Google and Yahoo Redirects with Occasional Computer Freezing


This topic is locked
24 replies to this topic

#1 Law23

Posted 21 February 2013 - 11:17 PM

Hello,

 

I'm experiencing some problems surfing the web, which is on Internet Explorer 9 on the Windows Vista system. This started yesterday using my neighbor's wifi; every time I try to use the Google or Yahoo search engines I keep getting redirected to other sites. I tried running Spybot Search and Destroy twice and then I tried running Malwarebytes Anti-Malware, which supposedly got rid of an infected file. But then when I rebooted the computer the problem still persists with the redirecting; my computer is starting to run slow with occasional freezing when I'm on the web. What do I do? Recently I got rid of an FBI virus off my computer and then not long after that the dreadful "blue screen."

 

I need advice on how to get rid of these problems and to better protect my computer on the web. Also, is there a need to clean and fix my registry?

 

Thanks for any advice and help.




#2 jeffce

Malware Response Team

Posted 22 February 2013 - 02:48 PM

My name is Jeff and I would be happy to help.

 

 

Please download DDS from either of these links and save it to your desktop.
  • Disable any antivirus programs during the scan (If you have difficulty properly disabling your protective programs, refer to this link here)
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt

----------

Please download aswMBR to your desktop.
  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
     


#3 Law23 (Topic Starter)

Posted 24 February 2013 - 06:09 AM

Hello Jeff,

Thank you for responding, sorry it took me so long to respond back.

Okay, hope I did this right.

Here are the reports. DDS.txt:

     

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16464  BrowserJavaVersion: 10.9.2
    Run by officedepot at 3:55:20 on 2013-02-24
    Microsoft® Windows Vista™ Business   6.0.6002.2.1252.1.1033.18.2038.370 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\ibmpmsvc.exe
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
    C:\Windows\system32\IPSSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    C:\Windows\system32\CISVC.EXE
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\Program Files\Lenovo\System Update\SUService.exe
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Windows\System32\TpShocks.exe
    C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
    C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
    C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    C:\Windows\System32\TPHDEXLG.exe
    C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
    C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
    c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
    C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
    C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Program Files\Apoint2K\ApMsgFwd.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Windows\system32\conime.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\system32\igfxext.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Users\officedepot\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe
    C:\ProgramData\Internet Helper Anti-phishing\internetHelper_antiphishing.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Real\RealPlayer\update\realsched.exe
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k apphost
    C:\Windows\System32\svchost.exe -k ipripsvc
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k iissvcs
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k SDRSVC
    .
    ============== Pseudo HJT Report ===============
    .
    uProxyOverride = <local>
    uURLSearchHooks: {d4330680-c0ae-4226-8a21-0afe2fd1ac24} - <orphaned>
    uURLSearchHooks: {707db484-2428-402d-afb5-d85b387544c7} - <orphaned>
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
    BHO: InfoAtoms: {103089DA-0F31-4A8B-843F-7D24A7FE8345} - c:\program files\infoatoms\ie32\InfoAtomsClientIE.dll
    BHO: OneTab Add-on: {16ADEA98-D215-4F51-80AF-5E5ED660B9C0} - c:\users\officedepot\appdata\roaming\onetab\OneTab.dll
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
    BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: DefaultTab Browser Helper: {7F6AFBF1-E065-4627-A2FD-810366367D01} - c:\users\officedepot\appdata\roaming\defaulttab\defaulttab\DefaultTabBHO.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Coupon Savings: {C3F62D94-EEBB-11E1-B88F-CBBD4CC15727} - c:\program files\coupon savings\toolbar.dll
    BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    BHO: CPwmIEBrowserHelper Object: {F040E541-A427-4CF7-85D8-75E3E0F476C5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"  /MINIMIZED
    uRun: [internethelper] rundll32 "c:\users\officedepot\appdata\local\migwiz\internethelper\riqassyr.dll",DllRegisterServerW
    mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [TpShocks] TpShocks.exe
    mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
    mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
    mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
    mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
    mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
    mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
    mRun: [LenovoOobeOffers] c:\swtools\lenovowelcome\lenovooobeoffers.exe /filepath="c:\swshare\firstrun.txt"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Internet Helper Anti-phishing] "c:\programdata\internet helper anti-phishing\internetHelper_antiphishing.exe"
    dRun: [internethelper] rundll32 "c:\users\officedepot\appdata\local\migwiz\internethelper\riqassyr.dll",DllRegisterServerW
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    uPolicies-Explorer: HideSCAHealth = dword:1
    mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: DisableCAD = dword:1
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
       If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 75.75.76.76 75.75.75.75
    TCP: Interfaces\{4A97C100-8FD4-416B-85C5-1156A4A5E529} : DHCPNameServer = 75.75.76.76 75.75.75.75
    TCP: Interfaces\{C0CC06B0-13E2-4240-A373-810A32E0D6E7} : DHCPNameServer = 192.168.2.1
    Filter: text/html - {95d9822c-c1c9-42d1-b9ef-482e869ae0e7} - <orphaned>
    Notify: igfxcui - igfxdev.dll
    Notify: psfus - c:\windows\system32\psqlpwd.dll
    LSA: Notification Packages =  scecli psqlpwd ACGina
    LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
    R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-3-2 19760]
    R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2007-2-18 13744]
    R2 DefaultTabUpdate;DefaultTabUpdate;c:\users\officedepot\appdata\roaming\defaulttab\defaulttab\DTUpdate.exe [2013-2-23 107520]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-9-4 21504]
    R2 iprip;RIP Listener;c:\windows\system32\svchost.exe -k ipripsvc [2009-9-4 21504]
    R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2012-11-29 38608]
    R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-3-15 11152]
    R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2007-7-9 55936]
    R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-1-8 569344]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-9-4 179712]
    R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2006-9-13 35264]
    S3 Desura Install Service;Desura Install Service;c:\program files\common files\desura\desura_service.exe [2013-2-2 131912]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
    SUnknown sdepscjc;sdepscjc; [x]
    .
    =============== Created Last 30 ================
    .
    2099-06-06 01:28:26 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
    2099-06-06 01:28:25 31640 ----a-w- c:\windows\system32\msonpmon.dll
    2013-02-24 07:56:52 6954968 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e5d64692-9896-4cf1-9664-cb6a89600483}\mpengine.dll
    2013-02-24 03:12:24 -------- d-----w- c:\program files\InfoAtoms
    2013-02-24 03:12:05 -------- d-----w- c:\users\officedepot\appdata\local\internethelper
    2013-02-24 03:11:58 -------- d-----w- c:\programdata\Internet Helper Anti-phishing
    2013-02-24 03:10:37 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
    2013-02-24 03:10:32 -------- d-----w- c:\programdata\Strongvault Online Backup
    2013-02-24 03:10:11 -------- d-sh--w- C:\AI_RecycleBin
    2013-02-24 03:08:58 -------- d-----w- c:\users\officedepot\appdata\roaming\DefaultTab
    2013-02-23 05:06:25 6954968 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2013-02-22 01:08:02 -------- d-----w- c:\programdata\Uniblue
    2013-02-19 21:44:03 -------- d-----w- c:\program files\Coupon Savings
    2013-02-15 05:52:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2013-02-15 05:51:19 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
    2013-02-14 08:02:32 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2013-02-14 08:01:58 768000 ----a-w- c:\program files\common files\microsoft shared\vgx\VGX.dll
    2013-02-14 03:22:29 6991832 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{3527b59e-092d-4a95-b794-1b30c9ff5697}\mpengine.dll
    2013-02-14 03:17:26 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2013-02-14 03:17:26 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2013-02-14 03:17:26 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2013-02-14 03:17:26 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2013-02-14 03:17:26 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2013-02-14 03:17:26 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2013-02-14 03:17:26 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2013-02-14 03:04:56 2048512 ----a-w- c:\windows\system32\win32k.sys
    2013-02-14 03:04:54 1314816 ----a-w- c:\windows\system32\quartz.dll
    2013-02-14 03:04:51 914792 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2013-02-14 03:04:50 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2013-02-14 03:04:42 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-02-14 03:04:39 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-02-14 02:58:50 6991832 ------w- c:\programdata\microsoft\windows defender\definition updates\updates\mpengine.dll
    2013-02-09 00:13:45 -------- d-----w- c:\programdata\RightClick
    2013-02-04 07:23:30 -------- d-----w- c:\windows\system32\AGEIA
    2013-02-04 05:05:59 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
    2013-02-04 05:04:59 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
    2013-02-03 02:30:07 -------- d-----w- c:\users\officedepot\appdata\local\Desura
    2013-02-03 02:27:36 -------- d-----w- c:\program files\common files\Desura
    2013-02-02 10:44:49 -------- d-----w- c:\programdata\Desura
    2013-02-02 10:44:41 -------- d-----w- c:\program files\Desura
    .
    ==================== Find3M  ====================
    .
    2013-02-15 05:16:15 35 ----a-w- c:\users\officedepot\appdata\roaming\SetValue.bat
    2013-02-15 05:16:14 691 ----a-w- c:\users\officedepot\appdata\roaming\GetValue.vbs
    2013-02-15 05:16:14 4198 ----a-w- c:\windows\system32\tmp.reg
    2013-02-14 03:25:01 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-02-14 03:25:00 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-01-17 06:28:58 232336 ------w- c:\windows\system32\MpSigStub.exe
    2013-01-08 22:11:21 1800704 ----a-w- c:\windows\system32\jscript9.dll
    2013-01-08 22:03:20 1129472 ----a-w- c:\windows\system32\wininet.dll
    2013-01-08 22:03:12 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-01-08 21:59:02 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2013-01-08 21:58:29 420864 ----a-w- c:\windows\system32\vbscript.dll
    2012-12-16 13:12:54 34304 ----a-w- c:\windows\system32\atmlib.dll
    2012-12-16 10:50:29 293376 ----a-w- c:\windows\system32\atmfd.dll
    2012-11-27 10:31:15 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2012-11-27 10:31:00 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
    .
    ============= FINISH:  3:58:07.99 ===============
     

And the Attach.txt report:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft® Windows Vista™ Business
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/27/2007 13:43:17
    System Uptime: 2/23/2013 11:45:44 (16 hours ago)
    .
    Motherboard: LENOVO |  | 8932A17
    Processor: Intel® Core™2 Duo CPU     T5250  @ 1.50GHz | None | 1000/167mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 143 GiB total, 55.874 GiB free.
    D: is Removable
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft ISATAP Adapter
    Device ID: ROOT\*ISATAP\0015
    Manufacturer: Microsoft
    Name: Microsoft ISATAP Adapter #15
    PNP Device ID: ROOT\*ISATAP\0015
    Service: tunnel
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft ISATAP Adapter
    Device ID: ROOT\*ISATAP\0028
    Manufacturer: Microsoft
    Name: Microsoft ISATAP Adapter #28
    PNP Device ID: ROOT\*ISATAP\0028
    Service: tunnel
    .
    ==== System Restore Points ===================
    .
    RP1235: 2/17/2013 12:21:26 - Windows Update
    RP1236: 2/21/2013 21:51:17 - Windows Update
    RP1237: 2/23/2013 03:05:59 - Scheduled Checkpoint
    RP1238: 2/23/2013 22:15:52 - Removed Strongvault Online Backup
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Reader 9.5.3
    Apple Application Support
    Coupon Savings
    DefaultTab
    Desura
    Desura: Baby Blues
    Desura: Katabasis
    Desura: One Night
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    InfoAtoms [Uninstall]
    Internet Helper Anti-phishing
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2742597)
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office 2003 Web Components
    My Game Long Name
    NVIDIA PhysX
    QuickTime
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2/24/2013 03:33:37, Error: Service Control Manager [7031]  - The Spybot-S&D 2 Scanner Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/24/2013 03:33:32, Error: Service Control Manager [7031]  - The Spybot-S&D 2 Updating Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/24/2013 02:57:58, Error: Service Control Manager [7034]  - The MBAMService service terminated unexpectedly.  It has done this 1 time(s).
    2/24/2013 02:40:53, Error: TPM [13]  - The device driver for the Trusted Platform Module (TPM) encountered a non-recoverable error in the TPM hardware, which prevents TPM services (such as data encryption) from being used. For further help, please contact the computer manufacturer.
    2/24/2013 02:40:53, Error: Microsoft-Windows-TBS [516]  - An error occurred while communicating with the TPM.  The driver returned 0x8007045d.
    2/23/2013 02:34:22, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the TrkWks service.
    2/23/2013 02:33:52, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SysMain service.
    2/23/2013 02:31:55, Error: Service Control Manager [7022]  - The Function Discovery Provider Host service hung on starting.
    2/23/2013 02:31:55, Error: Service Control Manager [7001]  - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error:  After starting, the service hung in a start-pending state.
    2/23/2013 02:28:42, Error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
    2/23/2013 02:28:42, Error: Service Control Manager [7000]  - The sbapifs service failed to start due to the following error:  The system cannot find the file specified.
    2/23/2013 02:28:42, Error: Service Control Manager [7000]  - The Parallel port driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    2/23/2013 02:27:51, Error: EventLog [6008]  - The previous system shutdown at 2:25:41 AM on 2/23/2013 was unexpected.
    2/22/2013 23:53:09, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the CscService service.
    2/22/2013 23:52:09, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
    2/22/2013 23:52:09, Error: Service Control Manager [7000]  - The Network Connections service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
    2/22/2013 23:52:09, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    2/22/2013 23:51:39, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AudioEndpointBuilder service.
    2/21/2013 21:31:46, Error: Microsoft-Windows-ResourcePublication [1002]  - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish.  Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.
    2/21/2013 19:50:25, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:    Previous Signature Version: 1.145.78.0   Update Source: Microsoft Update Server   Update Stage: Search   Source Path: Default URL   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:    Previous Engine Version: 1.1.9203.0   Error code: 0x8007043c   Error description: This service cannot be started in Safe Mode
    2/21/2013 19:50:25, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    2/21/2013 19:41:17, Error: Service Control Manager [7001]  - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
    2/21/2013 19:39:51, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  lenovo.smi MpFilter spldr TPPWRIF Wanarpv6
    2/21/2013 19:39:51, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
    2/21/2013 19:39:43, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    2/21/2013 19:39:41, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    2/21/2013 19:39:34, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    2/21/2013 19:39:24, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    2/21/2013 19:38:52, Error: EventLog [6008]  - The previous system shutdown at 7:37:29 PM on 2/21/2013 was unexpected.
    2/21/2013 14:56:56, Error: Schannel [36874]  - An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
    2/21/2013 00:14:38, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WPDBusEnum service.
    2/21/2013 00:14:08, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the EMDMgmt service.
    2/21/2013 00:12:05, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.
    2/21/2013 00:12:05, Error: Service Control Manager [7000]  - The PnP-X IP Bus Enumerator service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
    2/21/2013 00:06:35, Error: EventLog [6008]  - The previous system shutdown at 12:03:06 AM on 2/21/2013 was unexpected.
    2/20/2013 18:28:26, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    2/20/2013 08:22:43, Error: EventLog [6008]  - The previous system shutdown at 8:21:21 AM on 2/20/2013 was unexpected.
    2/20/2013 00:10:41, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:    Previous Signature Version: 1.143.2558.0   Update Source: Microsoft Update Server   Update Stage: Search   Source Path: http://www.microsoft.com   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:    Previous Engine Version: 1.1.9103.0   Error code: 0x8024402c   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    2/19/2013 23:58:32, Error: EventLog [6008]  - The previous system shutdown at 11:45:50 PM on 2/19/2013 was unexpected.
    2/19/2013 18:54:02, Error: EventLog [6008]  - The previous system shutdown at 6:51:58 PM on 2/19/2013 was unexpected.
    2/19/2013 00:38:55, Error: Service Control Manager [7031]  - The Spybot-S&D 2 Updating Service service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/19/2013 00:38:48, Error: Service Control Manager [7031]  - The Spybot-S&D 2 Scanner Service service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/19/2013 00:38:36, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Spybot-S&D 2 Scanner Service service, but this action failed with the following error:  An instance of the service is already running.
    2/19/2013 00:37:06, Error: Service Control Manager [7034]  - The Diskeeper service terminated unexpectedly.  It has done this 1 time(s).
    2/19/2013 00:16:22, Error: EventLog [6008]  - The previous system shutdown at 12:14:42 AM on 2/19/2013 was unexpected.
    2/18/2013 22:49:52, Error: EventLog [6008]  - The previous system shutdown at 10:47:40 PM on 2/18/2013 was unexpected.
    2/18/2013 20:35:50, Error: EventLog [6008]  - The previous system shutdown at 7:59:17 PM on 2/18/2013 was unexpected.
    .
    ==== End Of File ===========================
     

    And here's the Avast Virus logfile:

     

    aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
    Run date: 2013-02-24 04:54:16
    -----------------------------
    04:54:16.515    OS Version: Windows 6.0.6002 Service Pack 2
    04:54:16.515    Number of processors: 2 586 0xF0D
    04:54:16.517    ComputerName: LEAHWRIGHT  UserName:
    04:54:17.828    Initialize success
    04:54:36.678    AVAST engine defs: 13022301
    04:55:36.144    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    04:55:36.148    Disk 0 Vendor: HITACHI_ SB4I Size: 152627MB BusType: 3
    04:55:36.207    Disk 0 MBR read successfully
    04:55:36.218    Disk 0 MBR scan
    04:55:36.226    Disk 0 unknown MBR code
    04:55:36.241    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS         6700 MB offset 2048
    04:55:36.267    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       145925 MB offset 13723648
    04:55:36.290    Disk 0 scanning sectors +312578048
    04:55:36.425    Disk 0 scanning C:\Windows\system32\drivers
    04:56:07.599    Service scanning
    04:57:50.697    Modules scanning
    04:58:21.974    Disk 0 trace - called modules:
    04:58:22.028    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
    04:58:22.399    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86e04ac8]
    04:58:22.407    3 CLASSPNP.SYS[895c58b3] -> nt!IofCallDriver -> [0x862e27c8]
    04:58:22.413    5 acpi.sys[8069a6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86296030]
    04:58:23.846    AVAST engine scan C:\Windows
    04:58:45.107    AVAST engine scan C:\Windows\system32
    05:06:59.027    AVAST engine scan C:\Windows\system32\drivers
    05:07:52.149    AVAST engine scan C:\Users\officedepot
    05:54:17.373    AVAST engine scan C:\ProgramData
    06:04:05.161    Scan finished successfully
    06:06:55.416    Disk 0 MBR has been saved successfully to "C:\Users\officedepot\Desktop\MBR.dat"
    06:06:55.436    The log file has been saved successfully to "C:\Users\officedepot\Desktop\aswMBR2.txt"


     

Also, an MBR.dat file was saved; I'm not sure if I needed to post this as well, or how, or if it mattered.

Okay, that's everything for now. What exactly does this do or tell you?



    #4 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    • Gender:Male
    • Location:USA
    • Local time:08:56 AM

    Posted 24 February 2013 - 01:47 PM

    I need to ask...is this a business computer?



    #5 Law23

    Law23
    • Topic Starter

    • Members
    • 11 posts
    • OFFLINE
    • Gender:Female
    • Local time:09:56 AM

    Posted 25 February 2013 - 12:32 AM

Yeah. I bought it a few years back at an Office Depot, why?

     

    I've also had another problem pop back up the "blue screen." Is this related to the redirects?


    Edited by Law23, 25 February 2013 - 12:35 AM.


    #6 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    • Gender:Male
    • Location:USA
    • Local time:08:56 AM

    Posted 25 February 2013 - 07:44 AM

Yeah. I bought it a few years back at an Office Depot, why?

Ok, no problem. Just had to check.

    --------

     

    I've also had another problem pop back up the "blue screen." Is this related to the redirects?

    Could be a symptom of the overall infection.

    --------------

     

     

    ComboFix
     
    Download Combofix from the link below, and save it to your desktop.  
     
    **Note:  It is important that it is saved directly to your desktop**
     If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.
     
    --------------------------------------------------------------------
     
    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
     
    --------------------------------------------------------------------
     
    Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.  


    • Please post the C:\ComboFix.txt for further review.

    ----------

     




    #7 Law23

    Law23
    • Topic Starter

    • Members
    • 11 posts
    • OFFLINE
    • Gender:Female
    • Local time:09:56 AM

    Posted 25 February 2013 - 04:28 PM

    Hello,

     

    Here is the C:\ComboFix.txt:

     

    ComboFix 13-02-24.01 - officedepot 02/25/2013  15:09:22.1.2 - x86
    Running from: c:\users\officedepot\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\a
    c:\program files\Common Files\Uninstall
    c:\program files\LP
    c:\program files\LP\F5C5\D1A0.tmp
    c:\programdata\33wRaJ43.exe.b
    c:\programdata\DragToDiscUserNameE.txt
    c:\users\officedepot\AppData\Local\Bron.tok.A3.em.bin
    c:\users\officedepot\AppData\Local\Kosong.Bron.Tok.txt
    c:\users\officedepot\AppData\Local\MigWiz\internethelper\riqassyr.dll
    c:\users\officedepot\AppData\Roaming\DefaultTab\DefaultTab
    c:\users\officedepot\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll
    c:\users\officedepot\AppData\Roaming\GetValue.vbs
    c:\users\officedepot\AppData\Roaming\Local
    c:\users\officedepot\AppData\Roaming\OneTab\OnETab.dll
    c:\users\officedepot\AppData\Roaming\Smart Engine
    c:\users\officedepot\AppData\Roaming\Smart Engine\cookies.sqlite
    c:\users\officedepot\AppData\Roaming\Smart Engine\Instructions.ini
    c:\windows\$NtUninstallKB39225$
    c:\windows\$NtUninstallKB39225$\1510768697
    c:\windows\$NtUninstallKB39225$\4291913448\@
    c:\windows\$NtUninstallKB39225$\4291913448\bckfg.tmp
    c:\windows\$NtUninstallKB39225$\4291913448\cfg.ini
    c:\windows\$NtUninstallKB39225$\4291913448\Desktop.ini
    c:\windows\$NtUninstallKB39225$\4291913448\keywords
    c:\windows\$NtUninstallKB39225$\4291913448\kwrd.dll
    c:\windows\$NtUninstallKB39225$\4291913448\L\vhtmwbun
    c:\windows\$NtUninstallKB39225$\4291913448\U\00000001.@
    c:\windows\$NtUninstallKB39225$\4291913448\U\00000002.@
    c:\windows\$NtUninstallKB39225$\4291913448\U\00000004.@
    c:\windows\$NtUninstallKB39225$\4291913448\U\80000000.@
    c:\windows\$NtUninstallKB39225$\4291913448\U\80000004.@
    c:\windows\$NtUninstallKB39225$\4291913448\U\80000032.@
    c:\windows\system32\jgaw400.dll
    c:\windows\system32\TPAPSLOG.LOG
    c:\windows\system32\TPHDLOG0.LOG
    c:\windows\system32\URTTemp
    c:\windows\system32\URTTemp\regtlib.exe
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_RKHIT
    .
    .
    (((((((((((((((((((((((((   Files Created from 2013-01-25 to 2013-02-25  )))))))))))))))))))))))))))))))
    .
    .
    2099-06-06 01:28 . 2006-10-26 23:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
    2099-06-06 01:28 . 2009-02-27 08:42 31640 ----a-w- c:\windows\system32\msonpmon.dll
    2013-02-25 20:27 . 2013-02-25 20:40 -------- d-----w- c:\users\officedepot\AppData\Local\temp
    2013-02-25 20:27 . 2013-02-25 20:27 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-02-25 20:27 . 2013-02-25 20:27 -------- d-----w- c:\users\AbraGaia\AppData\Local\temp
    2013-02-25 19:34 . 2013-02-08 00:45 6954968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9F58B99F-A4B0-4C4B-A342-C9B26EF5CBE4}\mpengine.dll
    2013-02-25 03:39 . 2013-02-25 03:39 -------- d-----w- c:\program files\Sophos
    2013-02-24 22:41 . 2013-02-24 22:41 -------- d-----w- c:\users\officedepot\AppData\Local\TrainYard
    2013-02-24 11:51 . 2013-02-08 00:45 6954968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2013-02-24 03:12 . 2013-02-24 03:12 -------- d-----w- c:\users\officedepot\AppData\Local\internethelper
    2013-02-24 03:11 . 2013-02-24 03:12 -------- d-----w- c:\programdata\Internet Helper Anti-phishing
    2013-02-24 03:10 . 2013-02-24 03:17 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
    2013-02-24 03:10 . 2013-02-24 03:17 -------- d-----w- c:\programdata\Strongvault Online Backup
    2013-02-24 03:10 . 2013-02-24 03:17 -------- d-----w- C:\AI_RecycleBin
    2013-02-24 03:08 . 2013-02-25 20:26 -------- d-----w- c:\users\officedepot\AppData\Roaming\DefaultTab
    2013-02-22 01:08 . 2013-02-22 01:08 -------- d-----w- c:\programdata\Uniblue
    2013-02-15 05:52 . 2013-02-24 08:23 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2013-02-15 05:11 . 2009-06-02 16:17 75776 ----a-w- c:\windows\system32\WS2Fix.exe
    2013-02-15 05:11 . 2008-12-12 06:57 78336 ----a-w- c:\windows\system32\Agent.OMZ.Fix.exe
    2013-02-15 05:11 . 2008-11-29 23:58 82944 ----a-w- c:\windows\system32\IEDFix.C.exe
    2013-02-15 05:11 . 2008-10-01 20:51 87552 ----a-w- c:\windows\system32\VACFix.exe
    2013-02-15 05:11 . 2008-09-20 17:45 80384 ----a-w- c:\windows\system32\o4Patch.exe
    2013-02-15 05:11 . 2008-08-18 17:19 82432 ----a-w- c:\windows\system32\404Fix.exe
    2013-02-15 05:11 . 2008-05-19 02:40 82944 ----a-w- c:\windows\system32\IEDFix.exe
    2013-02-15 05:11 . 2007-09-06 05:22 289144 ----a-w- c:\windows\system32\VCCLSID.exe
    2013-02-15 05:11 . 2004-07-31 23:50 51200 ----a-w- c:\windows\system32\dumphive.exe
    2013-02-15 05:11 . 2006-04-27 22:49 288417 ----a-w- c:\windows\system32\SrchSTS.exe
    2013-02-15 05:11 . 2003-06-06 02:13 53248 ----a-w- c:\windows\system32\Process.exe
    2013-02-14 08:01 . 2013-01-08 22:01 768000 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
    2013-02-14 03:17 . 2013-02-14 03:17 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    2013-02-14 03:17 . 2013-02-14 03:17 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    2013-02-14 03:17 . 2013-02-14 03:17 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2013-02-14 03:17 . 2013-02-14 03:17 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    2013-02-14 03:17 . 2013-02-14 03:17 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    2013-02-14 03:17 . 2013-02-14 03:17 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    2013-02-14 03:17 . 2013-02-14 03:17 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
    2013-02-14 03:16 . 2013-02-14 03:16 -------- d-----w- c:\programdata\Apple Computer
    2013-02-14 03:04 . 2013-01-04 01:38 2048512 ----a-w- c:\windows\system32\win32k.sys
    2013-02-14 03:04 . 2012-11-08 03:48 1314816 ----a-w- c:\windows\system32\quartz.dll
    2013-02-14 03:04 . 2013-01-04 11:28 914792 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2013-02-14 03:04 . 2013-01-04 01:55 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2013-02-14 03:04 . 2013-01-05 05:26 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-02-14 03:04 . 2013-01-05 05:26 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-02-09 00:13 . 2013-02-09 00:13 -------- d-----w- c:\programdata\RightClick
    2013-02-04 07:23 . 2013-02-04 07:23 -------- d-----w- c:\windows\system32\AGEIA
    2013-02-04 07:23 . 2013-02-04 07:23 -------- d-----w- c:\program files\AGEIA Technologies
    2013-02-04 05:05 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
    2013-02-04 05:04 . 2005-05-26 20:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
    2013-02-03 02:30 . 2013-02-21 19:55 -------- d-----w- c:\users\officedepot\AppData\Local\Desura
    2013-02-03 02:27 . 2013-02-03 02:27 -------- d-----w- c:\program files\Common Files\Desura
    2013-02-02 10:44 . 2013-02-02 10:44 -------- d-----w- c:\programdata\Desura
    2013-02-02 10:44 . 2013-02-08 11:20 -------- d-----w- c:\program files\Desura
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-02-15 05:16 . 2009-12-20 16:03 35 ----a-w- c:\users\officedepot\AppData\Roaming\SetValue.bat
    2013-02-15 05:16 . 2009-12-20 16:03 4198 ----a-w- c:\windows\system32\tmp.reg
    2013-02-14 03:25 . 2012-07-16 14:33 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-02-14 03:25 . 2012-02-28 06:04 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-01-18 17:17 . 2013-02-14 03:22 6991832 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3527B59E-092D-4A95-B794-1B30C9FF5697}\mpengine.dll
    2013-01-17 06:28 . 2009-12-10 02:45 232336 ------w- c:\windows\system32\MpSigStub.exe
    2012-12-16 13:12 . 2013-01-24 08:02 34304 ----a-w- c:\windows\system32\atmlib.dll
    2012-12-16 10:50 . 2013-01-24 08:02 293376 ----a-w- c:\windows\system32\atmfd.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-12-19 969104]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-03-05 172032]
    "TpShocks"="TpShocks.exe" [2007-03-30 181808]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-15 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-15 154392]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-15 133912]
    "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-01-09 536576]
    "DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-15 217176]
    "AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
    "LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2007-03-22 120368]
    "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 419112]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 124200]
    "LenovoOobeOffers"="c:\swtools\LenovoWelcome\LenovoOobeOffers.exe" [2006-12-29 28672]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-12-21 295072]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
    "Internet Helper Anti-phishing"="c:\programdata\Internet Helper Anti-phishing\internetHelper_antiphishing.exe" [2012-10-26 222856]
    .
    c:\users\AbraGaia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-9-27 50688]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "DisableCAD"= 1 (0x1)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-03-15 05:17 89600 ----a-w- c:\windows\System32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ    autocheck autochk *\0\0sdnclean.exe
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ    scecli psqlpwd
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc
    ipripsvc REG_MULTI_SZ    iprip
    LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-02-25 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-16 03:25]
    .
    2013-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-06 00:59]
    .
    2013-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-06 00:59]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://lenovo.live.com
    mStart Page = hxxp://lenovo.live.com
    uInternet Settings,ProxyOverride = <local>
    TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    WebBrowser-{D4330680-C0AE-4226-8A21-0AFE2FD1AC24} - (no file)
    HKCU-Run-internethelper - c:\users\officedepot\AppData\Local\MigWiz\internethelper\riqassyr.dll
    HKU-Default-Run-internethelper - c:\users\officedepot\AppData\Local\MigWiz\internethelper\riqassyr.dll
    MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
    MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
    MSConfigStartUp-gstvg - c:\users\officedepot\AppData\Roaming\zsaurwo.dll
    MSConfigStartUp-IS CfgWiz - c:\program files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe
    MSConfigStartUp-SCHelper - c:\program files\Spyware Cease\SCHelper.exe
    AddRemove-UDK-59975ed3-83e1-4bc5-9cf0-d0f5c1febe43 - c:\program files\Desura\Common\erie\Binaries\UnSetup.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-02-25 15:46
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ... 
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ... 
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\38C6.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(680)
    c:\windows\system32\psqlpwd.dll
    c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
    c:\program files\ThinkVantage Fingerprint Software\infra.dll
    .
    - - - - - - - > 'Explorer.exe'(5048)
    c:\programdata\Internet Helper Anti-phishing\internethelper_antiphishing.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\program files\ThinkVantage Fingerprint Software\upeksvr.exe
    c:\windows\system32\IPSSVC.EXE
    c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    c:\windows\system32\CISVC.EXE
    c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Lenovo\System Update\SUService.exe
    c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
    c:\windows\System32\TPHDEXLG.exe
    c:\program files\LENOVO\HOTKEY\TPHKSVC.exe
    c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
    c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe
    c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
    c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
    c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Common Files\Lenovo\Logger\logmon.exe
    c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
    c:\windows\System32\TpShocks.exe
    c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
    c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE
    c:\program files\Lenovo\HOTKEY\TPONSCR.exe
    c:\program files\Lenovo\Zoom\TpScrex.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Apoint2K\ApMsgFwd.exe
    c:\program files\Apoint2K\Apntex.exe
    c:\windows\system32\conime.exe
    c:\windows\system32\RacAgent.exe
    .
    **************************************************************************
    .
    Completion time: 2013-02-25  15:50:47 - machine was rebooted
    ComboFix-quarantined-files.txt  2013-02-25 20:50
    .
    Pre-Run: 56,690,057,216 bytes free
    Post-Run: 55,744,966,656 bytes free
    .
    - - End Of File - - F0E96770B4FD00EF9E76CEC73BB11ECF
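The ComboFix log above is long, and the parts that matter most for a responder are easy to miss in it: the "Reg Loading Points" section records that UAC is off (EnableLUA = 0), the Ctrl+Alt+Del secure logon is disabled (DisableCAD = 1) and Security Center monitoring is switched off, and the autostart entries include a program launched from c:\programdata and a service (MEMSWEEP2) whose image is a .tmp file in system32. The script below is an added example, not part of this thread or of ComboFix; it runs a few such triage rules over a log excerpt that is constructed from the lines posted above. The rules are the author's own heuristics (a Run entry under ProgramData or AppData is not malicious by itself, it just deserves a look), and the expected "safe" values are the Windows defaults.

```python
"""Triage a ComboFix log: flag weakened security policy values and
autostart entries that launch from user-writable or temporary locations.

Added example, not part of the BleepingComputer thread or of ComboFix.
SAMPLE_LOG is constructed from lines of the log posted above; the rules
below are the author's own heuristics, not ComboFix's."""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-12-19 969104]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"Internet Helper Anti-phishing"="c:\programdata\Internet Helper Anti-phishing\internetHelper_antiphishing.exe" [2012-10-26 222856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\38C6.tmp"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+?)\s*$')
# A quoted Windows path, optionally with the \??\ NT prefix seen in service ImagePaths
PATH_RE = re.compile(r'"(?P<path>(?:\\\?\?\\)?[a-z]:\\[^"]+)"', re.IGNORECASE)

# (substring of the registry key, value name) -> value Windows ships with
POLICY_EXPECTED = {
    (r"policies\system", "enablelua"): 1,                      # UAC enabled
    (r"policies\system", "disablecad"): 0,                     # Ctrl+Alt+Del logon required
    (r"security center\monitoring", "disablemonitoring"): 0,   # WSC watches AV/firewall state
}
# Directories a normal machine-wide autostart rarely launches from (heuristic)
SUSPECT_DIRS = ("\\appdata\\", "\\programdata\\", "\\users\\", "\\temp\\")


def parse_dword(value: str):
    """Accept both ComboFix spellings: 'dword:00000001' and '1 (0x1)'."""
    m = re.match(r"dword:([0-9a-f]+)", value, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (registry key, value name, raw value) for every value line under a [key]."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("value")))
    return entries


def triage(text: str) -> List[Dict[str, str]]:
    findings = []
    for key, name, value in parse_log(text):
        k, n = key.lower(), name.lower()
        for (key_part, vname), safe in POLICY_EXPECTED.items():
            if key_part in k and n == vname:
                got = parse_dword(value)
                if got is not None and got != safe:
                    findings.append({"rule": "weakened-policy", "key": key, "name": name,
                                     "detail": f"{name}={got}, Windows default is {safe}"})
        if k.endswith("\\run") or n == "imagepath":
            m = PATH_RE.search(value)
            if m:
                path = m.group("path").lower()
                if path.endswith(".tmp") or any(d in path for d in SUSPECT_DIRS):
                    findings.append({"rule": "suspicious-autostart", "key": key,
                                     "name": name, "detail": path})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:22} {f['name']:32} {f['detail']}")
```

Point it at a real ComboFix.txt by reading the file into triage() instead of SAMPLE_LOG; the same two rule tables are the place to add further checks (for example a Winlogon Notify or BootExecute entry outside system32).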

     



    #8 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    • Gender:Male
    • Location:USA
    • Local time:08:56 AM

    Posted 26 February 2013 - 07:53 AM

Even though it looks like most, if not all, of the infection was just removed, I need to give you the following warning...

     

     

**WARNING**Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.
 
Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean and may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer, and in the end we may need to reinstall the operating system anyway, depending on the extent of the infection.
     
If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.
    ----------
     

    Please go to: VirusTotal
    On the page you'll find a "Choose File" button.
    Click on the Choose File button.
    In the Choose File to Upload window which opens, copy and paste this into the File Name box.
     
    c:\windows\system32\WS2Fix.exe
     
    Next, click the Open button.
    Then click the "Scan It!" button just below.
    This will scan the file. Please be patient.
    If you get a message saying File has already been analyzed: click Reanalyze file now
    Once scanned, copy and paste the link to the results page in your next reply.
    ----------

     




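The VirusTotal step above uploads the file and hands back a report link whose path contains the file's SHA-256 digest (the link posted in the replies below has that shape). Two things a responder usually wants to do with that are worth showing in code: compute the digest locally first, so a file that may contain personal data can be looked up by hash without uploading it, and verify that a link someone pastes really is the report for the file in question. The following is an added example, not part of this thread or of VirusTotal's own tooling; the /en/file/<sha256>/analysis/ URL shape is taken from the link in this thread and is assumed here, since VirusTotal may serve a different path today.

```python
"""Hash a file locally and tie it to a VirusTotal report link by SHA-256.

Added example, not part of the BleepingComputer thread or of VirusTotal.
VT_FILE_URL copies the shape of the report link posted in this thread and
is an assumption; THREAD_URL is that posted link."""
import hashlib
import os
import re
import tempfile

VT_FILE_URL = "https://www.virustotal.com/en/file/{sha256}/analysis/"
VT_HASH_RE = re.compile(r"/file/([0-9a-fA-F]{64})/")
HEX64_RE = re.compile(r"^[0-9a-f]{64}$")
THREAD_URL = ("https://www.virustotal.com/en/file/"
              "c8df36ad571c2fbdbc9545ea55fa1e5d4248e72a288386976c3d3104eb2b20e8"
              "/analysis/1361912443/")


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so a large binary never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_report_url(sha256_hex: str) -> str:
    """Build the report URL for a digest; rejects anything that is not 64 hex chars."""
    digest = sha256_hex.strip().lower()
    if not HEX64_RE.match(digest):
        raise ValueError("expected a 64-character SHA-256 hex digest")
    return VT_FILE_URL.format(sha256=digest)


def digest_from_vt_url(url: str) -> str:
    """Pull the SHA-256 out of a VirusTotal report link."""
    m = VT_HASH_RE.search(url)
    if not m:
        raise ValueError("no SHA-256 digest found in URL")
    return m.group(1).lower()


def link_matches_file(url: str, path: str) -> bool:
    """True only if the pasted report link is for exactly this local file."""
    return digest_from_vt_url(url) == sha256_of_file(path)


def sha256_of_bytes_via_file(data: bytes) -> str:
    """Write constructed bytes to a temp file and hash it through sha256_of_file."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return sha256_of_file(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys
    # Usage: python vt_hash.py <file> [<file> ...]
    for target in sys.argv[1:]:
        digest = sha256_of_file(target)
        print(f"{digest}  {target}")
        print(f"  report: {vt_report_url(digest)}")
        print(f"  matches thread link: {link_matches_file(THREAD_URL, target)}")
```

Looking up by hash only tells you whether VirusTotal has already seen that exact file; a sample nobody has uploaded yet returns nothing, which is when the upload step in the instructions above is actually needed.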
    #9 Law23

    Law23
    • Topic Starter

    • Members
    • 11 posts
    • OFFLINE
    • Gender:Female
    • Local time:09:56 AM

    Posted 26 February 2013 - 03:25 PM

    Hey,

     

Thanks big time for the heads-up; it's greatly appreciated. I knew there had to be a more serious underlying problem. Okay, just in case I do need to reinstall my operating system, do you know where I can find it and/or obtain the most recent Windows Vista Business? And what do I do about the files I want to keep?

     

    Here's the Results Page link: https://www.virustotal.com/en/file/c8df36ad571c2fbdbc9545ea55fa1e5d4248e72a288386976c3d3104eb2b20e8/analysis/1361912443/


    Edited by Law23, 26 February 2013 - 04:03 PM.


    #10 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    • Gender:Male
    • Location:USA
    • Local time:08:56 AM

    Posted 26 February 2013 - 03:29 PM

    Hi,

Ok... with your system, I believe there is a hidden partition from which you can restore to factory defaults. I need to find the information on that though (I seem to have misplaced it). Anyway... you can just save all of your personal files (that you made), photos, music and videos without worry. Just no software that you might have installed. Personally, I think we are through the worst of it though.

When you get me the results from VirusTotal, be sure to post that.



    #11 Law23

    Law23
    • Topic Starter

    • Members
    • 11 posts
    • OFFLINE
    • Gender:Female
    • Local time:09:56 AM

    Posted 27 February 2013 - 05:36 PM

    Hello, 

     

    Here's the Results Page link from Virustotal: https://www.virustotal.com/en/file/c8df36ad571c2fbdbc9545ea55fa1e5d4248e72a288386976c3d3104eb2b20e8/analysis/1361912443/



    #12 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    • Gender:Male
    • Location:USA
    • Local time:08:56 AM

    Posted 27 February 2013 - 05:45 PM

    ComboFix
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the box below:
    ClearJavaCache:: 
    
    File::
c:\windows\system32\WS2Fix.exe
c:\users\officedepot\AppData\Roaming\SetValue.bat
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 0 (0x0)
     
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
     
[screenshot: CFScriptB-4.gif, dragging CFScript.txt onto ComboFix.exe]
     
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix may request an update; please allow it.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Post the contents of the log in your next reply.
     
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Edited by jeffce, 27 February 2013 - 05:46 PM.



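A CFScript is a plain text file of section headers ("File::", "Registry::", "ClearJavaCache::") each followed by one entry per line, and ComboFix takes every non-blank line under File:: literally as one path. That makes a script pasted from a browser fragile: if a line break is lost, two paths become one path that does not exist, and the log that follows in the next reply shows exactly that ("c:\windows\system32\WS2Fix.exec:\users\officedepot\AppData\Roaming\SetValue.bat" appears as a single FILE :: entry). The script below is an added example, not part of this thread or of ComboFix: it lints a CFScript for fused or relative File:: entries and malformed Registry:: lines, and can repair the fused case by splitting at each drive-letter boundary. The set of recognised section names is limited to the three used in this thread, which is an assumption on the author's part; ComboFix supports others.

```python
"""Lint and repair a ComboFix CFScript before dragging it onto ComboFix.exe.

Added example, not part of the BleepingComputer thread or of ComboFix.
FUSED_SCRIPT is constructed from the script posted above, with the two
File:: paths run together as they were in the following ComboFix log.
KNOWN_SECTIONS covers only the headers used in this thread (assumption)."""
import re
from typing import List

KNOWN_SECTIONS = {"ClearJavaCache::", "File::", "Registry::"}
HEADER_RE = re.compile(r"^\w+::\s*$")
DRIVE_RE = re.compile(r"[a-z]:\\", re.IGNORECASE)          # start of an absolute Windows path
REG_VALUE_RE = re.compile(r'^(?:"[^"]+"|@)\s*=')           # "Name"=... or @=... value line

FUSED_SCRIPT = r"""ClearJavaCache::

File::
c:\windows\system32\WS2Fix.exec:\users\officedepot\AppData\Roaming\SetValue.bat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
"""


def split_fused_paths(line: str) -> List[str]:
    """Split at every drive-letter boundary so two paths pasted onto one line become two entries."""
    parts = re.split(r"(?=[a-z]:\\)", line, flags=re.IGNORECASE)
    return [p.strip() for p in parts if p.strip()]


def lint_cfscript(text: str) -> List[str]:
    """Return human-readable problems, one per offending line; empty list means the script looks sane."""
    problems, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if HEADER_RE.match(line):
            section = line
            if line not in KNOWN_SECTIONS:
                problems.append(f"line {lineno}: unknown section {line!r}")
            continue
        if section is None:
            problems.append(f"line {lineno}: entry before any section header")
        elif section == "File::":
            if len(DRIVE_RE.findall(line)) > 1:
                problems.append(f"line {lineno}: more than one path on the line (missing line break?)")
            elif not DRIVE_RE.match(line):
                problems.append(f"line {lineno}: File:: entry is not an absolute drive path")
        elif section == "Registry::":
            is_key = line.startswith("[") and line.endswith("]")
            if not is_key and not REG_VALUE_RE.match(line):
                problems.append(f"line {lineno}: Registry:: entry is neither a [key] nor a value line")
    return problems


def repair_file_section(text: str) -> str:
    """Rewrite the File:: section with one path per line; every other line is kept as-is."""
    out, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER_RE.match(line):
            section = line
        elif section == "File::" and line:
            out.extend(split_fused_paths(line))
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for p in lint_cfscript(FUSED_SCRIPT):
        print("problem:", p)
    print("repaired script:")
    print(repair_file_section(FUSED_SCRIPT))
```

Run the linter over CFScript.txt before the drag-and-drop step; a File:: line that lists a path which does not exist is silently ignored by ComboFix, so the fused path would simply leave both files in place, as it did in the log that follows.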
    #13 Law23

    Law23
    • Topic Starter

    • Members
    • 11 posts
    • OFFLINE
    • Gender:Female
    • Local time:09:56 AM

    Posted 01 March 2013 - 06:39 PM

    Hey Jeff,

     

    Here's the log:

     

    ComboFix 13-03-01.01 - officedepot 03/01/2013  18:15:36.2.2 - x86
    Microsoft® Windows Vista™ Business   6.0.6002.2.1252.1.1033.18.2038.998 [GMT -5:00]
    Running from: c:\users\officedepot\Desktop\ComboFix.exe
    Command switches used :: c:\users\officedepot\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\windows\system32\WS2Fix.exec:\users\officedepot\AppData\Roaming\SetValue.bat"
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\TPAPSLOG.LOG
    c:\windows\system32\TPHDLOG0.LOG
    .
    .
    (((((((((((((((((((((((((   Files Created from 2013-02-01 to 2013-03-01  )))))))))))))))))))))))))))))))
    .
    .
    2099-06-06 01:28 . 2006-10-26 23:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
    2099-06-06 01:28 . 2009-02-27 08:42 31640 ----a-w- c:\windows\system32\msonpmon.dll
    2013-03-01 23:28 . 2013-03-01 23:28 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-03-01 23:28 . 2013-03-01 23:28 -------- d-----w- c:\users\AbraGaia\AppData\Local\temp
    2013-03-01 02:41 . 2013-02-08 00:45 6954968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FBD3D423-2D92-4926-AE1F-229A4DCB727E}\mpengine.dll
    2013-02-28 01:20 . 2013-02-08 00:45 6954968 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2013-02-25 20:27 . 2013-03-01 23:29 -------- d-----w- c:\users\officedepot\AppData\Local\temp
    2013-02-25 03:39 . 2013-02-25 03:39 -------- d-----w- c:\program files\Sophos
    2013-02-24 22:41 . 2013-02-24 22:41 -------- d-----w- c:\users\officedepot\AppData\Local\TrainYard
    2013-02-24 03:12 . 2013-02-24 03:12 -------- d-----w- c:\users\officedepot\AppData\Local\internethelper
    2013-02-24 03:11 . 2013-03-01 15:22 -------- d-----w- c:\programdata\Internet Helper Anti-phishing
    2013-02-24 03:10 . 2013-02-24 03:17 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
    2013-02-24 03:10 . 2013-02-24 03:17 -------- d-----w- c:\programdata\Strongvault Online Backup
    2013-02-24 03:10 . 2013-02-24 03:17 -------- d-----w- C:\AI_RecycleBin
    2013-02-24 03:08 . 2013-02-25 20:26 -------- d-----w- c:\users\officedepot\AppData\Roaming\DefaultTab
    2013-02-22 01:08 . 2013-02-22 01:08 -------- d-----w- c:\programdata\Uniblue
    2013-02-15 05:52 . 2013-02-24 08:23 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2013-02-15 05:11 . 2009-06-02 16:17 75776 ----a-w- c:\windows\system32\WS2Fix.exe
    2013-02-15 05:11 . 2008-12-12 06:57 78336 ----a-w- c:\windows\system32\Agent.OMZ.Fix.exe
    2013-02-15 05:11 . 2008-11-29 23:58 82944 ----a-w- c:\windows\system32\IEDFix.C.exe
    2013-02-15 05:11 . 2008-10-01 20:51 87552 ----a-w- c:\windows\system32\VACFix.exe
    2013-02-15 05:11 . 2008-09-20 17:45 80384 ----a-w- c:\windows\system32\o4Patch.exe
    2013-02-15 05:11 . 2008-08-18 17:19 82432 ----a-w- c:\windows\system32\404Fix.exe
    2013-02-15 05:11 . 2008-05-19 02:40 82944 ----a-w- c:\windows\system32\IEDFix.exe
    2013-02-15 05:11 . 2007-09-06 05:22 289144 ----a-w- c:\windows\system32\VCCLSID.exe
    2013-02-15 05:11 . 2004-07-31 23:50 51200 ----a-w- c:\windows\system32\dumphive.exe
    2013-02-15 05:11 . 2006-04-27 22:49 288417 ----a-w- c:\windows\system32\SrchSTS.exe
    2013-02-15 05:11 . 2003-06-06 02:13 53248 ----a-w- c:\windows\system32\Process.exe
    2013-02-14 08:01 . 2013-01-08 22:01 768000 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
    2013-02-14 03:22 . 2013-01-18 17:17 6991832 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3527B59E-092D-4A95-B794-1B30C9FF5697}\mpengine.dll
    2013-02-14 03:17 . 2013-02-14 03:17 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    2013-02-14 03:17 . 2013-02-14 03:17 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    2013-02-14 03:17 . 2013-02-14 03:17 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2013-02-14 03:17 . 2013-02-14 03:17 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    2013-02-14 03:17 . 2013-02-14 03:17 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    2013-02-14 03:17 . 2013-02-14 03:17 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    2013-02-14 03:17 . 2013-02-14 03:17 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
    2013-02-14 03:16 . 2013-02-14 03:16 -------- d-----w- c:\programdata\Apple Computer
    2013-02-14 03:04 . 2013-01-04 01:38 2048512 ----a-w- c:\windows\system32\win32k.sys
    2013-02-14 03:04 . 2012-11-08 03:48 1314816 ----a-w- c:\windows\system32\quartz.dll
    2013-02-14 03:04 . 2013-01-04 11:28 914792 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2013-02-14 03:04 . 2013-01-04 01:55 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2013-02-14 03:04 . 2013-01-05 05:26 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-02-14 03:04 . 2013-01-05 05:26 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-02-09 00:13 . 2013-02-09 00:13 -------- d-----w- c:\programdata\RightClick
    2013-02-04 07:23 . 2013-02-04 07:23 -------- d-----w- c:\windows\system32\AGEIA
    2013-02-04 07:23 . 2013-02-04 07:23 -------- d-----w- c:\program files\AGEIA Technologies
    2013-02-04 05:05 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
    2013-02-04 05:04 . 2005-05-26 20:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
    2013-02-03 02:30 . 2013-02-21 19:55 -------- d-----w- c:\users\officedepot\AppData\Local\Desura
    2013-02-03 02:27 . 2013-02-03 02:27 -------- d-----w- c:\program files\Common Files\Desura
    2013-02-02 10:44 . 2013-02-02 10:44 -------- d-----w- c:\programdata\Desura
    2013-02-02 10:44 . 2013-02-08 11:20 -------- d-----w- c:\program files\Desura
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-02-27 08:25 . 2012-07-16 14:33 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-02-27 08:25 . 2012-02-28 06:04 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-02-15 05:16 . 2009-12-20 16:03 35 ----a-w- c:\users\officedepot\AppData\Roaming\SetValue.bat
    2013-02-15 05:16 . 2009-12-20 16:03 4198 ----a-w- c:\windows\system32\tmp.reg
    2013-01-17 06:28 . 2009-12-10 02:45 232336 ------w- c:\windows\system32\MpSigStub.exe
    2012-12-16 13:12 . 2013-01-24 08:02 34304 ----a-w- c:\windows\system32\atmlib.dll
    2012-12-16 10:50 . 2013-01-24 08:02 293376 ----a-w- c:\windows\system32\atmfd.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-12-19 969104]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-03-05 172032]
    "TpShocks"="TpShocks.exe" [2007-03-30 181808]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-15 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-15 154392]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-15 133912]
    "TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-01-09 536576]
    "DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-15 217176]
    "AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
    "LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2007-03-22 120368]
    "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 419112]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 124200]
    "LenovoOobeOffers"="c:\swtools\LenovoWelcome\LenovoOobeOffers.exe" [2006-12-29 28672]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-12-21 295072]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
    "Internet Helper Anti-phishing"="c:\programdata\Internet Helper Anti-phishing\internetHelper_antiphishing.exe" [2012-10-26 222856]
    .
    c:\users\AbraGaia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-9-27 50688]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "DisableCAD"= 1 (0x1)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-03-15 05:17 89600 ----a-w- c:\windows\System32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ    autocheck autochk *\0\0sdnclean.exe
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ    scecli psqlpwd
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc
    ipripsvc REG_MULTI_SZ    iprip
    LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-03-01 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-16 08:25]
    .
    2013-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-06 00:59]
    .
    2013-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-06 00:59]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://lenovo.live.com
    mStart Page = hxxp://lenovo.live.com
    uInternet Settings,ProxyOverride = <local>
    TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-03-01 18:29
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ... 
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ... 
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\38C6.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(744)
    c:\windows\system32\psqlpwd.dll
    c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
    c:\program files\ThinkVantage Fingerprint Software\infra.dll
    .
    Completion time: 2013-03-01  18:34:54
    ComboFix-quarantined-files.txt  2013-03-01 23:34
    ComboFix2.txt  2013-02-25 20:50
    .
    Pre-Run: 54,883,336,192 bytes free
    Post-Run: 56,129,101,824 bytes free
    .
    - - End Of File - - C5B233E21F535CBCEA971C205F2709E7
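The log above is data rather than an explanation, but it is the kind of artefact a responder reads many times, so here is an added triage script (written for this edit; it is not part of the original thread and is not ComboFix's own code) that parses the sections a reviewer checks first. It embeds a constructed excerpt of the posted log, with the run-together FILE :: path kept exactly as it appears. The checks it applies are this editor's choice of what to flag, not claims about what any particular file is: whether a FILE :: line carries more than one path run together, whether any FILE :: path still appears in the Files Created or Find3M sections after the run, whether EnableLUA is 0, and whether Security Center DisableMonitoring is 1.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the ComboFix log posted above, cut down to the
# lines the checks use. The run-together FILE :: path is kept exactly as posted.
SAMPLE_LOG = r'''
FILE ::
"c:\windows\system32\WS2Fix.exec:\users\officedepot\AppData\Roaming\SetValue.bat"
.
(((((((((((((((((((((((((   Files Created from 2013-02-01 to 2013-03-01  )))))))))))))))))))))))))))))))
.
2013-02-24 03:08 . 2013-02-25 20:26 -------- d-----w- c:\users\officedepot\AppData\Roaming\DefaultTab
2013-02-15 05:11 . 2009-06-02 16:17 75776 ----a-w- c:\windows\system32\WS2Fix.exe
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-15 05:16 . 2009-12-20 16:03 35 ----a-w- c:\users\officedepot\AppData\Roaming\SetValue.bat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
'''

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")           # (((  Section name  )))
FILE_ENTRY_RE = re.compile(                                # created . modified size attrs path
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) (\S+) (.+)$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DRIVE_SPLIT_RE = re.compile(r"(?=[a-z]:\\)", re.I)        # zero-width boundary before each "x:\"
POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
MONITOR_KEY = r"hkey_local_machine\software\microsoft\security center\monitoring"


def parse_combofix(text):
    """Return (targets, files, reg): FILE :: paths as one list per script line,
    file entries keyed by section name, registry values keyed by lower-cased key."""
    targets, files, reg = [], defaultdict(list), defaultdict(dict)
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line == "FILE ::":
            section = "FILE"
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "FILE" and line.startswith('"'):
            # A script line that lost its line break carries several paths.
            targets.append([p for p in DRIVE_SPLIT_RE.split(line.strip('"')) if p])
            continue
        m = FILE_ENTRY_RE.match(line)
        if m and section:
            files[section].append(dict(zip(
                ("created", "modified", "size", "attrs", "path"), m.groups())))
            continue
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = REG_VALUE_RE.match(line)
        if m and key:
            reg[key][m.group(1)] = m.group(2)
    return targets, files, reg


def reg_int(value):
    """ComboFix prints DWORDs as either '0 (0x0)' or 'dword:00000001'."""
    v = value.strip().lower()
    if v.startswith("dword:"):
        return int(v[6:], 16)
    m = re.match(r"\d+", v)
    return int(m.group()) if m else None


def triage(text):
    """Findings a reviewer of the log would want flagged first."""
    targets, files, reg = parse_combofix(text)
    present = {e["path"].lower() for entries in files.values() for e in entries}
    findings = []
    for paths in targets:
        if len(paths) > 1:
            findings.append("malformed FILE :: line, %d paths run together: %s"
                            % (len(paths), "; ".join(paths)))
        for p in paths:
            if p.lower() in present:
                findings.append("FILE :: target still listed after run: " + p)
    if reg_int(reg.get(POLICY_KEY, {}).get("EnableLUA", "1")) == 0:
        findings.append("UAC disabled (EnableLUA=0)")
    if reg_int(reg.get(MONITOR_KEY, {}).get("DisableMonitoring", "0")) == 1:
        findings.append("Security Center monitoring disabled (DisableMonitoring=1)")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("*", f)
```

Run against the excerpt it reports the FILE :: line as carrying two paths and both WS2Fix.exe and SetValue.bat as still listed after the run, which is what you would expect if the two entries had been pasted onto one line of CFScript.txt; that is worth confirming against the actual script before assuming the deletion failed for some other reason. The EnableLUA and DisableMonitoring values are host-hardening settings the log exposes, not indicators of a specific infection.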
     



    #14 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    • Gender:Male
    • Location:USA
    • Local time:08:56 AM

    Posted 01 March 2013 - 11:11 PM

    How is your system running?  :)


     


    #15 Law23

    Law23
    • Topic Starter

    • Members
    • 11 posts
    • OFFLINE
    • Gender:Female
    • Local time:09:56 AM

    Posted 02 March 2013 - 10:56 PM

    Hey,

     

    Well, for the most part it's running fine, but it still freezes on occasion when I'm on the internet, and then I have to restart. And there are these error messages that pop up every time I do restart it. I'll see to it that I post what these error messages say, because I can't remember at the moment.


    Edited by Law23, 02 March 2013 - 11:44 PM.




