-12-18 18:55:42 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-18 18:55:42 -------- d-----w- c:\program files\iTunes
2012-12-17 03:29:08 -------- d-----w- c:\program files\Windows Easy Transfer 7
2012-12-16 23:10:35 -------- d-----w- C:\88dc57ec1a5668326e
2012-12-16 23:00:29 -------- dc----w- c:\users\jackk\appdata\local\MigWiz
2012-12-16 22:59:48 -------- d-----w- C:\0e0e70a0d143f13645ae9616e0d6b4
2012-12-15 01:26:44 3600272 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-12-15 01:26:44 3548048 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-12-15 01:26:44 1205080 ----a-w- c:\windows\system32\ntdll.dll
2012-12-13 21:33:39 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2012-12-13 21:33:34 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2012-12-13 21:32:02 125952 ----a-w- c:\windows\system32\srvsvc.dll
2012-12-13 21:32:00 17920 ----a-w- c:\windows\system32\netevent.dll
2012-12-13 21:31:04 501760 ----a-w- c:\windows\system32\usp10.dll
2012-12-13 21:29:59 833024 ----a-w- c:\windows\system32\wininet.dll
2012-12-13 21:28:33 1136640 ----a-w- c:\windows\system32\mfc42.dll
2012-12-13 21:28:32 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2012-12-13 21:28:24 1616384 ----a-w- c:\program files\windows mail\msoe.dll
2012-12-13 21:28:17 81920 ----a-w- c:\windows\system32\iccvid.dll
2012-12-13 21:28:04 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2012-12-13 21:28:03 15360 ----a-w- c:\windows\system32\pacerprf.dll
2012-12-13 21:27:47 304640 ----a-w- c:\windows\system32\drivers\srv.sys
2012-12-13 21:27:36 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2012-12-13 21:27:34 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2012-12-13 21:27:34 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2012-12-13 21:27:25 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2012-12-13 21:27:23 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2012-12-13 21:27:13 67072 ----a-w- c:\windows\system32\asycfilt.dll
2012-12-13 21:26:55 1315840 ----a-w- c:\windows\system32\ole32.dll
2012-12-13 21:26:54 339968 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2012-12-13 21:26:34 126464 ----a-w- c:\windows\system32\spoolsv.exe
2012-12-13 21:26:21 157184 ----a-w- c:\windows\system32\t2embed.dll
2012-12-13 21:26:10 2042368 ----a-w- c:\windows\system32\win32k.sys
2012-12-13 21:25:57 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2012-12-13 21:24:53 1169408 ----a-w- c:\windows\system32\sdclt.exe
2012-12-13 21:24:41 10926592 ----a-w- c:\program files\movie maker\MOVIEMK.dll
2012-12-13 21:24:38 150016 ----a-w- c:\program files\movie maker\MOVIEMK.exe
2012-12-13 21:24:31 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2012-12-13 21:24:30 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2012-12-13 21:24:22 766464 ----a-w- c:\program files\common files\microsoft shared\vgx\VGX.dll
2012-12-13 21:24:15 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2012-12-13 21:24:07 430080 ----a-w- c:\windows\system32\vbscript.dll
2012-12-13 21:23:56 563200 ----a-w- c:\windows\system32\oleaut32.dll
2012-12-13 21:23:48 954752 ----a-w- c:\windows\system32\mfc40.dll
2012-12-13 21:23:48 954288 ----a-w- c:\windows\system32\mfc40u.dll
2012-12-13 21:23:39 36352 ----a-w- c:\windows\system32\rtutils.dll
2012-12-13 21:23:17 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2012-12-13 21:23:14 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2012-12-13 21:22:51 866816 ----a-w- c:\windows\system32\wmpmde.dll
2012-12-13 21:22:45 429056 ----a-w- c:\windows\system32\EncDec.dll
2012-12-13 21:22:44 323072 ----a-w- c:\windows\system32\sbe.dll
2012-12-13 21:22:44 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2012-12-13 21:22:43 153088 ----a-w- c:\windows\system32\sbeio.dll
2012-12-13 21:22:27 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-12-13 21:21:45 603648 ----a-w- c:\windows\system32\schedsvc.dll
2012-12-13 21:21:43 357376 ----a-w- c:\windows\system32\taskschd.dll
2012-12-13 21:21:41 345088 ----a-w- c:\windows\system32\wmicmiplugin.dll
2012-12-13 21:21:40 171520 ----a-w- c:\windows\system32\taskeng.exe
2012-12-13 21:21:39 270336 ----a-w- c:\windows\system32\taskcomp.dll
2012-12-13 21:21:26 738816 ----a-w- c:\windows\system32\inetcomm.dll
2012-12-13 21:21:15 81920 ----a-w- c:\windows\system32\consent.exe
2012-12-13 21:21:05 1257472 ----a-w- c:\windows\system32\msxml3.dll
2012-12-13 21:20:48 147456 ----a-w- c:\windows\system32\Faultrep.dll
2012-12-13 21:20:48 125952 ----a-w- c:\windows\system32\wersvc.dll
2012-12-13 21:20:37 565248 ----a-w- c:\windows\system32\emdmgmt.dll
2012-12-13 21:20:36 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2012-12-13 21:20:35 45056 ----a-w- c:\windows\system32\dataclen.dll
2012-12-13 21:20:34 36864 ----a-w- c:\windows\system32\cdd.dll
2012-12-13 21:20:34 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2012-12-13 21:19:12 2048 ----a-w- c:\windows\system32\tzres.dll
2012-12-13 21:00:19 276992 ----a-w- c:\windows\system32\schannel.dll
.
==================== Find3M ====================
.
2012-12-11 19:02:15 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2012-12-11 19:02:12 82432 ----a-w- c:\windows\system32\axaltocm.dll
2012-11-09 12:56:16 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-11-09 12:53:32 210136 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2012-11-09 12:52:22 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-11-09 12:52:12 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-11-09 12:51:12 565352 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-11-09 12:50:20 362640 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-11-09 12:50:00 65488 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-11-09 12:49:40 234824 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-11-09 12:49:10 132912 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-10-31 21:10:14 773968 ----a-w- c:\windows\system32\msvcr100.dll
2012-10-31 21:10:14 138056 ----a-w- c:\windows\system32\atl100.dll
2012-10-25 09:12:26 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-10-25 09:12:26 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 14:37:45.98 ===============
Attached File: attach.txt (9.33KB)
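One entry in the SERVICES / DRIVERS section of the DDS log above stands apart from the vendor drivers and services around it: `S3 EZGYGLMTMB`, a stopped service whose binary is registered under the user's `AppData\Local\Temp` folder, carries a name that looks autogenerated, and was not found on disk (DDS marks that with `[?]`). The script below is an added example and is not part of this thread, of DDS, or of any BleepingComputer tool. It parses DDS-format service/driver lines and scores each one against a handful of triage heuristics a responder would otherwise apply by eye (binary missing, binary under a temp directory, binary inside a user profile, random-looking service name). The line format, the heuristics and the reporting threshold are my assumptions based on the log shown here; the sample lines are copied from the log above. A hit is a lead to investigate, not a malware verdict.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log for suspicious entries.

Added example, not part of the BleepingComputer thread or of DDS itself.
The heuristics are assumptions a responder would apply by hand; a hit is a
lead to check, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import Optional

# DDS prints one service/driver per line (format inferred from the log above):
#   <R|S><start> <name>;<display>;<path> [<yyyy-m-d> <size>]
# When the binary is missing it prints "<registry value> --> <expected path> [?]".
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
STAMP_RE = re.compile(
    r"\s\[(?:(?P<date>\d{4}-\d{1,2}-\d{1,2})\s(?P<size>\d+)|(?P<missing>\?))\]$"
)


@dataclass
class Entry:
    state: str            # R = running, S = stopped
    start: int            # start-type digit exactly as DDS prints it
    name: str
    display: str
    path: str
    file_missing: bool
    date: Optional[str]
    size: Optional[int]


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one DDS service/driver line; return None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    missing, date, size = False, None, None
    s = STAMP_RE.search(rest)
    if s:
        rest = rest[: s.start()]
        if s.group("missing"):
            missing = True
        else:
            date, size = s.group("date"), int(s.group("size"))
    # For a missing binary DDS shows "<registry value> --> <resolved path>";
    # keep the resolved path, which is what you would look for on disk.
    if " --> " in rest:
        rest = rest.split(" --> ", 1)[1]
    return Entry(m.group("state"), int(m.group("start")), m.group("name"),
                 m.group("display"), rest.strip(), missing, date, size)


VOWELS = set("AEIOU")


def looks_random(name: str) -> bool:
    """Heuristic: long, all-caps, almost vowel-free names (e.g. EZGYGLMTMB)."""
    return (name.isalpha() and name.isupper() and len(name) >= 8
            and sum(c in VOWELS for c in name) / len(name) < 0.3)


def signals(e: Entry) -> list:
    """Return the list of triage signals that apply to one entry."""
    p = e.path.lower()
    found = []
    if e.file_missing:
        found.append("binary not found on disk")
    if "\\temp\\" in p:
        found.append("binary under a temp directory")
    if p.startswith("c:\\users\\") or "\\appdata\\" in p:
        found.append("binary inside a user profile")
    if looks_random(e.name):
        found.append("random-looking service name")
    return found


def triage(log_text: str, threshold: int = 2) -> dict:
    """Map service name -> signals for every entry with >= threshold signals.

    A single weak signal (one vendor driver with a vowel-poor name, say) is
    noise; requiring two keeps the output to entries worth a manual look.
    """
    hits = {}
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is not None:
            s = signals(e)
            if len(s) >= threshold:
                hits[e.name] = s
    return hits


# Sample input: lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 565352]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.15.91\ccSvcHst.exe [2012-11-25 126392]
S3 EZGYGLMTMB;EZGYGLMTMB;c:\users\jackk\appdata\local\temp\ezgyglmtmb.exe --> c:\users\jackk\appdata\local\temp\EZGYGLMTMB.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-2-16 11520]
"""

if __name__ == "__main__":
    for name, found in triage(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(found)}")
```

Run as-is it reports only EZGYGLMTMB, with all four signals. SASDIFSV trips the vowel-ratio heuristic on its own but sits under Program Files with a valid timestamp, so it stays below the threshold; that is the point of scoring several weak indicators instead of alerting on any one of them.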


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,578 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:40 AM

Posted 15 January 2013 - 01:58 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If, after running ComboFix, you get the error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of the infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs for my review.

Please let me know what issues persist.

#3 Vanessa.Antler

Vanessa.Antler
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:40 AM

Posted 17 January 2013 - 12:22 PM

ComboFix 13-01-13.01 - Jackk 01/13/2013 14:08:41.2.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1277 [GMT -6:00]
Running from: c:\users\Jackk\Desktop\123ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-12-13 to 2013-01-13 )))))))))))))))))))))))))))))))
.
.
2013-01-13 20:14 . 2013-01-13 20:14 -------- d-----w- c:\users\Jackk\AppData\Local\temp
2013-01-13 20:14 . 2013-01-13 20:14 -------- d-----w- c:\users\Experience\AppData\Local\temp
2013-01-13 20:14 . 2013-01-13 20:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-13 06:58 . 2013-01-13 06:58 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2013-01-12 21:53 . 2013-01-12 21:53 -------- d-----w- C:\26b4ef7a3f022438a9280a48571108
2013-01-07 22:25 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2013-01-07 22:25 . 2009-10-09 21:56 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2013-01-07 22:25 . 2009-10-09 21:56 241152 ----a-w- c:\windows\system32\winrscmd.dll
2013-01-07 22:25 . 2009-10-09 21:56 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2013-01-07 22:25 . 2009-10-09 21:56 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2013-01-07 22:25 . 2009-10-09 21:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2013-01-07 17:05 . 2013-01-07 17:05 -------- d-----w- c:\users\Jackk\AppData\Roaming\SUPERAntiSpyware.com
2013-01-07 17:05 . 2013-01-07 17:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-01-07 17:05 . 2013-01-07 17:05 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-01-07 16:15 . 2013-01-07 16:15 -------- d-----w- c:\users\Jackk\DoctorWeb
2013-01-07 16:06 . 2013-01-13 06:57 -------- d-----w- c:\users\Jackk\AppData\Roaming\EurekaLog
2013-01-07 15:24 . 2013-01-07 15:24 -------- d-----w- c:\programdata\Kaspersky Lab
2013-01-07 15:03 . 2013-01-07 15:14 -------- d-----w- c:\programdata\HitmanPro
2013-01-05 09:05 . 2010-09-20 09:25 231936 ----a-w- c:\windows\system32\msshsq.dll
2013-01-04 20:51 . 2013-01-04 20:55 -------- d-----w- C:\runcomborun
2013-01-02 19:14 . 2013-01-02 19:14 -------- d-----w- c:\users\Jackk\AppData\Roaming\Malwarebytes
2013-01-02 19:14 . 2013-01-02 19:14 -------- d-----w- c:\programdata\Malwarebytes
2013-01-02 19:14 . 2013-01-02 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-02 19:14 . 2012-12-14 22:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-02 19:13 . 2013-01-04 18:57 -------- d-----w- C:\TDSSKiller_Quarantine
2013-01-02 19:03 . 2012-03-03 17:04 174024 ----a-w- c:\program files\14res.dll
2013-01-02 19:02 . 2012-11-12 23:54 175224 ----a-w- c:\program files\5mres.dll
2012-12-26 05:37 . 2010-04-14 17:46 80896 ----a-w- c:\windows\system32\MSNP.ax
2012-12-26 05:37 . 2010-04-14 17:47 293376 ----a-w- c:\windows\system32\psisdecd.dll
2012-12-26 05:37 . 2010-04-14 17:47 217088 ----a-w- c:\windows\system32\psisrndr.ax
2012-12-26 03:08 . 2012-12-26 03:08 -------- d-----w- C:\found.000
2012-12-26 02:18 . 2012-12-26 02:18 -------- d-----w- c:\programdata\WindowsSearch
2012-12-18 18:55 . 2012-12-18 18:55 -------- d-----w- c:\program files\iPod
2012-12-18 18:55 . 2012-12-18 18:57 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-18 18:55 . 2012-12-18 18:57 -------- d-----w- c:\program files\iTunes
2012-12-17 03:29 . 2012-12-17 03:29 -------- d-----w- c:\program files\Windows Easy Transfer 7
2012-12-16 23:10 . 2012-12-16 23:10 -------- d-----w- C:\88dc57ec1a5668326e
2012-12-16 23:00 . 2012-12-17 14:33 -------- dc----w- c:\users\Jackk\AppData\Local\MigWiz
2012-12-16 22:59 . 2012-12-16 22:59 -------- d-----w- C:\0e0e70a0d143f13645ae9616e0d6b4
2012-12-15 01:26 . 2010-10-15 14:08 3600272 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-12-15 01:26 . 2010-10-15 14:08 3548048 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-12-15 01:26 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-11 19:02 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2012-12-11 19:02 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2012-11-09 12:56 . 2010-03-16 17:22 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-11-09 12:53 . 2012-12-04 14:36 210136 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2012-11-09 12:52 . 2010-03-16 17:22 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-11-09 12:52 . 2010-03-16 17:22 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-11-09 12:51 . 2008-06-27 12:08 565352 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-11-09 12:50 . 2010-03-16 17:22 362640 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-11-09 12:50 . 2008-11-23 16:26 65488 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-11-09 12:49 . 2008-11-23 16:26 234824 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-11-09 12:49 . 2010-03-16 17:22 132912 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-10-31 21:10 . 2012-10-31 21:10 773968 ----a-w- c:\windows\system32\msvcr100.dll
2012-10-31 21:10 . 2012-10-31 21:10 138056 ----a-w- c:\windows\system32\atl100.dll
2012-10-25 09:12 . 2012-10-25 09:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-10-25 09:12 . 2012-10-25 09:12 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
"RunSpySweeperScheduleAtStartup"="c:\windows\system32\msfeedssync.exe" [2008-01-19 12800]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpriteService"="c:\program files\Sprite Software\Sprite Backup\SpriteService.exe" [2007-06-14 544768]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 1804648]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2012-11-28 59280]
"com.apple.dav.bookmarks.daemon"="c:\program files\Common Files\Apple\Internet Services\BookmarkDAV_client.exe" [2012-11-28 59280]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 4763008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-12-03 49168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"TOSHIBA Volume Indicator"="c:\program files\Toshiba\Utilities\VolControl.exe" [2006-10-31 94208]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-18 30192]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-12 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-15 530552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"PDFHook"="c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe" [2008-07-31 795936]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Professional 5\RegistryController.exe" [2008-07-31 58656]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-03-26 210472]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" [2007-08-31 328992]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-09-12 1278648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2012-02-23 59240]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-15 65536]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-19 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-19 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-19 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
c:\users\Jackk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WD Quick View.lnk - c:\program files\Western Digital\WD SmartWare\WDDMStatus.exe [2011-8-1 3983760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 23:50 90112 ----a-w- c:\windows\System32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 95524145
*NewlyCreated* - ECACHE
*Deregistered* - 95524145
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-07 c:\windows\Tasks\PC Checkup 3 Weekly Scan.job
- c:\program files\Norton PC Checkup 3.0\NLAppLauncher.exe [2012-12-04 22:49]
.
2013-01-12 c:\windows\Tasks\User_Feed_Synchronization-{D34EB522-9EB8-4812-A5F0-BA007DEF912B}.job
- c:\windows\system32\msfeedssync.exe [2008-09-18 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 5.11 - c:\program files\Nuance\PDF Professional 5\cnvres_eng.dll /100
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 97.64.209.36 97.64.168.13 192.168.33.1
DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} - hxxps://physician-shh.ascensionhealth.org/portal/applets/SharedSession.dll
DPF: {A08D2318-19E6-4332-A741-87FBBD3984CD} - hxxps://physician-shh.ascensionhealth.org/portal/applets/mckapprun.cab
DPF: {DD27B264-20E6-4484-B098-8CADC7F1076D} - hxxps://imaging.sacred-heart.org/communicator/DRL.CAB
DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} - hxxps://physician-shh.ascensionhealth.org/portal/applets/mckntauth.ocx
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
SafeBoot-07148346.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-13 14:14
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.15.91\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.15.91\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
- - - - - - - > 'Explorer.exe'(3404)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
.
Completion time: 2013-01-13 14:16:53
ComboFix-quarantined-files.txt 2013-01-13 20:16
ComboFix2.txt 2013-01-07 21:55
ComboFix3.txt 2013-01-04 22:31
.
Pre-Run: 102,510,911,488 bytes free
Post-Run: 102,668,947,456 bytes free
.
- - End Of File - - 4C84A322B372A6C546B39895689BFF65


Results of screen317's Security Check version 0.99.24
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````


# AdwCleaner v2.105 - Logfile created 01/17/2013 at 11:16:40
# Updated 08/01/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Jackk - ARVF7SN56Q
# Boot Mode : Normal
# Running from : C:\Users\Jackk\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Fun Web Products
Key Found : HKCU\Software\AppDataLow\Software\FunWebProducts
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6002.18005

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [985 octets] - [17/01/2013 11:16:40]

########## EOF - C:\AdwCleaner[R1].txt - [1044 octets] ##########

#4 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 17 January 2013 - 02:25 PM

Open notepad and copy/paste the text in the quote box below into it:

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"=-



Save this as CFScript.txt on your desktop.

[image: screenshot showing CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

Remove the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).

If the problem persists please run this tool.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.
===


Let me know what problem persists.
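The two things the helper works from in this thread are the "Reg Loading Points" section of the ComboFix log in post #3 and the `Registry::` CFScript in post #4 that deletes the orphaned RunOnce value ComboFix marked `[X]`. The script below is an added example, not part of the thread, of ComboFix, or of any of the tools mentioned: it parses the line shapes that appear in the posted log (Run/RunOnce values, the AppInit_DLLs value, the LSA Notification Packages list and a Winlogon Notify subkey), groups each entry by the process and privilege it is loaded under, collects the `[X]` orphans, and emits the same `Registry::` script form the helper posted. The sample log is constructed from lines copied out of post #3; the load-context descriptions are general Windows facts about those registry locations, not findings about this laptop, and the helper left every non-orphan entry in place. The parser only knows the line formats visible on this page.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log in post #3 of the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 4763008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-19 90191]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-15 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 23:50 90112 ----a-w- c:\windows\System32\psqlpwd.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')
META_RE = re.compile(r"\s+\[(?P<meta>[^\]]*)\]$")   # trailing "[date size]" or "[X]"
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} +\d+ +\S+ +(?P<path>.+)$")


@dataclass
class Entry:
    key: str       # registry key the line was listed under
    name: str      # value name, or the subkey name for Winlogon Notify lines
    target: str    # command line or DLL that gets loaded
    missing: bool  # True when ComboFix printed [X]: the target file was not found


def load_context(key: str) -> str:
    """Which process loads this entry, and with what privilege (general Windows behaviour)."""
    k = key.lower()
    if k.endswith(r"\control\lsa"):
        return "lsass.exe (SYSTEM; notification packages are called on password changes)"
    if r"\winlogon\notify" in k:
        return "winlogon.exe (SYSTEM, on logon/logoff events)"
    if k.endswith(r"\currentversion\windows"):
        return "every process that loads user32.dll (AppInit_DLLs)"
    if k.startswith("hkey_local_machine") and k.endswith((r"\run", r"\runonce")):
        return "every user's logon (HKLM Run/RunOnce)"
    if k.startswith("hkey_current_user") and k.endswith((r"\run", r"\runonce")):
        return "this user's logon (HKCU Run/RunOnce)"
    return "other"


def parse_loading_points(text: str) -> list:
    """Turn the log lines into Entry records; unknown line shapes are skipped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:                                   # "Name"="target" [meta]
            rest, missing = m.group("rest"), False
            meta = META_RE.search(rest)
            if meta:
                missing = meta.group("meta") == "X"
                rest = rest[:meta.start()]
            entries.append(Entry(key, m.group("name"), rest.strip('"'), missing))
        elif line.startswith("Notification Packages"):   # LSA REG_MULTI_SZ list
            for pkg in line.split("REG_MULTI_SZ", 1)[1].split():
                entries.append(Entry(key, "Notification Packages", pkg + ".dll", False))
        else:
            m = FILE_RE.match(line)                      # "date time size attrs path"
            if m:
                entries.append(Entry(key, key.rsplit("\\", 1)[-1], m.group("path"), False))
    return entries


def triage(entries: list) -> dict:
    """Group entries by what a reviewer should look at first; no verdicts, only ordering."""
    report = {"orphans": [], "privileged_loads": [], "all_users": [], "per_user": []}
    for e in entries:
        if e.missing:                      # target file is gone: nothing can run, safe to delete
            report["orphans"].append((e.key, e.name))
            continue
        ctx = load_context(e.key)
        if ctx.startswith(("lsass", "winlogon", "every process")):
            report["privileged_loads"].append((e.name, e.target, ctx))
        elif ctx.startswith("every user"):
            report["all_users"].append((e.name, e.target))
        elif ctx.startswith("this user"):
            report["per_user"].append((e.name, e.target))
    return report


def cfscript_for_orphans(report: dict) -> str:
    """Emit a ComboFix 'Registry::' script deleting each orphaned value (the form used in post #4)."""
    lines = ["Registry::"]
    for key, name in report["orphans"]:
        lines += [f"[{key}]", f'"{name}"=-']
    return "\n".join(lines)


if __name__ == "__main__":
    rep = triage(parse_loading_points(SAMPLE_LOG))
    for section, rows in rep.items():
        print(f"== {section} ==")
        for row in rows:
            print("  ", *row, sep=" | ")
    print(cfscript_for_orphans(rep))
```

The ordering is the point: a DLL listed under the LSA Notification Packages value or a Winlogon Notify subkey runs inside lsass.exe or winlogon.exe as SYSTEM, and an AppInit_DLLs entry is mapped into every user32-linked process, so those are the entries to verify by publisher and signature before anything under a Run key. Orphans (`[X]`) are the opposite case: the value points at a file that no longer exists, which is why the helper simply removed GrpConv rather than investigating it.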

#5 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 23 January 2013 - 10:12 AM

Are you still with me?

#6 Vanessa.Antler (Topic Starter)

Posted 23 January 2013 - 02:15 PM

# AdwCleaner v2.105 - Logfile created 01/17/2013 at 11:23:37
# Updated 08/01/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Jackk - ARVF7SN56Q
# Boot Mode : Normal
# Running from : C:\Users\Jackk\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Fun Web Products
Key Deleted : HKCU\Software\AppDataLow\Software\FunWebProducts
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6002.18005

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [1113 octets] - [17/01/2013 11:16:40]
AdwCleaner[R2].txt - [1174 octets] - [17/01/2013 11:23:19]
AdwCleaner[S1].txt - [1115 octets] - [17/01/2013 11:23:37]

########## EOF - C:\AdwCleaner[S1].txt - [1175 octets] ##########


ComboFix 13-01-17.03 - Jackk 01/17/2013 14:49:09.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1121 [GMT -6:00]
Running from: c:\users\Jackk\Desktop\RunComboFix.exe
Command switches used :: d:\dr k\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-12-17 to 2013-01-17 )))))))))))))))))))))))))))))))
.
.
2013-01-17 21:06 . 2013-01-17 21:06 -------- d-----w- c:\users\Jackk\AppData\Local\temp
2013-01-17 21:06 . 2013-01-17 21:06 -------- d-----w- c:\users\Experience\AppData\Local\temp
2013-01-17 21:06 . 2013-01-17 21:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-16 19:36 . 2012-11-19 07:04 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{30438A3A-699F-4DDA-9481-70C4CF2A80EC}\mpengine.dll
2013-01-16 18:08 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2013-01-16 18:08 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2013-01-16 18:08 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2013-01-16 18:08 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2013-01-16 18:07 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2013-01-16 18:07 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2013-01-16 18:07 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2013-01-16 18:06 . 2012-06-02 21:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2013-01-16 18:06 . 2012-06-02 21:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2013-01-14 20:42 . 2013-01-14 20:42 -------- d-----w- c:\windows\system32\ca-ES
2013-01-14 20:42 . 2013-01-14 20:42 -------- d-----w- c:\windows\system32\eu-ES
2013-01-14 20:42 . 2013-01-14 20:42 -------- d-----w- c:\windows\system32\vi-VN
2013-01-14 20:08 . 2013-01-14 20:08 -------- d-----w- c:\windows\system32\EventProviders
2013-01-14 18:03 . 2012-05-31 17:25 237072 ------w- c:\windows\system32\MpSigStub.exe
2013-01-14 16:56 . 2013-01-14 16:56 -------- d-----w- c:\program files\CCleaner
2013-01-14 03:10 . 2013-01-14 03:10 161 ----a-w- c:\windows\DelToolbox.bat
2013-01-13 06:58 . 2013-01-13 06:58 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2013-01-12 21:53 . 2013-01-12 21:53 -------- d-----w- C:\26b4ef7a3f022438a9280a48571108
2013-01-07 22:25 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2013-01-07 22:25 . 2009-10-09 21:56 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2013-01-07 22:25 . 2009-10-09 21:56 241152 ----a-w- c:\windows\system32\winrscmd.dll
2013-01-07 22:25 . 2009-10-09 21:56 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2013-01-07 22:25 . 2009-10-09 21:56 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2013-01-07 22:25 . 2009-10-09 21:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2013-01-07 16:15 . 2013-01-07 16:15 -------- d-----w- c:\users\Jackk\DoctorWeb
2013-01-07 16:06 . 2013-01-13 06:57 -------- d-----w- c:\users\Jackk\AppData\Roaming\EurekaLog
2013-01-07 15:24 . 2013-01-07 15:24 -------- d-----w- c:\programdata\Kaspersky Lab
2013-01-07 15:03 . 2013-01-07 15:14 -------- d-----w- c:\programdata\HitmanPro
2013-01-04 20:51 . 2013-01-04 20:55 -------- d-----w- C:\runcomborun
2013-01-02 19:14 . 2013-01-02 19:14 -------- d-----w- c:\users\Jackk\AppData\Roaming\Malwarebytes
2013-01-02 19:14 . 2013-01-02 19:14 -------- d-----w- c:\programdata\Malwarebytes
2013-01-02 19:13 . 2013-01-04 18:57 -------- d-----w- C:\TDSSKiller_Quarantine
2013-01-02 19:03 . 2012-03-03 17:04 174024 ----a-w- c:\program files\14res.dll
2013-01-02 19:02 . 2012-11-12 23:54 175224 ----a-w- c:\program files\5mres.dll
2012-12-26 05:45 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2012-12-26 03:08 . 2012-12-26 03:08 -------- d-----w- C:\found.000
2012-12-26 02:18 . 2012-12-26 02:18 -------- d-----w- c:\programdata\WindowsSearch
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-11 19:02 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2012-12-11 19:02 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2012-10-31 21:10 . 2012-10-31 21:10 773968 ----a-w- c:\windows\system32\msvcr100.dll
2012-10-31 21:10 . 2012-10-31 21:10 138056 ----a-w- c:\windows\system32\atl100.dll
2012-10-25 09:12 . 2012-10-25 09:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-10-25 09:12 . 2012-10-25 09:12 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
"SpriteService"="c:\program files\Sprite Software\Sprite Backup\SpriteService.exe" [2007-06-14 544768]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 1804648]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2012-11-28 59280]
"com.apple.dav.bookmarks.daemon"="c:\program files\Common Files\Apple\Internet Services\BookmarkDAV_client.exe" [2012-11-28 59280]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-12-03 49168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"TOSHIBA Volume Indicator"="c:\program files\Toshiba\Utilities\VolControl.exe" [2006-10-31 94208]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-12 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-15 530552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-08 3032576]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"PDFHook"="c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe" [2008-07-31 795936]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Professional 5\RegistryController.exe" [2008-07-31 58656]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-03-26 210472]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" [2007-08-31 328992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2012-02-23 59240]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-19 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-19 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-19 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
.
c:\users\Jackk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WD Quick View.lnk - c:\program files\Western Digital\WD SmartWare\WDDMStatus.exe [2011-8-1 3983760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 23:50 90112 ----a-w- c:\windows\System32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-17 c:\windows\Tasks\User_Feed_Synchronization-{D34EB522-9EB8-4812-A5F0-BA007DEF912B}.job
- c:\windows\system32\msfeedssync.exe [2008-09-18 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 5\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 5.11 - c:\program files\Nuance\PDF Professional 5\cnvres_eng.dll /100
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 68.105.29.16 68.105.28.16
DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} - hxxps://physician-shh.ascensionhealth.org/portal/applets/SharedSession.dll
DPF: {A08D2318-19E6-4332-A741-87FBBD3984CD} - hxxps://physician-shh.ascensionhealth.org/portal/applets/mckapprun.cab
DPF: {DD27B264-20E6-4484-B098-8CADC7F1076D} - hxxps://imaging.sacred-heart.org/communicator/DRL.CAB
DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} - hxxps://physician-shh.ascensionhealth.org/portal/applets/mckntauth.ocx
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-17 15:06
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(620)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
- - - - - - - > 'Explorer.exe'(2944)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
.
Completion time: 2013-01-17 15:12:06
ComboFix-quarantined-files.txt 2013-01-17 21:11
ComboFix2.txt 2013-01-13 20:16
ComboFix3.txt 2013-01-07 21:55
ComboFix4.txt 2013-01-04 22:31
.
Pre-Run: 84,320,141,312 bytes free
Post-Run: 84,621,774,848 bytes free
.
- - End Of File - - 774FD822130967BF9C4E36A528C0EEE7


Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.23.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Jackk :: ARVF7SN56Q [administrator]

1/23/2013 12:58:19 PM
mbam-log-2013-01-23 (12-58-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 241014
Time elapsed: 14 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,578 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:40 AM

Posted 23 January 2013 - 04:38 PM

Looking good.

Any remaining issues?



