Inactive Backdoor.Tidserv then PC Performance and Stability Analysis Report

Atlas98

I am new to this forum, but have read the rules and promise to follow through with the instructions from this forum and not to do anything except follow the instructions from this forum!

Symantec Endpoint Protection flagged the Backdoor.Tidserv! malware on my laptop (32-bit Windows 7 Enterprise OS) about one or even two months ago. I was busy so I just stopped using the laptop for a few weeks. The next time I started it up, I got the PC Performance and Stability Analysis Report windows, with the hidden desktop, Start Menu, and All Programs.

I didn't know about this forum then, so I ran CC Cleaner, MBAM, ESET NOD32 (trial), did some manual registry editing, and ran checks on some Hijack This logs. I unhid my desktop and did a few other things, and I think the Hijack This logs were clean. Unfortunately, I did not record all of my activities, and I don't remember where I left things when I stopped using the laptop again because I got busy with other stuff.

Well, I really need my laptop again, I haven't figured out how to unhide my START menu, and step 2 of your 7-step preliminary removal instructions found a problem, and I had a really hard time getting MBAM to even run (couldn't uninstall MBAM, and MBAM couldn't run -- eventually had to download the random name version and install it to a new folder). So my laptop is probably still infected with something.

Thank you for your help!
 
Welcome to TechSpot! I'll help with the malware:

My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs, except those I give you.
  • Please let me know if there is any change in the system.
If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please observe my guidelines not to run any other scans or change Registry entries while I'm helping you.
 
Step 5 - MBAM, GMER, and DDS (2) logs

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7216

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/20/2011 8:49:15 PM
mbam-log-2011-07-20 (20-49-15).txt

Scan type: Quick scan
Objects scanned: 155991
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


===================================
GMER LOG
===================================

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-07-20 20:55:23
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD6400BEVT-00A0RT0 rev.01.01A01
Running: gmer_b0kf8t0x.exe; Driver: C:\Users\koguma\AppData\Local\Temp\awdiipog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


===================================
DDS Log
===================================

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Run by zg at 22:31:41 on 2011-07-20
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.1916.1342 [GMT -4:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Outdated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
AV: Symantec Endpoint Protection *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: ESET NOD32 Antivirus 4.2 *Enabled/Outdated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\System32\WebUpdateSvc4.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Garmin\gStart.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\stuffs\temp\DDS by sUBs\dds.scr
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [gStart] c:\program files\garmin\gStart.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware2\mbam.exe" /runcleanupscript
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://wormhole.brandeis.edu/dana-cached/sc/JuniperSetupClient.cab
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\koguma\appdata\roaming\mozilla\firefox\profiles\uh9jmplt.default\
FF - prefs.js: browser.search.selectedEngine - Scroogle SSL search
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 cpextender;Check Point SSL Network Extender;c:\program files\checkpoint\ssl network extender\slimsvc.exe [2009-4-2 353672]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-12-21 137144]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-1-12 810144]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2010-12-21 95384]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-1-17 2477304]
R2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer;c:\windows\system32\WebUpdateSvc4.exe [2007-4-4 229856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-11 105592]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-3-4 277536]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2009-4-2 129304]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-9-28 41272]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-16 1343400]
.
=============== Created Last 30 ================
.
2011-07-21 00:42:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2011-07-21 00:38:18 709968 ----a-w- c:\windows\isRS-000.tmp
.
==================== Find3M ====================
.
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-22 19:36:05 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
.
============= FINISH: 22:39:47.70 ===============


===================================
GMER ATTACH
===================================

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 7/16/2010 1:21:35 PM
System Uptime: 7/20/2011 8:51:31 PM (2 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz | CPU | 2166/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 596 GiB total, 144.64 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description:
Device ID: ACPI\TOS1901\2&DABA3FF&1
Manufacturer:
Name:
PNP Device ID: ACPI\TOS1901\2&DABA3FF&1
Service:
.
==== System Restore Points ===================
.
RP64: 4/9/2011 7:15:10 PM - Scheduled Checkpoint
RP65: 4/22/2011 10:42:43 AM - Windows Update
RP66: 5/8/2011 3:42:15 PM - Windows Update
RP67: 5/12/2011 3:00:15 AM - Windows Update
RP68: 5/24/2011 9:49:56 AM - Scheduled Checkpoint
RP69: 5/26/2011 4:50:14 PM - Windows Update
RP70: 5/27/2011 12:37:45 PM - Windows Update
RP71: 6/18/2011 4:54:10 PM - Installed ESET NOD32 Antivirus
RP72: 6/19/2011 2:45:33 PM - Windows Update
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Adobe Acrobat 9 Pro
Adobe Acrobat 9.2.0 - CPSID_50026
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
CCleaner
Check Point SSL Network Extender
Compatibility Pack for the 2007 Office system
DVD Decrypter (Remove Only)
ESET NOD32 Antivirus
FreeRIP v3.2
Garmin Training Center
Garmin USB Drivers
J2SE Runtime Environment 5.0 Update 12
Java Auto Updater
Java(TM) 6 Update 20
Juniper Networks Setup Client
Juniper Terminal Services Client
K-Lite Codec Pack 5.8.3 (Standard)
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access database engine 2007 (English)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.6.17)
OGA Notifier 2.0.0048.0
OverDrive Media Console
SAS 9.2
SAS Deployment Tester - Client 1.3
SAS Drivers for ODBC
SAS Enterprise Guide 4.2
SAS OnlineDoc 9.2 for Windows
SAS Power and Sample Size 3.1
SAS Simulation Studio 1.5
SAS SQL Library for C 9.2
SAS Universal Viewer 1.0
SAS Versioned Jar Repository 9.2
SAS XML Mapper 9.2
SAS/ETS Model Editor 2.1
SAS/GRAPH ODS Graphics Editor 9.2
SAS/IML Studio 3.2
SAS/SECURE Java 9.2
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Stat/Transfer Nine
Stata11
Symantec Endpoint Protection
Synaptics Pointing Device Driver
TeraCopy 2.12
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2536413)
VLC media player 1.0.5
Web Update Wizard (Redistributable) 4.0
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Essentials Media Codec Pack 2.2c
WinRAR archiver
WinZip 11.2
.
==== Event Viewer Messages From Past Week ========
.
7/20/2011 8:54:38 PM, Error: Microsoft-Windows-WMPNSS-Service [14346] - A new media server was not initialized because RegisterRunningDevice() encountered error '0x80070005'. Restart your computer, and then restart the WMPNetworkSvc service.
.
==== End Of File ===========================
 
Unless you get the security correct and current, there will be no point in trying to clean the system. Running now:
AV: ESET NOD32 Antivirus 4.2 *Enabled/Outdated*
AV: Symantec Endpoint Protection *Disabled/Outdated*
SP: ESET NOD32 Antivirus 4.2 *Enabled/Outdated*
SP: Windows Defender *Disabled/Updated* > Antimalware protection only.
SP: Symantec Endpoint Protection *Disabled/Outdated*

If you want to keep the Eset Nod32 AV, please purchase the program and update it. Remove SEP.
If you want to keep SEP, please renew the subscription and update it. Remove Eset Node32.
Please reboot the computer when through.
========================================
Java is very outdated. I'm seeing many malware entries in the Java cache of users with outdated versions.
Please update ASAP to current v6u26 > Java Updates. Uninstall any earlier versions > J2SE Runtime Environment 5.0 Update 12 and Java(TM) 6 Update 20 in Add/Remove Programs, as they are vulnerabilities for the system.

Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
------------------------
Please open Firefox > Tools > Addons > Find the Java v5u12 and v6u20 and remove them. When you update Java, you do not need to put a separate extension in Firefox.
=============================================
The following processes look to be work related. Is this your work computer?
SAS 9.2
Check Point SSL Network Extender
Web Update Wizard V4 from Data Perceptions / PowerProgrammer > Hidden file > Software Update Wizard integrates with any development environment or programming language and can be used to update 32 bit or 64 bit Windows applications.
Stat/Transfer Nine > Stat/Transfer provides a menu interface and batch facility to move tables from Excel to SAS or to move megabytes of survey data between statistical packages.
===============================================
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop.
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    (image: whatnext.png)
  • Click on Yes, to continue scanning for malware.
  • If Combofix asks you to update the program, allow it.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=============================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
============================================
All logs in next reply please.

Be sure to note that you are asked not to run any other cleaning scans except what I give you and not to do any work in the Registry on your own while I am helping you.
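The triage in the reply above rests on two parts of the DDS output: the AV/SP status lines (which product is disabled or outdated) and the services/drivers list (what runs at boot and from where). As an added example that is not part of this thread and not code from the DDS or ComboFix tools, here is a small Python parser that pulls those two sections into structured records and reports the things a helper checks first. The sample input is constructed from the kinds of lines the logs in this thread contain; the handling of `[x]` follows the marker ComboFix prints when a service's file is not present on disk, and the temp-path check is a heuristic of my own, not something either tool does.

```python
"""Triage helper for DDS / ComboFix style logs (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the line shapes used by DDS ("AV:"/"SP:" status lines,
# "R2 name;display;path [date size]" service lines) and ComboFix ("[x]").
SAMPLE_LOG = r"""
AV: ESET NOD32 Antivirus 4.2 *Enabled/Outdated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
AV: Symantec Endpoint Protection *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2011-1-12 810144]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\D87.tmp [x]
S2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer;c:\windows\System32\WebUpdateSvc4.exe [2007-4-4 229856]
"""

# AV:/SP:/FW: <product name> *Enabled|Disabled/Updated|Outdated* {GUID}
PRODUCT_RE = re.compile(r"^(AV|SP|FW): (.+?) \*(Enabled|Disabled)/(Outdated|Updated)\*")
# <R|S><start type> <service name>;<display name>;<image path> [<date size> | x]
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+?) \[([^\]]*)\]\s*$")


@dataclass
class Product:
    kind: str        # AV, SP (anti-spyware) or FW (firewall)
    name: str
    enabled: bool
    updated: bool


@dataclass
class Service:
    state: str       # R = running, S = stopped (DDS/ComboFix convention)
    start_type: int  # 0..4, as in the registry Start value
    name: str
    display: str
    path: str
    file_missing: bool       # True when the log shows "[x]" instead of date/size
    size: Optional[int]      # file size from the bracket, if present


def parse_products(text: str) -> List[Product]:
    """Extract every security-product status line from the log."""
    out = []
    for line in text.splitlines():
        m = PRODUCT_RE.match(line.strip())
        if m:
            kind, name, enabled, updated = m.groups()
            out.append(Product(kind, name, enabled == "Enabled", updated == "Updated"))
    return out


def parse_services(text: str) -> List[Service]:
    """Extract every service/driver line, noting when the file was not found."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, path, meta = m.groups()
        missing = meta.strip() == "x"
        size = None
        if not missing:
            parts = meta.split()          # "YYYY-M-D size"
            if len(parts) == 2 and parts[1].isdigit():
                size = int(parts[1])
        out.append(Service(state, int(start), name, display, path, missing, size))
    return out


def triage(text: str) -> List[str]:
    """Return human-readable findings: weak protection state and suspicious services."""
    findings = []
    for p in parse_products(text):
        if not p.enabled or not p.updated:
            state = "disabled" if not p.enabled else "enabled"
            freshness = "outdated" if not p.updated else "updated"
            findings.append(f"{p.kind} {p.name}: {state}, {freshness}")
    for s in parse_services(text):
        low = s.path.lower()
        if s.file_missing:
            # Orphaned service entry: registry still points at a file that is gone.
            findings.append(f"service {s.name}: file not found on disk ({s.path})")
        elif "\\temp\\" in low or low.endswith(".tmp"):
            # Heuristic (mine, not the tools'): services should not live in temp paths.
            findings.append(f"service {s.name}: runs from a temporary location ({s.path})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample above the report lists the three protection-state problems the helper called out (one outdated, one disabled and outdated, one disabled) and the orphaned MEMSWEEP2 entry pointing at a `.tmp` file that no longer exists; the legitimate ESET and WebUpdate4 services produce no finding.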
 
ComboFix and Eset Online Scan logs

Bobbye,

Thanks very much for your help!

1. Eset Nod32 AV was uninstalled, and SEP Updated. Should I enable Windows Defender? (Fyi, I deactivated SEP and installed the trial version of Eset Nod32 after getting the PC Performance and Stability Report).

2. Updated Java to v6u26. I didn't see a v5u12 Firefox plug-in. I did find the v6u20 plug-in and disabled it, but don't know how to remove it. I don't know what you mean by not needing to put a separate v6u26 extension in Firefox. Do I need to do anything else?

3. This is not a work computer. I got this laptop as a Christmas gift two years ago. It came with Vista and I upgraded to 7 Enterprise when I upgraded the hard drive. But I do have a separate work laptop, which is why I could just stop using this laptop for a month when it got infected. And even though I have a work laptop, I do sometimes use this one for work.

Check Point SSL Network Extender is the gateway to my employer's VPN, and lets me RDC to the computer on my desk at work. I use SAS and Stat/Transfer for work and have licenses for my personal computer. But I do not know what "Web Update Wizard V4 for Data Perceptions //// PowerProgrammer" is, and never noticed it before. I looked for it in the Control Panel Programs list, and it was installed on the same day as Stat/Transfer Nine (in October 2010). There is no folder for it in C:\Program Files. Should I uninstall it?

4. I searched for ComboFix and the Windows Recovery Console. ComboFix wasn't installed, the Recovery Console was. I ran ComboFix and the log is appended below. After the ComboFix run, I got the following error and rebooted.
C:\Program Files\Internet Explorer\explorer.exe
Illegal operation attempted on a registry key that has been marked for deletion.

5. The Eset Online Scan scanned 164,177 files. No threats found, 164177 scanned files, 0 infected files, 0 cleaned files, 3:43:31 Total Scan Time, Scan status Finished. Should I uninstall to remove all ESET Online Scanner files from my computer?

6. My Start Menu is still empty, so I need to find exe files to launch most software. My Start Menu All Programs list is mostly empty. It contains: Internet Explorer, Accessories, DVD Decrypter, Essential Codec Pack, Juniper Networks, Maintenance, Malwarebytes' Anti-Malware, Startup, and WinRAR.

Am I still infected? Thank you!!

===================================
ComboFix Log
===================================

ComboFix 11-07-22.02 - zg 07/22/2011 21:16:41.1.2 - x86
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.1916.1160 [GMT -4:00]
Running from: c:\users\koguma\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\koguma\AppData\Local\Temp\B672.tmp
c:\users\koguma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery
.
.
((((((((((((((((((((((((( Files Created from 2011-06-23 to 2011-07-23 )))))))))))))))))))))))))))))))
.
.
2011-07-23 01:22 . 2011-07-23 01:24 -------- d-----w- c:\users\koguma\AppData\Local\temp
2011-07-23 01:22 . 2011-07-23 01:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-23 01:14 . 2011-07-23 01:15 -------- d-----w- C:\32788R22FWJFW
2011-07-23 01:03 . 2011-07-23 01:03 -------- d-----w- c:\program files\Common Files\Java
2011-07-23 01:02 . 2011-07-23 01:02 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-23 01:02 . 2011-07-23 01:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-21 00:42 . 2011-07-21 00:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2010-09-28 23:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"gStart"="c:\program files\Garmin\gStart.exe" [2008-08-13 1891416]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-18 115560]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware2\mbam.exe" [2011-07-06 1047656]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\D87.tmp [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-16 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [2009-04-02 353672]
S2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer;c:\windows\System32\WebUpdateSvc4.exe [2007-04-04 229856]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-05-10 105592]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-03-04 277536]
S3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\DRIVERS\vna.sys [2009-04-02 129304]
.
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246 192.168.33.1
FF - ProfilePath - c:\users\koguma\AppData\Roaming\Mozilla\Firefox\Profiles\uh9jmplt.default\
FF - prefs.js: browser.search.selectedEngine - Scroogle SSL search
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
AddRemove-febb569a337f725f5f8607711f665d3b - c:\program files\Java\jre1.5.0_12\bin\javaw.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\D87.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conhost.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-07-22 21:29:14 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-23 01:29
.
Pre-Run: 156,483,801,088 bytes free
Post-Run: 156,400,508,928 bytes free
.
- - End Of File - - 40746F1D78626BE2329F4D3165219AEF
 
For the Combofix error you experienced, please see this Note 5 in the directions:
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
===================================
For the question about the outdated versions of Java and installing Java extensions in Firefox:
The problem is that Java updates do not overwrite the old version anywhere in the system, including the browser. So>

  • 1. You don't need to actively do anything to FF when you update Java>> but
    2. You will need to manually remove the outdated Java from both the Control Panel and Firefox.
    3. You must run Firefox as Administrator to see the Disable/Enable/Uninstall buttons
    4. Depending on whether the Java Console is installed or just the plugins, you may only have the Disable choice, not the uninstall. (Any plugins or extensions that are 'grayed out' for the Admin have already been disabled.)
    java_console_extension_windows-500x265.png

    Image courtesy ghacks

    • 5. An update or new installation of the JRE will add a new Java Console extension to the web browser.
    Note: It is recommended that you do not copy Java plugins from other locations to the Firefox plugins folder. Outdated Java plugins can cause Java not to work if you update Java and then uninstall the older Java version, if plugins from the old Java version are still in the Firefox plugins folder.
    ==========================================
    You don't need to remove the Eset program or other cleaning programs now. Everything will be removed when we're finished. Please read our instructions carefully. The directions for Combofix tell you to disable security before the scan>>
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    Then we remind you to re-enable it afterwards>>
    • When the scan completes, a report will be generated - it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Leave all of the programs I asked about since they were installed the same day. They are all legitimate programs. After you resume using the system, if you find some are no longer being used, you can uninstall them.
========================================
I'll be back after lunch to set up some script for you to run through Combofix.
 
I meant to include this in my previous reply:
Download Unhide.exe and save to the desktop.
  • Double-click on Unhide.exe icon to run the program.
  • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
=================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\isRS-000.tmp
c:\windows\system32\D87.tmp
DDS::
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
Driver::
MEMSWEEP2
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
============================================
Please update the Adobe Reader from v9 to v10(X): Adobe Reader site Uninstall any earlier updates as they are vulnerabilities.
============================================
Please let me know how the system is working now.
 
Administrative Tools folder empty now

Thanks for explaining the Java extensions in Firefox. I guess that I just had the plugins installed since I only had the Disable choice.

Why did you repeat the Combofix directions? I have been reading your instructions repeatedly and meticulously, both before and while following your instructions. Was there a problem with the previous Combofix run? I disabled SEP by right-clicking on its icon in the Windows System Tray. I didn't expect ComboFix to reboot my computer, so SEP may have started automatically after the reboot, although I checked after ComboFix generated the log file and I thought that I had to restart SEP manually.

But because of your warning, I decided to disable and stop the SEP services before following your latest instructions to run ComboFix. When I clicked on Control Panel then Administrative Tools to see my Services, I was surprised to see an empty Administrative Tools folder. So I had to enter mmc in the Start Menu RUN box, then add the Services snap-in. I can't remember when I last looked at the Windows log files using the Administrative Tools Event Viewer, but I think this may be a relatively new symptom.

I haven't uninstalled Acrobat yet because I have Adobe Acrobat Pro 9 installed, and don't have a license for Acrobat X Pro. I just applied the latest updates (now running version 9.4.5). Does Acrobat Pro 9 have the same vulnerabilities as the free version (or any vulnerabilities)? I will definitely uninstall if it does.

This is the latest ComboFix log. I hope that I ran it correctly this time!

Thanks again for your help, the unhide, and the script. I am happy to have my Start Menu and widgets back!


ComboFix 11-07-22.02 - zg 07/23/2011 19:13:21.2.2 - x86
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.1916.1112 [GMT -4:00]
Running from: c:\users\koguma\Desktop\ComboFix.exe
Command switches used :: c:\users\koguma\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\isRS-000.tmp"
"c:\windows\system32\D87.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2
.
.
((((((((((((((((((((((((( Files Created from 2011-06-23 to 2011-07-23 )))))))))))))))))))))))))))))))
.
.
2011-07-23 23:20 . 2011-07-23 23:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-23 01:38 . 2011-07-23 01:38 -------- d-----w- c:\program files\ESET
2011-07-23 01:22 . 2011-07-23 23:23 -------- d-----w- c:\users\koguma\AppData\Local\temp
2011-07-23 01:03 . 2011-07-23 01:03 -------- d-----w- c:\program files\Common Files\Java
2011-07-23 01:02 . 2011-07-23 01:02 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-23 01:02 . 2011-07-23 01:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-21 00:42 . 2011-07-21 00:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2010-09-28 23:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"gStart"="c:\program files\Garmin\gStart.exe" [2008-08-13 1891416]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-18 115560]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware2\mbam.exe" [2011-07-06 1047656]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-16 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [2009-04-02 353672]
S2 WebUpdate4;Web Update Wizard Service V4 by PowerProgrammer;c:\windows\System32\WebUpdateSvc4.exe [2007-04-04 229856]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-05-10 105592]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-03-04 277536]
S3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\DRIVERS\vna.sys [2009-04-02 129304]
.
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246 192.168.33.1
FF - ProfilePath - c:\users\koguma\AppData\Roaming\Mozilla\Firefox\Profiles\uh9jmplt.default\
FF - prefs.js: browser.search.selectedEngine - Scroogle SSL search
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conhost.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-07-23 19:29:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-23 23:29
.
Pre-Run: 153,930,354,688 bytes free
Post-Run: 153,517,019,136 bytes free
.
- - End Of File - - B2FBFA5501A8B583E43B3D275EFD41F0
 
why is SEP still running?

I can't believe that I have to ask this question! I was just re-reading the latest ComboFix log (attached in my previous reply), and saw the following list.

------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conhost.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe


There is no way that SEP should have been running. Before running ComboFix, from the MMC Services Snap-in, I Stopped *and* changed the Startup Type to Disabled:
Symantec Endpoint Protection
Symantec Event Manager
Symantec Management Client
Symantec Network Access Control
Symantec Settings Manager.

After that, I rebooted and confirmed that each of these services had not started, and the Startup Type was Disabled. I also sorted the running services to see what had started, and confirmed that the SEP icon in the Windows System Tray reported that SEP was disabled. And after running ComboFix, all of the SEP services were still Disabled, and so I reset the Startup Type to Manual and manually started each service.

So what am I doing wrong? Feeling really dumb right now...
 
Not to worry! You're not doing anything wrong!
Look in the Combofix header> see these?
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
This is what I look at when I open the log.
===========================================
Neither of these entries shows in Combofix after you disabled SEP, then ran the CFFix, which then generated a new log:

  • R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-1-17 2477304]
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
It does not show in the current log in "Other processes running."
==================================================
Why did you repeat the Combofix directions? I have been reading your instructions repeatedly and meticulously, both before and while following your instructions. Was there a problem with the previous Combofix run?

I didn't.

My Reply #4: Download Combofix and save to the desktop
You posted the Log posted in your reply #5

My Reply #7: Please run this Custom CFScript:

Your Reply #8: New Combofix log after running the script in Combofix> Command switches used :: c:\users\koguma\Desktop\CFScript.txt

And if there are any other entries to remove, I will set up new script for you to run.

Do you understand?
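An added example, not from this thread and not part of ComboFix: a small Python parser for logs in the format pasted above, applying the checks the helper does by eye: the AV/SP state in the header, services whose image file is missing or a .tmp file (as MEMSWEEP2 was), the Security Center "DisableMonitoring" setting the script removed, and what disappeared between two runs. The two embedded logs are abbreviated excerpts constructed from the ones in this thread.

```python
"""Parse ComboFix logs and compare two runs (added example, not ComboFix code)."""
import re
from dataclasses import dataclass, field

# Header line, e.g. "AV: Symantec Endpoint Protection *Disabled/Updated* {GUID}"
HEADER_RE = re.compile(r'^(AV|SP|FW): (.+?) \*(\w+)/(\w+)\* \{[0-9A-Fa-f-]+\}$')
# Service line, e.g. "R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\D87.tmp [x]"
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*?)\]$')
REGKEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')


@dataclass
class ComboFixLog:
    security: dict = field(default_factory=dict)   # "AV: name" -> (state, update)
    services: dict = field(default_factory=dict)   # name -> (start, display, path, stamp)
    processes: list = field(default_factory=list)  # "Other Running Processes" section
    notes: list = field(default_factory=list)      # registry settings worth a look


def parse_combofix(text: str) -> ComboFixLog:
    log = ComboFixLog()
    in_processes = False
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue                        # ComboFix pads sections with "."
        if "Other Running Processes" in line:
            in_processes = True
            continue
        if line.startswith("****"):
            in_processes = False            # end of the process list
            continue
        if in_processes:
            log.processes.append(line)
            continue
        m = HEADER_RE.match(line)
        if m:
            kind, name, state, updated = m.groups()
            log.security[f"{kind}: {name}"] = (state, updated)
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, path, stamp = m.groups()
            log.services[name] = (start, display, path, stamp)
            continue
        m = REGKEY_RE.match(line)
        if m:
            current_key = m.group(1)
        elif line == '"DisableMonitoring"=dword:00000001' and "security center" in current_key.lower():
            log.notes.append(f"Security Center monitoring disabled under {current_key}")
    return log


def suspicious_services(log: ComboFixLog) -> list:
    """Services whose image file is missing ([x]) or is a .tmp file."""
    findings = []
    for name, (_start, _display, path, stamp) in log.services.items():
        reasons = []
        if stamp == "x":
            reasons.append("image file missing on disk")
        if path.lower().endswith(".tmp"):
            reasons.append("service image is a .tmp file")
        if reasons:
            findings.append((name, path, "; ".join(reasons)))
    return findings


def diff_logs(before: ComboFixLog, after: ComboFixLog) -> dict:
    """What the second run no longer shows, and what is new in it."""
    return {
        "services_removed": sorted(set(before.services) - set(after.services)),
        "processes_gone": sorted(set(before.processes) - set(after.processes)),
        "processes_new": sorted(set(after.processes) - set(before.processes)),
        "notes_cleared": sorted(set(before.notes) - set(after.notes)),
    }


# Constructed, abbreviated excerpts of the two logs posted in this thread.
LOG_BEFORE = r"""
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\D87.tmp [x]
S2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [2009-04-02 353672]
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\WUDFHost.exe
.
**************************************************************************
.
Completion time: 2011-07-22 21:29:14 - machine was rebooted
"""

LOG_AFTER = r"""
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
S2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [2009-04-02 353672]
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
.
**************************************************************************
"""

if __name__ == "__main__":
    before, after = parse_combofix(LOG_BEFORE), parse_combofix(LOG_AFTER)
    print("security products:", before.security)
    print("suspicious services:", suspicious_services(before))
    print("changes after script:", diff_logs(before, after))
```

The header state is what tells you whether the AV was disabled for the run; a process list that still contains Smc.exe only means the SEP client shell was running, not that real-time scanning was.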
 
Are you waiting on me still?

Bobbye,

Thanks for your explanation. I think I understand things now.

I re-read all of the posts and did a windows explorer date search for all files between 7/22/2011 and 7/24/2011 to look for any log files that I may have missed. I think that I have done everything you have instructed, except for removing Adobe Acrobat Pro v9. Not sure if I have to do that, and my Administrative Tools folder is empty.

I found the ComboFix-quarantined-files.txt file (created 7/23/2011 7:29PM), and the contents are pasted below. I can see that you are responding to quite a few posts, so I will just wait for further instruction. Thank you for volunteering so much of your time to help users like me!!

2011-07-23 23:18:22 . 2011-07-23 23:18:22 1,192 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_MEMSWEEP2.reg.dat
2011-07-23 23:18:22 . 2011-07-23 23:18:22 1,054 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_MEMSWEEP2.reg.dat
2011-07-23 23:13:11 . 2011-07-23 23:13:11 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-07-23 01:28:23 . 2011-07-23 01:28:23 706 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-febb569a337f725f5f8607711f665d3b.reg.dat
2011-07-23 01:28:10 . 2011-07-23 01:28:10 582 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-Symantec Antvirus.reg.dat
2011-07-23 01:20:26 . 2011-07-23 23:18:03 19,674 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-07-23 01:15:44 . 2011-07-23 23:13:11 124 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-07-23 00:59:57 . 2011-07-23 00:59:57 311,248 ----a-w- C:\Qoobox\Quarantine\C\Users\koguma\AppData\Local\Temp\B672.tmp.vir
 
You should just follow my directions. Don't worry about missing logs. If one is missing, I'll ask for it.

You don't need to post the Qoobox entries. This is where Combofix sends the processes that are removed> either by Combofix itself or from the script I write that you run through Combofix. When I see the log that is generated after you run the script, I will see the deletions and quarantines in that log, below the header.
===========================================
How are you accessing the Administrative Tools? So far, nothing I've asked you to do would require you to access them. But the following would make the section more accessible:

You can add the Administrative Tools menu to either the Start menu or to the Start menu and the All Programs submenu of the Start menu by completing the following steps:

1. Right-click Start,> click Properties> the Taskbar And Start Menu Properties dialog box is displayed with the Start Menu tab selected by default.
2. Click Customize>Scroll down the list until you can see the System Administrative Tools heading.
3. At this point, you have two options:
  • If you want to display the Administrative Tools menu as a submenu of the All Programs menu, select Display On The All Programs Menu.
  • If you want to display the Administrative Tools menu directly on the Start menu and as a submenu of the All Programs menu, select Display On The All Programs Menu And The Start Menu.

Are you not seeing the Event Viewer, Services, Component Services, Computer Management, Data Source or Performance? Some of it? All of it? None of it?

Does anything else appear to be missing? Programs? Icons? Files? When I know the extent, I'll give you a short program to run to remove the 'hide' feature. But I would like to know what you are attempting to access in the Administrative Tools.
==================================
As for my replies, yes, I reply if you ask a question or post a log. That's what we're doing here> working together to clean the system. Sometimes I can reply more quickly. Other times when it is very busy, it might take me a day- or even 2.
 
I wanted to open the Administrative Tools folder to get to Services, so I could disable SEP for the ComboFix run. I opened Administrative Tools from the Start Menu, Control Panel, Administrative Tools. When I open this folder, it is empty. No Component Services, Computer Management, Data Sources, Event Viewer, Local Security Policy, Performance, or Services. Nothing. I couldn't find this folder in Windows 7 to unhide the shortcuts manually. But these snap-ins all run with no problem. I just need to enter mmc in the Start Menu Run box and then add the snap-ins manually.

I think that a few program folders and icons may be missing, but I will post again after doing a more careful check.
 
more hidden shortcuts

My Start Menu -> All Programs -> Accessories menu contains shortcuts for Command Prompt, Notepad, Run, Windows Explorer, and the following folders: Ease of Access, System Tools, Tablet PC (empty), and Windows Power Shell (empty). I think that shortcuts for Calculator, Paint, Remote Desktop Connection, Snipping Tool, Sticky Notes, Windows Explorer, Windows Mobility, and Wordpad are still hidden.

The Accessories menu Ease of Access folder seems to contain all of its shortcuts (Ease of Access Center, Magnifier, Narrator, On-Screen Keyboard), but System Tools is missing quite a few shortcuts.

System Tools contains shortcuts for Computer, Control Panel, Internet Explorer (no add-ons), and Private Character Editor. I think that the shortcuts to Disk Cleanup, Disk Defragmenter, Resource Monitor, System Information, System Restore, Task Scheduler and probably a few more are still hidden.

The Tablet PC and Windows Power Shell are both empty.

Also, most of my Program Folders seem to have list folders privileges only. These folders are empty: DVD Decrypter, FreeRip3, Games, Garmin, Microsoft Silverlight, Mozilla Firefox, OverDrive Media Console, Startup, Stata11, StatTransfer9, Symantec Endpoint Protection, Tablet PC, TeraCopy, and Winzip.

And the following folders contain subfolders, which may contain subfolders, but no shortcuts are visible: K-Lite Codec Pack, Microsoft Office, SAS, and VideoLAN.

I think that Default Programs, Desktop Gadget Gallery, Mozilla Firefox, Windows Fax and Scan, Windows Media Center, Windows Media Player, Windows Update, and XPS Viewer are also hidden from the Start Menu All Programs list.

I think that's it. Thanks for your help!
 
Run the following and see if what is 'missing' can then be found: No log- just run:

Download Unhide.exe and save to the desktop.
  • Double-click on Unhide.exe icon to run the program.
  • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
============================================
You can find a great walk through with screen shots on customizing the Start menu at http://www.sevenforums.com/tutorials/265-start-menu-customize.html

Let me know if the unhide program helps.
 
Shortcuts might be missing, not hidden

Running unhide.exe didn't generate any changes, and customizing the START MENU doesn't allow me to replace any of the missing shortcuts.

I checked my "C:\ProgramData\Microsoft\Windows\Start Menu" and "C:\Users\Koguma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs" folders. There do not appear to be any hidden files in these folders, and list folders privileges doesn't appear to be set for any folders.

At this point, do I just need to manually recreate all of my missing shortcuts and paste them into the "C:\ProgramData\Microsoft\Windows\Start Menu" folder? I tested this, and it does work for the "C:\ProgramData\Microsoft\Windows\Start Menu" folder. It didn't work instantaneously for the "C:\Users\Koguma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs" folder, but I didn't re-log and I assume that the profile settings are loaded only at log-on.

Am I malware free? Thanks again!
 
And the following folders contain subfolders, which may contain subfolders, but no shortcuts are visible: K-Lite Codec Pack, Microsoft Office, SAS, and VideoLAN.
Creating Shortcuts
  1. Folders or Documents
    Right click on folder> Send To> Desktop (to create a shortcut) Once the shortcut is on the Desktop, you can drag and drop to other location. (Taskbar, Toolbar, Favorites, Start menu)
  2. Web Sites:
    Click on icon to left of Address bar> Drag to desktop or anywhere else you want it.
  3. Anything on Start Menu
    Hold down right mouse button> Drag icon from Start menu to Desktop. Release mouse button and choose Create link in Desktop
  4. Control Panel:
    Drag any icon from CP to Desktop. Leave there or drag and drop to other location
  5. Disc Drives
    Open Computer from Start menu> Right click drive you want> Choose Create Shortcut
  6. Nearly anything else
    Drag and drop while holding down right mouse button. Release button and choose Create Shortcut
---------------------------------------------------
If you have difficulty finding a program to create a shortcut:
Right click on Start> Explore> Navigate to Programs> Double click to open the Programs. Find program you want to create a shortcut for and double click on it. Look for the .exe file> Right click> Send To> Desktop (to create a shortcut).
 
Am I malware free?

Thanks for the instructions. I will replace my missing shortcuts as I use the programs. Is there anything else that I need to do?
 
I corrected the tag for the site with screen shots for the start menu. Sorry about that. Shortcuts can become corrupt. All you need to do is recreate them as long as the program or app is still on the system.

Please go ahead and recreate the ones you want. We have removed the malware. Since the other problems seem to have been resolved:
Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
    [o] Click START> then RUN
    [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
    [o] Double click OTCleanIt.exe.
    [o] Click the CleanUp! button.
    [o] If you are prompted to Reboot during the cleanup, select Yes.
    [o] The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
  • Set a new, clean Restore Point
    [o] Click on Start> right click on Computer> Properties
    [o] Select System Protection
    [o] Click on the Create button (near bottom)
    [o] Type a name for the Restore Point
    [o] Click on Create again to save the restore point.
  • Deleting all but the most recent System Protection point in Windows 7
    [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
    [o] Click Disk Cleanup from there.
    image2.png

    [o] Click Clean up system files
    This restarts Disk Cleanup to run in elevated mode.
    [o] Click the More Options tab
    w7-srp2.png

    [o] Click the Clean up under System Restore and Shadow Copies.
    [o] Click OK.
    [o] You will get a confirmation screen> Just click Delete.
    [o] Click OK on the Disk Cleanup Screen.
    [o] Click Delete Files on the Confirmation screen.
image6.png

This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space in C drive.)
Images courtesy lytebyte.

Empty the Recycle Bin
 