Constant Reboot & BSoD due to Windows Critical Error and Win32/Small.Ca Warning


  • This topic is locked
23 replies to this topic

#1 cmeas345

  • Members
  • 12 posts

Posted 03 March 2013 - 10:09 PM

Hello, I have been having many problems with my laptop and would really appreciate some help.

Quick List of Problems:
- Windows Vista booted normally will only last for ~5 minutes before Norton displays a message about a Tidserv v5 attack blocked and then Windows displays a message stating Win32/Small.ca detected. Then a popup appears stating that Windows has encountered a critical error and will reboot in 1 minute
- Due to issue above, I was barely able to run DDS and save logs before computer shut down on me
- Chrome / Internet Explorer constantly crash and homepage goes directly to mysearchweb

Actions I have already taken:
- Ran MalwareBytes Anti-malware, Microsoft Malicious Removal Tool, Norton all in safe mode
- All detect 1 or 2 trojans/viruses but when I reboot the computer is still clearly not functional

Any help would be greatly appreciated. Thanks so much.

DDS LOG:


DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 7.0.6001.18248  BrowserJavaVersion: 1.6.0_18
Run by Bharati at 21:24:30 on 2013-03-03
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.2038.991 [GMT -5:00]
.
AV: Norton Security Suite *Enabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WerCon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uDefault_Page_URL = hxxp://www.sony.com/vaiopeople
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton security suite\engine\5.2.2.3\ips\ipsbho.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{B3FCF701-13CE-485C-8538-77F62F31CA27} : DHCPNameServer = 192.168.1.1 192.168.1.1
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - 
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs= KATRACK.DLL
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\bharati\appdata\roaming\mozilla\firefox\profiles\0t2up3qf.default\
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\coffplgn_2011_7_4_3\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\bharati\appdata\roaming\mozilla\firefox\profiles\0t2up3qf.default\extensions\{9eb34849-81d3-4841-939d-666d522b889a}\plugins\npSlingPlayer.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Symantec Intrusion Prevention: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\IPSFFPlgn
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: WebSlingPlayer: {9EB34849-81D3-4841-939D-666D522B889A} - %profile%\extensions\{9EB34849-81D3-4841-939D-666D522B889A}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502020.003\symds.sys [2012-7-19 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502020.003\symefa.sys [2012-7-19 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20130116.013\BHDrvx86.sys [2013-1-15 997464]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20130124.001\IDSvix86.sys [2013-1-24 386720]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502020.003\ironx86.sys [2012-7-19 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0502020.003\symtdiv.sys [2012-7-19 331384]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-3-3 398184]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.2.2.3\ccsvchst.exe [2012-7-19 130008]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-6-10 1153368]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 52\starwind\StarWindService.exe [2005-4-1 217600]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-25 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-13 106656]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2008-3-31 9344]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2008-3-31 812544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-10 682344]
S3 SOHCImp;VAIO Media plus Content Importer;c:\program files\sony\vaio media plus\SOHCImp.exe [2008-5-4 104288]
S3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\sony\vaio media plus\SOHDms.exe [2008-5-4 350048]
S3 SOHDs;VAIO Media plus Device Searcher;c:\program files\sony\vaio media plus\SOHDs.exe [2008-5-4 63328]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2009-1-23 223128]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2008-3-31 333088]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2008-3-31 87328]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
ShellExec: VCExporterLaunch.exe: open="c:\program files\sony\vaio vp utilities\VCELaunch.exe" "%1"
.
=============== Created Last 30 ================
.
2013-03-04 02:13:55    --------    d-----w-    c:\windows\pss
.
==================== Find3M  ====================
.
.
============= FINISH: 21:26:05.85 ===============


Edited by cmeas345, 03 March 2013 - 10:10 PM.
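An added example, not part of this post and not code from the DDS or FRST tools: a small Python triage pass over the kind of startup entries the DDS "Pseudo HJT Report" above prints (mRun:/uRun: and AppInit_DLLs=) and that FRST prints in its Registry section later in this thread (HKU\...\Run: lines). It ranks entries by heuristic reasons to look at them first: rundll32 used to load a DLL, a target under a user-writable profile path, FRST's [x] missing-file marker, no publisher recorded, and a non-empty AppInit_DLLs value. The sample lines are copied from the logs in this thread; the function names (triage, reasons_for) and the rules are mine, and a hit means "inspect this", not a verdict on the entry.

```python
import re

# DDS pseudo-HJT line:   mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
DDS_RUN = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# FRST line:  HKU\Divyang\...\Run: [swg] "C:\...\x.exe" [39408 2009-03-26] (Google Inc.)
#             a file FRST cannot find is printed as "[x]" with no publisher at all
FRST_RUN = re.compile(
    r"^HK(?:LM|U\\[^\\]+)\\\.\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \[(?P<meta>[^\]]*)\])?(?: \((?P<pub>[^)]*)\))?$"
)
# DDS: AppInit_DLLs= KATRACK.DLL     FRST: AppInit_DLLs: KATRACK.DLL   (empty value = no match)
APPINIT = re.compile(r"^AppInit_DLLs[=:]\s*(?P<dlls>\S.*)$")
# Locations a standard user can write to. Legitimate per-user updaters live here too,
# so this rule ranks entries rather than convicting them.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\|%temp%", re.I)


def reasons_for(cmd, meta=None, pub=None):
    """Heuristic reasons to inspect one autorun command (empty list = nothing unusual)."""
    reasons = []
    low = cmd.lower()
    if "rundll32" in low:
        reasons.append("rundll32 used to load a DLL")
    if USER_WRITABLE.search(low):
        reasons.append("target lives in a user-writable directory")
    if meta is not None and meta.strip() == "x":
        reasons.append("FRST marks the file missing ([x])")
    if meta is not None and not (pub or "").strip():
        reasons.append("no publisher recorded for the file")
    return reasons


def triage(log_text):
    """Parse DDS/FRST startup lines; return the flagged entries, most reasons first."""
    flagged = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = APPINIT.match(line)
        if m:
            flagged.append({"name": "AppInit_DLLs", "cmd": m["dlls"],
                            "reasons": ["AppInit_DLLs set: loaded into every process that loads user32.dll"]})
            continue
        m = DDS_RUN.match(line) or FRST_RUN.match(line)
        if not m:
            continue
        g = m.groupdict()
        reasons = reasons_for(g["cmd"], g.get("meta"), g.get("pub"))
        if reasons:
            flagged.append({"name": g["name"], "cmd": g["cmd"], "reasons": reasons})
    flagged.sort(key=lambda e: -len(e["reasons"]))  # stable: ties keep log order
    return flagged


# Sample input: lines copied from the DDS and FRST logs posted in this thread.
SAMPLE_LOG = r"""
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
AppInit_DLLs= KATRACK.DLL
HKLM\...\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe [122880 2008-02-22] (Alps Electric Co., Ltd.)
HKU\Divyang\...\Run: [Google Update] "C:\Users\Divyang\AppData\Local\Google\Update\GoogleUpdate.exe" /c [133104 2008-09-02] (Google Inc.)
HKU\Divyang\...\Run: [Vxisupiseriyovuz] rundll32.exe "C:\Users\Divyang\AppData\Local\KBDR102.dll",Startup [x]
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"{entry['name']}: {entry['cmd']}")
        for why in entry["reasons"]:
            print(f"    - {why}")
```

Feed it the whole FRST.txt or DDS text and read the top of the list first; the user-writable rule will also list known per-user updaters such as Google Update, which is why the count of reasons, not any single rule, drives the ordering.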



#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 March 2013 - 10:31 PM


Hello cmeas345

Welcome to The Forums!!

Around here they call me Gringo and I'll be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.

For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst64.exe or e:\frst.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • First, press the Scan button.
  • It will make a log (FRST.txt).
  • Second, type the following in the edit box after "Search:": services.exe
  • Click the Search button.
  • It will make a log (Search.txt).

I want you to post both the FRST.txt report and the Search.txt into your reply to me.

    Gringo




I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
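An added example, not Gringo's instructions and not FRST's code, of the check behind the "Search: services.exe" step: enumerate every copy of the file on the volume with its size and hashes, as Search.txt does, and flag the live System32 copy when its content matches none of the component-store copies under winsxs. It assumes the standard <root>\Windows\System32 and <root>\Windows\winsxs layout and builds a constructed sample tree in a temporary directory so it runs without a Windows volume; for real use point check_live_copy() at the root of a volume mounted from a rescue environment (Python rather than the recovery console's cmd so it works from Linux rescue media too). On Vista and later the System32 file is normally a hard link into winsxs, so a mismatch here means the live name was swapped for a different file; an in-place patch changes both links at once and only shows against a known-good hash from a clean machine of the same build, which is what the printed MD5 is for.

```python
import hashlib
import os
import tempfile


def file_digests(path, chunk=1 << 20):
    """MD5 (what FRST prints) and SHA-256 of one file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def find_copies(root, filename):
    """Every file named `filename` under root -> (size, md5, sha256), like Search.txt."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() == filename.lower():
                path = os.path.join(dirpath, name)
                found[path] = (os.path.getsize(path),) + file_digests(path)
    return found


def check_live_copy(root, filename="services.exe"):
    """Compare the live System32 copy with the component-store (winsxs) copies.

    Returns (copies, suspect). `suspect` holds the live path when its SHA-256
    matches no winsxs copy, or a marker when the live file is absent.
    Assumed layout (an assumption of this example): <root>/Windows/System32
    and <root>/Windows/winsxs.
    """
    copies = find_copies(os.path.join(root, "Windows"), filename)
    live = os.path.join(root, "Windows", "System32", filename)
    store_hashes = {sha for p, (_, _, sha) in copies.items()
                    if os.sep + "winsxs" + os.sep in p.lower()}
    if live not in copies:
        return copies, [live + " (missing)"]
    return copies, ([] if copies[live][2] in store_hashes else [live])


def build_demo(base, replaced=False):
    """Constructed sample tree, not a real Windows volume: one live copy and two
    component-store versions. With replaced=True the live copy is swapped for
    content matching no store version, which is what the check should catch."""
    good_v1 = b"MZ" + b"services v1 " * 100
    good_v2 = b"MZ" + b"services v2 " * 100
    live_data = b"MZ" + b"not the real thing " * 50 if replaced else good_v2
    layout = {
        os.path.join("Windows", "System32", "services.exe"): live_data,
        os.path.join("Windows", "winsxs", "x86_services_v1", "services.exe"): good_v1,
        os.path.join("Windows", "winsxs", "x86_services_v2", "services.exe"): good_v2,
    }
    for rel, data in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_demo(replaced):
    """Build the constructed tree in a temp dir, run the check, return (copies, suspect)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp, replaced)
        return check_live_copy(tmp)


if __name__ == "__main__":
    copies, suspect = run_demo(replaced=True)
    for path, (size, md5, _) in sorted(copies.items()):
        print(f"{path}  size={size}  md5={md5}")
    print("suspect:", suspect)
```

The listing is the same information Search.txt gives you (every path, size and MD5 of the name searched); the extra step is the automatic comparison of the live copy against the component store, so the reviewer does not have to eyeball hashes.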

#3 cmeas345

  • Topic Starter
  • Members
  • 12 posts

Posted 04 March 2013 - 03:11 PM

Hey Gringo, appreciate the quick response and your help. Here are the two logs that you requested.

 

FRST.txt Log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-03-2013 01
Ran by SYSTEM at 04-03-2013 15:03:32
Running from F:\
Windows Vista ™ Home Premium   (X86) OS Language: English(US) 
The current controlset is ControlSet001
 
==================== Registry (Whitelisted) ===================
 
HKLM\...\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe [122880 2008-02-22] (Alps Electric Co., Ltd.)
HKU\Divyang\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\Divyang\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-03-26] (Google Inc.)
HKU\Divyang\...\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp [49968 2009-05-18] (AOL LLC)
HKU\Divyang\...\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent [1242448 2010-12-18] (Valve Corporation)
HKU\Divyang\...\Run: [Google Update] "C:\Users\Divyang\AppData\Local\Google\Update\GoogleUpdate.exe" /c [133104 2008-09-02] (Google Inc.)
HKU\Divyang\...\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun [200136 2008-10-09] (DT Soft Ltd.)
HKU\Divyang\...\Run: [Vxisupiseriyovuz] rundll32.exe "C:\Users\Divyang\AppData\Local\KBDR102.dll",Startup [x]
HKU\Divyang\...\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.12) Gecko/2009070611 Firefox/3.0.12" -"http://74.125.95.132/search?q=cache:XNqJRkJ7N7AJ:gpct.scottishappraisal.scot.nhs.uk/now/why_choose.html+why+go+to+medicine&cd=13&hl=en&ct=clnk&gl=us" [460216 2008-11-24] (Adobe Systems, Inc.)
HKU\Guest\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-03-26] (Google Inc.)
HKU\Rajesh\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-03-26] (Google Inc.)
HKU\Rajesh\...\Run: [Google Update] "C:\Users\Rajesh\AppData\Local\Google\Update\GoogleUpdate.exe" /c [x]
Winlogon\Notify\VESWinlogon: VESWinlogon.dll (Sony Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
AppInit_DLLs: KATRACK.DLL
Startup: C:\Users\Divyang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Services (Whitelisted) ===================
 
2 CVPND; "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" [1528608 2008-06-19] (Cisco Systems, Inc.)
2 MBAMScheduler; "C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe" [398184 2012-12-14] (Malwarebytes Corporation)
2 MBAMService; "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe" [682344 2012-12-14] (Malwarebytes Corporation)
2 N360; "C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe" /s "N360" /m "C:\Program Files\Norton Security Suite\Engine\5.2.2.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)
2 NMSAccessU; C:\Program Files\CDBurnerXP\NMSAccessU.exe [71096 2008-06-15] ()
2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75064 2009-03-15] ()
2 PnkBstrB; C:\Windows\system32\PnkBstrB.exe [189784 2009-03-15] ()
2 ProtexisLicensing; C:\Windows\system32\PSIService.exe [177704 2007-06-05] ()
2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
3 SOHCImp; "C:\Program Files\Sony\VAIO Media plus\SOHCImp.exe" [104288 2008-03-04] (Sony Corporation)
3 SOHDms; "C:\Program Files\Sony\VAIO Media plus\SOHDms.exe" [350048 2008-03-04] (Sony Corporation)
3 SOHDs; "C:\Program Files\Sony\VAIO Media plus\SOHDs.exe" [63328 2008-03-04] (Sony Corporation)
3 SPTISRV; "C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe" [77824 2007-11-28] (Sony Corporation)
2 StarWindService; C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe [217600 2005-04-01] (Rocket Division Software)
3 VAIO Entertainment TV Device Arbitration Service; "C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe" [73728 2008-02-15] (Sony Corporation)
2 VAIO Event Service; C:\Program Files\Sony\VAIO Event Service\VESMgr.exe [182392 2007-08-14] (Sony Corporation)
3 VcmIAlzMgr; "C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe" [333088 2008-03-03] (Sony Corporation)
3 Vcsw; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -RunBySCM [279848 2008-03-31] (Sony Corporation)
2 Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)
2 VzCdbSvc; "C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe" [184320 2008-02-15] (Sony Corporation)
2 VzFw; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe [147456 2008-02-15] (Sony Corporation)
 
==================== Drivers (Whitelisted) ====================
 
1 BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20130116.013\BHDrvx86.sys [997464 2013-01-15] (Symantec Corporation)
3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
2 CVPNDRVA; \??\C:\Windows\system32\Drivers\CVPNDRVA.sys [306299 2008-06-19] (Cisco Systems, Inc.)
3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [125328 2008-03-29] (Deterministic Networks, Inc.)
1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2012-08-08] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-08] (Symantec Corporation)
1 IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20130124.001\IDSvix86.sys [386720 2013-01-18] (Symantec Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20130126.007\NAVENG.SYS [93296 2013-01-19] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20130126.007\NAVEX15.SYS [1603824 2013-01-19] (Symantec Corporation)
3 pgfilter; \??\C:\Program Files\PeerGuardian2\pgfilter.sys [8192 2007-06-02] ()
0 sptd; C:\Windows\System32\Drivers\sptd.sys [717296 2009-01-23] (Duplex Secure Ltd.)
3 SRTSP; C:\Windows\System32\Drivers\N360\0502020.003\SRTSP.SYS [516216 2011-03-30] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360\0502020.003\SRTSPX.SYS [50168 2011-03-30] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\N360\0502020.003\SYMDS.SYS [340088 2011-01-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360\0502020.003\SYMEFA.SYS [744568 2011-03-14] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [126584 2011-06-10] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\N360\0502020.003\Ironx86.SYS [136312 2010-11-15] (Symantec Corporation)
1 SYMTDIv; C:\Windows\System32\Drivers\N360\0502020.003\SYMTDIV.SYS [331384 2011-04-20] (Symantec Corporation)
3 ti21sony; C:\Windows\System32\drivers\ti21sony.sys [812544 2007-06-05] (Texas Instruments)
3 vaxscsi; C:\Windows\System32\Drivers\vaxscsi.sys [223128 2009-01-23] (Alcohol Soft Co., Ltd.)
0 volsnap; C:\Windows\System32\drivers\volsnap.sys [227896 2008-01-20] ()
3 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
4 UIUSys; C:\Windows\System32\DRIVERS\UIUSYS.SYS [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-03-03 18:58 - 2013-03-03 18:59 - 00021773 ____A C:\Users\Bharati\Desktop\New Text Document.txt
2013-03-03 18:26 - 2013-03-03 18:26 - 00013158 ____A C:\Users\Bharati\Desktop\dds.txt
2013-03-03 18:26 - 2013-03-03 18:26 - 00007688 ____A C:\Users\Bharati\Desktop\attach.txt
2013-03-03 18:21 - 2013-03-03 18:21 - 00002243 ____A C:\Windows\epplauncher.mif
2013-03-03 18:20 - 2013-03-03 18:20 - 11091432 ____A (Microsoft Corporation) C:\Users\Bharati\Downloads\mseinstall.exe
2013-03-03 18:19 - 2013-03-03 18:19 - 00688992 ____R (Swearware) C:\Users\Bharati\Desktop\dds.com
2013-03-03 18:17 - 2013-03-03 18:19 - 00218896 ____A (Swearware) C:\Users\Bharati\Downloads\Unconfirmed 330988.crdownload
2013-03-03 18:13 - 2013-03-03 18:13 - 00000000 ____D C:\Windows\pss
2013-03-03 17:53 - 2013-03-03 17:53 - 00134256 ____A C:\Windows\Minidump\Mini030313-01.dmp
2013-03-03 17:52 - 2013-03-03 17:52 - 02876864 ____A C:\Users\Bharati\Downloads\Unconfirmed 257354.crdownload
2013-03-03 15:59 - 2013-03-03 16:03 - 18456096 ____A (Microsoft Corporation) C:\Users\Bharati\Downloads\Windows-KB890830-V4.17.exe
2013-03-03 13:55 - 2013-03-03 13:55 - 00088208 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2013-03-03 12:49 - 2013-03-03 12:49 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-03-03 12:47 - 2013-03-03 12:48 - 10156344 ____A (Malwarebytes Corporation                                    ) C:\Users\Bharati\Downloads\mbam-setup-1.70.0.1100.exe
 
 
==================== One Month Modified Files and Folders ========
 
2013-03-04 15:03 - 2013-03-04 15:03 - 00000000 ____D C:\FRST
2013-03-04 11:53 - 2006-11-02 05:01 - 00032568 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-03-04 11:53 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-03-04 11:51 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-03-04 11:51 - 2006-11-02 04:47 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-03-04 11:45 - 2008-07-24 09:48 - 00000422 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{2855FC1C-56C2-4A6F-AB4F-28D947D536FB}.job
2013-03-04 11:37 - 2010-02-06 08:04 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-03-04 11:14 - 2006-11-02 02:33 - 00703388 ____A C:\Windows\System32\PerfStringBackup.INI
2013-03-03 18:59 - 2013-03-03 18:58 - 00021773 ____A C:\Users\Bharati\Desktop\New Text Document.txt
2013-03-03 18:26 - 2013-03-03 18:26 - 00013158 ____A C:\Users\Bharati\Desktop\dds.txt
2013-03-03 18:26 - 2013-03-03 18:26 - 00007688 ____A C:\Users\Bharati\Desktop\attach.txt
2013-03-03 18:22 - 2010-02-06 08:04 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-03-03 18:21 - 2013-03-03 18:21 - 00002243 ____A C:\Windows\epplauncher.mif
2013-03-03 18:20 - 2013-03-03 18:20 - 11091432 ____A (Microsoft Corporation) C:\Users\Bharati\Downloads\mseinstall.exe
2013-03-03 18:19 - 2013-03-03 18:19 - 00688992 ____R (Swearware) C:\Users\Bharati\Desktop\dds.com
2013-03-03 18:19 - 2013-03-03 18:17 - 00218896 ____A (Swearware) C:\Users\Bharati\Downloads\Unconfirmed 330988.crdownload
2013-03-03 18:13 - 2013-03-03 18:13 - 00000000 ____D C:\Windows\pss
2013-03-03 18:12 - 2010-08-05 17:36 - 00007252 ____A C:\Windows\setupact.log
2013-03-03 18:08 - 2008-07-24 09:43 - 01382189 ____A C:\Windows\WindowsUpdate.log
2013-03-03 18:05 - 2009-06-30 19:40 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1218705420-1940685896-1041177209-1000UA.job
2013-03-03 18:04 - 2011-06-10 12:31 - 00000000 ____D C:\Users\Bharati\AppData\Local\CrashDumps
2013-03-03 17:53 - 2013-03-03 17:53 - 00134256 ____A C:\Windows\Minidump\Mini030313-01.dmp
2013-03-03 17:53 - 2011-06-29 03:51 - 296959080 ____A C:\Windows\MEMORY.DMP
2013-03-03 17:53 - 2011-06-10 09:52 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1218705420-1940685896-1041177209-1001UA.job
2013-03-03 17:53 - 2008-07-31 10:07 - 00000000 ____D C:\Windows\Minidump
2013-03-03 17:52 - 2013-03-03 17:52 - 02876864 ____A C:\Users\Bharati\Downloads\Unconfirmed 257354.crdownload
2013-03-03 16:03 - 2013-03-03 15:59 - 18456096 ____A (Microsoft Corporation) C:\Users\Bharati\Downloads\Windows-KB890830-V4.17.exe
2013-03-03 15:50 - 2011-06-10 09:52 - 00000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1218705420-1940685896-1041177209-1001Core.job
2013-03-03 13:55 - 2013-03-03 13:55 - 00088208 ____A C:\Windows\System32\GDIPFONTCACHEV1.DAT
2013-03-03 13:51 - 2010-07-28 06:09 - 00037890 ____A C:\Windows\PFRO.log
2013-03-03 13:51 - 2010-01-18 22:15 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-03-03 12:50 - 2011-01-05 18:46 - 00001356 ____A C:\Users\Bharati\AppData\Local\d3d9caps.dat
2013-03-03 12:49 - 2013-03-03 12:49 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-03-03 12:48 - 2013-03-03 12:47 - 10156344 ____A (Malwarebytes Corporation                                    ) C:\Users\Bharati\Downloads\mbam-setup-1.70.0.1100.exe
2013-02-04 19:29 - 2006-11-02 02:24 - 67823584 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
 
==================== Known DLLs (Whitelisted) =================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2008-01-20 18:23] - [2008-01-20 18:23] - 0227896 ____A () 0B91F93264B06EE3FCEBA84EF4676995
 
C:\Windows\System32\Drivers\volsnap.sys IS INFECTED. <===== ATTENTION!
 
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2012-04-01 08:49:56
Restore point made on: 2012-08-05 22:15:48
Restore point made on: 2012-08-07 06:51:25
Restore point made on: 2012-08-08 00:01:50
Restore point made on: 2012-08-08 20:02:50
 
==================== Memory info =========================== 
 
Percentage of memory in use: 19%
Total physical RAM: 2037.81 MB
Available physical RAM: 1645.13 MB
Total Pagefile: 1854.13 MB
Available Pagefile: 1713.74 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.72 MB
 
==================== Partitions =============================
 
1 Drive c: () (Fixed) (Total:178.87 GB) (Free:55.63 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (Recovery) (Fixed) (Total:7.44 GB) (Free:0.87 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (WIN_VISTA) (Removable) (Total:0.96 GB) (Free:0.84 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online       186 GB   993 KB         
  Disk 1    Online       984 MB      0 B         
 
Partitions of Disk 0:
===============
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM               7619 MB  1024 KB
  Partition 2    Primary            179 GB  7620 MB
 
=========================================================
 
Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: No
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   Recovery     NTFS   Partition   7619 MB  Healthy    Hidden  
 
=========================================================
 
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 0     C                NTFS   Partition    179 GB  Healthy            
 
=========================================================
 
Partitions of Disk 1:
===============
 
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            984 MB    64 KB
 
=========================================================
 
Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: Yes
 
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     F   WIN_VISTA    FAT32  Removable    984 MB  Healthy            
 
=========================================================
 
Last Boot: 2013-03-03 18:46
 
==================== End Of Log ============================

Search.txt Log:
 
Farbar Recovery Scan Tool (x86) Version: 04-03-2013 01
Ran by SYSTEM at 2013-03-04 15:04:50
Running from F:\
 
================== Search: "services.exe" ===================
 
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:24] - [2008-01-20 18:24] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
 
C:\Windows\System32\services.exe
[2008-01-20 18:24] - [2008-01-20 18:24] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
 
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-10-20 10:23] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
 
=== End Of Search ===


#4 gringo_pr (Malware Response Team)

Posted 04 March 2013 - 03:14 PM

Hello

OK, let's see if we can find a replacement for the infected file.

Boot back into the Recovery Environment and run FRST like you did before.

Type the following in the edit box after "Search:".

volsnap.sys

It then should look like:

Search: volsnap.sys

Click Search button and post the log (Search.txt) it makes to your reply.

Gringo

Edited by gringo_pr, 04 March 2013 - 03:14 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 cmeas345 (Topic Starter)

Posted 04 March 2013 - 03:29 PM

Hey Gringo, thanks again for the quick response.

Here's the Search.txt log:

Farbar Recovery Scan Tool (x86) Version: 04-03-2013 01
Ran by SYSTEM at 2013-03-04 15:23:26
Running from F:\
 
================== Search: "volsnap.sys" ===================
 
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys
[2008-01-20 18:23] - [2008-01-20 18:23] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9
 
C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys
[2008-01-20 18:23] - [2008-01-20 18:23] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9
 
C:\Windows\System32\DriverStore\FileRepository\volume.inf_9320b452\volsnap.sys
[2006-11-02 02:25] - [2006-11-02 01:51] - 0208488 ____A (Microsoft Corporation) 11EF6C1CAEF76B685233450A126125D6
 
C:\Windows\System32\drivers\volsnap.sys
[2008-01-20 18:23] - [2008-01-20 18:23] - 0227896 ____A () 0B91F93264B06EE3FCEBA84EF4676995
 
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys
[2009-10-20 10:23] - [2009-04-10 22:32] - 0226280 ____A (Microsoft Corporation) 147281C01FCB1DF9252DE2A10D5E7093
 
=== End Of Search ===

Edited by cmeas345, 04 March 2013 - 07:38 PM.
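The Search.txt above is the evidence the fix is built on: three copies of volsnap.sys share the same size and timestamp, two of them (WinSxS and DriverStore) carry a "Microsoft Corporation" company string and the MD5 D8B4A53D..., while the live copy in System32\drivers has no company string and a different MD5. The script below, added here as an example and not part of the thread or of FRST, parses that log, finds the donor copies whose size and modification time match the live file, takes the MD5 they agree on, and emits the fixlist.txt "Replace:" directive that restores the live file from the component store. The embedded log text is the thread's own Search.txt, constructed as a string; the preference for WinSxS over DriverStore and the majority-MD5 rule are this example's assumptions. One caveat: an MD5 that agrees with the component store only shows the copy is identical to that store, not that the store itself is clean, so before trusting a donor you would still check its Authenticode signature.

```python
"""Parse an FRST Search.txt log, compare the MD5 of every copy of a file it
found, and derive the fixlist.txt "Replace:" line that restores the live copy
from a matching component-store donor."""
import re
from collections import Counter

# Constructed sample: the Search.txt entries for volsnap.sys posted in this thread.
SEARCH_LOG = r"""
================== Search: "volsnap.sys" ===================

C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys
[2008-01-20 18:23] - [2008-01-20 18:23] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9

C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys
[2008-01-20 18:23] - [2008-01-20 18:23] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9

C:\Windows\System32\DriverStore\FileRepository\volume.inf_9320b452\volsnap.sys
[2006-11-02 02:25] - [2006-11-02 01:51] - 0208488 ____A (Microsoft Corporation) 11EF6C1CAEF76B685233450A126125D6

C:\Windows\System32\drivers\volsnap.sys
[2008-01-20 18:23] - [2008-01-20 18:23] - 0227896 ____A () 0B91F93264B06EE3FCEBA84EF4676995

C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys
[2009-10-20 10:23] - [2009-04-10 22:32] - 0226280 ____A (Microsoft Corporation) 147281C01FCB1DF9252DE2A10D5E7093

=== End Of Search ===
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")


def parse_search_log(text):
    """One dict per file: path, timestamps, size, attributes, company string, MD5."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    for i, line in enumerate(lines):
        m = DETAIL_RE.match(line)
        if m and i > 0 and PATH_RE.match(lines[i - 1]):   # the path is on the line before
            rec = m.groupdict()
            rec.update(path=lines[i - 1], size=int(rec["size"]), md5=rec["md5"].upper())
            entries.append(rec)
    return entries


def pick_donor(entries, live_path):
    """Return the copy to restore from, or None if the live copy already matches.
    A donor must have the same size and modification time as the live file, carry
    a company string (the flagged copy has none) and share the MD5 that the
    majority of such copies agree on (assumption: the store copies are intact)."""
    live = next(e for e in entries if e["path"].lower() == live_path.lower())
    candidates = [e for e in entries if e is not live
                  and e["size"] == live["size"]
                  and e["modified"] == live["modified"]
                  and e["company"]]
    if not candidates:
        return None
    consensus, _ = Counter(e["md5"] for e in candidates).most_common(1)[0]
    if live["md5"] == consensus:
        return None
    donors = [e for e in candidates if e["md5"] == consensus]
    # Prefer the WinSxS component store over DriverStore or a pending update download
    donors.sort(key=lambda e: ("\\winsxs\\" not in e["path"].lower(), e["path"]))
    return donors[0]


def fixlist_line(entries, live_path):
    """The FRST fixlist.txt directive: Replace: <donor> <live>."""
    donor = pick_donor(entries, live_path)
    return None if donor is None else f"Replace: {donor['path']} {live_path}"


if __name__ == "__main__":
    found = parse_search_log(SEARCH_LOG)
    for e in found:
        print(f"{e['md5']}  {e['size']:>7}  ({e['company'] or 'no company string'})  {e['path']}")
    print(fixlist_line(found, r"C:\Windows\System32\drivers\volsnap.sys"))
```

Run as-is it prints the five copies with their hashes and then the same "Replace:" line that appears in the fixlist later in this thread. The SoftwareDistribution copy is excluded by the size and timestamp match rather than by its path: it is a newer build (6.0.6002) and would not be a like-for-like replacement for the 6.0.6001 driver the system is running.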


#6 cmeas345 (Topic Starter)

Posted 04 March 2013 - 11:00 PM

Sorry, I think I posted the wrong log above, here is the correct one:

[EDIT: My mistake, the log posted above is indeed correct.]

Edited by cmeas345, 04 March 2013 - 11:02 PM.


#7 gringo_pr (Malware Response Team)

Posted 05 March 2013 - 12:11 AM

Hello cmeas345

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

Replace: C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys C:\Windows\System32\drivers\volsnap.sys
HKU\Divyang\...\Run: [Vxisupiseriyovuz] rundll32.exe "C:\Users\Divyang\AppData\Local\KBDR102.dll",Startup [x]
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST again like we did before but this time press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Also boot the computer into normal mode and let me know how things are looking.

Gringo

Edited by gringo_pr, 05 March 2013 - 12:48 AM.


#8 cmeas345 (Topic Starter)

Posted 05 March 2013 - 12:30 AM

Hey Gringo,

I ran the FRST fix and booted into normal mode. The computer is showing the same symptoms as originally stated: Norton displays a message about Tidserv Activity 5 attack blocked, and then the Windows Problems and Solutions window displays a message stating Win32/Small.ca detected. Then a popup appears stating that Windows has encountered a critical error and will reboot in 1 minute. In addition, Chrome and Internet Explorer still crash constantly.

Thanks again for the help,

Chuck

The FixList.txt log is below:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 04-03-2013 01
Ran by SYSTEM at 2013-03-05 00:18:11 Run:1
Running from F:\
 
==============================================
 
Could not find [/codeC:\Windows\System32\drivers\volsnap.sys
Could not find [/codeC:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys
HKEY_USERS\Divyang\Software\Microsoft\Windows\CurrentVersion\Run\\Vxisupiseriyovuz Value deleted successfully.
 
==== End of Fixlog ====
 

[EDIT: Looking back on the results I think I may have copied too much into the fixlist.txt file because the codebox in your previous post is not showing up for me and I may have copied the code for that as well but I am not sure]

 

Edited by cmeas345, 05 March 2013 - 12:46 AM.


#9 gringo_pr (Malware Response Team)

Posted 05 March 2013 - 12:49 AM

The forum messed up the fix; I have edited it and would like you to rerun it for me.

#10 cmeas345 (Topic Starter)

Posted 05 March 2013 - 01:02 AM

Hey Gringo,

Ran it successfully this time. I booted normally and the laptop seems in much better shape. The Tidserv Activity 5 message from Norton and the critical error reboot from Windows no longer appear. In addition, Chrome and Internet Explorer are not crashing.

However, Windows Problems and Solutions is still displaying a message stating Win32/Small.ca detected.

Thanks,

Chuck

The Fixlog.txt log is below:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 04-03-2013 01

Ran by SYSTEM at 2013-03-05 00:54:29 Run:2
Running from F:\
 
==============================================
 
C:\Windows\System32\drivers\volsnap.sys moved successfully.
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys copied successfully to C:\Windows\System32\drivers\volsnap.sys
HKEY_USERS\Divyang\Software\Microsoft\Windows\CurrentVersion\Run\\Vxisupiseriyovuz Value not found.
 
==== End of Fixlog ====


#11 gringo_pr (Malware Response Team)

Posted 05 March 2013 - 01:21 AM


Hello cmeas345

These are the programs I would like you to run next; if you have any problems with one of them, just skip it and move on to the next one.

-AdwCleaner-
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.

Gringo

#12 cmeas345 (Topic Starter)

Posted 05 March 2013 - 01:47 AM

Hey Gringo,

Here are the two log files requested.

Thanks,

Chuck

AdwCleaner:

# AdwCleaner v2.114 - Logfile created 03/05/2013 at 01:33:45
# Updated 05/03/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 1 (32 bits)
# User : Bharati - VAIO-LAPTOP
# Boot Mode : Normal
# Running from : C:\Users\Bharati\Downloads\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
Stopped & Deleted : Viewpoint Manager Service
 
***** [Files / Folders] *****
 
File Deleted : C:\Program Files\Mozilla Firefox\.autoreg
Folder Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\ProgramData\Viewpoint
Folder Deleted : C:\Users\Divyang\AppData\LocalLow\Viewpoint
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\Software\Viewpoint
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v7.0.6001.18248
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v3.6.25 (en-US)
 
File : C:\Users\Divyang\AppData\Roaming\Mozilla\Firefox\Profiles\ox8k7ih1.default\prefs.js
 
C:\Users\Divyang\AppData\Roaming\Mozilla\Firefox\Profiles\ox8k7ih1.default\user.js ... Deleted !
 
[OK] File is clean.
 
File : C:\Users\Bharati\AppData\Roaming\Mozilla\Firefox\Profiles\0t2up3qf.default\prefs.js
 
[OK] File is clean.
 
-\\ Google Chrome v24.0.1312.52
 
File : C:\Users\Divyang\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
File : C:\Users\Bharati\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[S1].txt - [2788 octets] - [05/03/2013 01:33:45]
 
########## EOF - C:\AdwCleaner[S1].txt - [2848 octets] ##########
 
 
 
 
 
RogueKiller:
 
RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User : Bharati [Admin rights]
Mode : Remove -- Date : 03/05/2013 01:41:58
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 1 ¤¤¤
[DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Windows\KATRACK.DLL [x] -> UNLOADED
 
¤¤¤ Registry Entries : 5 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x82CE7931 -> HOOKED (Unknown @ 0x93FF0F70)
SSDT[14] : NtAlertThread @ 0x82C4CF55 -> HOOKED (Unknown @ 0x93FEE050)
SSDT[18] : NtAllocateVirtualMemory @ 0x82C84A88 -> HOOKED (Unknown @ 0x93FEE9C8)
SSDT[21] : NtAlpcConnectPort @ 0x82C3E17B -> HOOKED (Unknown @ 0x93EE5E68)
SSDT[42] : NtAssignProcessToJobObject @ 0x82C121C0 -> HOOKED (Unknown @ 0x93FF0718)
SSDT[67] : NtCreateMutant @ 0x82C88B97 -> HOOKED (Unknown @ 0x93FF0CC0)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x82C2B08B -> HOOKED (Unknown @ 0x93FF0438)
SSDT[78] : NtCreateThread @ 0x82CE5FA4 -> HOOKED (Unknown @ 0x93FEEED0)
SSDT[116] : NtDebugActiveProcess @ 0x82CB9514 -> HOOKED (Unknown @ 0x93FF07F8)
SSDT[129] : NtDuplicateObject @ 0x82C4BE81 -> HOOKED (Unknown @ 0x93FEEB98)
SSDT[147] : NtFreeVirtualMemory @ 0x82AE3CB7 -> HOOKED (Unknown @ 0x93FEE780)
SSDT[156] : NtImpersonateAnonymousToken @ 0x82C0D237 -> HOOKED (Unknown @ 0x93FF0DB0)
SSDT[158] : NtImpersonateThread @ 0x82C1F924 -> HOOKED (Unknown @ 0x93FF0E90)
SSDT[165] : NtLoadDriver @ 0x82BC1AD2 -> HOOKED (Unknown @ 0x87B9CA70)
SSDT[177] : NtMapViewOfSection @ 0x82C7671E -> HOOKED (Unknown @ 0x93FEE680)
SSDT[184] : NtOpenEvent @ 0x82C380DF -> HOOKED (Unknown @ 0x93FF0BE0)
SSDT[194] : NtOpenProcess @ 0x82C63B06 -> HOOKED (Unknown @ 0x93FEED78)
SSDT[195] : NtOpenProcessToken @ 0x82C5F28F -> HOOKED (Unknown @ 0x93FEEAB8)
SSDT[197] : NtOpenSection @ 0x82C7A7C2 -> HOOKED (Unknown @ 0x93FF0A20)
SSDT[201] : NtOpenThread @ 0x82C541CA -> HOOKED (Unknown @ 0x93FEEC88)
SSDT[210] : NtProtectVirtualMemory @ 0x82C8889E -> HOOKED (Unknown @ 0x93FF0628)
SSDT[282] : NtResumeThread @ 0x82C53574 -> HOOKED (Unknown @ 0x93FEE130)
SSDT[289] : NtSetContextThread @ 0x82CE6C7B -> HOOKED (Unknown @ 0x93FEE3D0)
SSDT[305] : NtSetInformationProcess @ 0x82C86644 -> HOOKED (Unknown @ 0x93FEE4B0)
SSDT[317] : NtSetSystemInformation @ 0x82C49372 -> HOOKED (Unknown @ 0x93FF08D8)
SSDT[330] : NtSuspendProcess @ 0x82CE786B -> HOOKED (Unknown @ 0x93FF0B00)
SSDT[331] : NtSuspendThread @ 0x82CA4788 -> HOOKED (Unknown @ 0x93FEE210)
SSDT[334] : NtTerminateProcess @ 0x82C34F80 -> HOOKED (Unknown @ 0x93FEEFD0)
SSDT[335] : NtTerminateThread @ 0x82C61707 -> HOOKED (Unknown @ 0x93FEE2F0)
SSDT[348] : NtUnmapViewOfSection @ 0x82C76D75 -> HOOKED (Unknown @ 0x93FEE5A0)
SSDT[358] : NtWriteVirtualMemory @ 0x82C5FC47 -> HOOKED (Unknown @ 0x93FEE870)
SSDT[382] : NtCreateThreadEx @ 0x82C53BD2 -> HOOKED (Unknown @ 0x93FF0528)
S_SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x955850D0)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x955D6DB8)
S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x955D6CF8)
S_SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x955D6E78)
S_SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x955D6F38)
S_SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x955D6A88)
S_SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x955D6C28)
S_SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x955D6B58)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x95585190)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x95585260)
IRP[IRP_MJ_CREATE] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x858121F8)
IRP[IRP_MJ_CLOSE] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x858121F8)
IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x858121F8)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x858121F8)
IRP[IRP_MJ_POWER] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x858121F8)
IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x858121F8)
IRP[IRP_MJ_PNP] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x858121F8)
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
 
127.0.0.1       localhost
::1             localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: FUJITSU MHY2200BH +++++
--- User ---
[MBR] caee7a17dfecf7ac6b3e8b50350acd70
[BSP] 683aee47b6a763010d053d6dcbff5b22 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 7619 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 15605760 | Size: 183161 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[2]_D_03052013_02d0141.txt >>
RKreport[1]_S_03052013_02d0140.txt ; RKreport[2]_D_03052013_02d0141.txt
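Two things in the RogueKiller report above deserve more than a glance. First, a DLL was found loaded into explorer.exe from C:\Windows\KATRACK.DLL (the ComboFix log later in the thread shows the same file registered under AppInit_DLLs, which loads it into every process that uses user32.dll), and the DisableTaskMgr / DisableRegistryTools policy values had been set. Second, there are dozens of SSDT, shadow-SSDT and IRP hooks, all attributed to "Unknown", which means RogueKiller could not map the hook's target address to a loaded module. Hook counts alone are not a verdict: the Norton product installed on this machine is the kind of software that hooks the SSDT legitimately. What a practitioner wants is the number of distinct code regions the hooks point into, so each hooking driver is looked at once. The script below is an added example, not part of the thread or of RogueKiller; its input is a constructed subset of the report lines above, and the 1 MiB region gap and the "trusted directory" list are assumptions for illustration.

```python
"""Triage a RogueKiller report: pull out injected DLLs, policy tampering and
kernel hooks, then group the hooks by the code region they point into so that
each hooking driver is counted once instead of once per hooked syscall."""
import re

# Constructed sample: a subset of the RogueKiller lines posted in this thread
# (section headers omitted).
ROGUEKILLER_EXCERPT = r"""
[DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Windows\KATRACK.DLL [x] -> UNLOADED
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
SSDT[13] : NtAlertResumeThread @ 0x82CE7931 -> HOOKED (Unknown @ 0x93FF0F70)
SSDT[14] : NtAlertThread @ 0x82C4CF55 -> HOOKED (Unknown @ 0x93FEE050)
SSDT[165] : NtLoadDriver @ 0x82BC1AD2 -> HOOKED (Unknown @ 0x87B9CA70)
SSDT[194] : NtOpenProcess @ 0x82C63B06 -> HOOKED (Unknown @ 0x93FEED78)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x955D6DB8)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x95585190)
IRP[IRP_MJ_CREATE] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x858121F8)
IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\iaStor.sys -> HOOKED ([MAJOR] Unknown @ 0x858121F8)
"""

DLL_RE = re.compile(r"^\[DLL\] (?P<proc>\S+) -- (?P<image>.+?) : (?P<dll>.+?) \[\S*\] -> (?P<action>\w+)$")
POLICY_RE = re.compile(r"^\[HJPOL\] (?P<where>.+?) : (?P<value>\S+) \((?P<data>[^)]*)\) -> (?P<action>\w+)$")
HOOK_RE = re.compile(
    r"^(?P<table>SSDT|S_SSDT|IRP)\[(?P<slot>[^\]]+)\] : (?P<target>\S+)"
    r"(?: @ 0x[0-9A-Fa-f]+)? -> HOOKED \((?:\[MAJOR\] )?(?P<owner>[^@]+) @ 0x(?P<addr>[0-9A-Fa-f]+)\)$")

# Directories from which a DLL injected into explorer.exe would not by itself be
# alarming (assumption for illustration; real triage checks the signer as well).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_report(text):
    """Split the report into injected DLLs, policy entries and hooks."""
    rep = {"injected": [], "policies": [], "hooks": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := DLL_RE.match(line)):
            rep["injected"].append(m.groupdict())
        elif (m := POLICY_RE.match(line)):
            rep["policies"].append(m.groupdict())
        elif (m := HOOK_RE.match(line)):
            hook = m.groupdict()
            hook["addr"] = int(hook["addr"], 16)
            rep["hooks"].append(hook)
    return rep


def hook_regions(hooks, max_gap=0x100000):
    """Sort hooks by target address and open a new region whenever the gap to the
    previous address exceeds max_gap (1 MiB, generous for one driver image; an
    assumption for illustration). Hooks in one region most likely share an owner."""
    regions = []
    for h in sorted(hooks, key=lambda h: h["addr"]):
        if regions and h["addr"] - regions[-1]["hi"] <= max_gap:
            regions[-1]["hi"] = h["addr"]
            regions[-1]["hooks"].append(h)
        else:
            regions.append({"lo": h["addr"], "hi": h["addr"], "hooks": [h]})
    return [{"range": (r["lo"], r["hi"]), "count": len(r["hooks"]),
             "tables": sorted({h["table"] for h in r["hooks"]}),
             "targets": sorted({h["target"] for h in r["hooks"]})} for r in regions]


def triage(text):
    """Return findings tagged high / tamper / attribute plus the hook regions."""
    rep = parse_report(text)
    findings = []
    for d in rep["injected"]:
        sev = "review" if d["dll"].lower().startswith(TRUSTED_DIRS) else "high"
        findings.append((sev, f"{d['dll']} loaded into {d['proc']} ({d['action']})"))
    for p in rep["policies"]:
        if p["value"] in ("DisableTaskMgr", "DisableRegistryTools"):
            findings.append(("tamper", f"{p['where']}\\{p['value']} present ({p['action']})"))
    regions = hook_regions(rep["hooks"])
    for r in regions:
        lo, hi = r["range"]
        findings.append(("attribute", f"{r['count']} hook(s) into 0x{lo:08X}-0x{hi:08X} "
                                      f"[{'/'.join(r['tables'])}]: {', '.join(r['targets'])}"))
    return {"findings": findings, "hook_regions": regions}


if __name__ == "__main__":
    for sev, what in triage(ROGUEKILLER_EXCERPT)["findings"]:
        print(f"{sev:>9}  {what}")
```

On the excerpt the hooks collapse to four regions: the iaStor.sys IRP hooks at 0x858121F8, the NtLoadDriver hook at 0x87B9CA70 on its own, the remaining SSDT hooks clustered around 0x93FEE000-0x93FF1000, and the win32k shadow-table hooks around 0x95585000-0x955D7000. Running it over the full report gives the same four regions, which is the shape to expect when a hooking driver is a security product; the one that sits by itself, on NtLoadDriver, is the region to attribute first, since the report does not say which module owns any of them.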
 
 
 


#13 gringo_pr (Malware Response Team)

Posted 05 March 2013 - 02:52 AM


Hello cmeas345

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", please restart the computer.

"Information and logs"
In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo





#14 cmeas345 (Topic Starter)

Posted 05 March 2013 - 03:39 AM

Hey Gringo,

ComboFix ran smoothly without any problems. The laptop is doing much better; there are no longer any messages about viruses/malware from Windows or Norton, and it appears to be functioning normally now.

Thanks,

Chuck

Here is the ComboFix log:


ComboFix 13-03-05.01 - Bharati 03/05/2013   3:11.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.2038.988 [GMT -5:00]
Running from: c:\users\Bharati\Downloads\ComboFix.exe
AV: Norton Security Suite *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\SecureW2
c:\program files\SecureW2\Uninstall.exe
c:\programdata\40886008
c:\programdata\9f6c42c7
c:\programdata\Microsoft\Windows\Start Menu\Programs\SecureW2
c:\programdata\Microsoft\Windows\Start Menu\Programs\SecureW2\TTLS Manager.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\SecureW2\Uninstall.lnk
c:\users\Bharati\AppData\Roaming\5de855ed
c:\users\Divyang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SecureW2
c:\users\Divyang\Desktop\Setup.exe
c:\users\Divyang\Documents\~WRL2029.tmp
c:\windows\system32\drivers\etc\hosts.ics
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-05 to 2013-03-05  )))))))))))))))))))))))))))))))
.
.
2013-03-05 08:24 . 2013-03-05 08:25    --------    d-----w-    c:\users\Bharati\AppData\Local\temp
2013-03-05 08:24 . 2013-03-05 08:24    --------    d-----w-    c:\users\Rajesh\AppData\Local\temp
2013-03-05 08:24 . 2013-03-05 08:24    --------    d-----w-    c:\users\Guest\AppData\Local\temp
2013-03-05 08:24 . 2013-03-05 08:24    --------    d-----w-    c:\users\Divyang\AppData\Local\temp
2013-03-05 08:24 . 2013-03-05 08:24    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-03-04 23:03 . 2013-03-04 23:03    --------    d-----w-    C:\FRST
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
@="{AB0C8BE3-041C-47d6-8195-E089D32B38DD}"
[HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
2008-02-03 00:27    303104    ----a-w-    c:\ddi\OverIcon.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-05 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-05 137752]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
.
c:\users\Divyang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 03:05    98304    ----a-w-    c:\windows\System32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AOLDDI.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AOLDDI.lnk
backup=c:\windows\pss\AOLDDI.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 19:57    948672    ----a-r-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 12:58    40368    ----a-w-    c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-10 17:52    136176    ----atw-    c:\users\Bharati\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-03-26 02:27    49152    ----a-w-    c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-03-13 14:34    81920    ----a-w-    c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
2007-11-21 19:38    311296    ----a-w-    c:\program files\Sony\ISB Utility\ISBMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16    421160    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-23 00:11    4718592    ----a-w-    c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:23    1233920    ----a-w-    c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 19:21    246504    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-27 03:42    39408    ----a-w-    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Help and Support Demo]
2007-08-28 00:54    290816    ----a-w-    c:\program files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOMyMemCenter]
2008-02-29 20:39    679936    ----a-w-    c:\program files\Sony\VAIO My Memory Center\VAIO MyMemCenter.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIORegistration]
2007-10-17 21:40    20480    ----a-w-    c:\program files\Sony\First Experience\WelcomeLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
2007-07-20 22:30    577536    ----a-w-    c:\program files\Sony\VAIO Survey\Vista VAIO Survey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VWLASU]
2008-02-19 18:25    24576    ----a-w-    c:\program files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23    1008184    ----a-w-    c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 16:03]
.
2013-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 16:03]
.
2013-01-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1218705420-1940685896-1041177209-1000Core.job
- c:\users\Divyang\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 03:57]
.
2013-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1218705420-1940685896-1041177209-1000UA.job
- c:\users\Divyang\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 03:57]
.
2013-03-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1218705420-1940685896-1041177209-1001Core.job
- c:\users\Bharati\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-10 17:52]
.
2013-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1218705420-1940685896-1041177209-1001UA.job
- c:\users\Bharati\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-10 17:52]
.
2013-03-05 c:\windows\Tasks\User_Feed_Synchronization-{2855FC1C-56C2-4A6F-AB4F-28D947D536FB}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\users\Bharati\AppData\Roaming\Mozilla\Firefox\Profiles\0t2up3qf.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Symantec Intrusion Prevention: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: WebSlingPlayer: {9EB34849-81D3-4841-939D-666D522B889A} - %profile%\extensions\{9EB34849-81D3-4841-939D-666D522B889A}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-HitmanPro35 - c:\users\Bharati\Desktop\HitmanPro35.exe
AddRemove-SecureW2 EAP Suite - c:\program files\SecureW2\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-05 03:25
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-03-05  03:27:44
ComboFix-quarantined-files.txt  2013-03-05 08:27
.
Pre-Run: 59,609,952,256 bytes free
Post-Run: 59,188,228,096 bytes free
.
- - End Of File - - 31BCCFF3FCC5664501A706CA56B1301D

Edited by cmeas345, 05 March 2013 - 03:40 AM.


#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 March 2013 - 12:44 PM


Hello cmeas345

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

    ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[image: CFScriptB-4.gif]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs
  • In your next post I need the following:
    • report from ComboFix
    • let me know of any problems you may have had
    • how is the computer doing now after running the script?
Gringo