Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit - Multiple audio steams playing on laptop


  • This topic is locked This topic is locked
9 replies to this topic

#1 Allenflo

Allenflo

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 22 April 2014 - 10:38 PM

Hi

 

I have a laptop that appears to have a rootkit virus.   The laptop is simultaneously playing two audio streams that sound like radio feeds.   It appears to be running under svrhost    The process uses about 10% processor and when I close that svchos process in task manager, the audio stops for a few minutes but then starts up again.

 

The OS is Windows 7 SP1 32 bit.

 

Thank You

 

Allen

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17041  BrowserJavaVersion: 10.51.2
Run by skakaty at 23:45:21 on 2014-04-22
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2985.1763 [GMT -4:00]
.
AV: GFI Software VIPRE *Enabled/Updated* {FFE93D16-FD09-0282-C7D3-8B1731B6A051}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: GFI Software VIPRE *Enabled/Updated* {4488DCF2-DB33-0D0C-FD63-B0654A31EAEC}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc7.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe
C:\Program Files\HP\HPBDSService\HPBDSService.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Intel\Services\IPT\jhi_service.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DRIVERS\o2flash.exe
c:\Windows\system32\srvany.exe
c:\Windows\system32\SDIOAssist.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\rserver30\RServer3.exe
C:\Program Files\GFI Software\GFIAgent\SBPIMSvc.exe
C:\Program Files\Malwarebytes' Managed Client\SCComm.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\SPBA\upeksvr.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\GFI Software\GFIAgent\SBAMTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\ProgramData\bomgar-scc-0x53373e76\bomgar-scc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\GFI Software\GFIAgent\SBAMSvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\ProgramData\bomgar-scc-0x53373e76\bomgar-scc.exe
C:\ProgramData\bomgar-scc-0x53373e76\bomgar-scc.exe
C:\Windows\system32\rserver30\FamItrfc.Exe
C:\Windows\system32\rserver30\FamItrfc.Exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 10.0\acrobat\AdobeCollabSync.exe"
uRun: [Bomgar Jump Client Reconnect 53373E76] "c:\programdata\bomgar-scc-0x53373e76\bomgar-scc.exe" -pinned
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [FreeFallProtection] c:\program files\stmicroelectronics\accelerometerp11\FF_Protection.exe
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [IntelPROSet] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [TdmNotify] c:\program files\dell\dell data protection\access\advanced\wave\trusted drive manager\TdmNotify.exe
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SBAMTray] "c:\program files\gfi software\gfiagent\SBAMTray.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SBRegRebootCleaner] "c:\program files\gfi software\gfiagent\SBRC.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellsy~1.lnk - c:\program files\dell\dell system manager\DCPSysMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{1ce60928-8325-49a8-8b06-633e48dd2b67}\Icon3E5562ED7.ico
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: SoftwareSASGeneration = dword:3
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T28L10NSP7-15458/webex/ieatgpc1.cab
TCP: NameServer = 192.168.160.35 192.168.160.36
TCP: Interfaces\{51F1AD14-0B42-432E-9D11-C6437E026027} : DHCPNameServer = 192.168.160.35 192.168.160.36
TCP: Interfaces\{71FFD77A-70A4-4DC5-A91C-C3208E66CEE1} : DHCPNameServer = 192.168.160.35 192.168.160.36
TCP: Interfaces\{71FFD77A-70A4-4DC5-A91C-C3208E66CEE1}\16C6F66647 : DHCPNameServer = 4.2.2.1
TCP: Interfaces\{71FFD77A-70A4-4DC5-A91C-C3208E66CEE1}\3424255423743445 : DHCPNameServer = 192.168.140.5
TCP: Interfaces\{71FFD77A-70A4-4DC5-A91C-C3208E66CEE1}\76F676F696E666C696768647 : DHCPNameServer = 172.19.134.2
TCP: Interfaces\{71FFD77A-70A4-4DC5-A91C-C3208E66CEE1}\B616B6164797 : DHCPNameServer = 167.206.245.135 167.206.245.136
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
Notify: spba - c:\program files\common files\spba\homefus2.dll
AppInit_DLLs= c:\windows\system32\nvinit.dll
SSODL: WebCheck - <orphaned>
LSA: Authentication Packages =  msv1_0 wvauth
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\skakaty\appdata\roaming\mozilla\firefox\profiles\xcc3aing.default\
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\skakaty\appdata\local\citrix\plugins\104\npappdetector.dll
.
============= SERVICES / DRIVERS ===============
.
R0 nvpciflt;nvpciflt;c:\windows\system32\drivers\nvpciflt.sys [2011-10-25 20328]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [2011-10-25 17904]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2012-12-19 48920]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2011-10-25 81920]
R2 bomgar-scc-535736B8;Bomgar Support Customer Client [535736B8];c:\programdata\bomgar-scc-0x53373e76\bomgar-scc.exe [2014-3-29 1252256]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2011-5-11 826272]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2011-5-11 31648]
R2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\dell\dell system manager\DCPSysMgrSvc.exe [2011-1-20 388464]
R2 HP DS Service;HP DS Service;c:\program files\hp\hpbdsservice\HPBDSService.exe [2011-10-17 13824]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2011-10-25 110752]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\intel\services\ipt\jhi_service.exe [2011-2-24 212944]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2014-3-29 418376]
R2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [2011-10-25 8192]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2012-12-19 1154752]
R2 SBAMSvc;VIPRE Business;c:\program files\gfi software\gfiagent\SBAMSvc.exe [2013-5-30 3681016]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2013-1-15 68904]
R2 SBPIMSvc;SB Recovery Service;c:\program files\gfi software\gfiagent\SBPIMSvc.exe [2013-5-30 176536]
R2 SCCommService;MEEClientService;c:\program files\malwarebytes' managed client\SCComm.exe [2013-12-11 142848]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-6-5 378472]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-10-25 2656536]
R2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\dell\dell data protection\access\advanced\wave\authentication manager\WaveAMService.exe [2011-7-1 1131520]
R2 ZcfgSvc7;Intel® PROSet/Wireless ZeroConfig Service;c:\program files\intel\wifi\bin\ZCfgSvc7.exe [2010-12-23 577536]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\accelern.sys [2011-10-25 44144]
R3 BTWAMPFL;BTWAMPFL;c:\windows\system32\drivers\btwampfl.sys [2011-10-25 302120]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-10-25 33832]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2011-10-25 144576]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2011-5-10 33896]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-3-29 22856]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-10-25 41088]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2012-12-18 3328]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2011-10-25 7434240]
R3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\o2mdfw7.sys [2011-10-25 60904]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjw7.sys [2011-10-25 63976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2012-5-2 164864]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2014-3-29 701512]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxWatch12OEM.exe [2010-11-25 219632]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2011-10-25 134144]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-6-11 43368]
S3 gfiutil;gfiutil;c:\windows\system32\drivers\gfiutil.sys [2013-6-11 24040]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-4-9 108032]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2011-10-25 132480]
S3 netvsc;netvsc;c:\windows\system32\drivers\netvsc60.sys [2010-11-20 126464]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7.sys [2011-10-25 62440]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-5-13 14848]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 sbwtis;sbwtis;c:\windows\system32\drivers\sbwtis.sys [2013-1-15 76064]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SynthVid;SynthVid;c:\windows\system32\drivers\VMBusVideoM.sys [2010-11-20 19456]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-5-13 49664]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2013-5-13 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-11-5 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2014-04-23 03:43:40 9216 ----a-w- c:\programdata\Z@!-7a14f1a9-8ef3-470c-aafd-e8e3b029724c.tmp
2014-04-23 03:42:57 9216 ----a-w- c:\users\skakaty\appdata\local\Z@!-bbe63c45-f698-4d53-8372-f12dc4d4bb4a.tmp
2014-04-22 05:11:47 -------- d-----w- C:\Software
2014-04-18 13:17:48 24064 ----a-w- c:\users\skakaty\appdata\roaming\lnrif.dll
2014-04-18 13:17:47 149504 ----a-w- c:\users\skakaty\appdata\roaming\zvnqwdo.dll
2014-04-11 19:35:53 -------- d-sh--w- c:\users\skakaty\appdata\local\EmieUserList
2014-04-11 19:35:53 -------- d-sh--w- c:\users\skakaty\appdata\local\EmieSiteList
2014-04-02 15:02:01 -------- d-----w- c:\windows\Offline Address Books
2014-03-29 23:07:07 -------- d-----w- c:\users\skakaty\appdata\local\Dell
2014-03-29 23:06:47 -------- d-----w- C:\Logs
2014-03-29 21:46:04 -------- d-----w- c:\programdata\Oracle
2014-03-29 21:45:27 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-03-29 21:43:18 -------- d-----w- c:\programdata\bomgar-scc-0x53373e76
2014-03-29 21:42:45 -------- d-----w- c:\users\skakaty\appdata\local\Deployment
2014-03-29 21:42:45 -------- d-----w- c:\users\skakaty\appdata\local\Apps
2014-03-29 21:02:48 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2014-03-29 21:02:48 231424 ----a-w- c:\windows\system32\mswsock.dll
2014-03-29 21:02:48 1294272 ----a-w- c:\windows\system32\drivers\tcpip.sys
2014-03-29 21:00:52 -------- d-----w- c:\programdata\sccomm
2014-03-29 21:00:47 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-03-29 21:00:46 -------- d-----w- c:\users\skakaty\appdata\local\Programs
2014-03-29 21:00:41 -------- d-----w- c:\program files\Malwarebytes' Managed Client
.
==================== Find3M  ====================
.
2014-03-29 23:09:27 0 ----a-w- c:\windows\invcol.tmp
2014-03-29 21:47:42 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-29 21:47:42 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-06 08:32:07 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-03-06 08:31:27 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-03-06 08:02:34 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-03-06 08:02:33 455168 ----a-w- c:\windows\system32\vbscript.dll
2014-03-06 08:01:01 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-03-06 07:46:36 4254720 ----a-w- c:\windows\system32\jscript9.dll
2014-03-06 07:38:13 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-03-06 07:38:10 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-03-06 07:36:40 592896 ----a-w- c:\windows\system32\jscript9diag.dll
2014-03-06 07:28:01 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-06 07:13:43 32256 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-03-06 06:40:39 1967104 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-06 05:41:49 1789440 ----a-w- c:\windows\system32\wininet.dll
2014-02-07 01:07:56 2349056 ----a-w- c:\windows\system32\win32k.sys
2014-02-04 02:04:11 509440 ----a-w- c:\windows\system32\qedit.dll
2014-01-29 02:06:47 381440 ----a-w- c:\windows\system32\wer.dll
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: ST250LT0 rev.0003 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x82C45000]<< >>UNKNOWN [0x8B5AF000]<< >>UNKNOWN [0x8B59E000]<< >>UNKNOWN [0x8B7C3000]<< >>UNKNOWN [0x8B020000]<< >>UNKNOWN [0x82C0E000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL;  }
1 ntkrnlpa!IofCallDriver[0x82C7BBBA] -> \Device\Harddisk0\DR0[0x879E5030]
\Driver\Disk[0x879E4D98] -> IRP_MJ_CREATE -> 0x8B5B339F
3 [0x8B5B359E] -> ntkrnlpa!IofCallDriver[0x82C7BBBA] -> [0x879E44D0]
\Driver\stdcfltn[0x879A57A8] -> IRP_MJ_CREATE -> 0x8B7C361C
5 [0x8B7C4854] -> ntkrnlpa!IofCallDriver[0x82C7BBBA] -> \Device\Ide\IAAStorageDevice-1[0x85EAC028]
\Driver\iaStor[0x85E9A2B8] -> IRP_MJ_CREATE -> 0x8B04309C
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0;  }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 23:46:59.75 ===============
 

Attached Files


Edited by Allenflo, 22 April 2014 - 10:58 PM.


BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:41 AM

Posted 23 April 2014 - 05:03 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop

  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt


Please attach this file to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 Allenflo

Allenflo
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 23 April 2014 - 09:40 AM

Thanks so much for your help

 

TDSSKiller did not find anything.   The audio continues to play.   I have also ran a full scan of Malware Bytes yesterday and it does not find anything either.

 

Attached is the request file.

 

Thanks!

 

Allen
 

Attached Files


Edited by Allenflo, 23 April 2014 - 09:41 AM.


#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:41 AM

Posted 23 April 2014 - 09:44 AM

Combofix

Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 Allenflo

Allenflo
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 23 April 2014 - 12:07 PM

ComboFix 14-04-20.01 - skakaty 04/23/2014  12:21:21.1.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2985.1392 [GMT -4:00]
Running from: c:\users\skakaty\Desktop\ComboFix.exe
AV: GFI Software VIPRE *Disabled/Updated* {FFE93D16-FD09-0282-C7D3-8B1731B6A051}
SP: GFI Software VIPRE *Disabled/Updated* {4488DCF2-DB33-0D0C-FD63-B0654A31EAEC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Z@!-6da641b6-6bd1-45de-8e01-74c36dd772e4.tmp
c:\users\skakaty\AppData\Local\Z@!-8af3a9af-889f-4277-9e2a-b51b2ac65bb9.tmp
c:\users\skakaty\AppData\Roaming\lnrif.dll
c:\users\skakaty\AppData\Roaming\zvnqwdo.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_RADDRVV3
-------\Service_raddrvv3
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-23 to 2014-04-23  )))))))))))))))))))))))))))))))
.
.
2014-04-23 16:28 . 2014-04-23 16:40 -------- d-----w- c:\users\skakaty\AppData\Local\temp
2014-04-23 16:28 . 2014-04-23 16:28 -------- d-----w- c:\users\user\AppData\Local\temp
2014-04-23 16:28 . 2014-04-23 16:28 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-04-23 16:28 . 2014-04-23 16:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-04-23 16:28 . 2014-04-23 16:28 -------- d-----w- c:\users\administrator\AppData\Local\temp
2014-04-22 05:11 . 2014-04-23 03:44 -------- d-----w- C:\Software
2014-04-11 19:35 . 2014-04-11 19:35 -------- d-sh--w- c:\users\skakaty\AppData\Local\EmieUserList
2014-04-11 19:35 . 2014-04-11 19:35 -------- d-sh--w- c:\users\skakaty\AppData\Local\EmieSiteList
2014-04-02 15:02 . 2014-04-02 15:02 -------- d-----w- c:\windows\Offline Address Books
2014-03-29 23:09 . 2014-03-29 23:17 -------- d-----w- c:\users\skakaty\AppData\Local\Mozilla
2014-03-29 23:09 . 2014-03-29 23:09 0 ----a-w- c:\windows\invcol.tmp
2014-03-29 23:09 . 2014-03-29 23:09 -------- d-----w- c:\program files\Mozilla Maintenance Service
2014-03-29 23:07 . 2014-03-29 23:07 -------- d-----w- c:\users\skakaty\AppData\Local\Dell
2014-03-29 23:06 . 2014-03-29 23:06 -------- d-----w- C:\Logs
2014-03-29 21:46 . 2014-03-29 21:46 -------- d-----w- c:\users\skakaty\AppData\Roaming\Oracle
2014-03-29 21:46 . 2014-03-29 21:46 -------- d-----w- c:\programdata\Oracle
2014-03-29 21:46 . 2014-03-29 21:46 -------- d-----w- c:\program files\Common Files\Java
2014-03-29 21:45 . 2014-03-29 21:45 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-03-29 21:43 . 2014-04-23 16:40 -------- d-----w- c:\programdata\bomgar-scc-0x53373e76
2014-03-29 21:42 . 2014-03-29 21:43 -------- d-----w- c:\users\skakaty\AppData\Local\Deployment
2014-03-29 21:42 . 2014-03-29 21:42 -------- d-----w- c:\users\skakaty\AppData\Local\Apps
2014-03-29 21:02 . 2014-03-29 21:02 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2014-03-29 21:02 . 2014-03-29 21:02 231424 ----a-w- c:\windows\system32\mswsock.dll
2014-03-29 21:02 . 2014-03-29 21:02 1294272 ----a-w- c:\windows\system32\drivers\tcpip.sys
2014-03-29 21:00 . 2014-04-22 20:21 -------- d-----w- c:\programdata\sccomm
2014-03-29 21:00 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-03-29 21:00 . 2014-03-29 21:00 -------- d-----w- c:\users\skakaty\AppData\Local\Programs
2014-03-29 21:00 . 2014-03-29 21:00 -------- d-----w- c:\program files\Malwarebytes' Managed Client
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-29 21:47 . 2014-01-24 00:01 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-29 21:47 . 2011-10-26 02:06 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-07 01:07 . 2014-03-13 16:02 2349056 ----a-w- c:\windows\system32\win32k.sys
2014-02-04 02:04 . 2014-03-13 16:02 509440 ----a-w- c:\windows\system32\qedit.dll
2014-01-29 02:06 . 2014-03-13 16:01 381440 ----a-w- c:\windows\system32\wer.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2011-05-27 22:38 120184 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2011-05-27 22:38 120184 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files\AIM\aim.exe" [2011-05-03 4321112]
"Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2013-12-18 1272704]
"Bomgar Jump Client Reconnect 53373E76"="c:\programdata\bomgar-scc-0x53373e76\bomgar-scc.exe" [2014-02-28 1252256]
"Bomgar Support Reconnect [5357ED57]"="c:\programdata\bomgar-scc-0x53373e76\bomgar-scc.exe" [2014-02-28 19:02 1252256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-07-20 505720]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2011-01-25 536668]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-06-05 288872]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-06-28 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-06-28 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-06-28 176408]
"FreeFallProtection"="c:\program files\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2011-07-25 686704]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2011-08-09 112408]
"IntelPROSet"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-12-23 1210640]
"TdmNotify"="c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe" [2011-05-27 214384]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-03-12 462993]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2011-03-08 227328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2013-12-18 41336]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2013-12-18 840568]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"SBAMTray"="c:\program files\GFI Software\GFIAgent\SBAMTray.exe" [2013-05-30 3232152]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"SBRegRebootCleaner"="c:\program files\GFI Software\GFIAgent\SBRC.exe" [2013-05-30 202648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2011-2-8 840992]
Dell System Manager.lnk - c:\program files\Dell\Dell System Manager\DCPSysMgr.exe [2011-1-20 1459056]
VPN Client.lnk - c:\windows\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico -user_logon [2012-1-31 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\spba]
2010-09-15 16:11 1971536 ----a-w- c:\program files\Common Files\SPBA\homefus2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ    msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [x]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\HP\HPLaserJetService\HPLaserJetService.exe [2012-05-03 164864]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-28 45288]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-05-23 43368]
R3 gfiutil;gfiutil;c:\windows\system32\drivers\gfiutil.sys [2013-09-04 24040]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-03-06 108032]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-02-27 132480]
R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys [2010-11-20 126464]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7.sys [2011-01-04 62440]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 sbwtis;sbwtis;c:\windows\system32\DRIVERS\sbwtis.sys [2013-01-15 76064]
R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys [2010-11-20 19456]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 27136]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-05 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [2011-06-05 20328]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2011-07-16 17904]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2009-03-03 81920]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2011-05-11 826272]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2011-05-11 31648]
S2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe [2011-01-20 388464]
S2 HP DS Service;HP DS Service;c:\program files\HP\HPBDSService\HPBDSService.exe [2011-10-17 13824]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 110752]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [2003-04-19 8192]
S2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\RServer3.exe [2012-12-19 1154752]
S2 SBAMSvc;VIPRE Business;c:\program files\GFI Software\GFIAgent\SBAMSvc.exe [2013-05-30 3681016]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2013-01-15 68904]
S2 SBPIMSvc;SB Recovery Service;c:\program files\GFI Software\GFIAgent\SBPIMSvc.exe [2013-05-30 176536]
S2 SCCommService;MEEClientService;c:\program files\Malwarebytes' Managed Client\SCComm.exe [2013-12-11 142848]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-06-05 378472]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-08-09 2656536]
S2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [2011-07-01 1131520]
S2 ZcfgSvc7;Intel® PROSet/Wireless ZeroConfig Service;c:\program files\Intel\WiFi\bin\ZCfgSvc7.exe [2010-12-23 577536]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\accelern.sys [2011-07-22 44144]
S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [2011-10-26 302120]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2011-10-26 33832]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-09-16 144576]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2011-05-10 33896]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-20 41088]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2010-12-21 7434240]
S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\DRIVERS\O2MDFw7.sys [2011-01-04 60904]
S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7.sys [2011-03-23 63976]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-01-24 21:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.160.35 192.168.160.36
FF - ProfilePath - c:\users\skakaty\AppData\Roaming\Mozilla\Firefox\Profiles\xcc3aing.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-56915657.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(624)
c:\windows\system32\wvauth.DLL
c:\windows\System32\TdmNetworkProvider.dll
.
- - - - - - - > 'Explorer.exe'(1664)
c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\IDT\WDM\STacSV.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\windows\system32\SDIOAssist.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
c:\program files\Common Files\SPBA\upeksvr.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\conhost.exe
c:\windows\system32\rserver30\FamItrfc.Exe
c:\windows\system32\rserver30\FamItrfc.Exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
c:\windows\system32\igfxext.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2014-04-23  12:45:45 - machine was rebooted
ComboFix-quarantined-files.txt  2014-04-23 16:45
.
Pre-Run: 142,251,651,072 bytes free
Post-Run: 142,921,281,536 bytes free
.
- - End Of File - - E9F9532C63A377ADC15C3B4D61472FAE
5C616939100B85E558DA92B899A0FC36
 



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:41 AM

Posted 24 April 2014 - 03:19 AM

Are you still getting audio ads now?


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 Allenflo

Allenflo
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 24 April 2014 - 10:26 AM

It looks like it is still infected.  The audio ads continue to play.

 

Thanks

 

Allen



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:41 AM

Posted 24 April 2014 - 10:30 AM

OK, we need a bigger gun on this...

 

 

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows7:



Plug the flashdrive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt


  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 Allenflo

Allenflo
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 29 April 2014 - 02:31 PM

Thanks.  It will be a few more days before I am able to apply the fix.  Thanks!!!!



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:41 AM

Posted 08 May 2014 - 03:55 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users