
W32.Xpiro.D detected by Norton


  • This topic is locked
2 replies to this topic

#1 felix83

felix83

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:57 AM

Posted 18 November 2013 - 03:43 PM

Hi everyone,

 

I hope I'm posting correctly here. A couple of days ago I was on a spammy looking website and Norton immediately started complaining of infections, with repeated instances of W32.XPiro.D being removed. I looked around online and it looks like the culprit is wsr30zt32.dll, which I've tried repeatedly to manually delete but it just keeps reappearing. I've run minitoolbox, tdss, adwcleaner and MBAM and I can provide logs for those if necessary. My DDS logs are below.

 

Please be gentle, I don't know what I'm doing.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16720  BrowserJavaVersion: 10.45.2
Run by Adam at 15:29:18 on 2013-11-18
Microsoft Windows 7 Professional   6.1.7601.1.1252.2.1033.18.3992.1968 [GMT -5:00]
.
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ADMonitor.exe
C:\Windows\system32\DTS.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\AtService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\N360.exe
C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\ProgramData\TVersity\Media Server\MediaServer.exe
C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\N360.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Users\Adam\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files (x86)\AirVideoServer\AirVideoServer.exe
C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe
C:\Program Files\Digiarty\Air_Playit\airplayit.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Digital Line Detect\DLG.exe
C:\Program Files (x86)\RotateImage\RCIMGDIR.exe
C:\Users\Adam\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\Digiarty\Air_Playit\AirPS.exe
C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe
C:\Windows\system32\rundll32.exe
C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\Program Files (x86)\Lenovo\System Update\SUService.exe
C:\Program Files (x86)\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.ca/
uDefault_Page_URL = hxxp://lenovo.msn.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\IPS\ipsbho.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: IePasswordManagerHelper Class: {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files (x86)\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\coieplg.dll
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [googletalk] C:\Users\Adam\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
uRun: [cdloader] "C:\Users\Adam\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
uRun: [WorkForce 630(Network)] C:\Windows\System32\spool\DRIVERS\x64\3\E_IATIGBA.EXE /FU "C:\Users\Adam\AppData\Local\Temp\E_S8815.tmp" /EF "HKCU"
uRun: [AirVideoServer] C:\Program Files (x86)\AirVideoServer\AirVideoServer.exe
uRun: [Digiarty_Software_AirPlayit] "C:\Program Files\Digiarty\Air_Playit\airplayit.exe" -min
uRun: [Google Update] "C:\Users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [EPSON WorkForce 630 Series] C:\Windows\System32\spool\DRIVERS\x64\3\E_IATIGBA.EXE /FU "C:\Windows\TEMP\E_SF1B7.tmp" /EF "HKCU"
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
mRun: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
mRun: [Message Center Plus] C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe /start
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [iTunesHelper] "C:\Program Files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: C:\Users\Adam\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Adam\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Adam\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\Users\Adam\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DIGITA~1.LNK - C:\Program Files (x86)\Digital Line Detect\DLG.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RCIMGD~1.LNK - C:\Program Files (x86)\RotateImage\RCIMGDIR.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: DisableCAD = dword:1
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Users\Adam\Desktop\PartyPoker.lnk
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files (x86)\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{18C181D2-5962-4AC1-B039-A238BF340B3C} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{18C181D2-5962-4AC1-B039-A238BF340B3C}\35562767963656 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{18C181D2-5962-4AC1-B039-A238BF340B3C}\742716E646242796768647 : DHCPNameServer = 64.71.255.198 208.67.220.220 192.168.1.1
TCP: Interfaces\{18C181D2-5962-4AC1-B039-A238BF340B3C}\B65726F64716 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{18C181D2-5962-4AC1-B039-A238BF340B3C}\B6C6577686F6D656 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{24C9E21E-6136-4CA2-8FA6-266EE701E4B0} : DHCPNameServer = 64.71.255.198 64.71.255.253
TCP: Interfaces\{CD5331D9-4A46-42D4-B7BA-F5FBDE71D525} : DHCPNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
LSA: Notification Packages =  scecli ACGina
x64-BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine64\21.1.0.18\CoIEPlg.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine64\21.1.0.18\CoIEPlg.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
x64-Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe
x64-Run: [TpShocks] TpShocks.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [FingerPrintSoftware] "C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s
x64-Run: [AcWin7Hlpr] C:\Program Files (x86)\Lenovo\Access Connections\AcTBenabler.exe
x64-Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
x64-Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
x64-Run: [IaNvSrv] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: ATFUS - <no file>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\zd3ibb4c.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: C:\Program Files (x86)\Lenovo\Client Security Solution\PWM Firefox Extension\components\tvtpwm_moz_xpcom.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\zd3ibb4c.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\zd3ibb4c.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\itunes\Mozilla Plugins\npitunes.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: C:\Users\Adam\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: C:\Users\Adam\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iaNvStor;Intel® Turbo Memory Controller;C:\Windows\System32\drivers\iaNvStor.sys [2009-12-10 344600]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\1501000.012\SymDS64.sys [2013-11-16 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\1501000.012\SymEFA64.sys [2013-11-16 1147480]
R0 TPDIGIMN;TPDIGIMN;C:\Windows\System32\drivers\ApsHM64.sys [2009-6-29 23592]
R1 BHDrvx64;BHDrvx64;C:\Program Files (x86)\Norton 360\NortonData\21.1.0.18\Definitions\BASHDefs\20131101.003\BHDrvx64.sys [2013-11-1 1524824]
R1 ccSet_N360;N360 Settings Manager;C:\Windows\System32\drivers\N360x64\1501000.012\ccSetx64.sys [2013-11-16 162392]
R1 HssDRV6;Hotspot Shield Routing Driver 6;C:\Windows\System32\drivers\hssdrv6.sys [2013-9-25 46792]
R1 IDSVia64;IDSVia64;C:\Program Files (x86)\Norton 360\NortonData\21.1.0.18\Definitions\IPSDefs\20131115.001\IDSviA64.sys [2013-11-15 521816]
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\System32\drivers\smiifx64.sys [2009-7-16 15400]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\1501000.012\Ironx64.sys [2013-11-16 264280]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\1501000.012\symnets.sys [2013-11-16 590936]
R2 ADMonitor;AD Monitor;C:\Windows\System32\ADMonitor.exe [2009-9-1 683008]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-12-10 755712]
R2 ATService;AuthenTec Fingerprint Service;C:\Windows\System32\AtService.exe [2009-9-1 3045888]
R2 dtsvc;Data Transfer Service;C:\Windows\System32\DTS.exe [2009-9-1 670720]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2011-11-23 719360]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2011-11-23 681472]
R2 HsfXAudioService;HsfXAudioService;C:\Windows\System32\svchost.exe -k HsfXAudioService [2009-7-13 27136]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\21.1.0.18\N360.exe [2013-11-16 264360]
R2 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe [2009-12-10 69632]
R2 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2009-10-5 62464]
R3 5U875UVC;Integrated Camera;C:\Windows\System32\drivers\5U875.sys [2009-12-10 92672]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;C:\Windows\System32\drivers\ATSwpWDF.sys [2009-9-1 551936]
R3 CAXHWAZL;CAXHWAZL;C:\Windows\System32\drivers\CAXHWAZL.sys [2009-12-10 292864]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\System32\drivers\e1y60x64.sys [2009-6-10 281088]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-11-18 140376]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-12-10 56344]
R3 intelkmd;intelkmd;C:\Windows\System32\drivers\igdpmd64.sys [2009-12-10 7369728]
R3 LenovoRd;LenovoRd;C:\Windows\System32\drivers\LenovoRd.sys [2009-12-10 118016]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2009-9-15 6952960]
R3 taphss6;Anchorfree HSS VPN Adapter;C:\Windows\System32\drivers\taphss6.sys [2013-9-17 42184]
R3 TVTI2C;Lenovo SM bus driver;C:\Windows\System32\drivers\tvti2c.sys [2009-7-2 41536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 124416]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 685568]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2009-10-5 45568]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-6-21 162408]
S2 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-3-4 1801728]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2009-12-10 35104]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\System32\drivers\netaapl64.sys [2011-5-10 22528]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 PCDSRVC{184E4FA0-DE8C26D4-06000000}_0;PCDSRVC{184E4FA0-DE8C26D4-06000000}_0 - PCDR Kernel Mode Service Helper Driver;C:\progra~1\pc-doc~1\pcdsrvc_x64.pkms [2009-8-18 23536]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-4-30 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
.
=============== Created Last 30 ================
.
2013-11-18 20:19:43    --------    d-----w-    C:\Users\Adam\AppData\Local\CrashDumps
2013-11-18 20:11:21    --------    d-----w-    C:\AdwCleaner
2013-11-18 20:05:37    --------    d-----w-    C:\ProgramData\Oracle
2013-11-18 20:04:54    96168    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-11-18 19:55:28    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-11-18 19:37:14    --------    d-----w-    C:\Users\Adam\Tracing
2013-11-18 19:37:00    --------    d--h--w-    C:\jexepackres
2013-11-18 19:36:24    3450    ----a-w-    C:\Users\Adam\AppData\Local\wsr30zt32.dll
2013-11-18 19:14:07    --------    d-----w-    C:\ProgramData\Malwarebytes
2013-11-18 19:14:02    116440    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2013-11-18 18:24:18    91352    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2013-11-18 15:25:56    --------    d-----w-    C:\ProgramData\SMR410
2013-11-18 15:20:53    --------    d-----w-    C:\Users\Adam\AppData\Local\NPE
2013-11-16 08:46:42    858200    ----a-r-    C:\Windows\System32\drivers\N360x64\1501000.012\srtsp64.sys
2013-11-16 08:46:42    590936    ----a-r-    C:\Windows\System32\drivers\N360x64\1501000.012\symnets.sys
2013-11-16 08:46:42    493656    ----a-r-    C:\Windows\System32\drivers\N360x64\1501000.012\SymDS64.sys
2013-11-16 08:46:42    36952    ----a-r-    C:\Windows\System32\drivers\N360x64\1501000.012\srtspx64.sys
2013-11-16 08:46:42    264280    ----a-r-    C:\Windows\System32\drivers\N360x64\1501000.012\Ironx64.sys
2013-11-16 08:46:42    23568    ----a-r-    C:\Windows\System32\drivers\N360x64\1501000.012\SymELAM.sys
2013-11-16 08:46:42    162392    ----a-r-    C:\Windows\System32\drivers\N360x64\1501000.012\ccSetx64.sys
2013-11-16 08:46:42    1147480    ----a-r-    C:\Windows\System32\drivers\N360x64\1501000.012\SymEFA64.sys
2013-11-16 08:46:35    --------    d-----w-    C:\Windows\System32\drivers\N360x64\1501000.012
.
==================== Find3M  ====================
.
2013-11-18 18:04:19    13824    ----a-w-    C:\Windows\SysWow64\subst.exe
2013-11-18 17:18:38    598528    ----a-w-    C:\Windows\System32\rundll32.exe
2013-11-18 16:17:00    593408    ----a-w-    C:\Windows\System32\ibmpmsvc.exe
2013-11-18 16:16:59    755712    ----a-w-    C:\Windows\System32\atiesrxx.exe
2013-11-18 16:16:59    670720    ----a-w-    C:\Windows\System32\DTS.exe
2013-11-18 16:16:59    3045888    ----a-w-    C:\Windows\System32\AtService.exe
2013-11-18 15:26:33    19968    ----a-w-    C:\Windows\SysWow64\sort.exe
2013-11-18 15:26:30    314368    ----a-w-    C:\Windows\SysWow64\SndVol.exe
2013-11-18 15:24:50    44032    ----a-w-    C:\Windows\SysWow64\regini.exe
2013-11-18 15:24:48    9216    ----a-w-    C:\Windows\SysWow64\regedt32.exe
2013-11-18 15:24:46    62464    ----a-w-    C:\Windows\SysWow64\reg.exe
2013-11-18 15:24:42    11776    ----a-w-    C:\Windows\SysWow64\recover.exe
2013-11-18 15:24:36    22016    ----a-w-    C:\Windows\SysWow64\ReAgentc.exe
2013-11-18 15:24:31    36352    ----a-w-    C:\Windows\SysWow64\rdrleakdiag.exe
2013-11-18 15:24:27    50176    ----a-w-    C:\Windows\SysWow64\rasphone.exe
2013-11-18 15:24:20    101888    ----a-w-    C:\Windows\SysWow64\raserver.exe
2013-11-18 15:24:10    73216    ----a-w-    C:\Windows\SysWow64\rasdial.exe
2013-11-18 15:24:04    16896    ----a-w-    C:\Windows\SysWow64\rasautou.exe
2013-11-18 15:22:53    97280    ----a-w-    C:\Windows\SysWow64\OptionalFeatures.exe
2013-11-18 15:22:52    62464    ----a-w-    C:\Windows\SysWow64\openfiles.exe
2013-11-18 15:22:34    32768    ----a-w-    C:\Windows\SysWow64\odbcconf.exe
2013-11-18 15:22:32    86016    ----a-w-    C:\Windows\SysWow64\odbcad32.exe
2013-11-18 15:22:31    197632    ----a-w-    C:\Windows\SysWow64\ocsetup.exe
2013-11-18 15:22:29    61952    ----a-w-    C:\Windows\SysWow64\ntprint.exe
2013-11-18 15:22:27    98304    ----a-w-    C:\Windows\SysWow64\nslookup.exe
2013-11-18 15:22:23    179712    ----a-w-    C:\Windows\SysWow64\notepad.exe
2013-11-18 15:22:10    76800    ----a-w-    C:\Windows\SysWow64\newdev.exe
2013-11-18 15:22:08    27136    ----a-w-    C:\Windows\SysWow64\NETSTAT.EXE
2013-11-18 15:22:07    96256    ----a-w-    C:\Windows\SysWow64\netsh.exe
2013-11-18 15:22:05    26112    ----a-w-    C:\Windows\SysWow64\Netplwiz.exe
2013-11-18 15:21:59    25600    ----a-w-    C:\Windows\SysWow64\netiougc.exe
2013-11-18 15:21:56    24064    ----a-w-    C:\Windows\SysWow64\netbtugc.exe
2013-11-18 15:21:55    142336    ----a-w-    C:\Windows\SysWow64\net1.exe
2013-11-18 15:21:54    46080    ----a-w-    C:\Windows\SysWow64\net.exe
2013-11-18 15:21:53    75264    ----a-w-    C:\Windows\SysWow64\ndadmin.exe
2013-11-18 15:21:51    279552    ----a-w-    C:\Windows\SysWow64\NAPSTAT.EXE
2013-11-18 15:21:49    221184    ----a-w-    C:\Windows\SysWow64\Mystify.scr
2013-11-18 15:21:39    70656    ----a-w-    C:\Windows\SysWow64\MuiUnattend.exe
2013-11-18 15:21:14    125440    ----a-w-    C:\Windows\SysWow64\mtstocom.exe
2013-11-18 15:21:06    1049600    ----a-w-    C:\Windows\SysWow64\mstsc.exe
2013-11-18 15:20:51    108032    ----a-w-    C:\Windows\SysWow64\msra.exe
2013-11-18 15:20:47    303104    ----a-w-    C:\Windows\SysWow64\msinfo32.exe
2013-11-18 15:20:43    12800    ----a-w-    C:\Windows\SysWow64\mshta.exe
2013-11-18 15:20:13    983040    ----a-w-    C:\Windows\SysWow64\msdt.exe
2013-11-18 15:20:11    11264    ----a-w-    C:\Windows\SysWow64\MRINFO.EXE
2013-11-18 15:20:10    13312    ----a-w-    C:\Windows\SysWow64\mountvol.exe
2013-11-18 15:20:09    101376    ----a-w-    C:\Windows\SysWow64\mobsync.exe
2013-11-18 15:20:08    1401344    ----a-w-    C:\Windows\SysWow64\mmc.exe
2013-11-18 15:09:45    84480    ----a-w-    C:\Windows\SysWow64\MigAutoPlay.exe
2013-11-18 15:09:14    23040    ----a-w-    C:\Windows\SysWow64\mfpmp.exe
2013-11-18 15:09:12    220672    ----a-w-    C:\Windows\SysWow64\mcbuilder.exe
2013-11-18 15:09:04    98816    ----a-w-    C:\Windows\SysWow64\makecab.exe
2013-11-18 15:09:03    629760    ----a-w-    C:\Windows\SysWow64\Magnify.exe
2013-11-18 15:07:50    82944    ----a-w-    C:\Windows\SysWow64\logman.exe
2013-11-18 15:07:29    95232    ----a-w-    C:\Windows\SysWow64\logagent.exe
2013-11-18 15:07:27    42496    ----a-w-    C:\Windows\SysWow64\lodctr.exe
2013-11-18 15:07:25    89600    ----a-w-    C:\Windows\SysWow64\LocationNotifications.exe
2013-11-18 15:06:55    14336    ----a-w-    C:\Windows\SysWow64\label.exe
2013-11-18 15:06:53    14848    ----a-w-    C:\Windows\SysWow64\ktmutil.exe
2013-11-18 15:06:52    49152    ----a-w-    C:\Windows\SysWow64\jureg.exe
2013-11-18 15:06:26    86528    ----a-w-    C:\Windows\SysWow64\isoburn.exe
2013-11-18 15:06:24    120320    ----a-w-    C:\Windows\SysWow64\iscsicpl.exe
2013-11-18 15:06:23    144896    ----a-w-    C:\Windows\SysWow64\iscsicli.exe
2013-11-18 15:06:22    27136    ----a-w-    C:\Windows\SysWow64\ipconfig.exe
2013-11-18 15:06:20    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2013-11-18 15:00:46    9216    ----a-w-    C:\Windows\SysWow64\InfDefaultInstall.exe
2013-11-18 14:58:44    150528    ----a-w-    C:\Windows\SysWow64\iexpress.exe
2013-11-18 14:58:32    137216    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2013-11-18 14:58:28    14336    ----a-w-    C:\Windows\SysWow64\icsunattend.exe
2013-11-18 14:58:25    612864    ----a-w-    C:\Windows\SysWow64\icardagt.exe
2013-11-18 14:58:17    27136    ----a-w-    C:\Windows\SysWow64\icacls.exe
2013-11-18 14:57:20    8704    ----a-w-    C:\Windows\SysWow64\HOSTNAME.EXE
2013-11-18 14:57:18    15360    ----a-w-    C:\Windows\SysWow64\hh.exe
2013-11-18 14:57:17    8704    ----a-w-    C:\Windows\SysWow64\help.exe
2013-11-18 14:57:15    974848    ----a-w-    C:\Windows\SysWow64\heciudlg.exe
2013-11-18 14:57:03    64512    ----a-w-    C:\Windows\SysWow64\hdwwiz.exe
2013-11-18 14:57:00    16384    ----a-w-    C:\Windows\SysWow64\grpconv.exe
2013-11-18 14:55:59    79872    ----a-w-    C:\Windows\SysWow64\eventvwr.exe
2013-11-18 14:55:57    35328    ----a-w-    C:\Windows\SysWow64\eventcreate.exe
2013-11-18 14:55:55    288256    ----a-w-    C:\Windows\SysWow64\eudcedit.exe
2013-11-18 14:55:54    123392    ----a-w-    C:\Windows\SysWow64\esentutl.exe
2013-11-18 14:45:24    130560    ----a-w-    C:\Windows\SysWow64\EhStorAuthn.exe
2013-11-18 14:45:22    264704    ----a-w-    C:\Windows\SysWow64\dxdiag.exe
2013-11-18 14:45:22    12288    ----a-w-    C:\Windows\SysWow64\efsui.exe
2013-11-18 14:45:20    130048    ----a-w-    C:\Windows\SysWow64\DWWIN.EXE
2013-11-18 14:45:11    21504    ----a-w-    C:\Windows\SysWow64\dvdupgrd.exe
2013-11-18 14:45:06    9728    ----a-w-    C:\Windows\SysWow64\dvdplay.exe
2013-11-18 14:44:17    66048    ----a-w-    C:\Windows\SysWow64\driverquery.exe
2013-11-18 14:44:15    33280    ----a-w-    C:\Windows\SysWow64\dpnsvr.exe
2013-11-18 14:44:14    29184    ----a-w-    C:\Windows\SysWow64\dplaysvr.exe
2013-11-18 14:44:13    76800    ----a-w-    C:\Windows\SysWow64\DpiScaling.exe
2013-11-18 14:44:11    72192    ----a-w-    C:\Windows\SysWow64\dpapimig.exe
2013-11-18 14:44:08    15872    ----a-w-    C:\Windows\SysWow64\doskey.exe
2013-11-18 14:44:06    28672    ----a-w-    C:\Windows\SysWow64\dnscacheugc.exe
2013-11-18 14:44:05    77824    ----a-w-    C:\Windows\SysWow64\dns-sd.exe
2013-11-18 14:44:04    7168    ----a-w-    C:\Windows\SysWow64\dllhst3g.exe
2013-11-18 14:43:56    522752    ----a-w-    C:\Windows\SysWow64\DisplaySwitch.exe
2013-11-18 14:43:41    202752    ----a-w-    C:\Windows\SysWow64\Dism.exe
2013-11-18 14:43:24    276480    ----a-w-    C:\Windows\SysWow64\diskraid.exe
2013-11-18 14:43:22    17408    ----a-w-    C:\Windows\SysWow64\diskperf.exe
.
============= FINISH: 15:38:43.58 ===============
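A log like the one above is long, and the entries that matter for a file infector are easy to miss by eye: a loose DLL under AppData\Local that was created the same afternoon, a run of unrelated executables directly in System32/SysWOW64 all carrying the same modification day, and the mPolicies-System lines showing UAC switched off. The script below is an added example written for this thread; it is not part of DDS, Norton, or the original post. It parses a constructed excerpt in the DDS "Find3M" / "Created Last 30" / "Pseudo HJT" line format (several lines are copied from the report above, one Norton driver line is included as a benign contrast) and flags those three patterns. The thresholds, the directory list and the function names are my own assumptions, and a cluster hit is a triage prompt for a malware responder, not a verdict.

```python
"""DDS log triage helper (added example, not DDS or Norton code).

Flags three things in a DDS-style report:
  * executables sitting directly in System32 / SysWOW64 whose modification
    time clusters on one day (many unrelated binaries touched at once is a
    file-infector pattern; driver subdirectories are skipped because AV
    definition updates legitimately drop many .sys files together),
  * loose DLLs under a user's AppData\\Local,
  * mPolicies-System values that turn UAC prompting off.
"""
import re
from collections import defaultdict

# Constructed sample in the format of the DDS report in this thread. The
# file and policy lines are copied from that log; the directory line and the
# Norton driver line are included so the benign cases are exercised too.
SAMPLE_LOG = """\
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
2013-11-18 19:36:24    3450    ----a-w-    C:\\Users\\Adam\\AppData\\Local\\wsr30zt32.dll
2013-11-18 18:04:19    13824    ----a-w-    C:\\Windows\\SysWow64\\subst.exe
2013-11-18 17:18:38    598528    ----a-w-    C:\\Windows\\System32\\rundll32.exe
2013-11-18 15:22:27    98304    ----a-w-    C:\\Windows\\SysWow64\\nslookup.exe
2013-11-18 15:22:07    96256    ----a-w-    C:\\Windows\\SysWow64\\netsh.exe
2013-11-18 20:11:21    --------    d-----w-    C:\\AdwCleaner
2013-11-16 08:46:42    493656    ----a-r-    C:\\Windows\\System32\\drivers\\N360x64\\1501000.012\\SymDS64.sys
"""

# "YYYY-MM-DD HH:MM:SS    <size or -------->    <attrs>    <path>"
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)
# "mPolicies-System: <Name> = dword:<hex>"
POLICY_LINE = re.compile(
    r"^mPolicies-System:\s+(?P<name>\w+)\s+=\s+dword:(?P<val>[0-9a-fA-F]+)"
)

# Assumed directory list: only files directly inside these, no subfolders.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PE_SUFFIXES = (".exe", ".dll", ".scr")
# Assumed policy/value pairs that disable or neuter UAC (hex as DDS prints).
UAC_WEAK = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0",
            "PromptOnSecureDesktop": "0"}


def parse_dds(text):
    """Split a DDS excerpt into file entries (list of dicts) and policies (dict)."""
    files, policies = [], {}
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            files.append(m.groupdict())
            continue
        m = POLICY_LINE.match(line)
        if m:
            policies[m.group("name")] = m.group("val")
    return files, policies


def system_exe_clusters(files, min_count=3):
    """{date: [paths]} for days on which >= min_count PE files directly in a
    system directory were modified."""
    by_day = defaultdict(list)
    for f in files:
        p = f["path"].lower()
        in_root = any(p.startswith(d) and "\\" not in p[len(d):] for d in SYSTEM_DIRS)
        if in_root and p.endswith(PE_SUFFIXES):
            by_day[f["date"]].append(f["path"])
    return {d: paths for d, paths in by_day.items() if len(paths) >= min_count}


def loose_appdata_dlls(files):
    """DLLs dropped straight into a user's AppData\\Local."""
    return [f["path"] for f in files
            if "\\appdata\\local\\" in f["path"].lower()
            and f["path"].lower().endswith(".dll")]


def weakened_uac(policies):
    """Sorted names of UAC policies set to their weakened value."""
    return sorted(k for k, v in UAC_WEAK.items() if policies.get(k) == v)


def triage(text):
    """One summary dict per log excerpt."""
    files, policies = parse_dds(text)
    return {
        "clustered_days": {d: len(p) for d, p in system_exe_clusters(files).items()},
        "appdata_dlls": loose_appdata_dlls(files),
        "weak_uac": weakened_uac(policies),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the embedded sample, or call `triage(open(path).read())` on a saved DDS report. The Norton driver line and the AdwCleaner directory are deliberately not flagged: drivers live in a subfolder, and a directory entry has no PE suffix.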
 

#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,940 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:57 AM

Posted 23 November 2013 - 11:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
==============

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Tutorial
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM.
Let me know what problem persists.

#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,940 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:57 AM

Posted 28 November 2013 - 09:31 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



