
Unknown Virus

12 replies to this topic

#1 sea weasel

  • Members
  • 7 posts

Posted 21 October 2013 - 12:48 AM

Downloaded a program (unknown).  TrendMicro popup stated the 'dangerous' file was blocked, but the virus/malware installed anyway.  Tried restore point.  Still infected.  Internet is slow.  Running a quick scan of TrendMicro's ATTK doesn't identify anything.  Ran the full scan; after 32 hours, at only 96% complete, it had identified only 8 threats and was hanging at HKLM\Software\wow6432node\...\clsid before I closed it.  No virus information (from the 8 threats indicated during the scan) was present in the log.  All this happened on 16 October 2013.  Thanks in advance!


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16720
Run by EV at 22:25:38 on 2013-10-20
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8099.4560 [GMT -7:00]
.
AV: Trend Micro Titanium Maximum Security *Enabled/Updated* {5D349EF8-873B-C657-917F-F1D93E101A7C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Trend Micro Titanium Maximum Security *Enabled/Updated* {E6557F1C-A101-C9D9-ABCF-CAAB459750C1}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\windows\system32\ThpSrv.exe
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\Program Files (x86)\Common Files\Ulead Systems\UDSS\UDSS.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe
C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_WLM\TMAS_WLMMon.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe
C:\Users\EV\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\TOSHIBA\FlashCards\Hotkey\TcrdKBB.exe
C:\Users\EV\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\windows\system32\RunDll32.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Toshiba\Utilities\KeNotify.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe
C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe
C:\windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\HP Officejet Pro 8600\bin\HPNetworkCommunicator.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.toshiba.com/g/
uDefault_Page_URL = hxxp://start.toshiba.com/g/
uProxyOverride = <local>;127.0.0.1:9421
mWinlogon: Userinit = userinit.exe
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} -
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\3.0.1251\6.8.1118\TmIEPlg32.dll
BHO: TSToolbarBHO: {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -
BHO: Lexmark Printable Web: {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\Toshiba\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Trend Micro Toolbar: {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} -
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} -
uRun: [Akamai NetSession Interface] "C:\Users\EV\AppData\Local\Akamai\netsession_win.exe"
uRun: [Adobe Acrobat Synchronizer] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe"
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [HP Officejet Pro 8600 (NET)] "C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" -deviceID "CN27HBK1F905KD:NW" -scfn "HP Officejet Pro 8600 (NET)" -AutoStart 1
mRun: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
mRun: [KeNotify] "C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe" LPCM
mRun: [TSleepSrv] C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun: [Trend Micro RUBotted V2.0 Beta] C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
StartupFolder: C:\Users\EV\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MONITO~1.LNK - C:\windows\System32\RunDll32.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{17994009-2EB0-4792-BF8C-DDA923758E09} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{17994009-2EB0-4792-BF8C-DDA923758E09}\16474777966696 : DHCPNameServer = 192.168.4.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{17994009-2EB0-4792-BF8C-DDA923758E09}\24F4F49514843555E4A425 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{17994009-2EB0-4792-BF8C-DDA923758E09}\35072796E64702E4564777F627B6 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{17994009-2EB0-4792-BF8C-DDA923758E09}\445502C41434 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{17994009-2EB0-4792-BF8C-DDA923758E09}\44F677E647F677E6F584169777162746 : DHCPNameServer = 207.77.152.2 168.215.210.50
TCP: Interfaces\{17994009-2EB0-4792-BF8C-DDA923758E09}\46F6C6964747C6560296D6167696E616279657D6 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{17994009-2EB0-4792-BF8C-DDA923758E09}\C696E6B6379737 : DHCPNameServer = 192.168.1.254 38.109.123.32 38.109.123.33
TCP: Interfaces\{EF890A83-2579-410A-916E-27B69FC01838} : DHCPNameServer = 107.16.141.1 64.134.255.2 64.134.255.10
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} -
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\3.0.1251\6.8.1118\TmIEPlg32.dll
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs= C:\windows\SysWOW64\nvinit.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\3.0.1251\6.8.1118\TmIEPlg.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -
x64-BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\Toshiba\TOSHIBA Media Controller Plug-in\x64\TOSHIBAMediaControllerIE.dll
x64-Run: [IgfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3 /MAXX3
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [ThpSrv] C:\windows\System32\thpsrv /logon
x64-Run: [Teco] "C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe" /r
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
x64-Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
x64-Run: [Logitech Download Assistant] C:\windows\System32\rundll32.exe C:\windows\System32\LogiLDA.dll,LogiFetch
x64-Run: [WrtMon.exe] C:\windows\System32\spool\drivers\x64\3\WrtMon.exe
x64-Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
x64-Run: [WLM] "C:\Program Files\Trend Micro\Titanium\Plugin\TMAS\TMAS_WLM\TMAS_WLMMon.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} -
x64-Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\3.0.1251\6.8.1118\TmIEPlg.dll
x64-Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - <orphaned>
x64-Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\EV\AppData\Roaming\Mozilla\Firefox\Profiles\iqql4pye.default-1371966597990\
FF - prefs.js: browser.startup.homepage - hxxp://www.utsandiego.com/
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\7\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension\components\npToolbarChrome.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll
.
============= SERVICES / DRIVERS ===============
.
R0 nvpciflt;nvpciflt;C:\windows\System32\drivers\nvpciflt.sys [2011-8-18 25960]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\System32\drivers\thpdrv.sys [2009-6-29 34880]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\System32\drivers\Thpevm.sys [2009-6-29 14784]
R0 TMEBC;TMEBC;C:\windows\System32\drivers\TMEBC64.sys [2013-9-27 50976]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\System32\drivers\tos_sps64.sys [2011-8-18 482384]
R1 tmevtmgr;tmevtmgr;C:\windows\System32\drivers\tmevtmgr.sys [2013-9-27 85424]
R2 Akamai;Akamai NetSession Interface;C:\windows\System32\svchost.exe -k Akamai [2011-5-12 27648]
R2 Amsp;Trend Micro Solution Platform;C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe [2013-9-27 305760]
R2 regi;regi;C:\windows\System32\drivers\regi.sys [2011-8-18 14112]
R2 RUBotSrv;Trend Micro RUBotted Service;C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [2013-10-19 443416]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2011-4-7 294328]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\System32\drivers\TVALZFL.sys [2009-6-19 14472]
R2 UDSS;UDSS;C:\Program Files (x86)\Common Files\Ulead Systems\UDSS\UDSS.exe [2011-3-11 30064]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-8-18 2656280]
R3 BtFilter;Bluetooth LowerFilter Class Filter Driver;C:\windows\System32\drivers\btfilter.sys [2011-8-18 42096]
R3 CeKbFilter;CeKbFilter;C:\windows\System32\drivers\CeKbFilter.sys [2011-8-18 20592]
R3 enecir;ENE CIR Receiver;C:\windows\System32\drivers\enecir.sys [2009-6-29 70656]
R3 enecirhid;ENE CIR HID Receiver;C:\windows\System32\drivers\enecirhid.sys [2009-5-19 14848]
R3 enecirhidma;ENE CIR HIDmini Filter;C:\windows\System32\drivers\enecirhidma.sys [2008-4-24 6656]
R3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2010-10-15 317440]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\windows\System32\drivers\nusb3hub.sys [2011-2-10 82432]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\windows\System32\drivers\nusb3xhc.sys [2011-2-10 181760]
R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2011-8-18 38096]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2011-8-18 413800]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2011-8-18 54136]
R3 tmeevw;tmeevw;C:\windows\System32\drivers\tmeevw.sys [2013-9-27 100640]
R3 tmnciesc;tmnciesc;C:\windows\System32\drivers\tmnciesc.sys [2013-9-27 303392]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-12-8 137632]
R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2011-4-5 828336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 lxebCATSCustConnectService;lxebCATSCustConnectService;C:\windows\System32\spool\drivers\x64\3\lxebserv.exe [2012-8-1 45736]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-7 160944]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 JMCR;JMCR;C:\windows\System32\drivers\jmcr.sys [2011-5-2 175192]
S3 silabenm;Super Tuner Serial Port Enumerator Driver;C:\windows\System32\drivers\silabenm.sys [2012-3-9 23040]
S3 silabser;Super Tuner Driver;C:\windows\System32\drivers\silabser.sys [2012-3-9 71168]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2011-8-25 1255736]
S4 lxeb_device;lxeb_device;C:\windows\System32\lxebcoms.exe -service --> C:\windows\System32\lxebcoms.exe -service [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-10-20 06:01:53    0    ----a-w-    C:\windows\System32\igd10umd32.dll
2013-10-20 04:55:55    --------    d-----w-    C:\Program Files (x86)\WinPcap
2013-10-16 05:54:32    --------    d-----w-    C:\Users\EV\AppData\Local\AVG SafeGuard toolbar
2013-10-16 05:54:07    --------    d-----w-    C:\ProgramData\Systweak
2013-10-16 05:54:07    --------    d-----w-    C:\ProgramData\AVG SafeGuard toolbar
2013-10-16 05:54:02    --------    d-----w-    C:\Program Files (x86)\Common Files\AVG Secure Search
2013-10-16 05:53:54    --------    d-----w-    C:\Program Files (x86)\AVG SafeGuard toolbar
2013-10-16 05:53:51    --------    d-----w-    C:\Users\EV\AppData\Local\GreatArcadeHits
2013-10-16 05:53:47    --------    d-----w-    C:\Users\EV\AppData\Roaming\Systweak
2013-10-16 05:53:43    --------    d-----w-    C:\Program Files (x86)\RegClean Pro
2013-10-16 05:53:40    --------    d-----w-    C:\Users\EV\AppData\Roaming\DigitalSite
2013-10-16 05:53:38    --------    d--h--w-    C:\ProgramData\Common Files
2013-10-09 05:00:05    633856    ----a-w-    C:\windows\System32\comctl32.dll
2013-10-09 04:59:55    1903552    ----a-w-    C:\windows\System32\drivers\tcpip.sys
2013-10-06 03:42:49    --------    d-----w-    C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-10-06 03:42:49    --------    d-----w-    C:\Program Files\iTunes
2013-10-06 03:42:49    --------    d-----w-    C:\Program Files\iPod
2013-10-06 03:42:49    --------    d-----w-    C:\Program Files (x86)\iTunes
2013-09-27 23:28:23    --------    d--h--w-    C:\TMRescueDisk
2013-09-27 23:23:47    303392    ----a-w-    C:\windows\System32\drivers\tmnciesc.sys
2013-09-27 23:23:47    105744    ----a-w-    C:\windows\System32\drivers\tmtdi.sys
2013-09-27 23:23:47    100640    ----a-w-    C:\windows\System32\drivers\tmeevw.sys
2013-09-27 23:23:45    85424    ----a-w-    C:\windows\System32\drivers\tmevtmgr.sys
2013-09-27 23:23:45    282624    ----a-w-    C:\windows\System32\drivers\tmcomm.sys
2013-09-27 23:23:45    116264    ----a-w-    C:\windows\System32\drivers\tmactmon.sys
2013-09-27 23:23:43    50976    ----a-w-    C:\windows\System32\drivers\TMEBC64.sys
2013-09-27 23:21:48    59    ----a-w-    C:\windows\System32\SupportTool.exe.bat
2013-09-27 23:20:58    --------    d-----w-    C:\Program Files\Trend Micro
.
==================== Find3M  ====================
.
2013-10-09 06:37:13    71048    ----a-w-    C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-09 06:37:13    692616    ----a-w-    C:\windows\SysWow64\FlashPlayerApp.exe
2013-09-22 23:28:06    1767936    ----a-w-    C:\windows\SysWow64\wininet.dll
2013-09-22 23:27:49    2876928    ----a-w-    C:\windows\SysWow64\jscript9.dll
2013-09-22 23:27:48    61440    ----a-w-    C:\windows\SysWow64\iesetup.dll
2013-09-22 23:27:48    109056    ----a-w-    C:\windows\SysWow64\iesysprep.dll
2013-09-22 22:55:10    2241024    ----a-w-    C:\windows\System32\wininet.dll
2013-09-22 22:54:51    3959296    ----a-w-    C:\windows\System32\jscript9.dll
2013-09-22 22:54:50    67072    ----a-w-    C:\windows\System32\iesetup.dll
2013-09-22 22:54:50    136704    ----a-w-    C:\windows\System32\iesysprep.dll
2013-09-21 03:38:39    2706432    ----a-w-    C:\windows\System32\mshtml.tlb
2013-09-21 03:30:24    2706432    ----a-w-    C:\windows\SysWow64\mshtml.tlb
2013-09-21 02:48:36    89600    ----a-w-    C:\windows\System32\RegisterIEPKEYs.exe
2013-09-21 02:39:47    71680    ----a-w-    C:\windows\SysWow64\RegisterIEPKEYs.exe
2013-09-14 01:10:19    497152    ----a-w-    C:\windows\System32\drivers\afd.sys
2013-09-08 02:27:14    327168    ----a-w-    C:\windows\System32\mswsock.dll
2013-09-08 02:03:58    231424    ----a-w-    C:\windows\SysWow64\mswsock.dll
2013-09-04 12:12:11    343040    ----a-w-    C:\windows\System32\drivers\usbhub.sys
2013-09-04 12:11:51    325120    ----a-w-    C:\windows\System32\drivers\usbport.sys
2013-09-04 12:11:49    99840    ----a-w-    C:\windows\System32\drivers\usbccgp.sys
2013-09-04 12:11:43    52736    ----a-w-    C:\windows\System32\drivers\usbehci.sys
2013-09-04 12:11:43    30720    ----a-w-    C:\windows\System32\drivers\usbuhci.sys
2013-09-04 12:11:42    25600    ----a-w-    C:\windows\System32\drivers\usbohci.sys
2013-09-04 12:11:40    7808    ----a-w-    C:\windows\System32\drivers\usbd.sys
2013-08-29 02:17:48    5549504    ----a-w-    C:\windows\System32\ntoskrnl.exe
2013-08-29 02:16:35    1732032    ----a-w-    C:\windows\System32\ntdll.dll
2013-08-29 02:16:28    243712    ----a-w-    C:\windows\System32\wow64.dll
2013-08-29 02:16:14    859648    ----a-w-    C:\windows\System32\tdh.dll
2013-08-29 02:13:28    878080    ----a-w-    C:\windows\System32\advapi32.dll
2013-08-29 01:51:45    3969472    ----a-w-    C:\windows\SysWow64\ntkrnlpa.exe
2013-08-29 01:51:45    3914176    ----a-w-    C:\windows\SysWow64\ntoskrnl.exe
2013-08-29 01:50:31    5120    ----a-w-    C:\windows\SysWow64\wow32.dll
2013-08-29 01:50:30    1292192    ----a-w-    C:\windows\SysWow64\ntdll.dll
2013-08-29 01:50:16    619520    ----a-w-    C:\windows\SysWow64\tdh.dll
2013-08-29 01:48:17    640512    ----a-w-    C:\windows\SysWow64\advapi32.dll
2013-08-29 01:48:15    44032    ----a-w-    C:\windows\apppatch\acwow64.dll
2013-08-29 00:49:53    25600    ----a-w-    C:\windows\SysWow64\setup16.exe
2013-08-29 00:49:52    7680    ----a-w-    C:\windows\SysWow64\instnm.exe
2013-08-29 00:49:52    14336    ----a-w-    C:\windows\SysWow64\ntvdm64.dll
2013-08-29 00:49:49    2048    ----a-w-    C:\windows\SysWow64\user.exe
2013-08-28 01:21:06    3155968    ----a-w-    C:\windows\System32\win32k.sys
2013-08-28 01:12:33    461312    ----a-w-    C:\windows\System32\scavengeui.dll
2013-08-05 02:25:45    155584    ----a-w-    C:\windows\System32\drivers\ataport.sys
2013-08-02 02:14:57    215040    ----a-w-    C:\windows\System32\winsrv.dll
2013-08-02 02:13:34    424448    ----a-w-    C:\windows\System32\KernelBase.dll
2013-08-02 01:50:42    274944    ----a-w-    C:\windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17    338432    ----a-w-    C:\windows\System32\conhost.exe
2013-08-02 00:59:09    112640    ----a-w-    C:\windows\System32\smss.exe
2013-08-02 00:43:05    6144    ---ha-w-    C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05    4608    ---ha-w-    C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05    3584    ---ha-w-    C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05    3072    ---ha-w-    C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2013-08-01 12:09:36    983488    ----a-w-    C:\windows\System32\drivers\dxgkrnl.sys
2013-07-25 09:25:54    1888768    ----a-w-    C:\windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27    1620992    ----a-w-    C:\windows\SysWow64\WMVDECOD.DLL
.
============= FINISH: 22:28:49.59 ===============
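The "Created Last 30" section of the DDS log above is where the 16 October install shows up: about a dozen directories created within a minute of each other. As an added triage example (not part of the post, of DDS, or of the helper's instructions), the following Python parses that section and groups creations by time window so such a burst stands out from the slow trickle of Windows Update and vendor files. The sample lines are copied from the log above; the `window_seconds` and `min_count` thresholds are assumed values.

```python
"""Triage helper for the 'Created Last 30' section of a DDS log.

Bundled installers drop several directories within a minute or two;
clustering file-system creations by time window makes that burst visible.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Entries copied from the DDS log in the post above (its own timestamps
# and paths); a full log has more lines in the same format.
SAMPLE_LOG = r"""
============== Created Last 30 ================
.
2013-10-20 06:01:53    0    ----a-w-    C:\windows\System32\igd10umd32.dll
2013-10-20 04:55:55    --------    d-----w-    C:\Program Files (x86)\WinPcap
2013-10-16 05:54:32    --------    d-----w-    C:\Users\EV\AppData\Local\AVG SafeGuard toolbar
2013-10-16 05:54:07    --------    d-----w-    C:\ProgramData\Systweak
2013-10-16 05:54:07    --------    d-----w-    C:\ProgramData\AVG SafeGuard toolbar
2013-10-16 05:54:02    --------    d-----w-    C:\Program Files (x86)\Common Files\AVG Secure Search
2013-10-16 05:53:54    --------    d-----w-    C:\Program Files (x86)\AVG SafeGuard toolbar
2013-10-16 05:53:51    --------    d-----w-    C:\Users\EV\AppData\Local\GreatArcadeHits
2013-10-16 05:53:47    --------    d-----w-    C:\Users\EV\AppData\Roaming\Systweak
2013-10-16 05:53:43    --------    d-----w-    C:\Program Files (x86)\RegClean Pro
2013-10-16 05:53:40    --------    d-----w-    C:\Users\EV\AppData\Roaming\DigitalSite
2013-10-16 05:53:38    --------    d--h--w-    C:\ProgramData\Common Files
2013-10-09 05:00:05    633856    ----a-w-    C:\windows\System32\comctl32.dll
2013-10-09 04:59:55    1903552    ----a-w-    C:\windows\System32\drivers\tcpip.sys
2013-10-06 03:42:49    --------    d-----w-    C:\Program Files\iTunes
2013-10-06 03:42:49    --------    d-----w-    C:\Program Files\iPod
.
==================== Find3M  ====================
"""


class Entry(NamedTuple):
    timestamp: datetime
    size: str      # byte count, or "--------" for a directory
    attrs: str     # DDS attribute flags, e.g. "d-----w-" or "----a-w-"
    path: str


# timestamp, size column, 8-char attribute column, then the path
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+([-a-z]{8})\s+(.*\S)\s*$"
)


def parse_created_entries(log_text: str) -> List[Entry]:
    """Return the entries of the 'Created Last 30' section, in log order."""
    entries: List[Entry] = []
    in_section = False
    for line in log_text.splitlines():
        if "Created Last 30" in line:
            in_section = True
            continue
        if in_section and line.startswith("===="):
            break                      # next section header ends the block
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append(Entry(ts, m.group(2), m.group(3), m.group(4)))
    return entries


def find_bursts(entries: List[Entry], window_seconds: int = 60,
                min_count: int = 4) -> List[List[Entry]]:
    """Cluster creations whose consecutive timestamps are at most
    window_seconds apart; keep clusters of at least min_count entries.
    Each cluster is returned in chronological order."""
    ordered = sorted(entries, key=lambda e: e.timestamp)
    window = timedelta(seconds=window_seconds)
    clusters: List[List[Entry]] = []
    current: List[Entry] = []
    for entry in ordered:
        if current and entry.timestamp - current[-1].timestamp > window:
            clusters.append(current)   # gap too large: close this cluster
            current = []
        current.append(entry)
    if current:
        clusters.append(current)
    return [c for c in clusters if len(c) >= min_count]


def describe_burst(burst: List[Entry]) -> str:
    """One-line summary followed by the paths, for a triage note."""
    start, end = burst[0].timestamp, burst[-1].timestamp
    span = int((end - start).total_seconds())
    head = f"{len(burst)} creations within {span}s starting {start:%Y-%m-%d %H:%M:%S}"
    return "\n".join([head] + [f"  {e.attrs}  {e.path}" for e in burst])


if __name__ == "__main__":
    for burst in find_bursts(parse_created_entries(SAMPLE_LOG)):
        print(describe_burst(burst))
```

Run against the full log, it reports the ten creations between 05:53:38 and 05:54:32 on 2013-10-16 as one group, which is the cluster a helper would ask about first.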


#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 21 October 2013 - 06:57 AM

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save... button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 sea weasel

sea weasel
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:California
  • Local time:07:30 AM

Posted 22 October 2013 - 01:29 AM

Thanks for your reply. Attached is the content of the scan:

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-21 23:17:16
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Seagate_ rev.TD27 465.76GB
Running: po8fhvt8.exe; Driver: C:\Users\EV\AppData\Local\Temp\kwryyuoc.sys


---- Threads - GMER 2.1 ----

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [5356:1132]                                                                               000007fefbaa2a7c
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [5356:5548]                                                                               000007fee606d618
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [5356:5572]                                                                               000007fef8fb5124
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [5356:7392]                                                                               000007fee6009730
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [5356:3604]                                                                               000007fee606d618

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9D5CDBFA-467B-4230-B3B5-5D6CA669150C}\Connection@Name  isatap.{D824C5D0-5ADA-47D0-A886-BB862FBC866C}
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind     \Device\{F3138A56-EB27-494D-B14C-FE50171C4168}?\Device\{A8D2B759-8003-41AC-B774-962194C41B31}?\Device\{9D5CDBFA-467B-4230-B3B5-5D6CA669150C}?\Device\{EFD7A075-C626-4AE3-9607-F90AFF8B84C7}?\Device\{20C3A53A-FB97-442B-B2D9-E0E701056AD3}?\Device\{A4550746-5FEB-4852-8CD4-5CF372F54D2F}?
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route    "{F3138A56-EB27-494D-B14C-FE50171C4168}"?"{A8D2B759-8003-41AC-B774-962194C41B31}"?"{9D5CDBFA-467B-4230-B3B5-5D6CA669150C}"?"{EFD7A075-C626-4AE3-9607-F90AFF8B84C7}"?"{20C3A53A-FB97-442B-B2D9-E0E701056AD3}"?"{A4550746-5FEB-4852-8CD4-5CF372F54D2F}"?
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export   \Device\TCPIP6TUNNEL_{F3138A56-EB27-494D-B14C-FE50171C4168}?\Device\TCPIP6TUNNEL_{A8D2B759-8003-41AC-B774-962194C41B31}?\Device\TCPIP6TUNNEL_{9D5CDBFA-467B-4230-B3B5-5D6CA669150C}?\Device\TCPIP6TUNNEL_{EFD7A075-C626-4AE3-9607-F90AFF8B84C7}?\Device\TCPIP6TUNNEL_{20C3A53A-FB97-442B-B2D9-E0E701056AD3}?\Device\TCPIP6TUNNEL_{A4550746-5FEB-4852-8CD4-5CF372F54D2F}?
Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\68a3c4e0ab04                                                                  
Reg     HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{9D5CDBFA-467B-4230-B3B5-5D6CA669150C}@InterfaceName                       isatap.{D824C5D0-5ADA-47D0-A886-BB862FBC866C}
Reg     HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{9D5CDBFA-467B-4230-B3B5-5D6CA669150C}@ReusableType                        0
Reg     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch                                                                             10707
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\68a3c4e0ab04 (not active ControlSet)                                              

---- EOF - GMER 2.1 ----



#4 sea weasel

sea weasel
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:California
  • Local time:07:30 AM

Posted 22 October 2013 - 01:31 AM

I've also had two instances of BSODs since executing GMER.

First:

Problem signature:
  Problem Event Name:    BlueScreen
  OS Version:    6.1.7601.2.1.0.768.3
  Locale ID:    1033

Additional information about the problem:
  BCCode:    3b
  BCP1:    00000000C0000005
  BCP2:    FFFFF80003111BC9
  BCP3:    FFFFF88007A87EE0
  BCP4:    0000000000000000
  OS Version:    6_1_7601
  Service Pack:    1_0
  Product:    768_1

Files that help describe the problem:
  C:\Windows\Minidump\102113-14742-01.dmp
  C:\Users\EV\AppData\Local\Temp\WER-42385-0.sysdata.xml

Second:

Problem signature:
  Problem Event Name:    BlueScreen
  OS Version:    6.1.7601.2.1.0.768.3
  Locale ID:    1033

Additional information about the problem:
  BCCode:    3b
  BCP1:    00000000C0000005
  BCP2:    FFFFF80003119BC9
  BCP3:    FFFFF8800960FEE0
  BCP4:    0000000000000000
  OS Version:    6_1_7601
  Service Pack:    1_0
  Product:    768_1

Files that help describe the problem:
  C:\Windows\Minidump\102113-14898-01.dmp
  C:\Users\EV\AppData\Local\Temp\WER-63274-0.sysdata.xml



#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:03:30 PM

Posted 22 October 2013 - 01:39 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#6 sea weasel

sea weasel
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:California
  • Local time:07:30 AM

Posted 22 October 2013 - 03:18 AM

ComboFix 13-10-21.01 - EV 10/22/2013   1:04.1.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8099.5713 [GMT -7:00]
Running from: c:\users\EV\Saved Games\Downloads\ComboFix.exe
AV: Trend Micro Titanium Maximum Security *Disabled/Updated* {5D349EF8-873B-C657-917F-F1D93E101A7C}
SP: Trend Micro Titanium Maximum Security *Disabled/Updated* {E6557F1C-A101-C9D9-ABCF-CAAB459750C1}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\dwm.exe
c:\windows\SysWow64\hkcmd.exe
c:\windows\SysWow64\igfxpers.exe
c:\windows\SysWow64\igfxtray.exe
c:\windows\SysWow64\lsm.exe
c:\windows\SysWow64\nvvsvc.exe
c:\windows\SysWow64\spoolsv.exe
c:\windows\SysWow64\taskhost.exe
c:\windows\SysWow64\ThpSrv.exe
c:\windows\SysWow64\TODDSrv.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-22 to 2013-10-22  )))))))))))))))))))))))))))))))
.
.
2013-10-22 08:12 . 2013-10-22 08:12    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2013-10-22 08:12 . 2013-10-22 08:12    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-10-20 06:01 . 2013-10-20 06:01    0    ----a-w-    c:\windows\system32\igd10umd32.dll
2013-10-20 04:55 . 2013-10-20 04:55    --------    d-----w-    c:\program files (x86)\WinPcap
2013-10-19 03:54 . 2013-10-19 03:54    0    ----a-w-    c:\windows\SysWow64\winlogon.exe
2013-10-19 03:54 . 2013-10-19 03:54    0    ----a-w-    c:\windows\SysWow64\services.exe
2013-10-19 03:54 . 2013-10-19 03:54    0    ----a-w-    c:\windows\SysWow64\conhost.exe
2013-10-19 03:54 . 2013-10-19 03:54    0    ----a-w-    c:\windows\SysWow64\smss.exe
2013-10-19 03:54 . 2013-10-19 03:54    0    ----a-w-    c:\windows\SysWow64\lsass.exe
2013-10-16 05:54 . 2013-10-16 05:54    --------    d-----w-    c:\users\EV\AppData\Local\AVG SafeGuard toolbar
2013-10-16 05:54 . 2013-10-16 06:00    --------    d-----w-    c:\programdata\AVG SafeGuard toolbar
2013-10-16 05:54 . 2013-10-16 05:54    --------    d-----w-    c:\programdata\Systweak
2013-10-16 05:54 . 2013-10-16 06:00    --------    d-----w-    c:\program files (x86)\Common Files\AVG Secure Search
2013-10-16 05:53 . 2013-10-16 06:00    --------    d-----w-    c:\program files (x86)\AVG SafeGuard toolbar
2013-10-16 05:53 . 2013-10-16 06:00    --------    d-----w-    c:\users\EV\AppData\Local\GreatArcadeHits
2013-10-16 05:53 . 2013-10-16 05:55    --------    d-----w-    c:\users\EV\AppData\Roaming\Systweak
2013-10-16 05:53 . 2013-10-16 06:00    --------    d-----w-    c:\program files (x86)\RegClean Pro
2013-10-16 05:53 . 2013-10-16 05:53    --------    d-----w-    c:\users\EV\AppData\Roaming\DigitalSite
2013-10-16 05:53 . 2013-10-16 05:53    --------    d--h--w-    c:\programdata\Common Files
2013-10-09 05:00 . 2013-07-04 12:50    633856    ----a-w-    c:\windows\system32\comctl32.dll
2013-10-09 04:59 . 2013-09-08 02:30    1903552    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-10-06 03:42 . 2013-10-06 03:43    --------    d-----w-    c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-10-06 03:42 . 2013-10-06 03:43    --------    d-----w-    c:\program files\iTunes
2013-10-06 03:42 . 2013-10-06 03:43    --------    d-----w-    c:\program files (x86)\iTunes
2013-10-06 03:42 . 2013-10-06 03:42    --------    d-----w-    c:\program files\iPod
2013-09-27 23:28 . 2013-10-21 08:00    --------    d-----w-    C:\TMRescueDisk
2013-09-27 23:23 . 2013-06-13 06:35    100640    ----a-w-    c:\windows\system32\drivers\tmeevw.sys
2013-09-27 23:23 . 2013-05-15 10:23    303392    ----a-w-    c:\windows\system32\drivers\tmnciesc.sys
2013-09-27 23:23 . 2011-08-22 15:33    105744    ----a-w-    c:\windows\system32\drivers\tmtdi.sys
2013-09-27 23:23 . 2013-09-04 06:24    116264    ----a-w-    c:\windows\system32\drivers\tmactmon.sys
2013-09-27 23:23 . 2013-09-04 06:22    85424    ----a-w-    c:\windows\system32\drivers\tmevtmgr.sys
2013-09-27 23:23 . 2013-09-04 06:17    282624    ----a-w-    c:\windows\system32\drivers\tmcomm.sys
2013-09-27 23:23 . 2013-07-01 13:08    50976    ----a-w-    c:\windows\system32\drivers\TMEBC64.sys
2013-09-27 23:21 . 2013-09-27 23:21    59    ----a-w-    c:\windows\system32\SupportTool.exe.bat
2013-09-27 23:20 . 2013-09-27 23:21    --------    d-----w-    c:\program files\Trend Micro
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-09 06:37 . 2012-03-29 21:44    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-10-09 06:37 . 2011-09-02 03:16    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-09 06:31 . 2011-08-26 19:05    80541720    ----a-w-    c:\windows\system32\MRT.exe
2013-08-29 01:48 . 2013-10-09 04:59    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2013-08-05 02:25 . 2013-09-12 05:21    155584    ----a-w-    c:\windows\system32\drivers\ataport.sys
2013-08-02 02:14 . 2013-09-12 05:21    215040    ----a-w-    c:\windows\system32\winsrv.dll
2013-08-02 02:13 . 2013-09-12 05:21    424448    ----a-w-    c:\windows\system32\KernelBase.dll
2013-08-02 02:13 . 2013-09-12 05:21    1161216    ----a-w-    c:\windows\system32\kernel32.dll
2013-08-02 02:12 . 2013-09-12 05:21    43520    ----a-w-    c:\windows\system32\csrsrv.dll
2013-08-02 02:12 . 2013-09-12 05:21    6144    ---ha-w-    c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:21    4608    ---ha-w-    c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:21    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:21    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    6656    ----a-w-    c:\windows\system32\apisetschema.dll
2013-08-02 02:12 . 2013-09-12 05:21    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:21    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    4608    ---ha-w-    c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3584    ---ha-w-    c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    4096    ---ha-w-    c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:21    5120    ---ha-w-    c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2013-08-02 02:12 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2013-08-02 01:50 . 2013-09-12 05:21    274944    ----a-w-    c:\windows\SysWow64\KernelBase.dll
2013-08-02 01:48 . 2013-09-12 05:21    5120    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:21    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:21    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    4608    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    4096    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    6656    ----a-w-    c:\windows\SysWow64\apisetschema.dll
2013-08-02 01:48 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
2013-08-02 01:48 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
2013-08-02 01:09 . 2013-09-12 05:21    338432    ----a-w-    c:\windows\system32\conhost.exe
2013-08-02 00:59 . 2013-09-12 05:21    112640    ----a-w-    c:\windows\system32\smss.exe
2013-08-02 00:43 . 2013-09-12 05:20    6144    ---ha-w-    c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43 . 2013-09-12 05:20    4608    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43 . 2013-09-12 05:20    3584    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43 . 2013-09-12 05:20    3072    ---ha-w-    c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2013-07-26 02:24 . 2013-09-12 05:20    14172672    ----a-w-    c:\windows\system32\shell32.dll
2013-07-26 02:24 . 2013-09-12 05:20    197120    ----a-w-    c:\windows\system32\shdocvw.dll
2013-07-25 09:25 . 2013-08-15 02:21    1888768    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2013-07-25 08:57 . 2013-08-15 02:21    1620992    ----a-w-    c:\windows\SysWow64\WMVDECOD.DLL
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\EV\AppData\Local\Akamai\netsession_win.exe" [2013-06-05 4489472]
"Adobe Acrobat Synchronizer"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2013-09-03 1272704]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 2676584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-11-09 532480]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-04 423936]
"KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2010-08-16 34160]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2010-08-17 3218792]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-02-11 1295736]
"EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"Trend Micro RUBotted V2.0 Beta"="c:\program files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe" [2013-07-26 1102872]
.
c:\users\EV\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Officejet Pro 8600 (Network).lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Officejet Pro 8600\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN27HBK1F905KD;CONNECTION=NW;MONITOR=1; [2009-7-13 45568]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2011-3-2 2745760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxebserv.exe;c:\windows\SYSNATIVE\spool\DRIVERS\x64\3\\lxebserv.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]
R3 silabenm;Super Tuner Serial Port Enumerator Driver;c:\windows\system32\DRIVERS\silabenm.sys;c:\windows\SYSNATIVE\DRIVERS\silabenm.sys [x]
R3 silabser;Super Tuner Driver;c:\windows\system32\DRIVERS\silabser.sys;c:\windows\SYSNATIVE\DRIVERS\silabser.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe;c:\windows\SYSNATIVE\lxebcoms.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys;c:\windows\SYSNATIVE\DRIVERS\thpdrv.sys [x]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS;c:\windows\SYSNATIVE\DRIVERS\Thpevm.SYS [x]
S0 TMEBC;TMEBC;c:\windows\system32\DRIVERS\TMEBC64.sys;c:\windows\SYSNATIVE\DRIVERS\TMEBC64.sys [x]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys;c:\windows\SYSNATIVE\DRIVERS\tos_sps64.sys [x]
S1 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys;c:\windows\SYSNATIVE\DRIVERS\tmevtmgr.sys [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]
S2 regi;regi;c:\windows\system32\drivers\regi.sys;c:\windows\SYSNATIVE\drivers\regi.sys [x]
S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files (x86)\Trend Micro\RUBotted\RUBotSrv.exe;c:\program files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [x]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe;c:\program files\TOSHIBA\TECO\TecoService.exe [x]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys;c:\windows\SYSNATIVE\DRIVERS\TVALZFL.sys [x]
S2 UDSS;UDSS;c:\program files (x86)\Common Files\Ulead Systems\UDSS\UDSS.exe;c:\program files (x86)\Common Files\Ulead Systems\UDSS\UDSS.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 BtFilter;Bluetooth LowerFilter Class Filter Driver;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x]
S3 CeKbFilter;CeKbFilter;c:\windows\system32\DRIVERS\CeKbFilter.sys;c:\windows\SYSNATIVE\DRIVERS\CeKbFilter.sys [x]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys;c:\windows\SYSNATIVE\DRIVERS\enecir.sys [x]
S3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\DRIVERS\enecirhid.sys;c:\windows\SYSNATIVE\DRIVERS\enecirhid.sys [x]
S3 enecirhidma;ENE CIR HIDmini Filter;c:\windows\system32\DRIVERS\enecirhidma.sys;c:\windows\SYSNATIVE\DRIVERS\enecirhidma.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
S3 tmeevw;tmeevw;c:\windows\system32\DRIVERS\tmeevw.sys;c:\windows\SYSNATIVE\DRIVERS\tmeevw.sys [x]
S3 tmnciesc;tmnciesc;c:\windows\system32\DRIVERS\tmnciesc.sys;c:\windows\SYSNATIVE\DRIVERS\tmnciesc.sys [x]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai    REG_MULTI_SZ       Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 06:37]
.
2013-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-18 16:00]
.
2013-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-18 16:00]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-08 167256]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-08 391000]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-08 418136]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-03-05 11780712]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-03-01 2189416]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-12-08 710040]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]
"WrtMon.exe"="c:\windows\system32\spool\drivers\x64\3\WrtMon.exe" [2006-09-20 20480]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2013-07-23 221584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://start.toshiba.com/g/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>;127.0.0.1:9421
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\EV\AppData\Roaming\Mozilla\Firefox\Profiles\iqql4pye.default-1371966597990\
FF - prefs.js: browser.startup.homepage - hxxp://www.utsandiego.com/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-TSleepSrv - %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_8fa3539.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-10-22  01:14:18
ComboFix-quarantined-files.txt  2013-10-22 08:14
.
Pre-Run: 44,693,819,392 bytes free
Post-Run: 44,849,598,464 bytes free
.
- - End Of File - - 87A4CBAD9614210DE7C24E5C7D7B8A19

#7 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:03:30 PM

Posted 22 October 2013 - 03:50 AM

Please zip the following files:

c:\windows\SysWow64\winlogon.exe
c:\windows\SysWow64\services.exe
c:\windows\SysWow64\conhost.exe
c:\windows\SysWow64\smss.exe
c:\windows\SysWow64\lsass.exe

and upload the file here:

http://www.bleepingcomputer.com/submit-malware.php?channel=156


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)
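An added check that is not part of TB-Psychotic's instructions: before zipping the five binaries, a defender can record each file's size, version and SHA-256 (the values a helper compares against known-good copies) and ask Windows to verify each one against its protected component store with sfc /verifyfile. The paths and the use of .NET hashing instead of Get-FileHash (so it also runs on the PowerShell 2.0 that shipped with Windows 7) are my assumptions.

```powershell
# Added example, not from the thread: record what is being uploaded and let
# Windows verify each requested binary against its component store.
# Run from an elevated PowerShell prompt; sfc.exe needs administrator rights.
# Get-AuthenticodeSignature is deliberately not used here: many Windows system
# binaries are catalog-signed, and older PowerShell reports those as NotSigned,
# which would be misleading for exactly these files.
$files = @(
    'C:\Windows\SysWOW64\winlogon.exe',
    'C:\Windows\SysWOW64\services.exe',
    'C:\Windows\SysWOW64\conhost.exe',
    'C:\Windows\SysWOW64\smss.exe',
    'C:\Windows\SysWOW64\lsass.exe'
)

$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($f in $files) {
    if (-not (Test-Path -Path $f)) {
        Write-Output "$f : MISSING"
        continue
    }
    $item = Get-Item -Path $f
    $hash = [BitConverter]::ToString($sha256.ComputeHash([IO.File]::ReadAllBytes($f))) -replace '-', ''
    # Size, version and hash are what gets compared against a clean copy of the same build.
    Write-Output ('{0}  size={1}  version={2}  sha256={3}' -f $f, $item.Length, $item.VersionInfo.FileVersion, $hash)
    # Ask Windows Resource Protection whether the file matches its protected copy.
    & sfc.exe /verifyfile=$f
}
```

Keep the printed lines together with the zip so the helper sees the hashes alongside the files; sfc reports either no integrity violations or that the file was found to be altered.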

#8 sea weasel

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male
  • Location:California
  • Local time:07:30 AM

Posted 22 October 2013 - 06:37 PM

Files zipped and posted.  Any idea yet what virus/malware I naively infected my machine with?  Again, thank you for all the help you've provided; it's much appreciated!



#9 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:03:30 PM

Posted 23 October 2013 - 12:34 AM

Hard to tell exactly, because many kinds of malware act the same way.

ComboFix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where ComboFix is.

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware

  • If it is not already installed, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Attached Files



#10 sea weasel

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male
  • Location:California
  • Local time:07:30 AM

Posted 23 October 2013 - 01:05 AM

ComboFix log attached.  Working on the Malwarebytes scan now.

Attached Files



#11 sea weasel

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male
  • Location:California
  • Local time:07:30 AM

Posted 23 October 2013 - 10:09 AM

Malwarebytes' Anti-Malware log attached.

Attached Files



#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:03:30 PM

Posted 26 October 2013 - 06:34 AM

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#13 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:03:30 PM

Posted 30 October 2013 - 03:32 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



