Bloodhound.pdf.38 & SONAR.Heuristics


  • This topic is locked
8 replies to this topic

#1 jwicklin

jwicklin

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:18 PM

Posted 30 May 2013 - 07:46 PM

Symantec identified test[1].pdf file and oavilak as the risk types in the subject line.  It says "quarantine" under type but says the status is infected.  I restored to a point 2 days prior to being infected.  However when I open Symantec I suspect it has been hijacked because it says there are multiple warnings (3) and "Download Insight is malfunctioning. Proactive Threat Protection is malfunctioning".  I started to run live update and it started downloading 7 files but I then thought the better of it and suspended the downloads until I received more advice in case this was just more of the problem.  Immediately following infection I couldn't get to Internet Explorer and instead a screen was presented for me to enter a credit card.  The restore allowed me to get Internet Explorer to launch so I could run DDS and send this.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16483
Run by jwicklin at 17:29:06 on 2013-05-30
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3977.1885 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\lsm.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k RPCSS
C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\SysWOW64\Prot_srv.exe
C:\Windows\system32\WUDFHost.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\syswow64\AdminPassRandomizerService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files (x86)\Symantec\NetBackup DLO\DLO\DLOChangeLogSvcu.exe
C:\WINDOWS\SysWOW64\DWRCS.exe
C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
C:\Program Files (x86)\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\WINDOWS\SysWOW64\pstartSr.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe
C:\Program Files (x86)\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\Smc.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\CCM\CcmExec.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\CCM\RemCtrl\CmRcService.exe
C:\WINDOWS\system32\taskhost.exe
C:\WINDOWS\SysWOW64\DWRCST.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe
C:\WINDOWS\system32\Dwm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files (x86)\InterCall Unified Meeting\Modules\Launcher\mcLauncher.exe
C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe
C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe
C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe
C:\Program Files (x86)\PrintKey2000\Printkey2000.exe
C:\Program Files (x86)\Symantec\NetBackup DLO\DLO\DLOClientu.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files (x86)\Common Files\Check Point\UIFramework\cptray.exe
C:\Program Files (x86)\Pointsec\Pointsec for PC\P95tray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\CCM\SCNotification.exe
C:\Program Files (x86)\Symantec\NetBackup DLO\DLO\DLOvssRequestorU.exe
C:\WINDOWS\system32\vssvc.exe
C:\WINDOWS\System32\svchost.exe -k swprv
C:\WINDOWS\system32\AUDIODG.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_202_ActiveX.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.commscope.com
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\IPS\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [MeetingLauncher] "C:\Program Files (x86)\InterCall Unified Meeting\Modules\Launcher\mcLauncher.exe"
uRun: [GarminExpressTrayApp] "C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe"
uRun: [ANT Agent] C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [Check Point Endpoint Tray Application] C:\Program Files (x86)\Common Files\Check Point\UIFramework\cptray.exe
mRun: [Pointsec Tray] C:\Program Files (x86)\Pointsec\Pointsec for PC\P95Tray.exe
mRun: [iPassConnect] "C:\Program Files (x86)\iPass\iPassConnect Corporate\iPassConnectGUI.exe" /S
mRun: [DameWare MRC Agent] C:\WINDOWS\SysWOW64\DWRCST.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLSY~1.LNK - C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PRINTK~1.LNK - C:\WINDOWS\Installer\{0E4DC6BA-F9E8-4051-B10E-7C39B3A12395}\VRT16B.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SYMANT~1.LNK - C:\Program Files (x86)\Symantec\NetBackup DLO\DLO\DLOClientu.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\WINDOWS\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Windows\System: AllowX-ForestPolicy-and-RUP = dword:1
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: cdcsccm01
DPF: {538793D5-659C-4639-A56C-A179AD87ED44} - hxxps://cdcvpn.commscope.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {A08463E2-BF3E-4E78-9938-E4CC1981483B} - hxxps://install.mc.iconf.net/gcc_installer/IUM/mcInstall.cab
DPF: {A5A5E1FF-FFEF-3FEF-B592-C6D194F4383F} - hxxps://cdcvpn.commscope.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://commscopemeet.webex.com/client/WBXclient-T27L10NSP32EP5-14362/webex/ieatgpc1.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{CBB1BA6B-5466-4F1B-8E5A-8C8D194A3CE8} : DHCPNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{CBB1BA6B-5466-4F1B-8E5A-8C8D194A3CE8}\36F6D6D63736F60756765756374777966696 : DHCPNameServer = 10.86.21.18
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Notify: SEP - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\WinLogoutNotifier.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
x64-Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.4.0/GarminAxControl_64.CAB
x64-DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
x64-Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - <orphaned>
x64-Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 prot_2k;prot_2k;C:\WINDOWS\System32\drivers\prot_2k.sys [2013-2-22 288976]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\WINDOWS\System32\drivers\stdcfltn.sys [2013-2-22 22128]
R0 SymDS;Symantec Data Store;C:\WINDOWS\System32\drivers\SEP\0C01044D\0191.105\x64\SymDS64.sys [2012-9-19 451192]
R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\System32\drivers\SEP\0C01044D\0191.105\x64\SymEFA64.sys [2012-9-19 932472]
R1 dwvkbd;DameWare Virtual Keyboard 64 bit Driver;C:\WINDOWS\System32\drivers\dwvkbd64.sys [2007-2-15 30720]
R1 IDSVia64;IDSVia64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\20130527.001\IDSviA64.sys [2013-5-28 513184]
R1 SymIRON;Symantec Iron Driver;C:\WINDOWS\System32\drivers\SEP\0C01044D\0191.105\x64\Ironx64.sys [2012-9-19 171128]
R1 SYMNETS;Symantec Network Security WFP Driver;C:\WINDOWS\System32\drivers\SEP\0C01044D\0191.105\x64\symnets.sys [2012-9-19 386168]
R2 AdminPassRandomizer;AdminPassRandomizer;C:\Windows\SysWOW64\AdminPassRandomizerService.exe [2009-5-12 27648]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2013-2-22 89600]
R2 CmRcService;Configuration Manager Remote Control;C:\Windows\CCM\RemCtrl\CmRcService.exe [2012-11-21 633952]
R2 dcpsysmgrsvc;Dell System Manager Service;C:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe [2011-4-8 517488]
R2 DLOChangeJournalSvc;Symantec NetBackup Desktop Agent Change Journal Reader;C:\Program Files (x86)\Symantec\NetBackup DLO\DLO\DLOChangeLogSvcu.exe [2011-12-7 976280]
R2 Garmin Core Update Service;Garmin Core Update Service;C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [2013-3-27 185688]
R2 Pointsec;Pointsec;C:\Windows\SysWOW64\Prot_srv.exe [2012-1-19 655696]
R2 Pointsec_start;Pointsec Service Start;C:\Windows\SysWOW64\pstartSr.exe [2012-1-19 225616]
R2 SepMasterService;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe [2012-9-19 137208]
R3 Acceler;Accelerometer Service;C:\WINDOWS\System32\drivers\accelern.sys [2012-7-4 27760]
R3 cvusbdrv;Dell ControlVault;C:\WINDOWS\System32\drivers\cvusbdrv.sys [2012-7-4 45672]
R3 IntcDAud;Intel® Display Audio;C:\WINDOWS\System32\drivers\IntcDAud.sys [2012-7-4 317440]
R3 O2SDJRDR;O2SDJRDR;C:\WINDOWS\System32\drivers\o2sdjw7x64.sys [2012-7-4 83560]
S1 BHDrvx64;BHDrvx64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\BASHDefs\20130502.011\BHDrvx64.sys [2013-5-8 1390680]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]
S3 acsock;acsock;C:\WINDOWS\System32\drivers\acsock64.sys [2013-5-16 107432]
S3 d554gps;Dell Wireless  HSPA Mini-Card GPS Port;C:\WINDOWS\System32\drivers\d554gps64.sys [2012-7-4 102440]
S3 dmvsc;dmvsc;C:\WINDOWS\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 ecnssndis; Mobile Broadband Driver;C:\WINDOWS\System32\drivers\wwuss64.sys [2012-7-4 26664]
S3 ecnssndisfltr; Mobile Broadband Driver Filter;C:\WINDOWS\System32\drivers\wwussf64.sys [2012-7-4 29736]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-2-22 138912]
S3 Impcd;Impcd;C:\WINDOWS\System32\drivers\Impcd.sys [2012-7-4 158976]
S3 libusb0;libusb-win32 - Kernel Driver 04/08/2011 1.2.4.0;C:\WINDOWS\System32\drivers\libusb0.sys [2011-5-17 44480]
S3 lpasvc;Microsoft Policy Platform Local Authority;C:\Program Files\Microsoft Policy Platform\policyHost.exe [2012-8-2 50280]
S3 lppsvc;Microsoft Policy Platform Processor;C:\Program Files\Microsoft Policy Platform\policyHost.exe [2012-8-2 50280]
S3 Mbm3CBus;Dell Wireless 5530 HSPA Mini-Card Device (WDM);C:\WINDOWS\System32\drivers\Mbm3CBus.sys [2012-7-4 419400]
S3 Mbm3DevMt;Dell Wireless  HSPA Mini-Card Device Management Driver (WDM);C:\WINDOWS\System32\drivers\Mbm3DevMt.sys [2012-7-4 430664]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\WINDOWS\System32\drivers\nusb3hub.sys [2012-7-4 80384]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\WINDOWS\System32\drivers\nusb3xhc.sys [2012-7-4 181248]
S3 nwdelgobi3kfilter;Dell Wireless Gobi 3000 USB Composite Device Filter Driver;C:\WINDOWS\System32\drivers\nwdelgobi3kfilter.sys [2012-7-4 34304]
S3 nwdelserial;Dell Wireless Mobile Broadband Serial Driver;C:\WINDOWS\System32\drivers\nwdelserial.sys [2012-7-4 234112]
S3 O2MDFRDR;O2MDFRDR;C:\WINDOWS\System32\drivers\o2mdfw7x64.sys [2012-7-4 72808]
S3 O2MDRRDR;O2MDRRDR;C:\WINDOWS\System32\drivers\O2MDRw7x64.sys [2012-7-4 74984]
S3 StorSvc;Storage Service;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 SyDvCtrl;SyDvCtrl;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\SyDvCtrl64.sys [2012-9-19 29664]
S3 TsUsbFlt;TsUsbFlt;C:\WINDOWS\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\WINDOWS\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\WINDOWS\System32\Wat\WatAdminSvc.exe [2012-3-20 1255736]
.
=============== Created Last 30 ================
.
2013-05-30 20:19:41 -------- d-----w- C:\Users\jwicklin\AppData\Roaming\Malwarebytes
2013-05-30 20:19:18 -------- d-----w- C:\ProgramData\Malwarebytes
2013-05-30 20:19:17 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-30 20:18:52 -------- d-----w- C:\Users\jwicklin\AppData\Local\Programs
2013-05-19 15:13:34 -------- d-----r- C:\Program Files (x86)\Skype
2013-05-17 12:34:19 983400 ----a-w- C:\WINDOWS\System32\drivers\dxgkrnl.sys
2013-05-17 12:34:19 265064 ----a-w- C:\WINDOWS\System32\drivers\dxgmms1.sys
2013-05-17 12:34:19 144384 ----a-w- C:\WINDOWS\System32\cdd.dll
2013-05-17 12:33:47 111448 ----a-w- C:\WINDOWS\System32\consent.exe
2013-05-17 12:33:41 70144 ----a-w- C:\WINDOWS\System32\appinfo.dll
2013-05-17 12:33:40 1930752 ----a-w- C:\WINDOWS\System32\authui.dll
2013-05-17 12:33:40 1796096 ----a-w- C:\WINDOWS\SysWow64\authui.dll
2013-05-17 12:33:28 1656680 ----a-w- C:\WINDOWS\System32\drivers\ntfs.sys
2013-05-17 12:32:52 3153920 ----a-w- C:\WINDOWS\System32\win32k.sys
2013-05-16 21:40:52 -------- d-----w- C:\Program Files\Common Files\Deterministic Networks
2013-05-16 21:36:11 107432 ----a-r- C:\WINDOWS\System32\drivers\acsock64.sys
2013-05-16 21:25:13 -------- d-----w- C:\WINDOWS\F3C1DE9E5E164BA9B8547B53A45E3579.TMP
2013-05-16 21:24:46 -------- d-----w- C:\Program Files (x86)\Cisco Systems
2013-05-13 15:50:04 -------- d-----w- C:\Program Files (x86)\Citrix
2013-05-13 15:49:52 -------- d-----w- C:\Users\jwicklin\AppData\Local\Citrix
2013-05-03 19:47:51 -------- d-----w- C:\Users\jwicklin\AppData\Roaming\Spark
2013-05-03 19:46:16 -------- d-----w- C:\Program Files (x86)\Spark
.
==================== Find3M  ====================
.
2013-05-15 23:41:30 71048 ----a-w- C:\WINDOWS\SysWow64\FlashPlayerCPLApp.cpl
2013-05-15 23:41:30 692104 ----a-w- C:\WINDOWS\SysWow64\FlashPlayerApp.exe
2013-05-05 21:16:13 2382848 ----a-w- C:\WINDOWS\System32\mshtml.tlb
2013-05-05 19:12:55 2382848 ----a-w- C:\WINDOWS\SysWow64\mshtml.tlb
2013-04-05 01:08:44 2312704 ----a-w- C:\WINDOWS\System32\jscript9.dll
2013-04-05 01:00:30 1392128 ----a-w- C:\WINDOWS\System32\wininet.dll
2013-04-05 00:59:24 1494528 ----a-w- C:\WINDOWS\System32\inetcpl.cpl
2013-04-05 00:56:16 173056 ----a-w- C:\WINDOWS\System32\ieUnatt.exe
2013-04-05 00:55:47 599040 ----a-w- C:\WINDOWS\System32\vbscript.dll
2013-04-04 22:11:34 1800704 ----a-w- C:\WINDOWS\SysWow64\jscript9.dll
2013-04-04 22:02:59 1427968 ----a-w- C:\WINDOWS\SysWow64\inetcpl.cpl
2013-04-04 22:02:17 1129472 ----a-w- C:\WINDOWS\SysWow64\wininet.dll
2013-04-04 21:58:51 142848 ----a-w- C:\WINDOWS\SysWow64\ieUnatt.exe
2013-04-04 21:57:45 420864 ----a-w- C:\WINDOWS\SysWow64\vbscript.dll
2013-03-19 06:04:06 5550424 ----a-w- C:\WINDOWS\System32\ntoskrnl.exe
2013-03-19 05:46:56 43520 ----a-w- C:\WINDOWS\System32\csrsrv.dll
2013-03-19 05:04:13 3968856 ----a-w- C:\WINDOWS\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- C:\WINDOWS\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50 6656 ----a-w- C:\WINDOWS\SysWow64\apisetschema.dll
2013-03-19 03:06:33 112640 ----a-w- C:\WINDOWS\System32\smss.exe
2010-06-09 14:49:02 626688 ----a-w- C:\Program Files (x86)\Common Files\sapconsaccess.dll
2010-06-09 14:49:02 40960 ----a-w- C:\Program Files (x86)\Common Files\DigitalSignature.ocx
2010-06-09 14:49:02 3149824 ----a-w- C:\Program Files (x86)\Common Files\sapxlhelper.dll
2010-06-09 14:49:02 192512 ----a-w- C:\Program Files (x86)\Common Files\sapconsr3.dll
.
============= FINISH: 17:29:25.78 ===============
 

Attached File  Attach.txt   19.35KB   0 downloads




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:18 PM

Posted 03 June 2013 - 09:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM.
Let me know what problem persists.

#3 jwicklin

jwicklin
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:18 PM

Posted 04 June 2013 - 09:55 PM

I followed the instructions however I was unable to run ComboFix, although saved to my desktop when I went to execute - it indicated it could not find the file.  I have Symantec and Malwarebytes on the computer both of which were disabled.  I attempted to disable the firewall however the instructions provided didn't match available selections on my Windows XP SP1 machine.  Following are the outputs from AdwCleaner, JRT, and Security Check.  Prior to receiving your instructions I was able to run Malwarebytes which found two files and quarantined them.

 

# AdwCleaner v2.301 - Logfile created 06/04/2013 at 21:12:13
# Updated 16/05/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : jwicklin - ART-1B8W2Q1
# Boot Mode : Normal
# Running from : C:\Users\jwicklin\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\S

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16483

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [563 octets] - [04/06/2013 21:12:13]

########## EOF - C:\AdwCleaner[S1].txt - [622 octets] ##########

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Professional x64
Ran by jwicklin on Tue 06/04/2013 at 21:17:17.71
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 06/04/2013 at 21:22:03.49
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 Results of screen317's Security Check version 0.99.64 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
Symantec Endpoint Protection  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java™ 6 Update 31 
 Java version out of Date!
 Adobe Reader 10.1.4 Adobe Reader out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:18 PM

Posted 05 June 2013 - 08:49 AM


--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.

Old versions....

Note
Java security update installs Ask Toolbar by default -- a single click in a multi-step installer.
http://www.benedelman.org/images/iac-jan13/ask-iac-011613-small.png
I suggest that you un-check the box "Install the Ask Toolbar" before proceeding.
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

Let me know if Norton is still reporting a possible infection.


#5 jwicklin

jwicklin
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:18 PM

Posted 05 June 2013 - 11:13 AM

All three steps completed successfully.

 

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : jwicklin [Admin rights]
Mode : Remove -- Date : 06/05/2013 11:10:46
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-21-1343024091-839522115-1708537768-34240\$6ab1849533c9920732352bac71cdd405\n.) [x] -> REPLACED (C:\WINDOWS\system32\shell32.dll)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-18\$6ab1849533c9920732352bac71cdd405\n.) [x] -> REPLACED (C:\WINDOWS\system32\wbem\fastprox.dll)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$6ab1849533c9920732352bac71cdd405\@ [-] --> REMOVED
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-1343024091-839522115-1708537768-34240\$6ab1849533c9920732352bac71cdd405\@ [-] --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$6ab1849533c9920732352bac71cdd405\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-1343024091-839522115-1708537768-34240\$6ab1849533c9920732352bac71cdd405\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$6ab1849533c9920732352bac71cdd405\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-1343024091-839522115-1708537768-34240\$6ab1849533c9920732352bac71cdd405\L --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

 

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEKT-75PVMT0 +++++
--- User ---
[MBR] ae85c1a77cf3396c3a02cd4234b75b8e
[BSP] 810e2d8826f41c97f6d391e2f3c0bd8b : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 238473 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_06052013_02d1110.txt >>
RKreport[1]_S_06052013_02d1106.txt ; RKreport[2]_D_06052013_02d1110.txt
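Added example, not part of the post above or of RogueKiller itself: a small Python parser for the report format shown, written from the defender's side. It pulls out the two ZeroAccess indicators the tool acted on, CLSID InprocServer32 values redirected into a per-SID $Recycle.Bin\$<32 hex> directory and the @/U/L layout inside that directory, and checks that both point at the same place. The SIDs and directory name in the sample report are constructed, and the path check can also be run on InprocServer32 values pulled from a live registry export.

```python
import re
from dataclasses import dataclass

# ZeroAccess drop location as printed in the RogueKiller report:
#   C:\$Recycle.Bin\<SID>\$<32 hex chars>\...
RECYCLE_BIN_DROP = re.compile(
    r"\\\$recycle\.bin\\(?P<sid>S-1-5-[\d-]+)\\\$(?P<dir>[0-9a-f]{32})(?:\\|$)", re.I)

# "[HJ INPROC]" line: hijacked InprocServer32 value plus the default RogueKiller restored.
INPROC_LINE = re.compile(
    r"^\[HJ INPROC\](?:\[(?P<tag>[^\]]*)\])?\s+(?P<key>\S+)\s*:\s*"
    r"\((?P<path>[^)]*)\)\s*\[x\]\s*->\s*REPLACED\s*\((?P<restored>[^)]*)\)")

# "[ZeroAccess][FILE|FOLDER]" line: the @ file and the U / L folders of the drop directory.
DROP_LINE = re.compile(
    r"^\[ZeroAccess\]\[(?:FILE|FOLDER)\]\s+\S+\s*:\s*(?P<path>.+?)\s+(?:\[-\]\s+)?-->")


@dataclass
class ComHijack:
    key: str            # registry key as printed in the report
    path: str           # InprocServer32 value the scanner found
    restored: str       # legitimate default that replaced it
    sid: str = ""       # owning SID of the Recycle Bin folder, when the path lives there
    drop_dir: str = ""  # 32-hex-char directory name, when the path lives there


def is_recycle_bin_com_server(path: str) -> bool:
    # Works on any InprocServer32 value: a COM server has no business in $Recycle.Bin.
    return RECYCLE_BIN_DROP.search(path) is not None


def parse_com_hijacks(report: str) -> list:
    hijacks = []
    for line in report.splitlines():
        m = INPROC_LINE.match(line.strip())
        if not m:
            continue
        h = ComHijack(m["key"], m["path"], m["restored"])
        d = RECYCLE_BIN_DROP.search(h.path)
        if d:
            h.sid, h.drop_dir = d["sid"], d["dir"].lower()
        hijacks.append(h)
    return hijacks


def parse_drop_dirs(report: str) -> dict:
    # (sid, drop_dir) -> sorted leaf names removed; the ZeroAccess layout is '@', 'L', 'U'.
    dirs = {}
    for line in report.splitlines():
        m = DROP_LINE.match(line.strip())
        if not m:
            continue
        d = RECYCLE_BIN_DROP.search(m["path"])
        if d:
            leaf = m["path"].rsplit("\\", 1)[-1]
            dirs.setdefault((d["sid"], d["dir"].lower()), set()).add(leaf)
    return {k: sorted(v) for k, v in dirs.items()}


def summarize(report: str) -> dict:
    # The same hidden directory serving hijacked CLSIDs and holding @/U/L is the pattern above.
    hijacks = parse_com_hijacks(report)
    drops = parse_drop_dirs(report)
    hijack_dirs = {h.drop_dir for h in hijacks if h.drop_dir}
    return {
        "hijacked_clsids": len(hijacks),
        "recycle_bin_servers": sum(is_recycle_bin_com_server(h.path) for h in hijacks),
        "drop_dirs": sorted(drops),
        "shared_drop_dir": bool(hijack_dirs & {d for _, d in drops}),
    }


# Constructed sample in the RogueKiller report format (SIDs and directory name are made up).
SAMPLE_REPORT = r"""
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-21-1111111111-2222222222-3333333333-1001\$0123456789abcdef0123456789abcdef\n.) [x] -> REPLACED (C:\WINDOWS\system32\shell32.dll)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-18\$0123456789abcdef0123456789abcdef\n.) [x] -> REPLACED (C:\WINDOWS\system32\wbem\fastprox.dll)
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$0123456789abcdef0123456789abcdef\@ [-] --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$0123456789abcdef0123456789abcdef\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$0123456789abcdef0123456789abcdef\L --> REMOVED
"""
```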



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 June 2013 - 12:51 PM

Now that the ZeroAccess infection has been removed run ComboFix again.
Post the log if you can.
===

I hope that this tool will reset your Security programs.
I think the infection is responsible for this.

Download and run this version of HitmanPro.

HitmanPro 3.7.5 Build 198 BETA will clean this mse patch infection.
http://www.wilderssecurity.com/showpost.php?p=2233029&postcount=5345

Remove all that is found.

p.s. You may have to register the tool. Please do.

#7 jwicklin

jwicklin
  • Topic Starter

  • Members
  • 4 posts

Posted 05 June 2013 - 09:13 PM

Here is the combofix output.  The problem appears to be fixed.

 

ComboFix 13-06-05.05 - jwicklin 06/05/2013  20:00:09.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3977.2373 [GMT -5:00]
Running from: c:\users\jwicklin\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\DRM\B3FF.tmp
c:\programdata\Microsoft\Windows\DRM\B48E.tmp
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk
c:\windows\Installer\{0E4DC6BA-F9E8-4051-B10E-7C39B3A12395}\VRT16B.exe
c:\windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-06 to 2013-06-06  )))))))))))))))))))))))))))))))
.
.
2013-06-05 02:17 . 2013-06-05 02:17 -------- d-----w- c:\windows\ERUNT
2013-06-05 02:16 . 2013-06-05 02:16 -------- d-----w- C:\JRT
2013-05-31 07:11 . 2013-04-04 19:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-30 20:19 . 2013-05-30 20:19 -------- d-----w- c:\users\jwicklin\AppData\Roaming\Malwarebytes
2013-05-30 20:19 . 2013-05-30 20:19 -------- d-----w- c:\programdata\Malwarebytes
2013-05-30 20:19 . 2013-05-31 07:11 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-05-30 20:18 . 2013-05-30 20:18 -------- d-----w- c:\users\jwicklin\AppData\Local\Programs
2013-05-17 12:34 . 2013-04-10 06:01 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-17 12:34 . 2013-04-10 06:01 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-17 12:34 . 2011-02-03 11:25 144384 ----a-w- c:\windows\system32\cdd.dll
2013-05-17 12:33 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe
2013-05-17 12:33 . 2013-02-27 05:52 197120 ----a-w- c:\windows\system32\shdocvw.dll
2013-05-17 12:33 . 2013-02-27 05:47 70144 ----a-w- c:\windows\system32\appinfo.dll
2013-05-17 12:33 . 2013-02-27 05:52 14172672 ----a-w- c:\windows\system32\shell32.dll
2013-05-17 12:33 . 2013-02-27 05:48 1930752 ----a-w- c:\windows\system32\authui.dll
2013-05-17 12:33 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\SysWow64\authui.dll
2013-05-17 12:33 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-05-17 12:32 . 2013-04-10 03:30 3153920 ----a-w- c:\windows\system32\win32k.sys
2013-05-16 21:40 . 2013-05-16 21:40 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2013-05-16 21:36 . 2012-08-17 15:29 107432 ----a-r- c:\windows\system32\drivers\acsock64.sys
2013-05-16 21:25 . 2013-05-16 21:25 -------- d-----w- c:\windows\F3C1DE9E5E164BA9B8547B53A45E3579.TMP
2013-05-16 21:24 . 2013-05-16 21:24 -------- d-----w- c:\program files (x86)\Cisco Systems
2013-05-16 21:12 . 2013-05-30 21:45 -------- d-----w- c:\users\dacunningha
2013-05-13 15:50 . 2013-05-13 15:50 -------- d-----w- c:\program files (x86)\Citrix
2013-05-13 15:49 . 2013-05-13 15:49 -------- d-----w- c:\users\jwicklin\AppData\Local\Citrix
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-05 15:43 . 2013-02-22 16:46 788896 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-05-17 12:30 . 2012-03-20 16:45 75016696 ----a-w- c:\windows\system32\MRT.exe
2013-03-19 06:04 . 2013-04-20 15:47 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 05:46 . 2013-04-20 15:47 43520 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 05:04 . 2013-04-20 15:47 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-20 15:47 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47 . 2013-04-20 15:47 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
2013-03-19 03:06 . 2013-04-20 15:47 112640 ----a-w- c:\windows\system32\smss.exe
2010-06-09 14:49 . 2013-02-22 16:51 626688 ----a-w- c:\program files (x86)\Common Files\sapconsaccess.dll
2010-06-09 14:49 . 2013-02-22 16:51 40960 ----a-w- c:\program files (x86)\Common Files\DigitalSignature.ocx
2010-06-09 14:49 . 2013-02-22 16:51 3149824 ----a-w- c:\program files (x86)\Common Files\sapxlhelper.dll
2010-06-09 14:49 . 2013-02-22 16:51 192512 ----a-w- c:\program files (x86)\Common Files\sapconsr3.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MeetingLauncher"="c:\program files (x86)\InterCall Unified Meeting\Modules\Launcher\mcLauncher.exe" [2011-09-06 515184]
"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2013-03-27 1098072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Check Point Endpoint Tray Application"="c:\program files (x86)\Common Files\Check Point\UIFramework\cptray.exe" [2010-06-02 70144]
"Pointsec Tray"="c:\program files (x86)\Pointsec\Pointsec for PC\P95Tray.exe" [2012-01-19 856400]
"iPassConnect"="c:\program files (x86)\iPass\iPassConnect Corporate\iPassConnectGUI.exe" [2010-04-07 1474560]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"DameWare MRC Agent"="c:\windows\SysWOW64\DWRCST.exe" [2009-02-04 78848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell System Manager.lnk - c:\program files\Dell\Dell System Manager\DCPSysMgr.exe [2011-4-8 1552240]
PrintKey 2000.lnk - c:\windows\Installer\{0E4DC6BA-F9E8-4051-B10E-7C39B3A12395}\VRT16B.exe [N/A]
Symantec NetBackup Desktop Agent.lnk - c:\program files (x86)\Symantec\NetBackup DLO\DLO\DLOClientu.exe [2011-12-7 13272472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"Allow-LogonScript-NetbiosDisabled"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 acsock;acsock;c:\windows\system32\DRIVERS\acsock64.sys;c:\windows\SYSNATIVE\DRIVERS\acsock64.sys [x]
R3 d554gps;Dell Wireless  HSPA Mini-Card GPS Port;c:\windows\system32\drivers\d554gps64.sys;c:\windows\SYSNATIVE\drivers\d554gps64.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 ecnssndis; Mobile Broadband Driver;c:\windows\System32\Drivers\wwuss64.sys;c:\windows\SYSNATIVE\Drivers\wwuss64.sys [x]
R3 ecnssndisfltr; Mobile Broadband Driver Filter;c:\windows\System32\Drivers\wwussf64.sys;c:\windows\SYSNATIVE\Drivers\wwussf64.sys [x]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys;c:\windows\SYSNATIVE\drivers\Impcd.sys [x]
R3 libusb0;libusb-win32 - Kernel Driver 04/08/2011 1.2.4.0;c:\windows\system32\DRIVERS\libusb0.sys;c:\windows\SYSNATIVE\DRIVERS\libusb0.sys [x]
R3 lpasvc;Microsoft Policy Platform Local Authority;c:\program files\Microsoft Policy Platform\policyHost.exe;c:\program files\Microsoft Policy Platform\policyHost.exe [x]
R3 lppsvc;Microsoft Policy Platform Processor;c:\program files\Microsoft Policy Platform\policyHost.exe;c:\program files\Microsoft Policy Platform\policyHost.exe [x]
R3 Mbm3CBus;Dell Wireless 5530 HSPA Mini-Card Device (WDM);c:\windows\system32\drivers\Mbm3CBus.sys;c:\windows\SYSNATIVE\drivers\Mbm3CBus.sys [x]
R3 Mbm3DevMt;Dell Wireless  HSPA Mini-Card Device Management Driver (WDM);c:\windows\system32\drivers\Mbm3DevMt.sys;c:\windows\SYSNATIVE\drivers\Mbm3DevMt.sys [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys;c:\windows\SYSNATIVE\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys;c:\windows\SYSNATIVE\drivers\nusb3xhc.sys [x]
R3 nwdelgobi3kfilter;Dell Wireless Gobi 3000 USB Composite Device Filter Driver;c:\windows\system32\drivers\nwdelgobi3kfilter.sys;c:\windows\SYSNATIVE\drivers\nwdelgobi3kfilter.sys [x]
R3 nwdelserial;Dell Wireless Mobile Broadband Serial Driver;c:\windows\system32\drivers\nwdelserial.sys;c:\windows\SYSNATIVE\drivers\nwdelserial.sys [x]
R3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\O2MDFw7x64.sys;c:\windows\SYSNATIVE\drivers\O2MDFw7x64.sys [x]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7x64.sys;c:\windows\SYSNATIVE\drivers\O2MDRw7x64.sys [x]
R3 SyDvCtrl;SyDvCtrl;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\SyDvCtrl64.sys;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\SyDvCtrl64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 prot_2k;prot_2k; [x]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys;c:\windows\SYSNATIVE\DRIVERS\stdcfltn.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS;c:\windows\SYSNATIVE\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMEFA64.SYS;c:\windows\SYSNATIVE\Drivers\SEP\0C01044D\0191.105\x64\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\BASHDefs\20130521.011_5be\BHDrvx64.sys;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\BASHDefs\20130521.011_5be\BHDrvx64.sys [x]
S1 dwvkbd;DameWare Virtual Keyboard 64 bit Driver;c:\windows\system32\DRIVERS\dwvkbd64.sys;c:\windows\SYSNATIVE\DRIVERS\dwvkbd64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\20130604.001\IDSvia64.sys;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\20130604.001\IDSvia64.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\Ironx64.SYS;c:\windows\SYSNATIVE\Drivers\SEP\0C01044D\0191.105\x64\Ironx64.SYS [x]
S1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\SEP\0C01044D\0191.105\x64\SYMNETS.SYS [x]
S2 AdminPassRandomizer;AdminPassRandomizer;c:\windows\syswow64\AdminPassRandomizerService.exe;c:\windows\syswow64\AdminPassRandomizerService.exe [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe;c:\program files\IDT\WDM\AESTSr64.exe [x]
S2 CmRcService;Configuration Manager Remote Control;c:\windows\CCM\RemCtrl\CmRcService.exe;c:\windows\CCM\RemCtrl\CmRcService.exe [x]
S2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe [x]
S2 DLOChangeJournalSvc;Symantec NetBackup Desktop Agent Change Journal Reader;c:\program files (x86)\Symantec\NetBackup DLO\DLO\DLOChangeLogSvcu.exe;c:\program files (x86)\Symantec\NetBackup DLO\DLO\DLOChangeLogSvcu.exe [x]
S2 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 Pointsec;Pointsec;c:\windows\SysWOW64\Prot_srv.exe;c:\windows\SysWOW64\Prot_srv.exe [x]
S2 Pointsec_start;Pointsec Service Start;c:\windows\SysWOW64\pstartSr.exe;c:\windows\SysWOW64\pstartSr.exe [x]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe [x]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\accelern.sys;c:\windows\SYSNATIVE\DRIVERS\accelern.sys [x]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys;c:\windows\SYSNATIVE\Drivers\cvusbdrv.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7x64.sys;c:\windows\SYSNATIVE\DRIVERS\o2sdjw7x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-06 c:\windows\Tasks\DLOClientu.exe-boend0.job
- c:\program files (x86)\Symantec\NetBackup DLO\DLO\DLOClientu.exe [2011-12-08 02:57]
.
2013-06-06 c:\windows\Tasks\DLOClientu.exe-bostart0.job
- c:\program files (x86)\Symantec\NetBackup DLO\DLO\DLOClientu.exe [2011-12-08 02:57]
.
2013-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-05 15:51]
.
2013-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-06-05 15:51]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2012-07-05 611192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-07-05 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-07-05 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-07-05 416024]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2012-07-05 525312]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: cdcsccm01
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: {538793D5-659C-4639-A56C-A179AD87ED44} - hxxps://cdcvpn.commscope.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {A08463E2-BF3E-4E78-9938-E4CC1981483B} - hxxps://install.mc.iconf.net/gcc_installer/IUM/mcInstall.cab
DPF: {A5A5E1FF-FFEF-3FEF-B592-C6D194F4383F} - hxxps://cdcvpn.commscope.com/CACHE/sdesktop/install/binaries/instweb.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Notify-SEP - c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\WinLogoutNotifier.dll
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]
"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SmcService]
"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\SysWOW64\DWRCS.exe
c:\program files (x86)\iPass\iPassConnect Corporate\iPassPeriodicUpdateService.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\DRIVERS\o2flash.exe
c:\program files (x86)\iPass\iPassConnect Corporate\iPassPeriodicUpdateApp.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\CCM\SCNotification.exe
.
**************************************************************************
.
Completion time: 2013-06-05  20:44:01 - machine was rebooted
ComboFix-quarantined-files.txt  2013-06-06 01:43
.
Pre-Run: 164,982,366,208 bytes free
Post-Run: 165,007,630,336 bytes free
.
- - End Of File - - F20A386FE7B4FE068B9B8C2036C3991B
 



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 June 2013 - 08:42 AM

Looking good.

Did you have to run HitmanPro to enable your security programs?

If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

If you decide to keep the AdwCleaner tool make sure to delete your version and download the latest before running it.

Delete the other tools we used.
You can keep the DDS tool, as most forums will ask to see a log before suggesting a fix.

Surf Safely, and Think Prevention!
===

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 June 2013 - 08:44 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
